Example: Configuring the switch for Remote AAA with RADIUS
Prerequisites
RADIUS servers configured in general according to the information in Remote AAA RADIUS server configuration requirements. The exact settings appropriate to your environment will vary.
Logged in to the switch with Administrator privilege and in the config context.
Procedure
- Configure the global RADIUS passkey (shared secret) as "xjkW74932qX3j_$".
    switch(config)# radius-server key plaintext xjkW74932qX3j_$
    switch(config)#
- Add these configuration details for two remote RADIUS servers.
  Server 1 with IPv4 address 10.0.0.2, on the management interface (belonging to VRF “mgmt”), using the default PAP protocol.
  Server 2 with IPv4 address 4.0.0.2, on the data interface 1/1/4 (belonging to VRF “default”), using the CHAP protocol.
    switch(config)# radius-server host 10.0.0.2 vrf mgmt
    switch(config)# radius-server host 4.0.0.2 auth-type chap
    switch(config)#
- Create a RADIUS group named rad_grp1, assign RADIUS server 10.0.0.2 to the group, show the group information.
  NOTE: The default RADIUS group named radius includes every RADIUS server regardless of whether any RADIUS servers are also assigned to a user-defined RADIUS group.
    switch(config)# aaa group server radius rad_grp1
    switch(config-sg)# server 10.0.0.2 vrf mgmt
    switch(config-sg)# exit
    switch(config)#
    switch(config)# do show aaa server-groups radius
    ******* AAA Mechanism RADIUS *******
    --------------------------------------------------------------------------------
    GROUP NAME       | SERVER NAME | PORT | VRF     | PRIORITY
    --------------------------------------------------------------------------------
    rad_grp1         | 10.0.0.2    | 1812 | mgmt    | 1
    --------------------------------------------------------------------------------
    radius (default) | 10.0.0.2    | 1812 | mgmt    | 1
    radius (default) | 4.0.0.2     | 1812 | default | 2
    --------------------------------------------------------------------------------
    switch(config)#
- Define the authentication sequence list so that the new RADIUS group is first, the default RADIUS group is second, and local is third. Show the authentication sequence.
    switch(config)# aaa authentication login default group rad_grp1 radius local
    switch(config)#
    switch(config)# do show aaa authentication
    AAA Authentication:
      Fail-through                  : Disabled
      Limit Login Attempts          : Not set
      Lockout Time                  : 300
      Minimum Password Length       : Not set
    Default Authentication for All Channels:
    ---------------------------------------------------------------------------------
    GROUP NAME                       | GROUP PRIORITY
    ---------------------------------------------------------------------------------
    rad_grp1                         | 0
    radius                           | 1
    local                            | 2
    ---------------------------------------------------------------------------------
    switch(config)#
- Define the accounting sequence list with two RADIUS server groups. Show the accounting sequence.
    switch(config)# aaa accounting all default start-stop group rad_grp1 radius
    switch(config)#
    switch(config)# do show aaa accounting
    AAA Accounting:
      Accounting Type               : all
      Accounting Mode               : start-stop
    Default Accounting for All Channels:
    ---------------------------------------------------------------------------------
    GROUP NAME                       | GROUP PRIORITY
    ---------------------------------------------------------------------------------
    rad_grp1                         | 0
    radius                           | 1
    ---------------------------------------------------------------------------------
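The check below is an added example, not part of the original procedure or the vendor's tooling. It parses saved copies of the "show aaa server-groups radius" and "show aaa authentication" outputs from the steps above and reports when the login sequence differs from the intended one or names a group with no RADIUS server. It assumes the table layout shown on this page; the function names and the abridged sample text are constructed for illustration.

```python
# Constructed sample input: "show" outputs abridged from the procedure above.
SERVER_GROUPS = """\
GROUP NAME       | SERVER NAME | PORT | VRF     | PRIORITY
------------------------------------------------------------
rad_grp1         | 10.0.0.2    | 1812 | mgmt    | 1
------------------------------------------------------------
radius (default) | 10.0.0.2    | 1812 | mgmt    | 1
radius (default) | 4.0.0.2     | 1812 | default | 2
"""
AUTHENTICATION = """\
Default Authentication for All Channels:
GROUP NAME                       | GROUP PRIORITY
------------------------------------------------------------
rad_grp1                         | 0
radius                           | 1
local                            | 2
"""

def rows(text):
    """Yield the cells of each data row, skipping rules, banners and headers."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) > 1 and cells[0] != "GROUP NAME":
            yield cells

def servers_by_group(text):
    """Map group name -> [(priority, server, vrf)] sorted by priority."""
    groups = {}
    for name, server, _port, vrf, prio in rows(text):
        name = name.replace("(default)", "").strip()
        groups.setdefault(name, []).append((int(prio), server, vrf))
    return {g: sorted(v) for g, v in groups.items()}

def login_sequence(text):
    """Return the authentication groups ordered by GROUP PRIORITY."""
    return [name for _, name in sorted((int(p), n) for n, p in rows(text))]

def audit(groups_text, auth_text, expected):
    """Return a list of findings; an empty list means the outputs match."""
    groups, seq = servers_by_group(groups_text), login_sequence(auth_text)
    findings = []
    if seq != expected:
        findings.append(f"login sequence is {seq}, expected {expected}")
    for name in seq:
        if name != "local" and name not in groups:
            findings.append(f"group {name!r} has no RADIUS server assigned")
    return findings

if __name__ == "__main__":
    print(audit(SERVER_GROUPS, AUTHENTICATION, ["rad_grp1", "radius", "local"]) or "OK")
```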