Configuring the Switch-to-RADIUS Server Communication

The 802.1x port-based authentication scheme relies on RADIUS to authenticate supplicants (the desktop, wireless LAN [WLAN] client, and so on). The authenticator (the switch, router, and so on) must be configured with the RADIUS settings it needs to communicate with the authentication server. Multiple RADIUS servers can be specified on a switch. Each server is identified by a host name or IP address together with specific port numbers; the combination of these two parameters forms a unique identifier, and configuring several such entries provides redundancy and availability. The host entries are tried sequentially in the order configured. Use the following command in global configuration mode to specify a RADIUS server host, User Datagram Protocol (UDP) port, and shared secret text string:

radius-server host {hostname | ip-address} [auth-port port-number] key string

The auth-port port-number is an optional parameter that specifies a different UDP destination port for authentication requests. The default UDP ports for RADIUS on a Cisco router running Cisco IOS Software Release 12.3(x) are 1645 for authentication and 1646 for accounting. The default UDP ports on a Cisco Catalyst IOS-based switch running version 12.1 or higher are 1812 for authentication and 1813 for accounting.

The key string specifies the authentication and encryption key used between the authenticator and the RADIUS daemon on the authentication server. The key value is a text string that must match the key used on the RADIUS server.
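As an added example (not from the original page), the following Python check parses radius-server host lines in the syntax described above and flags the problems those paragraphs imply: a missing key, an auth-port left at the platform default, a port that differs from the one the RADIUS server listens on (the 1645 versus 1812 default difference between router and switch images), and a single server with no fallback. The sample configuration, host addresses and shared secret are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default RADIUS authentication ports as stated on the page.
DEFAULT_AUTH_PORT = {"router-ios-12.3": 1645, "catalyst-ios-12.1": 1812}

# Matches only the page's syntax: host, optional auth-port, optional key.
# The key runs to end of line because IOS accepts spaces in the secret.
_HOST_RE = re.compile(r"^radius-server host (\S+)(?: auth-port (\d+))?(?: key (.+))?$")

# Constructed sample configuration (not from the page). Entry #2 relies on the
# platform default port; entry #3 has no key and uses the old router default 1645.
SAMPLE_CONFIG = """\
radius-server host 10.1.1.10 auth-port 1812 key Str0ng-Shared-Secret
radius-server host radius2.example.net key Str0ng-Shared-Secret
radius-server host 10.1.1.12 auth-port 1645
"""

@dataclass
class RadiusHost:
    host: str
    auth_port: int
    explicit_port: bool
    key: Optional[str]

def parse_radius_hosts(config: str, platform: str = "catalyst-ios-12.1") -> List[RadiusHost]:
    """Return radius-server host entries in configured order (the order they are tried)."""
    default_port = DEFAULT_AUTH_PORT[platform]
    hosts = []
    for line in config.splitlines():
        m = _HOST_RE.match(line.strip())
        if m:
            host, port, key = m.groups()
            hosts.append(RadiusHost(host, int(port) if port else default_port, port is not None, key))
    return hosts

def audit_radius_hosts(hosts: List[RadiusHost], server_auth_port: int) -> List[str]:
    """Flag entries that would break authentication or leave it without a fallback."""
    findings = []
    if len(hosts) < 2:
        findings.append("only one RADIUS server: no fallback if it is unreachable")
    for n, h in enumerate(hosts, 1):
        if h.key is None:
            findings.append(f"#{n} {h.host}: no shared secret (key) configured")
        if not h.explicit_port:
            findings.append(f"#{n} {h.host}: auth-port not set, relying on platform default {h.auth_port}")
        if h.auth_port != server_auth_port:
            findings.append(f"#{n} {h.host}: auth-port {h.auth_port} but server listens on {server_auth_port}")
    return findings

if __name__ == "__main__":
    for finding in audit_radius_hosts(parse_radius_hosts(SAMPLE_CONFIG), 1812):
        print(finding)
```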
