Chapter 10
Configuring IEEE 802.1x Port-Based Authentication
OL-26520-01

Step 4
Command: radius-server host ip-address [acct-port udp-port] [auth-port udp-port] [test username name [idle-time time] [ignore-acct-port] [ignore-auth-port]] [key string]
Purpose: Configures the RADIUS server parameters:
• acct-port udp-port—Specifies the UDP port for the RADIUS accounting server. The range for the UDP port number is from 0 to 65536. The default is 1646.
• auth-port udp-port—Specifies the UDP port for the RADIUS authentication server. The range for the UDP port number is from 0 to 65536. The default is 1645.
Note: You should configure the UDP port for the RADIUS accounting server and the UDP port for the RADIUS authentication server to nondefault values.
• test username name—Enables automatic testing of the RADIUS server status, and specifies the username to be used.
• idle-time time—Sets the interval of time in minutes after which the switch sends test packets to the server. The range is from 1 to 35791 minutes. The default is 60 minutes (1 hour).
• ignore-acct-port—Disables testing on the RADIUS-server accounting port.
• ignore-auth-port—Disables testing on the RADIUS-server authentication port.
• For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server.
Note: Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key. This key must match the encryption used on the RADIUS daemon.
You can also configure the authentication and encryption key by using the radius-server key {0 string | 7 string | string} global configuration command.

Step 5
Command: interface interface-id
Purpose: Specifies the port to be configured and enters interface configuration mode.

Step 6
Command: authentication event server dead action {authorize | reinitialize} vlan vlan-id
Purpose: Configures a critical VLAN to move hosts on the port if the RADIUS server is unreachable:
• authorize—Moves any new hosts trying to authenticate to the user-specified critical VLAN.
• reinitialize—Moves all authorized hosts on the port to the user-specified critical VLAN.

Step 7
Command: switchport voice vlan vlan-id
Purpose: Specifies the voice VLAN for the port. The voice VLAN cannot be the same as the critical data VLAN configured in Step 6.

Step 8
Command: authentication event server dead action authorize voice
Purpose: Configures critical voice VLAN to move data traffic on the port to the voice VLAN if the RADIUS server is unreachable.

Step 9
Command: end
Purpose: Returns to privileged EXEC mode.

Step 10
Command: show authentication interface interface-id
Purpose: (Optional) Verifies your entries.

This example shows how to configure the inaccessible authentication bypass feature and configure the critical voice VLAN:
Switch(config)# radius-server dead-criteria time 30 tries 20
Switch(config)# radius-server deadtime 60
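
The following Python check is an added example, not part of the Cisco guide or of Cisco software. It scans a candidate configuration file for three points from the procedure above: a key that is not the last item of radius-server host (or that ends in a space), default RADIUS UDP ports, and a voice VLAN equal to the critical data VLAN. The sample configuration, the finding names and the audit function are constructed for illustration.

```python
import re

OPTIONS = {"acct-port", "auth-port", "test", "idle-time",
           "ignore-acct-port", "ignore-auth-port"}
CRITICAL = re.compile(r"authentication event server dead action "
                      r"(?:authorize|reinitialize) vlan (\d+)")
VOICE = re.compile(r"switchport voice vlan (\d+)")
IFACE = re.compile(r"interface (\S+)")

# Constructed candidate config (addresses, VLANs and key are made up).
SAMPLE = "\n".join([
    "radius-server host 192.0.2.10 key s3cret auth-port 1645",
    "radius-server host 192.0.2.11 acct-port 1550 auth-port 1560 key s3cret ",
    "interface GigabitEthernet0/1",
    " authentication event server dead action reinitialize vlan 20",
    " switchport voice vlan 20",
    "interface GigabitEthernet0/2",
    " authentication event server dead action authorize vlan 20",
    " switchport voice vlan 30",
])

def audit(config):
    """Return (scope, finding) pairs for the constraints stated in the steps."""
    findings, vlans, iface = [], {}, None
    for raw in config.splitlines():
        line = raw.lstrip()  # leading spaces are ignored; trailing ones are kept
        if line.startswith("radius-server host "):
            head, sep, key = line.partition(" key ")
            host = (head.split() + ["?"])[2]
            # Heuristic: text after "key" is taken as the key, so option
            # keywords found there suggest the key was not the last item.
            if sep and OPTIONS & set(key.split()):
                findings.append((host, "key-not-last"))
            if sep and key != key.rstrip():
                findings.append((host, "key-trailing-space"))
            for name, default in (("acct-port", 1646), ("auth-port", 1645)):
                m = re.search(r"(?<![\w-])" + name + r" (\d+)", head)
                if (int(m.group(1)) if m else default) == default:
                    findings.append((host, "default-" + name))
        elif m := IFACE.match(line):
            iface = m.group(1)
            vlans[iface] = {}
        elif iface and (m := CRITICAL.match(line)):
            vlans[iface]["critical"] = m.group(1)
        elif iface and (m := VOICE.match(line)):
            vlans[iface]["voice"] = m.group(1)
    for name, v in vlans.items():
        if "critical" in v and v["critical"] == v.get("voice"):
            findings.append((name, "voice-vlan-equals-critical-vlan"))
    return findings
```

Calling audit(SAMPLE) reports the first host for the misplaced key and default ports, the second host for the trailing space in its key, and GigabitEthernet0/1 for reusing VLAN 20 as both critical and voice VLAN.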
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
Configuring 802.1x Authentication