AAA · RADIUS Config

key [shared-secret]

Configures the shared secret key used for RADIUS authentication and accounting between the Cisco device and the RADIUS server.

Syntax · RADIUS Config
key [shared-secret]

When to Use This Command

  • Setting up a shared secret for a new RADIUS server to enable AAA authentication for network device access.
  • Updating the shared secret when rotating keys for security compliance.
  • Configuring multiple RADIUS servers with different shared secrets for redundancy.
  • Troubleshooting RADIUS authentication failures by verifying the shared secret matches the server.

Command Examples

Configure shared secret for a RADIUS server

RADIUS(config)# key MySecretKey123

This command sets the shared secret to 'MySecretKey123' for the RADIUS server configuration context. No output is displayed upon successful configuration.

Verify the configured shared secret

RADIUS(config)# do show run | section radius-server
radius-server host 192.168.1.100 key MySecretKey123
radius-server host 192.168.1.101 key AnotherKey456

The output shows the running configuration for RADIUS servers. Each line includes the server IP and the shared secret (shown in plaintext if not encrypted). Verify that the key matches the RADIUS server's configuration.

Understanding the Output

The 'key' command itself does not produce output. To verify the configured shared secret, use 'show running-config | section radius-server' or 'show radius-server'. In the output, each RADIUS server entry displays the IP address and the shared secret key. If the key appears in encrypted form (e.g., 'key 7 0822455D0A16'), service password-encryption is enabled. Ensure the key matches exactly what is configured on the RADIUS server; mismatched keys are a common cause of authentication failures. If your security policy requires encryption, also check that the key is not visible in plaintext in the configuration.

CCNA Exam Tips

1. CCNA exam tip: The 'key' command is configured in RADIUS config mode, not global config. You must first enter RADIUS server configuration mode using 'radius-server host <ip>'.

2. CCNA exam tip: Shared secrets are case-sensitive and must match exactly on both the router and the RADIUS server.

3. CCNA exam tip: Use 'service password-encryption' to encrypt the shared secret in the running configuration, but remember that type 7 encryption is weak and reversible.

4. CCNA exam tip: For CCNA, know that RADIUS uses UDP port 1812 for authentication and UDP port 1813 for accounting, but the shared secret is configured per server.
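The plaintext and type 7 checks described under "Understanding the Output" and in tip 3 can be automated when reviewing saved configurations. The following is an added example, not part of the original page or any Cisco tooling: it audits 'radius-server host' lines and reports how each key is stored without ever echoing the secret. The sample configuration is constructed, and the function names and status labels are assumptions made for this illustration.

```python
import re

# Constructed sample in the format of `show run | section radius-server`
# (not taken from a real device).
SAMPLE_CONFIG = """\
radius-server host 192.168.1.100 key MySecretKey123
radius-server host 192.168.1.101 auth-port 1812 acct-port 1813 key 7 0822455D0A16
radius-server host 192.168.1.102 key 0 AnotherKey456
radius-server host 192.168.1.103
"""

HOST_RE = re.compile(r"^\s*radius-server host (\S+)(.*)$")
# Optional numeric type (0 or 7) followed by the key string.
KEY_RE = re.compile(r"\bkey\s+(?:(\d+)\s+)?(\S.*?)\s*$")

NOTES = {
    "plaintext": "secret readable in config; anyone with 'show run' sees it",
    "type7": "type 7 is reversible obfuscation; treat config as sensitive",
    "no-key": "no per-server key on this line; check where the key is set",
    "unknown-type": "unrecognized key type; review manually",
}

def classify(rest):
    """Return how the key is stored, based on the text after the host."""
    m = KEY_RE.search(rest)
    if not m:
        return "no-key"
    ktype, value = m.group(1), m.group(2)
    if ktype in (None, "0"):
        return "plaintext"
    if ktype == "7" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return "type7"
    return "unknown-type"

def audit(config_text):
    """Return [(server_ip, status)] for every radius-server host line."""
    findings = []
    for line in config_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            findings.append((m.group(1), classify(m.group(2))))
    return findings

def report(config_text):
    """Human-readable findings; the secret itself is never included."""
    return [f"{ip}: {status} ({NOTES[status]})" for ip, status in audit(config_text)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```
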

Common Mistakes

Mistake 1: Configuring the key in global configuration mode instead of RADIUS config mode, resulting in an 'Invalid input detected' error.

Mistake 2: Using spaces or special characters in the shared secret without quotes, causing the router to interpret them as separate commands.

Mistake 3: Forgetting to apply the key to the correct RADIUS server when multiple servers are configured, leading to authentication failures on some servers.
