49-111
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49 Configuring 802.1X Port-Based Authentication
Controlling Switch Access with RADIUS
To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands.
Configuring the Switch to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information
between the switch and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes
(VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation
supports one vendor-specific option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the
supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate
attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for
optional attributes. The full set of features available for TACACS+ authorization can then be used for RADIUS.
For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP
address assignment):
cisco-avpair= ”ip:addr-pool=first“
This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= ”shell:priv-lvl=15“
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= ”tunnel-type(#64)=VLAN(13)”
cisco-avpair= ”tunnel-medium-type(#65)=802 media(6)”
cisco-avpair= ”tunnel-private-group-ID(#81)=vlanid”
This example shows how to apply an input ACL in ASCII format to an interface for the duration of this connection:
cisco-avpair= “ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0”
cisco-avpair= “ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any”
cisco-avpair= “mac:inacl#3=deny any any decnet-iv”
This example shows how to apply an output ACL in ASCII format to an interface for the duration of this connection:
cisco-avpair= “ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any”
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and
VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”
Step 4
Switch(config)# radius-server
timeout seconds
Specifies the number of seconds a switch waits for a reply to a RADIUS
request before resending the request. The default is 5 seconds; the range is
1 to 1000.
Step 5
Switch(config)# radius-server
deadtime minutes
Specifies the number of minutes a RADIUS server, which is not responding
to authentication requests, to be skipped, thus avoiding the wait for the
request to timeout before trying the next configured server. The default is
0; the range is 1 to 1440 minutes.
Step 6
Switch(config)# end
Returns to privileged EXEC mode.
Step 7
Switch# show running-config
Verifies your settings.
Step 8
Switch# copy running-config
startup-config
(Optional) Saves your entries in the configuration file.
Command Purpose
To Next Page
Loading...
Need help?
General
