Procedure 3 - Configure The Global RADIUS Commands

We configure a proactive method to check the availability of the RADIUS server. With this practice, the switch sends periodic test authentication messages to the RADIUS server (Cisco ISE) and looks for any RADIUS response from the server. A success message is not necessary; a failed authentication will suffice, because it shows that the server is alive.

Step 1
Within global configuration mode, add a username and password for the RADIUS keepalive test.

The username we create here will be added to the local user database in Cisco ISE at a later step. It is also referenced in Step 2, where we define the RADIUS servers.

  • C3750X(config)#username radius-test password password

Step 2
Add the Cisco ISE servers to the RADIUS group.

In this step we add each Cisco ISE Policy Services Node (PSN) to the switch configuration, using the test account created in Step 1. Repeat the command for each PSN.

  • C3750X(config)#radius-server host ise_ip_address auth-port 1812 acct-port 1813 test username radius-test key shared_secret

Step 3
Set the dead criteria.

The switch has been configured to proactively check the Cisco ISE server for RADIUS responses. Now configure the counters on the switch that determine whether the server is alive or dead. We will wait 5 seconds for a response from the RADIUS server and attempt the test 3 times before marking the server dead, so a Cisco ISE server that has not returned a valid response within 15 seconds is marked as dead.

  • C3750X(config)#radius-server dead-criteria time 5 tries 3

Step 4
Enable change of authorization (CoA).

Previously we defined the IP addresses of the RADIUS servers that the switch sends RADIUS messages to. The servers that are allowed to perform change of authorization (RFC 3576) operations, however, are defined in a separate list, also within global configuration mode, as follows:

  • C3750X(config)#aaa server radius dynamic-author
  • C3750X(config-locsvr-da-radius)#client ise_ip_address server-key shared_secret

Step 5
Configure the switch to use the Cisco vendor-specific attributes.

Here we configure the switch to send any defined vendor-specific attributes (VSA) to Cisco ISE PSNs during authentication requests and accounting updates.

  • C3750X(config)#radius-server vsa send authentication
  • C3750X(config)#radius-server vsa send accounting

Step 6
Next, we will enable the vendor-specific attributes (VSAs).

  • C3750X(config)#radius-server attribute 6 on-for-login-auth
  • C3750X(config)#radius-server attribute 8 include-in-access-req
  • C3750X(config)#radius-server attribute 25 access-request include

Step 7
Ensure the switch always sends traffic from the correct interface.

Switches often have multiple IP addresses associated with them. Therefore, it is a best practice to always force management communications through a specific interface. This interface's IP address must match the IP address defined in the Cisco ISE Network Device object.

  • C3750X(config)#ip radius source-interface interface_name
  • C3750X(config)#snmp-server trap-source interface_name
  • C3750X(config)#snmp-server source-interface informs interface_name