Cisco Catalyst 4500 Series - Configuring Switch-To-RADIUS-Server Communication

46-35
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
Configuring Switch-to-RADIUS-Server Communication
A RADIUS security server is identified by its host name or IP address, host name and specific UDP port
number, or IP address and specific UDP port numbers. The combination of the IP address and UDP port
number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on
a server at the same IP address. If two different host entries on the same RADIUS server are configured
for the same service (for example, authentication), the second host entry configured acts as the failover
backup to the first one. The RADIUS host entries are tried in the order they were configured.
To configure the RADIUS server parameters on the switch, perform this task:
Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# radius-server host {hostname | ip-address} auth-port port-number [acct-port port-number] [test username name] [ignore-auth-port] [ignore-acct-port] [idle-time min] key string
Purpose: Configures the RADIUS server parameters on the switch.
For hostname | ip-address, specify the hostname or IP address of the remote RADIUS server.
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.
auth-port port-number specifies the UDP destination port for authentication requests. The default is 1645.
acct-port port-number specifies the UDP destination port for accounting requests. The default is 1646.
Note: 1645 and 1646 are the pre-RFC 2865 port numbers. The ports assigned by RFC 2865 and RFC 2866 are 1812 and 1813, and most current RADIUS servers listen there by default, so set auth-port and acct-port explicitly to match the server rather than relying on the switch defaults.
Use test username name to enable automated RADIUS server testing and to detect the RADIUS server going up and down. The name parameter is the username used in the test Access-Request sent to the RADIUS server; it does not need to be a valid user configured on the server. Any reply, Access-Accept or Access-Reject, counts as the server being up; only a missing reply marks it down. The ignore-auth-port and ignore-acct-port options disable testing on the authentication and accounting ports respectively.
The idle-time min parameter specifies the number of minutes before an idle RADIUS server is tested to verify that it is still up. The default is 60 minutes.
The key string specifies the authentication and encryption key (the RADIUS shared secret) used between the switch and the RADIUS daemon running on the RADIUS server. The key is a text string that must match the shared secret configured on the RADIUS server.
Note: Always configure the key as the last item in the radius-server host command syntax, because leading spaces are ignored but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption key used on the RADIUS daemon. The key is stored in the running configuration and is what protects every RADIUS exchange with this server, so use a long random value and treat configuration backups as sensitive.
If you want to use multiple RADIUS servers, use this command multiple times. Host entries for the same service are tried in the order they were configured, so enter the primary server first.

Step 3
Command: Switch(config)# radius-server deadtime minutes
Purpose: (Optional) Specifies, in minutes, how long a RADIUS server that has stopped responding is marked dead and skipped before the switch tests it again to check whether it has come back up. The default is 1 minute.
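The procedure above and the failover behaviour described at the start of this section, carried through as one complete configuration. This is an added example, not text from the Cisco guide: the server addresses (192.0.2.10 and 192.0.2.11), the shared secrets, the probe username radius-probe, the idle-time and deadtime values, and the verification commands at the end are all assumed for illustration and must be replaced with site-specific values.

```cisco
! Added example, not from the Cisco guide. Addresses, secrets, username and
! timer values are placeholders chosen for illustration.
configure terminal
!
! Primary RADIUS server, configured first so it is tried first.
! Ports 1812/1813 are set explicitly because the switch defaults to 1645/1646.
! The key is the last token on the line; everything after "key " is the secret.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 test username radius-probe idle-time 15 key Example-Secret-Replace-Me-01
!
! Backup server for the same service: same ports and probe user, configured
! second, so it is used only when the primary is marked dead.
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 test username radius-probe idle-time 15 key Example-Secret-Replace-Me-02
!
! Skip a server that has stopped responding for 10 minutes before retrying it.
radius-server deadtime 10
end
!
! Verification (assumed for this example; output formats vary by release):
!   show aaa servers            - per-server state (UP/DEAD) and counters
!   show radius statistics      - request/response and timeout counts
!   test aaa group radius radius-probe dummy-password new-code
!                               - sends one Access-Request and reports the
!                                 server's reply or a timeout
```

Note that the probe user does not need to exist on the RADIUS server: an Access-Reject for radius-probe still proves the server is reachable and that the shared secret matches, because a server that cannot validate the Request Authenticator against its configured secret silently drops the packet, which the switch sees as a timeout.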
