Access Security Guide K/KA/KB.15.15

<secondary-method>
Allows reauthentications to succeed when the RADIUS server is unavailable. Users
already authenticated retain their currently-assigned session attributes.
The primary methods for port-access authentication are local, chap-radius,
or eap-radius. The primary method for web-based or mac-based authentication
is chap-radius.
The secondary methods can be none, authorized, or cached-reauth.
Default secondary authentication for all types of port access: none.
Setting the time period to allow cached reauthentication
Syntax:
[no] aaa port-access <authenticator | web-based | mac-based>
port-list cached-reauth-period [1-2147483647]
Configures the period of time (in seconds) during which cached reauthentication
is allowed on the port.
Default: No limit is set.
Figure 136 Configuring the maximum number of consecutive cached reauthentications and setting
allowable time period
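Because no limit is set by default, a saved configuration is worth checking for ports that accept cached reauthentication with no cached-reauth-period. The following Python audit is an added example, not code from this guide or the vendor. It assumes running-config lines mirror the CLI syntax (`aaa authentication <type> <primary> <secondary>` and `aaa port-access <type> <port-list>` enable lines are assumptions), and the sample config is constructed.

```python
import re

# Constructed sample config; line shapes are assumed to mirror the CLI syntax.
SAMPLE_CONFIG = """\
aaa authentication port-access eap-radius cached-reauth
aaa authentication web-based chap-radius cached-reauth
aaa authentication mac-based chap-radius authorized
aaa port-access authenticator A1-A4
aaa port-access authenticator A1-A2 cached-reauth-period 3600
aaa port-access web-based B1,B3
aaa port-access mac-based C1
"""

# "aaa authentication port-access" governs the "authenticator" port type.
AUTH_TO_TYPE = {"port-access": "authenticator", "web-based": "web-based", "mac-based": "mac-based"}
AUTH_RE = re.compile(r"^aaa authentication (port-access|web-based|mac-based) (\S+)(?: (\S+))?$")
ITEM = r"[A-Za-z]*\d+(?:-[A-Za-z]*\d+)?"  # one port or one range, e.g. A1 or A1-A4
PORT_RE = re.compile(rf"^aaa port-access (authenticator|web-based|mac-based) ({ITEM}(?:,{ITEM})*)"
                     r"(?: cached-reauth-period (\d+))?$")

def expand_ports(port_list):
    """Expand 'A1-A3,B2' into ['A1', 'A2', 'A3', 'B2'] (same-prefix ranges only)."""
    ports = []
    for item in port_list.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)(?:-([A-Za-z]*)(\d+))?", item)
        if not m or m.group(3) not in (None, m.group(1)):
            raise ValueError(f"unsupported port item: {item!r}")
        first, last = int(m.group(2)), int(m.group(4) or m.group(2))
        ports += [f"{m.group(1)}{n}" for n in range(first, last + 1)]
    return ports

def unlimited_cached_reauth(config_text):
    """Return sorted (type, port) pairs where cached-reauth has no time limit."""
    cached_types, enabled, limited = set(), set(), set()
    for line in map(str.strip, config_text.splitlines()):
        if m := AUTH_RE.match(line):
            if m.group(3) == "cached-reauth":
                cached_types.add(AUTH_TO_TYPE[m.group(1)])
        elif m := PORT_RE.match(line):
            target = limited if m.group(3) else enabled
            target.update((m.group(1), p) for p in expand_ports(m.group(2)))
    return sorted(tp for tp in enabled - limited if tp[0] in cached_types)

if __name__ == "__main__":
    for port_type, port in unlimited_cached_reauth(SAMPLE_CONFIG):
        print(f"{port_type} port {port}: cached reauthentication allowed with no time limit")
```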
Enabling authorization to control access to CLI commands
To control access to the CLI commands, enter this command at the CLI.
Syntax:
[no] aaa authorization <commands> <radius | none>
Configures authorization for controlling access to CLI commands. When enabled,
the switch checks the list of commands supplied by the RADIUS server during user
authentication to determine if a command entered by the user can be executed.
radius:
The NAS requests authorization information from the RADIUS server. Authorization
rights are assigned by user or group.
none:
The NAS does not request authorization information.