9-39
Catalyst 3750 SwitchSoftware Configuration Guide
OL-8550-09
Chapter9 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
Configuring CoA on the Switch
Beginning in privileged EXEC mode, follow these steps to configure CoA on a switch. This procedure
is required.
To disable AAA, use the no aaa new-model global configuration command. To disable the AAA server
functionality on the switch, use the no aaa server radius dynamic authorization global configuration
command.
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 aaa new-model Enable AAA.
Step3 aaa server radius dynamic-author Configure the switch as an authentication, authorization, and accounting
(AAA) server to facilitate interaction with an external policy server.
Step4 client {ip-address | name} [vrf vrfname]
[server-key string]
Enter dynamic authorization local server configuration mode and specify
a RADIUS client from which a device will accept CoA and disconnect
requests.
Step5 server-key [0 | 7] string Configure the RADIUS key to be shared between a device and RADIUS
clients.
Step6 port port-number Specify the port on which a device listens for RADIUS requests from
configured RADIUS clients.
Step7 auth-type {any | all | session-key} Specify the type of authorization the switch uses for RADIUS clients.
The client must match all the configured attributes for authorization.
Step8 ignore session-key (Optional) Configure the switch to ignore the session-key.
For more information about the ignore command, see the Cisco IOS
Intelligent Services Gateway Command Reference on Cisco.com.
Step9 ignore server-key (Optional) Configure the switch to ignore the server-key.
For more information about the ignore command, see the Cisco IOS
Intelligent Services Gateway Command Reference on Cisco.com.
Step10 authentication command bounce-port
ignore
(Optional) Configure the switch to ignore a CoA request to temporarily
disable the port hosting a session. The purpose of temporarily disabling
the port is to trigger a DHCP renegotiation from the host when a VLAN
change occurs and there is no supplicant on the endpoint to detect the
change.
Step11 authentication command disable-port
ignore
(Optional) Configure the switch to ignore a nonstandard command
requesting that the port hosting a session be administratively shut down.
Shutting down the port results in termination of the session.
Use standard CLI or SNMP commands to re-enable the port.
Step12 end Return to privileged EXEC mode.
Step13 show running-config Verify your entries.
Step14 copy running-config startup-config (Optional) Save your entries in the configuration file.