Cisco Systems 3560-X, 3750-X Default RADIUS Configuration, Identifying the RADIUS Server Host

10-27

Catalyst 3750-X and 3560-X Switch Software Configuration Guide

OL-21521-01

Chapter 10 Configuring Switch-Based Authentication Controlling Switch Access with RADIUS

Default RADIUS Configuration

RADIUS and AAA are disabled by default.

To prevent a lapse in security, you cannot configure RADIUS through a network management

application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.

Identifying the RADIUS Server Host

Switch-to-RADIUS-server communication involves several components:

• Hostname or IP address

• Authentication destination port

• Accounting destination port

• Key string

• Timeout period

• Retransmission value

You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port

numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the

UDP port number creates a unique identifier, allowing different ports to be individually defined as

RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be

sent to multiple UDP ports on a server at the same IP address.

If two different host entries on the same RADIUS server are configured for the same service—for

example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using

this example, if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD

message appears, and then the switch tries the second host entry configured on the same device for

accounting services. (The RADIUS host entries are tried in the order that they are configured.)

A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange

responses. To configure RADIUS to use the AAA security commands, you must specify the host running

the RADIUS server daemon and a secret text (key) string that it shares with the switch.

The timeout, retransmission, and encryption key values can be configured globally for all RADIUS

servers, on a per-server basis, or in some combination of global and per-server settings. To apply these

settings globally to all RADIUS servers communicating with the switch, use the three unique global

configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To

apply these values on a specific RADIUS server, use the radius-server host global configuration

command.

Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on

the switch, the per-server timer, retransmission, and key value commands override global timer,

retransmission, and key value commands. For information on configuring these settings on all RADIUS

servers, see the “Configuring Settings for All RADIUS Servers” section on page 10-35.

You can configure the switch to use AAA server groups to group existing server hosts for authentication.

For more information, see the “Defining AAA Server Groups” section on page 10-31.