IBM 12.1(22)EA6 User Manual
5-28
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 5 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings
between the switch and all RADIUS servers:
between the switch and all RADIUS servers:
To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these
commands.
commands.
Configuring the Switch to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating
vendor-specific information between the switch and the RADIUS server by using the vendor-specific
attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended
attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific
option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported
option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:
vendor-specific information between the switch and the RADIUS server by using the vendor-specific
attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended
attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific
option by using the format recommended in the specification. Cisco’s vendor-ID is 9, and the supported
option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and
value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep
is = for mandatory attributes and is * for optional attributes. The full set of features available for
TACACS+ authorization can then be used for RADIUS.
value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep
is = for mandatory attributes and is * for optional attributes. The full set of features available for
TACACS+ authorization can then be used for RADIUS.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
radius-server key string
Specify the shared secret text string used between the switch and all
RADIUS servers.
RADIUS servers.
Note
The key is a text string that must match the encryption key used on
the RADIUS server. Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use spaces in your key, do
not enclose the key in quotation marks unless the quotation marks
are part of the key.
the RADIUS server. Leading spaces are ignored, but spaces within
and at the end of the key are used. If you use spaces in your key, do
not enclose the key in quotation marks unless the quotation marks
are part of the key.
Step 3
radius-server retransmit retries
Specify the number of times the switch sends each RADIUS request to the
server before giving up. The default is 3; the range 1 to 1000.
server before giving up. The default is 3; the range 1 to 1000.
Step 4
radius-server timeout seconds
Specify the number of seconds a switch waits for a reply to a RADIUS
request before resending the request. The default is 5 seconds; the range is
1 to 1000.
request before resending the request. The default is 5 seconds; the range is
1 to 1000.
Step 5
radius-server deadtime minutes
Specify the number of minutes a RADIUS server, which is not responding
to authentication requests, to be skipped, thus avoiding the wait for the
request to timeout before trying the next configured server. The default is
0; the range is 1 to 1440 minutes.
to authentication requests, to be skipped, thus avoiding the wait for the
request to timeout before trying the next configured server. The default is
0; the range is 1 to 1440 minutes.
Step 6
end
Return to privileged EXEC mode.
Step 7
show running-config
Verify your settings.
Step 8
copy running-config startup-config
(Optional) Save your entries in the configuration file.