Example: Configuring the switch for Remote AAA with RADIUS
Prerequisites
RADIUS servers configured in general according to the information in Remote AAA RADIUS server configuration requirements. The exact settings appropriate to your environment will vary.
Logged in to the switch with Administrator privilege and in the config context.
Procedure
- Configure the global RADIUS passkey (shared secret) as "xjkW74932qX3j_$".
  switch(config)# radius-server key plaintext xjkW74932qX3j_$
  switch(config)#
- Add these configuration details for two remote RADIUS servers.
  - Server 1 with IPv4 address 10.0.0.2, on the management interface (belonging to VRF “mgmt”), using the default PAP protocol.
  - Server 2 with IPv4 address 4.0.0.2, on the data interface (belonging to VRF “default”), using the CHAP protocol.
  switch(config)# radius-server host 10.0.0.2 vrf mgmt
  switch(config)# radius-server host 4.0.0.2 auth-type chap
  switch(config)#
- Create a RADIUS group named rad_grp1, assign RADIUS server 10.0.0.2 to the group, and show the group information.
  NOTE: The default RADIUS group named radius includes every RADIUS server regardless of whether any RADIUS servers are also assigned to a user-defined RADIUS group.
  switch(config)# aaa group server radius rad_grp1
  switch(config-sg)# server 10.0.0.2 vrf mgmt
  switch(config-sg)# exit
  switch(config)#
  switch(config)# do show aaa server-groups radius
  ******* AAA Mechanism RADIUS *******
  --------------------------------------------------------------------------------
  GROUP NAME       | SERVER NAME | PORT | VRF     | PRIORITY
  --------------------------------------------------------------------------------
  rad_grp1         | 10.0.0.2    | 1812 | mgmt    | 1
  --------------------------------------------------------------------------------
  radius (default) | 10.0.0.2    | 1812 | mgmt    | 1
  radius (default) | 4.0.0.2     | 1812 | default | 2
  --------------------------------------------------------------------------------
  switch(config)#
- Define the authentication sequence list so that the new RADIUS group is first, the default RADIUS group is second, and local is third. Show the authentication sequence.
  switch(config)# aaa authentication login default group rad_grp1 radius local
  switch(config)#
  switch(config)# do show aaa authentication
  AAA Authentication:
    Fail-through            : Disabled
    Limit Login Attempts    : Not set
    Lockout Time            : 300
    Minimum Password Length : Not set
  Default Authentication for All Channels:
  ---------------------------------------------------------------------------------
  GROUP NAME | GROUP PRIORITY
  ---------------------------------------------------------------------------------
  rad_grp1   | 0
  radius     | 1
  local      | 2
  ---------------------------------------------------------------------------------
  switch(config)#
- Define the accounting sequence list with two RADIUS server groups. Show the accounting sequence.
  switch(config)# aaa accounting all default start-stop group rad_grp1 radius
  switch(config)#
  switch(config)# do show aaa accounting
  AAA Accounting:
    Accounting Type : all
    Accounting Mode : start-stop
  Default Accounting for All Channels:
  ---------------------------------------------------------------------------------
  GROUP NAME | GROUP PRIORITY
  ---------------------------------------------------------------------------------
  rad_grp1   | 0
  radius     | 1
  ---------------------------------------------------------------------------------