In the last post in this series, we took a look at the configuration of the AAA method lists and other fun AAA requirements. These point to a RADIUS server (or group thereof). This should logically make you think of the RADIUS server setup itself. Let’s tackle the most likely commands for the lab exam now. Once again, be ready to be flexible at the command line and meet the requirements of your specific lab task. Context sensitive help can obviously be your best friend.
The RADIUS Commands
- radius-server attribute 6 on-for-login-auth – this command ensures the Service-Type attribute (attribute 6) is sent in authentication packets; this is a requirement for ISE functionality
- radius-server attribute 8 in-access-request – another requirement for ISE, this command sends the IP address of a user to the RADIUS server in the access request
- radius-server attribute 25 access-request include – this requirement for ISE includes the class attribute in the access-request
NOTE: These commands might seem impossible to remember, but just focus on 6, 8, and 25 and remember to use context sensitive help for the keywords that follow.
- radius-server host <Cisco_ISE_IP_address> auth-port 1812 acct-port 1813 key 0 <RADIUS-KEY> – this command provides the IP address of the ISE and the RFC-standard ports
- radius-server vsa send accounting – this permits the ISE to recognize and use vendor specific attributes for accounting
- radius-server vsa send authentication – this permits the ISE to recognize and use vendor specific attributes for authentication
- ip radius source-interface <if_name> – sets the source for RADIUS packets
Once again we see there are a bit more commands in this section than we might expect or are used to. Remember, with practice, these will come easy, especially when we understand their meaning and purpose. It is worth mentioning again how much context sensitive help can be your friend.