Cisco Systems IE3010 Configuring the Inaccessible Authentication Bypass Feature

10-54

Cisco IE 3010 Switch Software Configuration Guide

OL-23145-01

Chapter 10 Configuring IEEE 802.1x Port-Based Authentication

Configuring 802.1x Authentication

Configuring the Inaccessible Authentication Bypass Feature

You can configure the inaccessible bypass feature, also referred to as critical authentication or the AAA

fail policy.

Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable

the inaccessible authentication bypass feature. This procedure is optional.

Command Purpose

Step 1 configure terminal Enter global configuration mode.

Step 2 radius-server dead-criteria

time time tries tries

(Optional) Set the conditions that are used to decide when a RADIUS server is

considered unavailable or dead.

The range for time is fr om 1 to 120 seconds. The switch dynamically determines the

default seconds value that is 10 to 60 seconds.

The range for tries is from 1 to 100. The switch dynamically determines the default

tries parameter that is 10 to 100.

Step 3 radius-server deadtime

minutes

(Optional) Set the number of minutes that a RADIUS server is not sent requests. The

range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.

Step 4 radius-server host

ip-address [acct-port

udp-port] [auth-port

udp-port] [test username

name [idle-time time]

[ignore-acct-port]

[ignore-auth-port]] [key

string]

(Optional) Configure the RADIUS server parameters by using these keywords:

• acct-port udp-port—Specify the UDP port for the RADIUS accounting server.

The range for the UDP port number is from 0 to 65536. The default is 1646.

• auth-port udp-port—Specify the UDP port for the RADIUS authentication

server. The range for the UDP port number is from 0 to 65536. The default is

1645.

Note You should configure the UDP port for the RADIUS accounting server and

the UDP port for the RADIUS authentication server to nondefault values.

• test username name—Enable automated testing of the RADIUS server status,

and specify the username to be used.

• idle-time time—Set the interval of time in minutes after which the switch sends

test packets to the server. The range is from 1 to 35791 minutes. The default is

60 minutes (1 hour).

• ignore-acct-port—Disable testing on the RADIUS-server accounting port.

• ignore-auth-port—Disable testing on the RADIUS-server authentication port.

• key string—Specify the authentication and encryption key for all RADIUS

communication between the switch and the RADIUS daemon.

Note Always configure the key as the last item in the radius-server host

command syntax because leading spaces are ignored, but spaces within and

at the end of the key are used. If you use spaces in the key, do not enclose

the key in quotation marks unless the quotation marks are part of t he key.

This key must match the encryption used on the RADIUS dae mon.

You can also configure the authentication and encryption key by using the

radius-server key {0 string | 7 string | string} global configuration command.