Cisco Switch RADIUS Configuration Settings

  1. Switch AAA and 802.1X Settings

Configure the global AAA, RADIUS and 802.1X settings, define the RADIUS server, and enable RADIUS Change of Authorization (CoA).

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
aaa accounting update newinfo periodic 10

radius server {radius server name}
 address ipv4 {radius server ip} auth-port 1812 acct-port 1813
 key {radius secret key}

radius-server vsa send authentication
ip radius source-interface {Layer 3 management interface}

aaa server radius dynamic-author
 client {radius server ip}
 server-key {radius secret key}
 port 3799
 auth-type any

dot1x system-auth-control
ip device tracking

  2. Interface 802.1X Settings

Configure 802.1X and MAB on the interface, along with the associated timers and authentication modes.

dot1x port-control auto
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x max-reauth-req 1
dot1x radius-attributes vlan static
dot1x host-mode multi-auth

Note

Two port-control commands are provided since various Cisco IOS versions use different commands. Choose the appropriate command for your version.

Note

"mab" is configured to allow devices that do not support a supplicant to authenticate via MAC Authentication.

Note

Refer to Cisco documentation for more information on timers and authentication modes.
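
The settings from sections 1 and 2 can be checked against a saved switch configuration. The following Python audit is an added example, not part of the original page or of any Cisco tooling. It assumes `show running-config`-style text with indented sub-commands; the function names, the sample config and the 192.0.2.10 address are constructed for illustration.

```python
# Section 1 globals are prefix-matched; section 2 accepts either port-control form,
# since which one applies depends on the IOS version.
REQUIRED_GLOBAL = """aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius-server vsa send authentication
dot1x system-auth-control""".splitlines()
PORT_CONTROL = ("dot1x port-control auto", "authentication port-control auto")
REQUIRED_IFACE = ("mab", "dot1x pae authenticator")

def parse_blocks(config):
    """Map each top-level line to the list of indented lines beneath it."""
    blocks, current = {}, None
    for raw in filter(str.strip, config.splitlines()):  # skips blank lines
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def audit(config, access_ports):
    """Return findings for missing settings; an empty list means none were found."""
    blocks = parse_blocks(config)
    findings = [f"global: missing '{c}'" for c in REQUIRED_GLOBAL
                if not any(top.startswith(c) for top in blocks)]
    coa = blocks.get("aaa server radius dynamic-author", [])
    for key in ("client ", "server-key"):  # a bare "client" with no address also fails
        if not any(key in c for c in coa):
            findings.append(f"CoA: no {key.strip()}")
    for port in access_ports:
        lines = blocks.get(f"interface {port}", [])
        if not any(ln in PORT_CONTROL for ln in lines):
            findings.append(f"{port}: no port-control auto")
        findings += [f"{port}: missing '{c}'" for c in REQUIRED_IFACE if c not in lines]
    return findings

# Constructed sample (not from a real device): CoA has no server-key, Gi1/0/2 is open.
SAMPLE = "\n".join(REQUIRED_GLOBAL) + """
aaa server radius dynamic-author
 client 192.0.2.10
interface GigabitEthernet1/0/1
 authentication port-control auto
 mab
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 mab
"""
print("\n".join(audit(SAMPLE, ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"])))
```

A port that carries `mab` but neither port-control command is reported, because without port-control the interface does not enforce authentication at all.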