Example: Configuring the switch for Remote AAA with RADIUS

Prerequisites
  • RADIUS servers are configured in general accordance with the information in Remote AAA RADIUS server configuration requirements. The exact settings appropriate to your environment will vary.

  • You are logged in to the switch with Administrator privilege and are in the config context.

Procedure
  1. Configure the global RADIUS passkey (shared secret) as "xjkW74932qX3j_$".
    switch(config)# radius-server key plaintext xjkW74932qX3j_$
    switch(config)#
  2. Add two remote RADIUS servers with the following configuration details.
    • Server 1 with IPv4 address 10.0.0.2, on the management interface (belonging to VRF “mgmt”), using the default PAP protocol.

    • Server 2 with IPv4 address 4.0.0.2, on the data interface 1/1/4 (belonging to VRF “default”, which applies when no vrf is given in the command), using the CHAP protocol.

    switch(config)# radius-server host 10.0.0.2 vrf mgmt
    switch(config)# radius-server host 4.0.0.2 auth-type chap
    switch(config)#
  3. Create a RADIUS group named rad_grp1, assign RADIUS server 10.0.0.2 to the group, and show the group information.
    NOTE: The default RADIUS group named radius includes every RADIUS server, regardless of whether a server is also assigned to a user-defined RADIUS group.

    switch(config)# aaa group server radius rad_grp1
    switch(config-sg)# server 10.0.0.2 vrf mgmt
    switch(config-sg)# exit
    switch(config)#
    switch(config)# do show aaa server-groups radius
    
    ******* AAA Mechanism RADIUS *******
    --------------------------------------------------------------------------------
    GROUP NAME       | SERVER NAME                       | PORT | VRF     | PRIORITY
    --------------------------------------------------------------------------------
    rad_grp1         | 10.0.0.2                          | 1812 | mgmt    | 1
    --------------------------------------------------------------------------------
    radius (default) | 10.0.0.2                          | 1812 | mgmt    | 1
    radius (default) | 4.0.0.2                           | 1812 | default | 2
    --------------------------------------------------------------------------------
    switch(config)# 
    
  4. Define the authentication sequence list so that the new RADIUS group is first, the default RADIUS group is second, and local is third. Show the authentication sequence.
    switch(config)# aaa authentication login default group rad_grp1 radius local
    switch(config)#
    switch(config)# do show aaa authentication
    AAA Authentication:
      Fail-through                          : Disabled
      Limit Login Attempts                  : Not set
      Lockout Time                          : 300
      Minimum Password Length               : Not set
    
    Default Authentication for All Channels:
    ---------------------------------------------------------------------------------
    GROUP NAME                       | GROUP PRIORITY
    ---------------------------------------------------------------------------------
    rad_grp1                         | 0
    radius                           | 1
    local                            | 2
    ---------------------------------------------------------------------------------
    switch(config)#
    
  5. Define the accounting sequence list with two RADIUS server groups. Show the accounting sequence.
    switch(config)# aaa accounting all default start-stop group rad_grp1 radius
    switch(config)#
    switch(config)# do show aaa accounting
    AAA Accounting:
      Accounting Type                               : all
      Accounting Mode                               : start-stop
    
    Default Accounting for All Channels:
    ---------------------------------------------------------------------------------
    GROUP NAME                       | GROUP PRIORITY
    ---------------------------------------------------------------------------------
    rad_grp1                         | 0
    radius                           | 1
    ---------------------------------------------------------------------------------
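
A way to check the results of steps 3 and 4 against the intended design, as an added example that is not part of the vendor documentation: the script parses the two show tables and reports any drift in authentication method order or server VRF. The function names and the WANT_* values are assumptions introduced here; the table rows are copied from the outputs above with column padding trimmed.

```python
# Table rows copied from the "show" outputs in steps 3 and 4 (padding trimmed).
SERVER_GROUPS = """\
GROUP NAME       | SERVER NAME | PORT | VRF     | PRIORITY
----------------------------------------------------------
rad_grp1         | 10.0.0.2    | 1812 | mgmt    | 1
----------------------------------------------------------
radius (default) | 10.0.0.2    | 1812 | mgmt    | 1
radius (default) | 4.0.0.2     | 1812 | default | 2
"""
AUTH_SEQUENCE = """\
GROUP NAME                       | GROUP PRIORITY
-------------------------------------------------
rad_grp1                         | 0
radius                           | 1
local                            | 2
"""
# Intent taken from steps 2 and 4 of the procedure (assumed names).
WANT_ORDER = ["rad_grp1", "radius", "local"]
WANT_VRF = {"10.0.0.2": "mgmt", "4.0.0.2": "default"}

def parse_table(text):
    """Return the data rows of a pipe-delimited show table as lists of cells."""
    rows = [[c.strip() for c in line.split("|")] for line in text.splitlines()]
    return [r for r in rows if len(r) > 1 and r[0] != "GROUP NAME"]  # drop rulers, header

def server_groups(text):
    """Map group name -> [(server, vrf), ...] ordered by priority."""
    groups = {}
    for name, server, _port, vrf, prio in parse_table(text):
        name = name.split("(")[0].strip()  # "radius (default)" -> "radius"
        groups.setdefault(name, []).append((int(prio), server, vrf))
    return {g: [m[1:] for m in sorted(ms)] for g, ms in groups.items()}

def auth_order(text):
    """Return the method groups in the order the switch tries them."""
    return [name for name, _ in sorted(parse_table(text), key=lambda r: int(r[1]))]

def audit(groups_text, auth_text, want_order, want_vrf):
    """Return findings; an empty list means the output matches the intent."""
    findings = []
    order = auth_order(auth_text)
    if order != want_order:
        findings.append(f"auth order {order} != intended {want_order}")
    for group, members in server_groups(groups_text).items():
        for server, vrf in members:
            if want_vrf.get(server) != vrf:
                findings.append(f"{server} in {group}: VRF {vrf} not intended")
    return findings
```

Calling audit(SERVER_GROUPS, AUTH_SEQUENCE, WANT_ORDER, WANT_VRF) on the outputs shown above returns an empty list.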