Configure the Switch for EAP and RADIUS

Perform the following procedure to configure the switch for EAP and RADIUS.

About this task

You must configure the switch through which user-based-policy (UBP) users connect so that it communicates with the RADIUS server to exchange EAP authentication information and user role information. You must specify the IP address of the RADIUS server and the shared secret (a password that authenticates the device with the RADIUS server as an EAP access point). You must enable EAP globally on each device, and you must configure EAP authentication on each device port through which EAP/UBP users connect.

For more information about EPM and UBP, see the user documentation for your Enterprise Policy Manager (EPM) application.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create a RADIUS server that is used by EAP:

    radius server host WORD<0-255> key WORD<0-20> used-by eapol enable

  3. Enter VLAN Interface Configuration mode:

    interface vlan <1-4059>

  4. Enable the device to communicate through EAP:

    eapol enable

  5. Exit from VLAN interface mode:

    exit

  6. Enter Interface Configuration mode:

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

  7. Enable device ports for EAP authentication:

    eapol port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} status auto

  8. Enable periodic supplicant re-authentication:

    eapol port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} re-authentication enable

Example

Switch:1>enable

Switch:1#configure terminal

Create a RADIUS server that is used by EAP:

Switch:1(config)#radius server host fe90:0:0:0:21b:4eee:fe5e:75fd key radiustest used-by eapol enable

Switch:1(config)#interface vlan 2

Enable the device to communicate through EAP:

Switch:1(config-if)#eapol enable

Variable Definitions

The following table defines parameters for the radius server host WORD<0-255> used-by eapol command.

Variable
    Value

host WORD<0-255>
    Configures a host server. WORD<0-255> specifies the IPv4 address, IPv6 address, or fully qualified domain name (FQDN). If you use an FQDN, you must also configure the switch to use DNS.

    This address tells the device where to find the RADIUS server, from which it obtains EAP authentication and user role information.

key WORD<0-20>
    Specifies the shared secret key that you use for RADIUS authentication. The shared secret is held in common by the RADIUS server and all EAP-enabled devices in your network. It authenticates each device with the RADIUS server as an EAP access point. When you configure your RADIUS server, you must configure the same shared secret value as you specify here.
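
The following Python check is an added example, not part of the vendor documentation. It audits a list of bare CLI command lines (no prompts, mode context ignored) against the procedure above: a RADIUS server marked used-by eapol, eapol enable, and re-authentication on every port set to status auto. The 16-character minimum key length is an assumed local policy, and the function names and the port lines in the sample are constructed.

```python
import re

MIN_KEY_LEN = 16  # assumption: local policy floor, not a value from the page
MAX_KEY_LEN = 20  # from the page's syntax: key WORD<0-20>
RADIUS_RE = re.compile(r"^radius server host (\S+) key (\S+) used-by eapol enable$")
PORT_RE = re.compile(r"^eapol port (\S+) (status auto|re-authentication enable)$")

# Constructed sample: the page's RADIUS example line plus made-up port lines.
SAMPLE = [
    "radius server host fe90:0:0:0:21b:4eee:fe5e:75fd key radiustest used-by eapol enable",
    "eapol enable",
    "eapol port 1/1-1/3,1/7 status auto",
    "eapol port 1/1-1/2,1/7 re-authentication enable",
]

def expand_ports(spec):
    """Expand '1/1-1/3,1/7' to a set of ports; only same-slot ranges are expanded."""
    ports = set()
    for item in spec.split(","):
        first, _, last = item.partition("-")
        if last and first.count("/") == 1 and last.count("/") == 1:
            (slot, lo), (slot2, hi) = first.split("/"), last.split("/")
            if slot == slot2:
                ports.update(f"{slot}/{n}" for n in range(int(lo), int(hi) + 1))
                continue
        ports.add(item)  # single port, sub-port or cross-slot range: kept as written
    return ports

def audit(lines):
    """Return sorted findings for a list of bare CLI command lines (no prompts)."""
    findings, auto, reauth = [], set(), set()
    radius_seen = eap_enabled = False
    for line in map(str.strip, lines):
        radius, port = RADIUS_RE.match(line), PORT_RE.match(line)
        if radius:
            radius_seen = True
            n = len(radius.group(2))
            if not MIN_KEY_LEN <= n <= MAX_KEY_LEN:
                findings.append(f"radius key length {n} outside {MIN_KEY_LEN}-{MAX_KEY_LEN}")
        elif line == "eapol enable":
            eap_enabled = True
        elif port:
            target = auto if port.group(2) == "status auto" else reauth
            target.update(expand_ports(port.group(1)))
    if not radius_seen:
        findings.append("no RADIUS server marked used-by eapol")
    if not eap_enabled:
        findings.append("eapol enable is missing")
    findings += [f"port {p}: status auto without re-authentication" for p in sorted(auto - reauth)]
    return sorted(findings)
```

Calling `audit(SAMPLE)` reports the 10-character example key and port 1/3, which is set to status auto but has no re-authentication line.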