Users Guide

Authentication, Authorization, and Accounting
Combined RADIUS, CoA, MAB and 802.1x Example
The following example configures RADIUS in conjunction with IEEE 802.1X
to provide network access to switch clients.
1. Enable 802.1x:
console#config
console(config)#dot1x system-auth-control
2. Configure 802.1x clients to use RADIUS services:
console(config)#aaa authentication dot1x default radius
3. Enable CoA for RADIUS:
console(config)#aaa server radius dynamic-author
4. Configure the remote RADIUS server for CoA requests at 10.130.191.89
with “shared secret” as the key:
console(config-radius-da)#client 10.130.191.89 server-key "shared secret"
5. Specify that any CoA request with a matching key identifies a client:
console(config-radius-da)#auth-type any
console(config-radius-da)#exit
6. Configure a group of RADIUS clients (switches) to appear as a single large
RADIUS client (by using the same NAS-IP-Address):
console(config)#radius server attribute 4 10.130.65.4
7. Specify that the RADIUS server for host authentication/network access is
located at 10.130.191.89:
console(config)#radius server auth 10.130.191.89
console(config-auth-radius)#name Default-RADIUS-Server
8. Configure the RADIUS shared secret as “shared secret”:
console(config-auth-radius)#key "shared secret"
console(config-auth-radius)#exit
9. Configure Gi1/0/7 to use MAC-based authentication. This allows multiple
hosts sharing the same network port to be individually allowed or denied
access to network resources. CoA requests to terminate a host session can
be issued by the RADIUS server. This means that if the RADIUS server
terminates the host session and subsequently refuses to authorize the host
(based upon the MAC address), the host is denied access to the network:
console(config)#interface Gi1/0/7
console(config-if-Gi1/0/7)#dot1x port-control mac-based
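
How the key from steps 4 and 8 authenticates a CoA request, as an added example that is not from this guide or the switch firmware: a Disconnect-Request is built and then checked with the Request Authenticator calculation defined in RFC 5176. The host MAC address, the packet identifier and all function names are constructed for illustration, and the sketch assumes the receiver follows the RFC.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 5176 packet code
NAS_IP_ADDRESS = 4        # the "attribute 4" set in step 6
CALLING_STATION_ID = 31   # carries the host MAC of the session to end


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def request_authenticator(code, ident, attrs, secret):
    """MD5(code + id + length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_disconnect_request(ident, nas_ip, mac, secret):
    """The packet a RADIUS server sends to end one host's session."""
    attrs = attr(NAS_IP_ADDRESS, bytes(map(int, nas_ip.split("."))))
    attrs += attr(CALLING_STATION_ID, mac.encode("ascii"))
    auth = request_authenticator(DISCONNECT_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs


def verify_request(packet, secret):
    """Receiver's check: recompute the authenticator with the local key."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values; the MAC address is made up.
SECRET = b"shared secret"
PACKET = build_disconnect_request(1, "10.130.65.4", "00-11-22-33-44-55", SECRET)
TAMPERED = PACKET[:-1] + b"6"   # same packet with the last MAC digit altered

if __name__ == "__main__":
    print("matching key:", verify_request(PACKET, SECRET))
    print("wrong key:   ", verify_request(PACKET, b"other secret"))
    print("altered MAC: ", verify_request(TAMPERED, SECRET))
```

The key is the only input to the check that is not carried in the packet itself, so the placeholder value “shared secret” should be replaced with a long random key on both the switch and the RADIUS server.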