Administrator Guide

Security Commands
Example
The following example configures RADIUS servers at 1.1.1.1, 2.2.2.2, and
3.3.3.3 and CoA clients at 3.3.3.3, 4.4.4.4, and 5.5.5.5. It sets the front panel
ports to use 802.1x MAC-based authentication. CoA is configured for two
RADIUS servers located at 1.1.1.1 and 2.2.2.2 using a global shared secret and
a third server using a server-specific shared secret. CoA and disconnect
requests are accepted from these servers. Any authentication type is allowed
for CoA and disconnect requests.
console#configure terminal
console(config)# aaa new-model
console(config)# aaa authentication dot1x default radius
console(config)# dot1x system-auth-control
console(config)# interface range gi1/0/1-24
console(config-if)# dot1x port-control mac-based
console(config-if)# exit
console(config)# radius-server host 1.1.1.1
console(Config-radius)#primary
console(Config-radius)#exit
console(config)# radius-server host 2.2.2.2
console(Config-radius)#exit
console(config)# radius-server host 3.3.3.3
console(Config-radius)#key "That's your secret."
console(Config-radius)#exit
console(config)# radius-server key "Keep it. Keep it."
console(config)# aaa server radius dynamic-author
console(config-radius-da)# client 3.3.3.3 server-key 0 "That's your secret."
console(config-radius-da)# client 4.4.4.4
console(config-radius-da)# client 5.5.5.5
console(config-radius-da)# server-key 0 "Keep it. Keep it."
console(config-radius-da)# port 3799
console(config-radius-da)# auth-type any
console(config-radius-da)# exit
console(config)#dot1x system-auth-control
console(config)#dot1x initialize
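The server-key settings above decide which CoA and disconnect requests authenticate. The following added example (not from this guide or the switch firmware) models the RFC 5176 Request Authenticator check in Python. The key table mirrors the sample configuration; the function names, the assumption that the key is the quoted text as ASCII bytes, and the Calling-Station-Id sample attribute are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Keys as in the sample configuration: 3.3.3.3 has a client-specific
# server-key; the other listed clients fall back to the global server-key.
GLOBAL_KEY = b"Keep it. Keep it."
CLIENT_KEYS = {"3.3.3.3": b"That's your secret.", "4.4.4.4": None, "5.5.5.5": None}
COA_REQUEST, DISCONNECT_REQUEST = 43, 40  # RFC 5176 packet codes

# Constructed sample attribute: Calling-Station-Id (type 31) with a made-up MAC.
MAC = b"00-11-22-33-44-55"
SAMPLE_ATTRS = bytes([31, 2 + len(MAC)]) + MAC


def key_for(client_ip):
    """Return the shared secret for a dynamic-author client, or None if unlisted."""
    if client_ip not in CLIENT_KEYS:
        return None
    return CLIENT_KEYS[client_ip] or GLOBAL_KEY


def request_authenticator(code, ident, attrs, secret):
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """Assemble a CoA or Disconnect request as a dynamic-author client would."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs


def accept_request(client_ip, packet):
    """Model of the NAS-side check: listed client, valid code, valid authenticator."""
    secret = key_for(client_ip)
    if secret is None or len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (COA_REQUEST, DISCONNECT_REQUEST) or length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])
```

The only integrity protection on these requests is MD5 keyed with the shared secret, so a request signed with the global key is rejected for 3.3.3.3 and a request from an address not listed as a client is rejected regardless of key.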
ignore
Use this command to set the switch to ignore certain authentication
parameters from dynamic RADIUS clients. Use the no form of the command
to restore checking of the specific authentication parameters as configured by
the auth-type command.
2CSNXXX_SWUM204.book Page 984 Monday, January 25, 2016 1:25 PM