Table of Contents
Advertisement
Default Configuration
By default, no dynamic RADIUS servers are configured.
Command Mode
Global Configuration
User Guidelines
Configuring a dynamic RADIUS server causes the system to begin listening
on the default port 3799 for RADIUS CoA requests. The switch ensures that a
unique Acct-Session-Id and the Calling-Station-Id is sent to the RADIUS
server in all Access-Request packets. The Acct-Session-Id and Calling-
Station-Id identifiers are maintained in the switch. CoA-Request requests
must use the Acct-Session-Id or Calling-Station-Id or both for presentation to
the NAS for subsequent CoA requests.
A valid authenticated RFC 3575 Disconnect-Request terminates the session
without disabling the port. The termination may cause the host to attempt to
re-authenticate on the port. If an ACL was applied for the session (i.e., for
MAB), the ACL is removed when the session is terminated.
If a valid authenticated RFC 3575 Disconnect-Request request is received
from a configured server and the session cannot be found, the switch returns a
CoA-NAK message with the 503 Session Context Not Found response code.
If it expected that more than one session will authenticate over a port, use of
MAC based authentication is recommended. If MAC based authentication is
enabled, the user is denied access to the port even if a previous authentication
has occurred on the port.
Command History
Introduced in version 6.2.0.1 firmware.
Example
The following example configures RADIUS servers at 1.1.1.1, 2.2.2.2, and
3.3.3.3 and CoA clients at 4.4.4.4 and 5.5.5.5. It sets the front panel ports to
use 802.1x MAC-based authentication. CoA is configured for two dynamic
RADIUS servers located at 1.1.1.1 and 2.2.2.2 using a global shared secret and
a third server using a server specific shared secret. CoA and disconnect
requests are accepted from the CoA clients at 4.4.4.4 and 5.5.5.5. Any
858
Security Commands
Advertisement
Table of Contents
