9-39
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 9 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address}
non-standard global configuration command. To disable the key, use the no radius-server key global
configuration command.
This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124
between the switch and the server:
Switch(config)# radius-server host 172.20.30.15 nonstandard
Switch(config)# radius-server key rad124
Configuring CoA on the Switch
Beginning in privileged EXEC mode, follow these steps to configure CoA on a swit ch. This procedure
is required.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 aaa new-model Enable AAA.
Step 3 aaa server radius dynamic-author Configure the switch as an authentication, authorization, and accounting
(AAA) server to facilitate interaction with an external policy server.
Step 4 client {ip-address | name} [vrf vrfname]
[server-key string]
Enter dynamic authorization local server configuration mode and specify
a RADIUS client from which a device will accept CoA and disconnect
requests.
Step 5 server-key [0 | 7] string Configure the RADIUS key to be shared between a device and RADIUS
clients.
Step 6 port port-number Specify the port on which a device listens for RADIUS requests from
configured RADIUS clients.
Step 7 auth-type {any | all | session-key} Specify the type of authorization the switch uses for RADIUS clients.
The client must match all the configured attributes for authorization.
Step 8 ignore session-key (Optional) Configure the switch to ignore the session-key.
For more information about the ignore command, see the Cisco IOS
Intelligent Services Gateway Command Reference on Cisco.com.
Step 9 ignore server-key (Optional) Configure the switch to ignore the server-key.
For more information about the ignore command, see the Cisco IOS
Intelligent Services Gateway Command Reference on Cisco.com.
Step 10 authentication command bounce-port
ignore
(Optional) Configure the switch to ignore a CoA request to temporarily
disable the port hosting a session. The purpose of temporarily disabling
the port is to trigger a DHCP renegotiation from the host when a VLAN
change occurs and there is no supplicant on the endpoint to det ect the
change.
Step 11 authentication command disable-port
ignore
(Optional) Configure the switch to ignore a nonstandard command
requesting that the port hosting a session be administratively shut down.
Shutting down the port results in termination of the session.
Use standard CLI or SNMP commands to re-enable the port.
Step 12 end Return to privileged EXEC mode.