Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 9 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address}
non-standard global configuration command. To disable the key, use the no radius-server key global
configuration command.
This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124
between the switch and the server:
Switch(config)# radius-server host 172.20.30.15 nonstandard
Switch(config)# radius-server key rad124
Configuring CoA on the Switch
Beginning in privileged EXEC mode, follow these steps to configure CoA on a switch. This procedure
is required.
Command and Purpose

Step 1: configure terminal
    Enter global configuration mode.

Step 2: aaa new-model
    Enable AAA.

Step 3: aaa server radius dynamic-author
    Configure the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server.

Step 4: client {ip-address | name} [vrf vrfname] [server-key string]
    Enter dynamic authorization local server configuration mode and specify a RADIUS client from which the switch will accept CoA and disconnect requests. Requests from any other source are not accepted.

Step 5: server-key [0 | 7] string
    Configure the RADIUS key to be shared between the switch and the RADIUS clients. A key given on the client command in Step 4 applies to that client only and takes precedence over this one.

Step 6: port port-number
    Specify the UDP port on which the switch listens for RADIUS CoA and disconnect requests from the configured RADIUS clients.

Step 7: auth-type {any | all | session-key}
    Specify how the switch matches a CoA or disconnect request to a session. With all, the client must match all the configured attributes for authorization; with any, a match on any one of them is sufficient; with session-key, the session-key attribute must match.

Step 8: ignore session-key
    (Optional) Configure the switch to ignore the session-key.
    For more information about the ignore command, see the on Cisco.com.

Step 9: ignore server-key
    (Optional) Configure the switch to ignore the server-key.
    For more information about the ignore command, see the on Cisco.com.

Step 10: authentication command bounce-port ignore
    (Optional) Configure the switch to ignore a CoA request to temporarily disable the port hosting a session. The purpose of temporarily disabling the port is to trigger a DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to detect the change.

Step 11: authentication command disable-port ignore
    (Optional) Configure the switch to ignore a nonstandard command requesting that the port hosting a session be administratively shut down. Shutting down the port results in termination of the session. Use standard CLI or SNMP commands to re-enable the port.

Step 12: end
    Return to privileged EXEC mode.