Configuring 802.1x Port-Based Authentication
Configuring the switch-to-RADIUS-server communication

RADIUS security servers are identified by host name or IP address, host name and specific UDP port numbers, or IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address. If two different host entries on the same RADIUS server are configured for the same service, such as authentication, the second host entry configured acts as the fail-over backup to the first one. The RADIUS host entries are tried in the order that they are configured.

Beginning in privileged EXEC mode, follow these steps to configure the RADIUS server parameters on the switch.

Step 1 Enter global configuration mode.
Step 2 Configure the RADIUS server parameters on the switch with the radius-server host {hostname | ip-address} auth-port port-number key string command.

For hostname | ip-address, specify the host name or IP address of the remote RADIUS server. For auth-port port-number, specify the UDP destination port for authentication requests. The default is 1812. For key string, specify the authentication and encryption key used between the switch and the RADIUS server. The key is a text string that must match the encryption key used on the RADIUS server.

NOTE:

Always configure the key as the last item in the radius-server host command syntax because leading spaces are ignored, but spaces within and at the end of the key are used. If spaces are used in the key, do not enclose the key in quotation marks unless the quotation marks are part of the key.

If multiple RADIUS servers are to be used, re-enter this command.

Step 3 Return to privileged EXEC mode.
Step 4 Verify the configuration.

To delete the specified RADIUS server, use the no radius-server host {hostname | ip-address} global configuration command.

The example in Figure shows how to specify the server with IP address 172.20.39.46 as the RADIUS server, to use port 1612 as the authorization port, and to set the encryption key to rad123, matching the key on the RADIUS server.
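The key-handling rules in the note above (leading spaces ignored, inner and trailing spaces kept, quotation marks taken literally, key last on the line) can be checked offline against a saved configuration. The following Python script is an added example, not part of the original page or any vendor tooling. Assumptions: the function names, the warning heuristics and the sample configuration are constructed for illustration, and acct-port, timeout and retransmit are further options of the same command that this page does not list.

```python
import re

# Option keywords that should never appear inside a key; finding one means the
# key was not the last item on the line and absorbed what followed it.
# (acct-port, timeout and retransmit are assumed here; the page shows auth-port.)
OPTION_WORDS = {"auth-port", "acct-port", "timeout", "retransmit"}
HOST_RE = re.compile(r"^\s*radius-server host (\S+)(.*)$")

def parse_host_line(line):
    """Return a dict for one 'radius-server host' line, or None if not one."""
    m = HOST_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    host, rest = m.group(1), m.group(2)
    before_key, sep, key = rest.partition(" key ")
    port = re.search(r"\bauth-port (\d+)", before_key)
    entry = {"host": host, "auth_port": int(port.group(1)) if port else 1812,
             "key": None, "warnings": []}
    if not sep:
        return entry                # no per-server key on this line
    key = key.lstrip(" ")           # leading spaces are ignored
    entry["key"] = key              # inner and trailing spaces are kept
    if key != key.rstrip():
        entry["warnings"].append("trailing space is part of the key")
    if len(key) >= 2 and key[0] == key[-1] == '"':
        entry["warnings"].append("quotation marks are part of the key")
    if OPTION_WORDS & set(key.split()):
        entry["warnings"].append("key is not the last item on the line")
    return entry

def audit(config_text):
    """Parse every host line, preserving configured order (the order tried)."""
    return [e for e in map(parse_host_line, config_text.splitlines()) if e]

# Constructed sample configuration (not taken from a real device).
SAMPLE = (
    "radius-server host 172.20.39.46 auth-port 1612 key rad123\n"
    "radius-server host 172.20.39.47 key rad123 \n"
    'radius-server host 172.20.39.48 key "rad 123"\n'
    "radius-server host 172.20.39.49 key rad123 auth-port 1612\n"
)

if __name__ == "__main__":
    for e in audit(SAMPLE):
        print(e["host"], e["auth_port"], repr(e["key"]), e["warnings"])
```

Any entry that carries a warning holds a key that will not match a server configured with the plain string rad123, so authentication against that server fails even though the command was accepted.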

The timeout, retransmission, and encryption key values for all RADIUS servers can be globally configured by using the radius-server host global configuration command. To configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands.

Some settings on the RADIUS server need to be configured as well. These settings include the IP address of the switch and the key string to be shared by both the server and the switch.