8-30
Catalyst 2960 Switch SoftwareConfiguration Guide
78-16881-01
Chapter8 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
This example shows how to provide a user logging in from a switch with immediate access to privileged
EXEC commands:
cisco-avpair= ”shell:priv-lvl=15“
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= ”tunnel-type(#64)=VLAN(13)”
cisco-avpair= ”tunnel-medium-type(#65)=802 media(6)”
cisco-avpair= ”tunnel-private-group-ID(#81)=vlanid”
This example shows how to apply an input ACL in ASCII format to an interface for the duration of this
connection:
cisco-avpair= “ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0”
cisco-avpair= “ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any”
cisco-avpair= “mac:inacl#3=deny any any decnet-iv”
This example shows how to apply an output ACL in ASCII format to an interface for the duration of this
connection:
cisco-avpair= “ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any”
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”
Beginning in privileged EXEC mode, follow these steps to configure the switch to recognize and use
VSAs:
For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the
“RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2.
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for commu nicating vendor-proprietary
information between the switch and the RADIUS server, some vendors have extended the RADIUS
attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS
attributes.
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 radius-server vsa send [accounting |
authentication]
Enable the switch to recognize and use VSAs as defined by RADIUS IETF
attribute 26.
(Optional) Use the accounting keyword to limit the set of recognized
vendor-specific attributes to only accounting attributes.
(Optional) Use the authentication keyword to limit the set of
recognized vendor-specific attributes to only authentication attributes.
If you enter this command without keywords, both accounting and
authentication vendor-specific attributes are used.
Step3 end Return to privileged EXEC mode.
Step4 show running-config Verify your settings.
Step5 copy running-config startup-config (Optional) Save your entries in the configuration file.