31-16
Software Configuration Guide—Release 12.2(25)EW
OL-6696-01
Chapter 31 Understanding and Configuring 802.1X Port-Based Authentication
How to Configure 802.1X
To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global
configuration command.
This example shows how to specify the server with IP address 172.20.39.46 as the RADIUS server. The
first command specifies port 1612 as the authorization port, sets the encryption key to rad123. The
second command dictates that key matches will be performed on the RADIUS server:
Switch(config)# radius-server host 172.l20.39.46 auth-port 1612 key rad123
Switch(config)# ip radius source-interface m/p
You can globally configure the timeout, retransmission, and encryption key values for all RADIUS
servers by using the radius-server host global configuration command. If you want to configure these
options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the
radius-server key global configuration commands.
You also need to configure some settings on the RADIUS server. These settings include the IP address
of the switch and the key string to be shared by both the server and the switch.
Refer to the following Cisco IOS security documentation for information on how to configure AAA
system accounting:
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
• http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm
Enabling 802.1X Accounting
Note If you plan to implement system-wide accounting, you should also configure 802.1X accounting.
Moreover, you need to inform the accounting server of the system reload event when the system is
reloaded. Doing this, ensures that the accounting server knows that all outstanding 802.1X sessions on
this system are closed.
Once you configure 802.1X authentication and switch-to-RADIUS server communication, perform this
task to enable 802.1X accounting:
Command Purpose
Step 1
Switch # configure terminal
Enters global configuration mode.
Step 2
Switch(config)# aaa accounting
dot1x default start-stop group
radius
Enables 802.1X accounting, using the list of all RADIUS servers.
Step 3
Switch(config)# clock timezone
PST -8
Sets the time zone for the accounting event-time stamp field.
Step 4
Switch(config)# clock
calendar-valid
Enables the date for the accounting event-time stamp field.
Step 5
Switch(config-if)# aaa accounting
system default start-stop group
radius
(Optional) Enables system accounting (using the list of all RADIUS
servers) and generates system accounting reload event messages when the
switch reloads.
Step 6
Switch(config-if)# end
Returns to privileged EXEC mode.
Step 7
Switch # show running-config
Verifies your entries.
Step 8
Switch # copy running-config
startup-config
(Optional) Saves your entries in the configuration file.
To Next Page
Loading...
Need help?
General
