Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 6 Administering the Switch
Controlling Switch Access with RADIUS
For example, the following AV pair activates Cisco's multiple named ip address pools feature during IP
authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example shows how to provide a user logging in from a switch with immediate access to
privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, refer to RFC 2138, “Remote Authentication Dial-In User Service
(RADIUS).”
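
As an added illustration (not part of the Cisco guide), the following Python example shows how a cisco-avpair string travels inside RADIUS IETF attribute 26 and how an auditor can flag a server reply that grants shell:priv-lvl=15. It relies on facts from outside this page (Cisco's vendor-ID 9, vendor type 1 for cisco-avpair, and `=` / `*` as the mandatory / optional separators); the function names and the sample user `alice` are constructed for the example.

```python
import struct

VENDOR_SPECIFIC = 26   # RADIUS IETF attribute 26 (Vendor-Specific)
CISCO_VENDOR_ID = 9    # Cisco's vendor-ID (not stated on this page)
CISCO_AVPAIR = 1       # vendor type 1 = cisco-avpair (not stated on this page)

def encode_cisco_avpair(avpair):
    """Build one attribute-26 TLV carrying a cisco-avpair string."""
    data = avpair.encode("ascii")
    if len(data) > 247:                   # 2 + 4 + 2 + 247 = 255-byte attribute limit
        raise ValueError("AV pair too long for a single attribute")
    body = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def parse_cisco_avpairs(attrs):
    """Walk attribute TLVs; return (protocol, attribute, value, mandatory) tuples."""
    pairs, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2 or not 2 <= attrs[i + 1] <= len(attrs) - i:
            raise ValueError("truncated or malformed attribute")
        a_type, a_len = attrs[i], attrs[i + 1]
        value, i = attrs[i + 2:i + a_len], i + a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue                      # not a VSA we can decode
        vendor, v_type, v_len = struct.unpack("!IBB", value[:6])
        if vendor != CISCO_VENDOR_ID or v_type != CISCO_AVPAIR:
            continue                      # another vendor's VSA
        if v_len < 2 or 4 + v_len > len(value):
            raise ValueError("bad vendor sub-attribute length")
        text = value[6:4 + v_len].decode("ascii")
        protocol, _, rest = text.partition(":")
        # "=" separates a mandatory pair, "*" an optional one
        seps = [p for p in (rest.find("="), rest.find("*")) if p >= 0]
        if not seps:
            continue                      # not in protocol:attribute=value form
        pos = min(seps)
        pairs.append((protocol, rest[:pos], rest[pos + 1:], rest[pos] == "="))
    return pairs

def grants_privileged_exec(attrs):
    """True if any AV pair is shell:priv-lvl=15 (immediate privileged EXEC)."""
    return any(p == "shell" and a == "priv-lvl" and v == "15"
               for p, a, v, _ in parse_cisco_avpairs(attrs))

# Constructed sample: User-Name (type 1) plus the two AV pairs shown on this page.
SAMPLE = (bytes([1, 7]) + b"alice"
          + encode_cisco_avpair("ip:addr-pool=first")
          + encode_cisco_avpair("shell:priv-lvl=15"))
```

Running `grants_privileged_exec` over the attribute bytes of each Access-Accept, or over the replies a RADIUS server is configured to send, lists the accounts that reach privilege level 15 at login.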
Beginning in privileged EXEC mode, follow these steps to configure the switch to recognize and use
VSAs:

| Step | Command | Purpose |
|------|---------|---------|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | radius-server vsa send [accounting \| authentication] | Enable the switch to recognize and use VSAs as defined by RADIUS IETF attribute 26. (Optional) Use the accounting keyword to limit the set of recognized vendor-specific attributes to only accounting attributes. (Optional) Use the authentication keyword to limit the set of recognized vendor-specific attributes to only authentication attributes. If you enter this command without keywords, both accounting and authentication vendor-specific attributes are used. |
| Step 3 | end | Return to privileged EXEC mode. |
| Step 4 | show running-config | Verify your settings. |
| Step 5 | copy running-config startup-config | (Optional) Save your entries in the configuration file. |

For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, refer
to the “RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide for Release 12.1.

Configuring the Switch for Vendor-Proprietary RADIUS Server Communication

Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the switch and the RADIUS server, some vendors have extended the RADIUS
attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS
attributes.

As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you
must specify the host running the RADIUS server daemon and the secret text string it shares with the
switch. You specify the RADIUS host and secret text string by using the radius-server global
configuration commands.