Administrator Guide

Authentication, Authorization, and Accounting
Combined RADIUS, CoA, MAB and 802.1x Example
The following example configures RADIUS in conjunction with IEEE 802.1X
to provide network access to switch clients.
1. Enable 802.1x:
console#config
console(config)#dot1x system-auth-control
2. Configure 802.1x clients to use RADIUS services:
console(config)#aaa authentication dot1x default radius
3. Enable CoA for RADIUS:
console(config)#aaa server radius dynamic-author
4. Configure the remote RADIUS server for CoA requests at 10.130.191.89
with “shared secret” as the key:
console(config-radius-da)#client 10.130.191.89 server-key "shared secret"
5. Specify that any CoA with a matching key identifies a client:
console(config-radius-da)#auth-type any
console(config-radius-da)#exit
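How a "matching key" authenticates a CoA or Disconnect-Request, shown as an added example that is not part of the original guide or the switch firmware. It assumes the RFC 5176 Request Authenticator (MD5 over the packet with a zeroed authenticator field plus the shared secret); the function names, the MAC address and the packet ID are constructed for illustration.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST = 40   # RFC 5176 packet codes
COA_REQUEST = 43
CALLING_STATION_ID = 31   # attribute that carries the host MAC address

def _attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _authenticator(code, ident, attrs, secret):
    """MD5(Code | ID | Length | 16 zero octets | attributes | secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(code, ident, mac, secret):
    """Build a request as the RADIUS server at 10.130.191.89 would send it."""
    attrs = _attr(CALLING_STATION_ID, mac.encode())
    auth = _authenticator(code, ident, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_request(packet, secret):
    """Return True only for a well-formed Disconnect/CoA request whose
    Request Authenticator was computed with the configured shared secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    if length < 20 or length > len(packet):
        return False          # truncated or malformed: discard
    attrs = packet[20:length]
    expected = _authenticator(code, ident, attrs, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values (the key is the guide's placeholder)
SECRET = b"shared secret"
SAMPLE = build_request(DISCONNECT_REQUEST, 7, "00-11-22-33-44-55", SECRET)

if __name__ == "__main__":
    print("valid key:", verify_request(SAMPLE, SECRET))
    print("wrong key:", verify_request(SAMPLE, b"other secret"))
    print("tampered :", verify_request(SAMPLE[:-1] + b"6", SECRET))
```

The shared key is the only thing that authenticates these requests, so the placeholder value “shared secret” stands in for a long, random key in a real deployment.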
6. Configure a group of RADIUS clients (switches) to act as a single large
RADIUS client by setting RADIUS attribute 4 (NAS-IP-Address) to 10.130.65.4:
console(config)#radius-server attribute 4 10.130.65.4
7. Specify that the RADIUS server for host authentication/network access is
located at 10.130.191.89:
console(config)#radius-server host auth 10.130.191.89
8. Name the RADIUS server:
console(config-auth-radius)#name "Default-RADIUS-Server"
9. Configure the RADIUS shared secret as “shared secret”:
console(config-auth-radius)#key "shared secret"
console(config-auth-radius)#exit
10. Configure Gi1/0/7 to use MAC-based authentication. This allows multiple
hosts sharing the same network port to be individually allowed or denied
access to network resources. CoA requests to terminate a host session can
be issued by the RADIUS server. This means that if the RADIUS server
terminates the host session and subsequently refuses to authorize the host
(based upon the MAC address), the host is denied access to the network: