RADIUS Bypass/Authorize/Unauthorize On Cisco Switch Interface

edledge Cisco logo

Scenario:
Switch: Cisco 2960, 3650, etc
Server: Radius Server 2012, 2016, 2019
Description: In this article, we will discuss a stepwise method of how to bypass or authorize or unauthorize an interface of the Cisco switch. This configuration is valid for other Cisco switch models as well.

RADIUS is an authentication method that can be configured on the Cisco Switch to manage the client authentication. Radius configuration on Cisco switch provides an additional layer of security. It is always recommended to have redundancy in the network infrastructure to avoid any downtime. Hence RADIUS Fail-over Configuration on Cisco Switches is also possible and recommended.

The general configuration of an interface is shown below where the radius is configured as auto.

interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 100
power inline auto max 15400
srr-queue bandwidth share 10 20 25 5
priority-queue out
authentication event fail action authorize vlan 200
authentication event no-response action authorize vlan 200
authentication host-mode multi-host
authentication port-control auto
authentication periodic
authentication timer reauthenticate 120
authentication timer inactivity 60
mab eap
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
nmsp attachment suppress
end

Knowledge_Check_Cisco_01

1 / 5

What are the two types of packet capture in Cisco ASA?

2 / 5

What is the default buffer size of Cisco ASA PCAP?

3 / 5

How many interfaces in Cisco ASA can have same route map?

4 / 5

Does Cisco ASA supports PPPoE link?

5 / 5

How many 10 Gig ports are available in Cisco 5508-X ASA?

Your score is

The average score is 60%

0%

Bypass or Remove RADIUS Authentication

In this section, we will discuss how to “Bypass RADIUS Authentication” on a switch interface. Considering here the switch port is configured with default Radius configuration as shown below.

Step1: Login
Login into the switch and navigate to configuration mode.

login as: edledge
Using keyboard-interactive authentication.
Password:edlege.com

edledge-switch>en
Password:edledge.com
edledge-switch#
edledge-switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
edledge-switch(config)#

Step2: Remove Radius Config
Bypass or remove the RADIUS configuration using the command shown below.

edledge-switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
edledge-switch(config)#int gig 1/0/1
edledge-switch(config-if)#no authentication port-control
edledge-switch(config-if)#exit
edledge-switch(config)#

Force Authorize RADIUS Authentication

In this section, we will discuss how to “Force Authorize RADIUS Authentication” on a switch interface. Considering here the switch port is configured with default Radius configuration as shown above.

edledge-switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
edledge-switch(config)#int gig 1/0/1
edledge-switch(config-if)#switchport access vlan 5
edledge-switch(config-if)#authentication port-control force-authorized
edledge-switch(config-if)#exit
edledge-switch(config)#

Force Unauthorize RADIUS Authentication

In this section, we will discuss how to “Force unauthorize RADIUS Authentication” on an interface. Considering here the switch port is configured with default Radius configuration as shown above.

edledge-switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
edledge-switch(config)#int gig 1/0/1
edledge-switch(config-if)#authentication port-control force-unauthorized
edledge-switch(config-if)#exit
edledge-switch(config)#

Auto RADIUS Authentication

In this section, we will discuss how to “auto Authorize RADIUS Authentication” on a switch interface. Considering here the switch port is configured with default Radius configuration as shown above.

edledge-switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
edledge-switch(config)#int gig 1/0/1
edledge-switch(config-if)#authentication port-control auto
edledge-switch(config-if)#exit
edledge-switch(config)#

Using the above methods we can change the RADIUS authentication as per our requirement.

RADIUS is considered to be one of the good options to maintain the authentication of clients and improve security. RADIUS configuration on Ubiquiti Unifi is also easy and useful. Refer to the attached article if you are looking to change the SSH version of Cisco Switch. Also if you are looking to upgrade the firmware of the cisco switch or if the firmware upgrade of cisco switch is failing.

Source: Cisco, Lab, Knowledge Base

EA00081

Leave a Reply

Your email address will not be published. Required fields are marked *