Cisco Systems 2940 Configuring RADIUS

7-19

Catalyst 2940 Switch Software Configuration Guide

78-15507-02

Chapter7 Configuring Switch-Ba sed Authentication Controlling Switch Access with RADIUS

Configuring RADIUS

This section describes how to configure your switch to support RADIUS. At a mi nim um, y ou mus t

identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS

authentication. You can optionally define method lists for RADIUS authorization and accounting.

A method list defines the sequence and methods to be used to authenticate, to authoriz e, or to keep

accounts on a user. You can use method lists to designate one or more security protocol s to be used (such

as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails. The

software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that

method does not respond, the software selects the next method in the list. This process continues until

there is successful communication with a listed method or the method list is exhausted.

You should have access to and should configure a RADIUS server before configuring RADIUS features

on your switch.

This section contains this configuration information:

•Default RADIUS Configuration, page 7-19

•Identifying the RADIUS Server Host, page 7-19 (required)

•Configuring RADIUS Login Authentication, page 7-22 (required)

•Defining AAA Server Groups, page 7-24 (optional)

•Configuring RADIUS Authorization for User Privileged Access and Network Services, page 7-2 6

(optional)

•Starting RADIUS Accounting, page 7-27 (optional)

•Configuring Settings for All RADIUS Servers, page 7-28 (optional)

•Configuring the Switch to Use Vendor-Specific RADIUS Attributes, page 7-28 (optional)

•Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 7-29

(optional)

Default RADIUS Configuration

RADIUS and AAA are disabled by default.

To prevent a lapse in security, you cannot configure RADIUS through a network management

application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.

Identifying the RADIUS Server Host

Switch-to-RADIUS-server communication involves several components:

•Host name or IP address

•Authentication destination port

•Accounting destination port

•Key string

•Timeout period

•Retransmission value

Contents

Main Catalyst 2940 Switch Software Configuration Guide Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Conventions Related Publications Obtaining Documentation Cisco.com Documentation CD-ROM Ordering Documentation Obtaining Technical Assistance Cisco TAC Website Opening a TAC Case TAC Case Priority Definitions Obtaining Additional Publications and Information Overview Features Page Page Page Management Options Management Options Management Interface Options Advantages of Using CMS and Clustering Switches Network Configuration Examples Design Concepts for Using the Switch Small Network Configuration Collapsed Backbone and Switch Cluster Configuration Large Campus Configuration 1-11 Where to Go Next Before configuring the switch, review these sections for start-up information: Page Using the Command-Line Interface Cisco IOS Command Modes Page Getting Help Specifying Ports in Interface Configuration Mode Abbreviating Commands Using no and default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Accessing the CLI from a Browser Getting Started with CMS Understanding CMS Front Panel View Topology View CMS Menu Bar, Toolbar, and Feature Bar Page Online Help Configuration Modes Guide Mode Expert Mode Wizards Privilege Levels Access to Older Switches In a Cluster Configuring CMS CMS Requirements Minimum Hardware Configuration Operating System and Browser Support Browser Plug-In Requirements Windows Solaris Cross-Platform Considerations HTTP Access to CMS Specifying an HTTP Port (Nondefault Configuration Only) Configuring an Authentication Method (Nondefault Configuration Only) Displaying CMS Launching CMS Front Panel View 1 2 3 4 12 Topology View 1 432 CMS Icons Where to Go Next Page Assigning the Switch IP Address and Default Gateway Understanding the Boot Process Assigning Switch Information Default Switch Information Understanding DHCP-Based Autoconfiguration DHCP Client Request Process Configuring the DHCP Server Configuring the TFTP Server Configuring the DNS Configuring the Relay Device Obtaining Configuration Files Example Configuration Manually Assigning IP Information 4-10 Checking and Saving the Running Configuration 4-11 Page Clustering Switches Understanding Switch Clusters Command Switch Characteristics Standby Command Switch Characteristics Candidate Switch and Member Switch Characteristics Planning a Switch Cluster Automatic Discovery of Cluster Candidates and Members Discovery Through CDP Hops Discovery Through Non-CDP-Capable and Noncluster-Capable Devices Discovery Through the Same Management VLAN Discovery Through Different Management VLANs 5-7 Discovery of Newly Installed Switches HSRP and Standby Command Switches Virtual IP Addresses Other Considerations for Cluster Standby Groups Page Automatic Recovery of Cluster Configuration IP Addresses Host Names Passwords SNMP Community Strings TACACS+ and RADIUS Access Modes in CMS Management VLAN LRE Profiles Availability of Switch-Specific Features in Switch Clusters Creating a Switch Cluster Enabling a Command Switch Adding Member Switches Page Page Creating a Cluster Standby Group Verifying a Switch Cluster Using the CLI to Manage Switch Clusters Catalyst 1900 and Catalyst 2820 CLI Considerations Using SNMP to Manage Switch Clusters Page Page Administering the Switch Managing the System Time and Date Understanding the System Clock Understanding Network Time Protocol Configuring NTP Default NTP Configuration Configuring NTP Authentication Configuring NTP Associations Configuring NTP Broadcast Service Configuring NTP Access Restrictions Creating an Access Group and Assigning a Basic IP Access List Disabling NTP Services on a Specific Interface Configuring the Source IP Address for NTP Packets Displaying the NTP Configuration Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Configuring a System Name and Prompt Default System Name and Prompt Configuration Configuring a System Name Configuring a System Prompt Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Configuring a Login Banner Managing the MAC Address Table Building the Address Table MAC Addresses and VLANs Default MAC Address Table Configuration Changing the Address Aging Time Removing Dynamic Address Entries Configuring MAC Address Notification Traps Page Adding and Removing Static Address Entries Displaying Address Table Entries Managing the ARP Table Configuring Switch-Based Authentication Preventing Unauthorized Access to Your Switch Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Protecting Enable and Enable Secret Passwords with Encryption Setting a Telnet Password for a Terminal Line Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Changing the Default Privilege Level for Lines Logging into and Exiting a Privilege Level Controlling Switch Access with TACACS+ Understanding TACACS+ Page TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Displaying the TACACS+ Configuration Controlling Switch Access with RADIUS Understanding RADIUS RADIUS Operation Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Starting RADIUS Accounting Configuring Settings for All RADIUS Servers Configuring the Switch to Use Vendor-Specific RADIUS Attributes Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Displaying the RADIUS Configuration Configuring the Switch for Local Authentication and Authorization Page Configuring 802.1X Port-Based Authentication Understanding 802.1X Port-Based Authentication Device Roles Authentication Initiation and Message Exchange Ports in Authorized and Unauthorized States Supported Topologies Using 802.1X with Voice VLAN Ports Configuring 802.1X Authentication Default 802.1X Configuration Page 802.1X Configuration Guidelines Upgrading from a Previous Software Release Enabling 802.1X Authentication Configuring the Switch-to-RADIUS-Server Communication Enabling Periodic Re-Authentication Manually Re-Authenticating a Client Connected to a Port Changing the Quiet Period Changing the Switch-to-Client Retransmission Time Setting the Switch-to-Client Frame-Retransmission Number Configuring the Host Mode Resetting the 802.1X Configuration to the Default Values Displaying 802.1X Statistics and Status Configuring the Switch Interfaces Understanding Interface Types Access Ports Trunk Ports Port-Based VLANs EtherChannel Port Groups Connecting Interfaces Using the Interface Command Procedures for Configuring Interfaces 9-6 Configuring a Range of Interfaces Page Configuring and Using Interface-Range Macros Page Configuring Ethernet Interfaces Default Ethernet Interface Configuration Configuring Interface Speed and Duplex Mode Configuration Guidelines Setting the Interface Speed and Duplex Parameters Configuring Auto-MDIX on an Interface Adding a Description for an Interface Monitoring and Maintaining the Interfaces Monitoring Interface and Controller Status Clearing and Resetting Interfaces and Counters Shutting Down and Restarting the Interface Page Configuring SmartPort Macros Understanding SmartPort Macros Configuring Smart-Port Macros Default SmartPort Macro Configuration SmartPort Macro Configuration Guidelines Creating and Applying SmartPort Macros Page Displaying SmartPort Macros Page Configuring STP Understanding Spanning-Tree Features STP Overview Spanning-Tree Topology and BPDUs Bridge ID, Switch Priority, and Extended System ID Spanning-Tree Interface States Blocking State Listening State Learning State Forwarding State Disabled State How a Switch or Port Becomes the Root Switch or Root Port Spanning Tree and Redundant Connectivity Spanning-Tree Address Management Accelerated Aging to Retain Connectivity Spanning-Tree Modes and Protocols Supported Spanning-Tree Instances Spanning-Tree Interoperability and Backward Compatibility STP and IEEE 802.1Q Trunks Configuring Spanning-Tree Features Default Spanning-Tree Configuration STP Configuration Guidelines Disabling Spanning Tree Configuring the Root Switch Page Configuring a Secondary Root Switch Configuring the Port Priority Page Configuring the Path Cost Configuring the Switch Priority of a VLAN Configuring Spanning-Tree Timers Configuring the Hello Time Configuring the Forwarding-Delay Time for a VLAN Configuring the Maximum-Aging Time for a VLAN Displaying the Spanning-Tree Status Configuring Optional Spanning-Tree Features Understanding Optional Spanning-Tree Features Understanding Port Fast Understanding BPDU Guard Understanding BPDU Filtering Understanding UplinkFast Page Understanding BackboneFast Page Understanding EtherChannel Guard Understanding Root Guard Understanding Loop Guard Configuring Optional Spanning-Tree Features Default Optional Spanning-Tree Configuration Optional Spanning-Tree Configuration Guidelines Enabling Port Fast (Optional) Enabling BPDU Guard (Optional) Enabling BPDU Filtering (Optional) Enabling UplinkFast for Use with Redundant Links (Optional) Enabling BackboneFast (Optional) Enabling EtherChannel Guard (Optional) Enabling Root Guard (Optional) Enabling Loop Guard (Optional) Displaying the Spanning-Tree Status Configuring VLANs Understanding VLANs Supported VLANs VLAN Port Membership Modes Configuring Normal-Range VLANs Token Ring VLANs Normal-Range VLAN Configuration Guidelines VLAN Configuration Mode Options VLAN Configuration in config-vlan Mode VLAN Configuration in VLAN Configuration Mode Saving VLAN Configuration Default Ethernet VLAN Configuration Creating or Modifying an Ethernet VLAN Page Deleting a VLAN Assigning Static-Access Ports to a VLAN Displaying VLANs Configuring VLAN Trunks Trunking Overview Page 802.1Q Configuration Considerations Default Layer 2 Ethernet Interface VLAN Configuration Configuring an Ethernet Interface as a Trunk Port Interaction with Other Features Configuring a Trunk Port Page Defining the Allowed VLANs on a Trunk Changing the Pruning-Eligible List Configuring the Native VLAN for Untagged Traffic Load Sharing Using STP Load Sharing Using STP Port Priorities Page Load Sharing Using STP Path Cost Configuring VMPS Understanding VMPS Dynamic Port VLAN Membership VMPS Database Configuration File 13-24 Default VMPS Configuration Table13-6 shows the de fault VM PS a nd dy na mic po rt con figuratio n on cl ie nt swi tch es. Table13-6 Default VMPS Client and Dynamic Port Configuration VMPS Configuration Guidelines Configuring the VMPS Client Entering the IP Address of the VMPS Configuring Dynamic Access Ports on VMPS Clients Reconfirming VLAN Memberships Changing the Reconfirmation Interval Changing the Retry Count Monitoring the VMPS Troubleshooting Dynamic Port VLAN Membership VMPS Configuration Example 13-30 Configuring VTP Understanding VTP The VTP Domain VTP Modes VTP Advertisements VTP Version 2 VTP Pruning Page Configuring VTP Default VTP Configuration VTP Configuration Options VTP Configuration in Global Configuration Mode VTP Configuration in VLAN Configuration Mode VTP Configuration Guidelines Domain Names Passwords VTP Version Configuration Requirements Configuring a VTP Server Configuring a VTP Client Disabling VTP (VTP Transparent Mode) Enabling VTP Version 2 Enabling VTP Pruning Adding a VTP Client Switch to a VTP Domain Page Monitoring VTP Page Configuring Voice VLAN Understanding Voice VLAN Configuring Voice VLAN Default Voice VLAN Configuration Voice VLAN Configuration Guidelines Configuring a Port to Connect to a Cisco 7960 IP Phone Configuring Ports to Carry Voice Traffic in 802.1Q Frames Configuring Ports to Carry Voice Traffic in 802.1P Priority-Tagged Frames Overriding the CoS Priority of Incoming Data Frames Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames Displaying Voice VLAN Configuring IGMP Snooping and MVR Understanding IGMP Snooping IGMP Versions Joining a Multicast Group Leaving a Multicast Group Immediate-Leave Processing IGMP Report Suppression Source-Only Networks Configuring IGMP Snooping Default IGMP Snooping Configuration Enabling or Disabling IGMP Snooping Setting the Snooping Method Configuring a Multicast Router Port Configuring a Host Statically to Join a Group Enabling IGMP Immediate-Leave Processing Disabling IGMP Report Suppression Disabling IP Multicast-Source-Only Learning Configuring the Aging Time Displaying IGMP Snooping Information Page Understanding Multicast VLAN Registration Using MVR in a Multicast Television Application Page Configuring MVR Default MVR Configuration MVR Configuration Guidelines and Limitations Configuring MVR Global Parameters Configuring MVR Interfaces Page Displaying MVR Information Configuring IGMP Filtering and Throttling Default IGMP Filtering and Throttling Configuration Configuring IGMP Profiles Applying IGMP Profiles Page Setting the Maximum Number of IGMP Groups Configuring the IGMP Throttling Action Page Displaying IGMP Filtering and Throttling Configuration Page Configuring Port-Based Traffic Control Configuring Storm Control Understanding Storm Control Default Storm Control Configuration Enabling Storm Control Disabling Storm Control Configuring Protected Ports Configuring Port Security Understanding Port Security Secure MAC Addresses Security Violations Default Port Security Configuration Port Security Configuration Guidelines Enabling and Configuring Port Security Page Page Enabling and Configuring Port Security Aging Page Displaying Port-Based Traffic Control Settings Configuring UDLD Understanding UDLD Modes of Operation Methods to Detect Unidirectional Links Page Configuring UDLD Default UDLD Configuration Configuration Guidelines Enabling UDLD Globally Enabling UDLD on an Interface Resetting an Interface Shut Down by UDLD Displaying UDLD Status Page Configuring CDP Understanding CDP Configuring CDP Default CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP Page Configuring SPAN Understanding SPAN SPAN Concepts and Terminology SPAN Session Traffic Types Source Port Destination Port SPAN Traffic SPAN Interaction with Other Features SPAN Session Limits Default SPAN Configuration Configuring SPAN SPAN Configuration Guidelines Creating a SPAN Session and Specifying Ports to Monitor Page Creating a SPAN Session and Enabling Ingress Traffic Removing Ports from a SPAN Session Displaying SPAN Status Configuring RMON Understanding RMON Configuring RMON Default RMON Configuration Configuring RMON Alarms and Events Page Configuring RMON Collection on an Interface Displaying RMON Status Configuring System Message Logging Understanding System Message Logging Configuring System Message Logging System Log Message Format Default System Message Logging Configuration Disabling and Enabling Message Logging Setting the Message Display Destination Device Synchronizing Log Messages Page Enabling and Disabling Time Stamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Limiting Syslog Messages Sent to the History Table and to SNMP Configuring UNIX Syslog Servers Logging Messages to a UNIX Syslog Daemon Configuring the UNIX System Logging Facility Displaying the Logging Configuration Configuring SNMP Understanding SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables SNMP Notifications Configuring SNMP Default SNMP Configuration SNMP Configuration Guidelines Disabling the SNMP Agent Configuring Community Strings Configuring SNMP Groups and Users Page Configuring SNMP Notifications Page Page Setting the Agent Contact and Location Information Limiting TFTP Servers Used Through SNMP SNMP Examples Displaying SNMP Status Page Configuring Understanding QoS Queueing and Scheduling How Class of Service Works Port Priority Egress CoS Queues Configuring QoS Default QoS Configuration Configuring Classification Using Port Trust States Configuring the Trust State on Ports within the QoS Domain Page Configuring the CoS Value for an Interface Configuring Trusted Boundary Page Enabling Pass-Through Mode Configuring the Egress Queues Configuring CoS Priority Queues Configuring WRR Priority Displaying QoS Information Configuring EtherChannels Understanding EtherChannels Understanding Port-Channel Interfaces Understanding the Port Aggregation Protocol and Link Aggregation Protocol PAgP and LACP Modes Exchanging PAgP Packets Exchanging LACP Packets Physical Learners and Aggregate-Port Learners PAgP and LACP Interaction with Other Features Understanding Load Balancing and Forwarding Methods Configuring EtherChannels Default EtherChannel Configuration EtherChannel Configuration Guidelines Configuring Layer 2 EtherChannels Page Configuring EtherChannel Load Balancing Configuring the PAgP Learn Method and Priority Configuring the LACP Port Priority Configuring Hot Standby Ports Configuring the LACP System Priority Displaying EtherChannel, PAgP, and LACP Status Troubleshooting Using Recovery Procedures Recovering from Corrupted Software Recovering from a Lost or Forgotten Password Page Recovering from a Command Switch Failure Replacing a Failed Command Switch with a Cluster Member Replacing a Failed Command Switch with Another Switch Recovering from Lost Member Connectivity Preventing Autonegotiation Mismatches Diagnosing Connectivity Problems Using Ping Understanding Ping Executing Ping Using Layer 2 Traceroute Understanding Layer 2 Traceroute Usage Guidelines Displaying the Physical Path Using Debug Commands Enabling Debugging on a Specific Feature Enabling All-System Diagnostics Redirecting Debug and Error Message Output Using the crashinfo File Page APPENDIX A Supported MIBs MIB List Page Using FTP to Access the MIB Files Page INDEX Numerics A B C Page D E F G H I J L M Page N P Q R S Page Page T U V W X