Configuring The Switch To Use Vendor-Specific Radius Attributes - Cisco Catalyst 4500 Series Software Configuration Manual

Chapter 49 Configuring 802.1X Port-Based Authentication
Command
Step 4
Switch(config)# radius-server
timeout seconds
Step 5
Switch(config)# radius-server
deadtime minutes
Step 6
Switch(config)# end
Step 7
Switch# show running-config
Step 8
Switch# copy running-config
startup-config
To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands.

Configuring the Switch to Use Vendor-Specific RADIUS Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information
between the switch and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes
(VSAs) allow vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation
supports one vendor-specific option by using the format recommended in the specification. Cisco's vendor-ID is 9, and the
supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate
attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for
optional attributes. The full set of features available for TACACS+ authorization can then be used for RADIUS.
For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during PPP IPCP
address assignment):
cisco-avpair= "ip:addr-pool=first"
This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands:
cisco-avpair= "shell:priv-lvl=15"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
This example shows how to apply an input ACL in ASCII format to an interface for the duration of this connection:
cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0"
cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any"
cisco-avpair= "mac:inacl#3=deny any any decnet-iv"
This example shows how to apply an output ACL in ASCII format to an interface for the duration of this connection:
cisco-avpair= "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and
VSAs, see RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."
Purpose
Specifies the number of seconds a switch waits for a reply to a RADIUS
request before resending the request. The default is 5 seconds; the range is
1 to 1000.
Specifies the number of minutes a RADIUS server, which is not responding
to authentication requests, to be skipped, thus avoiding the wait for the
request to timeout before trying the next configured server. The default is
0; the range is 1 to 1440 minutes.
Returns to privileged EXEC mode.
Verifies your settings.
(Optional) Saves your entries in the configuration file.
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Controlling Switch Access with RADIUS
49-111