Configuration Guide
Page 225
...-the second host entry configured acts as RADIUS hosts providing a specific AAA service. OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 9-21 Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with the switch, use the three unique global configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To configure RADIUS to be individually defined as a fail-over...
Configuration Guide
Page 226
...specific RADIUS host. Controlling Switch Access with RADIUS Chapter 9 Configuring Switch-Based Authentication Beginning in privileged EXEC mode, follow these steps to 1000. If no timeout is set with the radius-server host command, the setting of the radius-server retransmit global configuration command ...radius-server host command. Note The key is a text string that server is required. To configure the switch to a server if that must match the encryption key used. Verify your entries. (Optional) Save your key, do not enclose the key in the configuration file. 9-22 Catalyst...
Configuration Guide
Page 227
...list of authentication to be queried to configure one or more information, see the RADIUS server documentation. if that have a named method list explicitly defined. Step 1 Step 2 Command configure terminal aaa new-model Purpose Enter global configuration mode. This example shows ...). Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with a listed authentication method or until there is successful communication with RADIUS To remove the specified RADIUS server, use the default ports for both the server and the switch. For more security protocols...
Configuration Guide
Page 228
... of these methods: - line-Use the line password for authentication. Controlling Switch Access with the aaa authentication login command. The default method list is not specified in the database by using the...enable password by using the enable password global configuration command. - Before you can use this authentication method, you must configure the RADIUS server. group radius-Use RADIUS authentication. Before you can use this authentication method, ... in the configuration file. 9-24 Catalyst 3750 Switch Software Configuration Guide OL-8550-02
Configuration Guide
Page 229
... server group server configuration command to be individually defined as a fail-over backup to the first one. Note To secure the switch for example, accounting), the second configured host entry acts as RADIUS hosts providing a specific AAA service. OL-8550-02 Catalyst ...{default | list-name} method1 [method2...] global configuration command. Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with a defined group server. Defining AAA Server Groups You can include multiple host entries for the same server if each entry has a unique identifier (the combination ...
Configuration Guide
Page 230
...and encryption key values to use spaces in your entries. 9-26 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 This command puts the switch in the radius-server host command. Return to privileged EXEC mode. Leading spaces are ignored, but ... and encryption key used. Controlling Switch Access with RADIUS Chapter 9 Configuring Switch-Based Authentication Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it: Step 1 Step 2 Command configure terminal radius-server host {hostname | ip-address...
Configuration Guide
Page 231
...switch uses information retrieved from the configuration list, use the no aaa group server radius group-name global configuration command. Enable RADIUS login authentication. OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 9-27 The second host entry acts as ... Controlling Switch Access with the radius keyword to set parameters that restrict a user's network access to recognize two different RADIUS group servers (group1 and group2). To remove the specified RADIUS server, use the aaa authorization global configuration command with RADIUS Step 8 Step 9 Command copy...
Configuration Guide
Page 233
...-specific information between the switch and all RADIUS servers: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Command configure terminal radius-server key string radius-server retransmit retries radius-server timeout seconds radius-server deadtime minutes end show running-config copy running...RADIUS server. Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access with this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair= "ip:addr-pool=first" OL-8550-02 Catalyst...
Configuration Guide
Page 234
... to only authentication attributes. Controlling Switch Access with RADIUS Chapter 9 Configuring Switch-Based Authentication This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair= "shell:priv-lvl=15" This example shows how to specify an authorized VLAN in the RADIUS server database: cisco-avpair= "tunnel-type(#64...
Configuration Guide
Page 235
... using the radius-server global configuration commands. To delete the vendor-proprietary RADIUS host, use the show running-config copy running-config privileged EXEC command. Verify your settings. (Optional) Save your key, do not enclose the key in privileged EXEC mode, follow these steps to privileged EXEC mode. Chapter 9 Configuring Switch-Based Authentication Controlling Switch Access...
Configuration Guide
Page 262
...whether the connectivity to the RADIUS server is re-established by sending an EAPOL frame when the port link state changes to the up to down, and the port returns to the IEEE 802.1x-enabled switch port. If the port becomes 10-8 Catalyst 3750 Switch Software Configuration ...clients to be granted network access. If IP connectivity to the RADIUS server is interrupted because the switch that was connected to the server is attempted. If the switch that do not have periodic re-authentication enabled remain in a wireless LAN. In this mode, only one client can resend the request. ...
Configuration Guide
Page 264
...VLAN configured on this port belong to configure the switch port. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.2 at this VLAN. The RADIUS server database maintains the username-to-VLAN mappings, assigning the VLAN based on the username of ...Dynamic Host Control Protocol (DHCP) binding exists for certain users. 10-10 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 However, with Cisco IOS Release 12.1(14)EA1 and later releases, the switch supports IEEE 802.1x authentication with VLAN Assignment Before Cisco IOS Release...
Configuration Guide
Page 273
... For more information about these tasks: • Download the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute[29]) from the authentication server. • Set the number of seconds between re-authentication attempts as ...RADIUS-Request, the re-authentication process starts. • View the NAC posture token, which checks the antivirus condition or posture of the client, by using the show dot1x privileged EXEC command. If the value is configured. Using Network Admission Control Layer 2 IEEE 802.1x Validation In Cisco...
Configuration Guide
Page 278
... authentication on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which IEEE... changes, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after the....1x authentication is equal to a voice VLAN. 10-24 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 If the VLAN...LAN Services (TLS) and EAP-MD5 and your switch is running Cisco IOS Release 12.1(14)EA1, make sure that the device is running the Cisco Access Control Server...
Configuration Guide
Page 279
... to re-authenticate a critical port in a restricted VLAN and all the RADIUS servers are the same as an IEEE 802.1x guest VLAN. Decrease the settings for DHCP and... • When configuring the inaccessible authentication bypass feature, follow these guidelines: - OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 10-25 If the Windows XP client is configured for the... 802.1x authentication process (dot1x timeout quiet-period and dot1x timeout tx-period interface configuration commands). If the switch tries to decrease the settings depends on internal VLANs (routed ports) ...
Configuration Guide
Page 280
...Cisco IOS Release 12.2(25)SEE, the implementation for IEEE 802.1x authentication changed from the previous releases. This is the IEEE 802.1x AAA process: Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 A user connects to authenticate a user. Re-authentication is based on the RADIUS server.... The switch sends a start message to the accounting server. 10-26 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 Some global configuration commands became interface configuration commands, and new commands were added. If IEEE 802.1x authentication was running ...
Configuration Guide
Page 281
...port-based authentication: Step 1 Step 2 Step 3 Command configure terminal aaa new-model aaa authentication dot1x {default} method1 Step 4 Step 5 dot1x system-auth-control aaa authorization network {default} group radius Step 6 radius-server host ip-address Step 7 radius-server key string Step 8 interface interface-id Step 9 .... If two different host entries on the same RADIUS server are visible in the configuration file. To create a default list that is used in Step 6 and Step 7. OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 10-27 Note Though...
Configuration Guide
Page 282
..., see the RADIUS server documentation. 10-28 Catalyst 3750 Switch Software Configuration Guide OL-8550-02 radius-server host {hostname | Configure the RADIUS server parameters. For key string, specify the authentication and encryption key used on page 9-29. If you use multiple RADIUS servers, re-enter this command. To delete the specified RADIUS server, use the radius-server timeout, radius-server retransmit, and the radius-server key global...
Configuration Guide
Page 283
...procedure is set to privileged EXEC mode. Step 1 Step 2 Command configure terminal radius-server vsa send authentication Step 3 interface interface-id Step 4 dot1x host... phone (Cisco or non-Cisco), to recognize and use the no dot1x host-mode multi-host interface configuration command. Note You...command set is set to allow a single host (client) on the port: Switch(config)# interface gigabitethernet3/0/1 Switch(config-if)# dot1x port-control auto Switch(config-if)# dot1x host-mode multi-domain Switch(config-if)# switchport voice vlan 101 Switch(config-if)# end OL-8550-02 Catalyst...
Configuration Guide
Page 287
... and authentication servers. the default is optional. OL-8550-02 Catalyst 3750 Switch Software Configuration Guide 10-33 To return to privileged EXEC mode. If the switch does not receive the accounting response message from this AAA client" in your RADIUS server Network Configuration tab....1x accounting allows system reload events to be sent to the accounting RADIUS server for unusual circumstances such as logging start, stop message is 0 to 10; This procedure is 2. Step 1 Step 2 Step 3 Command configure terminal interface interface-id dot1x max-reauth-req count Step 4 ...