Configuring the switch for EAP and RADIUS

Perform the following procedure to configure the switch for EAP and RADIUS.

About this task

You must configure the switch, through which user-based-policy (UBP) users connect to communicate with the RADIUS server to exchange EAP authentication information, as well as user role information. You must specify the IP address of the RADIUS server, as well as the shared secret (a password that authenticates the device with the RADIUS server as an EAP access point). You must enable EAP globally on each device, and you must configure EAP authentication on each device port, through which EAP/UBP users connect.

RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration.

For more information about EPM and UBP, see the user documentation for your Enterprise Policy Manager (EPM) application.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create a RADIUS server that is used by EAP:

    radius server host WORD <0–46> key WORD<0-20> used-by eapol

  3. Log on to the Interface Configuration mode:

    interface vlan <1-4059>

  4. Enable the device to communicate through EAP:

    eapol enable

  5. Exit from VLAN interface mode:

    exit

  6. Enter Interface Configuration mode:

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

  7. Enable device ports for EAP authentication:

    eapol port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} status auto

  8. Enable periodic supplicant re-authenticating:

    eapol port {slot/port[/sub-port][-slot/port[/sub-port]][,...]} re-authentication enable

  9. Save your changes:

    save config

Example

Switch:1> enable

Switch:1# configure terminal

Create a RADIUS server that is used by EAP:

Switch:1(config)# radius server host fe90:0:0:0:21b:4eee:fe5e:75fd key radiustest used-by eapol

Switch:1(config)# interface vlan 2

Enable the device to communicate through EAP:

Switch:1(config-if)# eapol enable

Save your changes:

Switch:1(config-if)# save config

Variable Definitions

The following table defines parameters for the radius server host WORD<0–46> usedby eapol command.

Variable

Value

host WORD<0–46>

Specifies the IP address of the selected server.

This address tells the device where to find the RADIUS server, from which it obtains EAP authentication and user role information.

RADIUS supports IPv4 and IPv6 addresses, with no difference in functionality or configuration.

key WORD<0-20>

Specifies the shared secret key that you use for RADIUS authentication. The shared secret is held in common by the RADIUS server and all EAP-enabled devices in your network. It authenticates each device with the RADIUS server as an EAP access point. When you configure your RADIUS server, you must configure the same shared secret value as you specify here.