Cisco Systems ME3400G2CSA Configuring the Switch-to-RADIUS-Server Communication

8-12

Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide

78-17058-01

Chapter8 Configuring IEEE 802.1x Port-Based Authentication

Configuring IEEE 802.1x Authentication

Configuring the Switch-to-RADIUS-Server Communication

RADIUS security servers are identified by their hostname or IP address, hostname and specific UDP port

numbers, or IP address and specific UDP port numbers. The combination of the IP add ress and UDP port

number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on

a server at the same IP address. If two different host entries on the sa me RADIUS s er ver are configured

for the same service—for example, authentication—the second host entry configured acts a s the fail-o ver

backup to the first one. The RADIUS host entries are tried in the order that they were configured.

Beginning in privileged EXEC mode, follow these steps to conf igur e the RADIUS s erv er par ameter s on

the switch. This procedure is required.

Step5 aaa authorization network {default}

group radius (Optional) Configure the switch for user RADIUS authorization for all

network-related service requests, such as VLAN assignment.

Step6 interface interface-id Specify the port connected to the client that is to be enabled for IEEE

802.1x authentication, and enter interface configuration mode.

Step7 dot1x port-control auto Enable IEEE 802.1x authentication on the port.

For feature interaction information, see the “IEEE 802.1x Configuration

Guidelines” section on page8-10.

Step8 end Return to privileged EXEC mode.

Step9 show dot1x Verify your entries.

Step10 copy running-config startup-config (Optional) Save your entries in the configuration file.

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 radius-server host {hostname |

ip-address} auth-port port-number key

string

Configure the RADIUS server parameters.

For hostname | ip-address, specify the hostname or IP address of the

remote RADIUS server.

For auth-port port-number, specify the UDP destination port for

authentication requests. The default is 1812. The range is 0 to 65536.

For key string, specify the authentication and encryption key used

between the switch and the RADIUS daemon running on the RADIUS

server. The key is a text string that must match the encryption key used on

the RADIUS server.

Note Always configure the key as the last item in the radius-server

host command syntax because leading spaces are ignored, but

spaces within and at the end of the key are used. If you u se sp aces

in the key, do not enclose the key in quotation marks unless the

quotation marks are part of the key. This key must match the

encryption used on the RADIUS daemon.

If you want to use multiple RADIUS servers, re-enter this command.

Step3 end Return to privileged EXEC mode.