8-29
Cisco ME 3800X and 3600X Switch Software Configuration Guide
OL-23400-01
Chapter 8 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
This example shows how to provide a user logging in from a switch with immediate access to privileged
EXEC commands:
cisco-avpair=
”shell:priv-lvl=15“
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair=
”tunnel-type(#64)=VLAN(13)”
cisco-avpair=
”tunnel-medium-type(#65)=802 media(6)”
cisco-avpair=
”tunnel-private-group-ID(#81)=vlanid”
This example shows how to apply an input ACL in ASCII format to an interface for the duration of this
connection:
cisco-avpair=
“ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0”
cisco-avpair=
“ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any”
cisco-avpair=
“mac:inacl#3=deny any any decnet-iv”
This example shows how to apply an output ACL in ASCII format to an interface for the duration of this
connection:
cisco-avpair=
“ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any”
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information
about vendor-IDs and VSAs, see RFC 2138, “Remote Authentication Dial-In User Service (RADIUS).”
Beginning in privileged EXEC mode, follow these steps to configure the switch to recognize and use
VSAs:
For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the
“RADIUS Attributes” appendix in the Cisco IOS Security Configuration Guide, Release 12.2.
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary
information between the switch and the RADIUS server, some vendors have extended the RADIUS
attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS
attributes.
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
radius-server vsa send [accounting |
authentication]
Enable the switch to recognize and use VSAs as defined by RADIUS IETF
attribute 26.
•
(Optional) Use the accounting keyword to limit the set of recognized
vendor-specific attributes to only accounting attributes.
•
(Optional) Use the authentication keyword to limit the set of
recognized vendor-specific attributes to only authentication attributes.
If you enter this command without keywords, both accounting and
authentication vendor-specific attributes are used.
Step 3
end
Return to privileged EXEC mode.
Step 4
show running-config
Verify your settings.
Step 5
copy running-config startup-config
(Optional) Save your entries in the configuration file.