Cisco Catalyst 4500 Series Administration Guide

Cisco Catalyst 4500 Series
1814 pages
46-116
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
OL_28731-01
Chapter 46 Configuring 802.1X Port-Based Authentication
Controlling Switch Access with RADIUS
Configuring CoA on the Switch
To configure CoA on a switch, perform these steps. This procedure is required.
Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# aaa new-model
Purpose: Enables AAA.

Step 3
Command: Switch(config)# aaa server radius dynamic-author
Purpose: Configures the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server.

Step 4
Command: Switch(config-locsvr-da-radius)# client {ip-address | name} [vrf vrfname] [server-key string]
Purpose: Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which a device will accept CoA and disconnect requests.

Step 5
Command: Switch(config-locsvr-da-radius)# server-key [0 | 7] string
Purpose: Configures the RADIUS key to be shared between a device and RADIUS clients.

Step 6
Command: Switch(config-locsvr-da-radius)# port port-number
Purpose: Specifies the port on which a device listens for RADIUS requests from configured RADIUS clients.

Step 7
Command: Switch(config-locsvr-da-radius)# auth-type {any | all | session-key}
Purpose: Specifies the type of authorization the switch uses for RADIUS clients. The client must match all the configured attributes for authorization.

Step 8
Command: Switch(config-locsvr-da-radius)# ignore session-key
Purpose: (Optional) Configures the switch to ignore the session-key. For more information about the ignore command, see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco.com.

Step 9
Command: Switch(config-locsvr-da-radius)# ignore server-key
Purpose: (Optional) Configures the switch to ignore the server-key. For more information about the ignore command, see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco.com.

Step 10
Command: Switch(config-locsvr-da-radius)# exit
Purpose: Switches to global configuration mode.

Step 11
Command: Switch(config)# authentication command bounce-port ignore
Purpose: (Optional) Configures the switch to ignore a CoA request to temporarily disable the port hosting a session. The purpose of temporarily disabling the port is to trigger a DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to detect the change.

Step 12
Command: Switch(config)# authentication command disable-port ignore
Purpose: (Optional) Configures the switch to ignore a nonstandard command requesting that the port hosting a session be administratively shut down. Shutting down the port results in termination of the session. Use standard CLI or SNMP commands to re-enable the port.

Step 13
Command: Switch# end
Purpose: Returns to privileged EXEC mode.

Step 14
Command: Switch# show running-config
Purpose: Verifies your entries.

Step 15
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
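
An added example, not taken from the Cisco guide: a Python check that can be run over the show running-config output from step 14 to flag CoA settings that loosen how requests are validated. The sample configuration, its addresses, key and port value, and the function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt; addresses, key and port are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa server radius dynamic-author
 client 192.0.2.10 server-key EXAMPLE-KEY
 client 192.0.2.11
 port 1700
 auth-type any
 ignore server-key
!
authentication command bounce-port ignore
"""

def dynamic_author_block(config):
    """Return the indented sub-commands under 'aaa server radius dynamic-author'."""
    block, inside = [], False
    for raw in config.splitlines():
        if raw.strip() == "aaa server radius dynamic-author":
            inside = True
        elif inside and raw.startswith(" "):
            block.append(raw.strip())
        elif inside:
            break  # first non-indented line closes the block
    return block

def audit_coa(config):
    """Return a list of findings for the CoA settings from steps 2-9."""
    findings = []
    if not re.search(r"^aaa new-model\s*$", config, re.M):
        findings.append("aaa new-model is missing (step 2)")
    block = dynamic_author_block(config)
    if not block:
        return findings + ["no 'aaa server radius dynamic-author' block (step 3)"]
    has_global_key = any(cmd.startswith("server-key ") for cmd in block)
    for cmd in block:
        if cmd.startswith("client ") and " server-key " not in cmd and not has_global_key:
            findings.append(f"'{cmd}' has no per-client or global server-key (steps 4-5)")
        elif cmd == "auth-type any":
            findings.append("'auth-type any' accepts a match on any one attribute (step 7)")
        elif cmd.startswith("ignore "):
            findings.append(f"'{cmd}' makes the switch ignore that key (steps 8-9)")
    return findings

if __name__ == "__main__":
    for finding in audit_coa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

An empty result means none of these conditions were found in the dynamic-author block; it does not validate the policy server side of the exchange.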

Cisco Catalyst 4500 Series Specifications

General
Series: Catalyst 4500 Series
Category: Switch
Layer Support: Layer 2, Layer 3
Form Factor: Modular chassis
Stackable: No
Chassis Slots: 3, 6, 7, 10
Power Supply Options: AC, DC
Redundancy: Power supply, Supervisor engine
Network Management: Cisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
Features: Security, QoS
Port Density: Up to 384 ports per chassis
Security Features: 802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine: 8-E