Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-25303-03
Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
Understanding IEEE 802.1x Port-Based Authentication
This example shows how to configure the inaccessible authentication bypass feature and configure the
critical voice VLAN:
Switch(config)# radius-server dead-criteria time 30 tries 20
Switch(config)# radius-server deadtime 60
Step 4
Command: radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]
Purpose: Configures the RADIUS server parameters:
• acct-port udp-port—Specifies the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536. The default is 1646.
• auth-port udp-port—Specifies the UDP port for the RADIUS authentication server. The range for the UDP port number is from 0 to 65536. The default is 1645.
Note You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values.
• test username name—Enables automatic testing of the RADIUS server status, and specifies the username to be used.
• idle-time time—Sets the interval of time in minutes after which the switch sends test packets to the server. The range is from 1 to 35791 minutes. The default is 60 minutes (1 hour).
• ignore-acct-port—Disables testing on the RADIUS-server accounting port.
• ignore-auth-port—Disables testing on the RADIUS-server authentication port.
• For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.
Note Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.
You can also configure the authentication and encryption key by using the radius-server key {0 string | 7 string | string} global configuration command.

Step 5
Command: interface interface-id
Purpose: Specifies the port to be configured and enters interface configuration mode.

Step 6
Command: authentication event server dead action {authorize | reinitialize} vlan vlan-id
Purpose: Configures a critical VLAN to move hosts on the port if the RADIUS server is unreachable:
• authorize—Moves any new hosts trying to authenticate to the user-specified critical VLAN.
• reinitialize—Moves all authorized hosts on the port to the user-specified critical VLAN.

Step 7
Command: switchport voice vlan vlan-id
Purpose: Specifies the voice VLAN for the port. The voice VLAN cannot be the same as the critical data VLAN configured in Step 6.

Step 8
Command: authentication event server dead action authorize voice
Purpose: Configures critical voice VLAN to move data traffic on the port to the voice VLAN if the RADIUS server is unreachable.

Step 9
Command: end
Purpose: Returns to privileged EXEC mode.

Step 10
Command: show authentication interface interface-id
Purpose: (Optional) Verifies your entries.
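The notes in Steps 4 through 8 can be checked mechanically against a candidate configuration before it is pushed: nondefault RADIUS ports, the key placed last with no stray spaces or quotation marks, and a voice VLAN that differs from the critical data VLAN. The script below is an added example, not code from the Cisco guide; the function name audit, the wording of the findings, and the sample addresses and key are assumptions made for illustration.

```python
import re

# Defaults stated in the guide; its Note recommends nondefault values for both.
DEFAULT_PORTS = {"auth-port": "1645", "acct-port": "1646"}
CRIT = re.compile(r"authentication event server dead action (?:authorize|reinitialize) vlan (\d+)")

def audit(config):
    """Return a list of findings for an IOS configuration supplied as text."""
    findings, iface, voice, critical, crit_voice = [], None, {}, {}, set()
    for raw in config.splitlines():
        line = raw.lstrip()  # leading spaces are ignored; trailing ones are kept
        if line.startswith("radius-server host "):
            host = line.split()[2]
            head, _, key = line.partition(" key ")  # everything after " key " is key text
            for kw, default in DEFAULT_PORTS.items():
                m = re.search(rf"\b{kw} (\d+)", head)
                if m is None or m.group(1) == default:
                    findings.append(f"{host}: {kw} is the default {default}")
            if key != key.rstrip():
                findings.append(f"{host}: key ends in whitespace that becomes part of the key")
            if re.fullmatch(r'".*"\s*', key):
                findings.append(f"{host}: quotation marks become part of the key")
            if re.search(r"\b(auth-port|acct-port|test username)\b", key):
                findings.append(f"{host}: key is not the last item on the line")
        elif line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif iface and (m := re.match(r"switchport voice vlan (\d+)", line)):
            voice[iface] = m.group(1)
        elif iface and (m := CRIT.match(line)):
            critical[iface] = m.group(1)
        elif iface and line.startswith("authentication event server dead action authorize voice"):
            crit_voice.add(iface)
    for name, vlan in critical.items():
        if voice.get(name) == vlan:  # Step 7: the two VLANs cannot be the same
            findings.append(f"{name}: voice VLAN {vlan} is also the critical data VLAN")
    for name in sorted(crit_voice - set(voice)):  # Step 8 relies on the Step 7 voice VLAN
        findings.append(f"{name}: critical voice VLAN set but no voice VLAN configured")
    return findings

# Constructed sample (documentation addresses, made-up keys), not from a real device.
SAMPLE = (
    "radius-server host 192.0.2.10 auth-port 1645 acct-port 1813 key s3cret \n"
    "radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key ok-key\n"
    "interface GigabitEthernet1/0/1\n"
    " authentication event server dead action authorize vlan 20\n"
    " switchport voice vlan 20\n"
    " authentication event server dead action authorize voice\n"
)
```

Calling audit(SAMPLE) reports the default authentication port and the trailing space in the first host's key, plus the VLAN 20 clash on the interface; the second host line passes cleanly.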