Cisco Catalyst 4500 Series Configuration Manual page 1078

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Controlling Switch Access with RADIUS
For example, this AV pair activates Cisco's multiple named IP address pools feature during IP
authorization (during PPP IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"
This example shows how to provide a user logging in from a switch with immediate access to privileged
EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
This example shows how to apply an input ACL in ASCII format to an interface for the duration of this
connection:
cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0"
cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any"
cisco-avpair= "mac:inacl#3=deny any any decnet-iv"
This example shows how to apply an output ACL in ASCII format to an interface for the duration of this
connection:
cisco-avpair= "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, see RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."
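The following is an added example, not part of the Cisco manual: a Python check that parses cisco-avpair strings like the ones above, reports accounts whose shell:priv-lvl exceeds a threshold, and lists each account's per-connection ACL lines in sequence order. The account names, the indented file layout, and the function names are assumptions; the "=" (mandatory) and "*" (optional) separators follow Cisco's AV-pair syntax.

```python
import re

# Constructed input: the AV pairs shown in this section, grouped under two
# hypothetical account names (the names and the file layout are assumptions).
SAMPLE = '''\
netops
    cisco-avpair= "shell:priv-lvl=15"
helpdesk
    cisco-avpair= "shell:priv-lvl=1"
    cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any"
    cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0"
    cisco-avpair= "mac:inacl#3=deny any any decnet-iv"
    cisco-avpair= "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
'''

LINE = re.compile(r'^\s+cisco-avpair\s*=\s*"([^"]*)"', re.I)
# [protocol:]attribute, then "=" (mandatory) or "*" (optional), then the value
PAIR = re.compile(r'^(?:([a-z0-9]+):)?([^=*]+)([=*])(.*)$', re.I)
ACL = re.compile(r'^(in|out)acl#(\d+)$', re.I)

def parse(text):
    """Return {account: [(protocol, attribute, separator, value), ...]}."""
    accounts, current = {}, None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():          # unindented line starts an account
            current = accounts.setdefault(raw.split()[0], [])
            continue
        m = LINE.match(raw)
        p = PAIR.match(m.group(1)) if m else None
        if p and current is not None:
            current.append(tuple(g.strip() if g else g for g in p.groups()))
    return accounts

def audit(accounts, max_priv=1):
    """Return (accounts above max_priv, per-account ACL lines sorted by #n)."""
    elevated, acls = {}, {}
    for name, pairs in accounts.items():
        for proto, attr, _sep, value in pairs:
            if proto == "shell" and attr == "priv-lvl":
                if not value.isdigit() or int(value) > max_priv:  # malformed is reported too
                    elevated[name] = value
            elif (a := ACL.match(attr)):
                acls.setdefault((name, a.group(1).lower()), []).append((int(a.group(2)), proto, value))
    return elevated, {key: sorted(lines) for key, lines in acls.items()}

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```

Running it against an export of the RADIUS user database shows which accounts land directly in privileged EXEC and which ACL lines each account receives, in the order given by the #n suffix.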
To configure the switch to recognize and use VSAs, perform these steps:
Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# radius-server vsa send [accounting | authentication]
Purpose: Enables the switch to recognize and use VSAs as defined by RADIUS IETF
attribute 26.
(Optional) Use the accounting keyword to limit the set of recognized
vendor-specific attributes to only accounting attributes.
(Optional) Use the authentication keyword to limit the set of
recognized vendor-specific attributes to only authentication attributes.
If you enter this command without keywords, both accounting and
authentication vendor-specific attributes are used.

Step 3
Command: Switch(config)# end
Purpose: Returns to privileged EXEC mode.

Step 4
Command: Switch# show running-config
Purpose: Verifies your settings.

Step 5
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.

Note
For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the
"RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide, Release 12.2 from the
Cisco.com page under Documentation > Cisco IOS Software > 12.2 Mainline > Command
References.

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
44-110
Chapter 44
Configuring 802.1X Port-Based Authentication
OL-25340-01
