Administrator Guide
Security Commands 874
Default Configuration
By default, no dynamic RADIUS servers are configured.
Command Mode
Global Configuration
User Guidelines
Confguring a dynamic RADIUS server causes the system to begin listening on
the default port 3799 for RADIUS CoA requests. The switch ensures that a
unique Acct-Session-Id and the Calling-Station-Id is sent to the RADIUS
server in all Access-Request packets. The Acct-Session-Id and Calling-
Station-Id identifiers are maintained in the switch. CoA-Request requests
must use the Acct-Session-Id or Calling-Station-Id or both for presentation to
the NAS for subsequent CoA requests.
This method terminates the session without disabling the port. The
termination may cause the host to attempt to re-authenticate on the port. If
an ACL was applied for the session (i.e., for MAB), the ACL is removed when
the session is terminated.
If a valid authenticated RFC 3575 Disconnect-Request request is received
from a configured server and the session cannot be found, the switch returns a
CoA-NAK message with the 503 Session Context Not Found response code.
If it expected that more than one session will authenticate over a port, use of
MAC based authentication is recommended. If MAC based authentication is
enabled, the user is denied access to the port even if a previous authentication
has occurred on the port.
Command History
Introduced in version 6.2.0.1 firmware.
Example
The following example configures RADIUS servers at 1.1.1.1, 2.2.2.2, and
3.3.3.3 and CoA clients at 4.4.4.4 and 5.5.5.5. It sets the front panel ports to
use 802.1x MAC-based authentication. CoA is configured for two dynamic
RADIUS servers located at 1.1.1.1 and 2.2.2.2 using a global shared secret and
a third server using a server specific shared secret. CoA and disconnect
requests are accepted from the CoA clients at 4.4.4.4 and 5.5.5.5. Any
2CSNXXX_SWUM204.book Page 874 Monday, January 25, 2016 1:25 PM