Cisco Catalyst 3560-X Software Configuration Manual page 352

Configuring 802.1x Authentication
Beginning in privileged EXEC mode, follow these steps to configure the port as a critical port and enable
the inaccessible authentication bypass and critical voice VLAN features.
Command
Step 1 configure terminal
Step 2
radius-server dead-criteria
time time tries tries
Step 3 radius-server deadtime
minutes
Step 4
radius-server host ip-address
[acct-port udp-port] [auth-port
udp-port][test username name
[idle-time time]
[ignore-acct-port]
[ignore-auth-port]] [key
string]
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
1-64
Purpose
Enter global configuration mode.
(Optional) Set the conditions that are used to decide when a RADIUS server is
considered unavailable or dead.
The range for time is from 1 to 120 seconds. The switch dynamically determines
the default seconds value that is 10 to 60 seconds.
The range for tries is from 1 to 100. The switch dynamically determines the
default tries parameter that is 10 to 100.
(Optional) Set the number of minutes that a RADIUS server is not sent requests.
The range is from 0 to 1440 minutes (24 hours). The default is 0 minutes.
(Optional) Configure the RADIUS server parameters by using these keywords:
• acct-port udp-port—Specify the UDP port for the RADIUS accounting
server. The range for the UDP port number is from 0 to 65536. The default is
1646.
auth-port udp-port—Specify the UDP port for the RADIUS authentication
•
server. The range for the UDP port number is from 0 to 65536. The default is
1645.
You should configure the UDP port for the RADIUS accounting server
Note
and the UDP port for the RADIUS authentication server to nondefault
values.
test username name—Enable automated testing of the RADIUS server
•
status, and specify the username to be used.
idle-time time—Set the interval of time in minutes after which the switch
•
sends test packets to the server. The range is from 1 to 35791 minutes. The
default is 60 minutes (1 hour).
• ignore-acct-port—Disable testing on the RADIUS-server accounting port.
• ignore-auth-port—Disable testing on the RADIUS-server authentication
port.
• For key string, specify the authentication and encryption key used between
the switch and the RADIUS daemon running on the RADIUS server. The key
is a text string that must match the encryption key used on the RADIUS
server.
Always configure the key as the last item in the radius-server host
Note
command syntax because leading spaces are ignored, but spaces within
and at the end of the key are used. If you use spaces in the key, do not
enclose the key in quotation marks unless the quotation marks are part of
the key. This key must match the encryption used on the RADIUS
daemon.
You can also configure the authentication and encryption key by using the
radius-server key {0 string | 7 string | string} global configuration
command.
Chapter 1 Configuring IEEE 802.1x Port-Based Authentication
OL-25303-03