Controlling Switch Access with RADIUS
Command
Step 8    Switch(config-locsvr-da-radius)# ignore session-key
Step 9    Switch(config-locsvr-da-radius)# ignore server-key
Step 10   Switch(config-locsvr-da-radius)# exit
Step 11   Switch(config)# authentication command bounce-port ignore
Step 12   Switch(config)# authentication command disable-port ignore
Step 13   Switch# end
Step 14   Switch# show running-config
Step 15   Switch# copy running-config startup-config
To disable AAA, use the no aaa new-model global configuration command. To disable the AAA server functionality on the switch, use the no aaa server radius dynamic-author global configuration command.
Switch(config)# aaa server radius dynamic-author
Switch(config-locsvr-da-radius)# client ip addr vrf vrfname
Switch(config-locsvr-da-radius)# server-key cisco123
Switch(config-locsvr-da-radius)# port 3799
Note: The default port for packet of disconnect is 1700. Port 3799 is required to interoperate with ACS 5.1.
Switch(config)# authentication command bounce-port ignore
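The settings from Steps 8 to 12 and the sample above decide which CoA requests the switch acts on, so they are worth checking in a saved configuration. The Python script below is an added example, not part of the Cisco guide: it audits show running-config text, and the sample configuration (client address 192.0.2.10, VRF name MGMT), the function names and the report fields are assumptions made for illustration.

```python
import re

# Constructed sample input, modelled on the commands shown on this page.
SAMPLE_CONFIG = """\
aaa new-model
aaa server radius dynamic-author
 client 192.0.2.10 vrf MGMT
 server-key cisco123
 port 3799
 ignore server-key
!
authentication command bounce-port ignore
"""

DOC_EXAMPLE_KEYS = {"cisco123"}  # key printed in this page's sample config
DEFAULT_POD_PORT = 1700          # default stated in the page's Note

def dynamic_author_stanza(config):
    """Return the sub-commands under 'aaa server radius dynamic-author'."""
    stanza, inside = [], False
    for line in config.splitlines():
        if line.strip() == "aaa server radius dynamic-author":
            inside = True
        elif inside and line[:1] == " " and line.strip():
            stanza.append(line.strip())
        elif inside:
            break  # first non-indented line closes the stanza
    return stanza

def audit_coa(config):
    """Summarise the CoA settings of a running-config as a dict."""
    stanza = dynamic_author_stanza(config)
    report = {"configured": bool(stanza), "port": DEFAULT_POD_PORT,
              "ignored_keys": [], "example_key": False}
    for cmd in stanza:
        words = cmd.split()
        if words[0] == "port" and len(words) == 2 and words[1].isdigit():
            report["port"] = int(words[1])
        elif cmd in ("ignore server-key", "ignore session-key"):
            report["ignored_keys"].append(words[1])
        # Cleartext key only; an encoded key (extra token) is not compared.
        m = re.search(r"\bserver-key (\S+)$", cmd)
        if m and m.group(1) in DOC_EXAMPLE_KEYS:
            report["example_key"] = True
    ignored = re.findall(
        r"^authentication command (bounce-port|disable-port) ignore\s*$",
        config, re.M)
    # Port actions the switch still accepts from a CoA client.
    report["honoured"] = sorted({"bounce-port", "disable-port"} - set(ignored))
    return report
```

For the constructed sample, the report shows that the documentation key is in use, that the server-key is ignored, and that disable-port requests are still honoured.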
Monitoring and Troubleshooting CoA Functionality
The following Cisco IOS commands can be used to monitor and troubleshoot CoA functionality on the switch:
• debug radius
• debug aaa coa
• debug aaa pod
• debug aaa subsys
• debug cmdhd [detail | error | events]
• show aaa attributes protocol radius
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 49: Configuring 802.1X Port-Based Authentication
Purpose
Step 8    (Optional) Configures the switch to ignore the session-key. For more information about the ignore command, see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco.com.
Step 9    (Optional) Configures the switch to ignore the server-key. For more information about the ignore command, see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco.com.
Step 10   Switches to global configuration mode.
Step 11   (Optional) Configures the switch to ignore a CoA request to temporarily disable the port hosting a session. The purpose of temporarily disabling the port is to trigger a DHCP renegotiation from the host when a VLAN change occurs and there is no supplicant on the endpoint to detect the change.
Step 12   (Optional) Configures the switch to ignore a nonstandard command requesting that the port hosting a session be administratively shut down. Shutting down the port results in termination of the session. Use standard CLI or SNMP commands to re-enable the port.
Step 13   Returns to privileged EXEC mode.
Step 14   Verifies your entries.
Step 15   (Optional) Saves your entries in the configuration file.