Filter
Top Products
9-39
Catalyst 3750 Switch Software Configuration Guide
OL-8550-09
Chapter 9 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
Configuring CoA on the Switch
Beginning in privileged EXEC mode, follow these steps to configure CoA on a switch. This procedure
is required.
To disable AAA, use the no aaa new-model global configuration command. To disable the AAA server
functionality on the switch, use the no aaa server radius dynamic authorization global configuration
command.
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
aaa new-model Enable AAA.
Step 3
aaa server radius dynamic-author Configure the switch as an authentication, authorization, and accounting
(AAA) server to facilitate interaction with an external policy server.
Step 4
client {ip-address | name} [vrf vrfname]
[server-key string]
Enter dynamic authorization local server configuration mode and specify
a RADIUS client from which a device will accept CoA and disconnect
requests.
Step 5
server-key [0 | 7] string Configure the RADIUS key to be shared between a device and RADIUS
clients.
Step 6
port port-number Specify the port on which a device listens for RADIUS requests from
configured RADIUS clients.
Step 7
auth-type {any | all | session-key} Specify the type of authorization the switch uses for RADIUS clients.
The client must match all the configured attributes for authorization.
Step 8
ignore session-key (Optional) Configure the switch to ignore the session-key.
For more information about the ignore command, see the Cisco IOS
Intelligent Services Gateway Command Reference on Cisco.com.
Step 9
ignore server-key (Optional) Configure the switch to ignore the server-key.
For more information about the ignore command, see the Cisco IOS
Intelligent Services Gateway Command Reference on Cisco.com.
Step 10
authentication command bounce-port
ignore
(Optional) Configure the switch to ignore a CoA request to temporarily
disable the port hosting a session. The purpose of temporarily disabling
the port is to trigger a DHCP renegotiation from the host when a VLAN
change occurs and there is no supplicant on the endpoint to detect the
change.
Step 11
authentication command disable-port
ignore
(Optional) Configure the switch to ignore a nonstandard command
requesting that the port hosting a session be administratively shut down.
Shutting down the port results in termination of the session.
Use standard CLI or SNMP commands to re-enable the port.
Step 12
end Return to privileged EXEC mode.
Step 13
show running-config Verify your entries.
Step 14
copy running-config startup-config (Optional) Save your entries in the configuration file.