Step 1
|
enable
|
Enables privileged EXEC mode.
|
Step 2
|
configure
terminal
Router# configure terminal
|
Enters global configuration mode.
|
Step 3
|
service
dhcp
Router(config)# service dhcp
|
Enables DHCP server and relay agent features on the router. By default, these features are enabled on the router.
|
Step 4
|
aaa new-model
Router(config)# aaa new-model
|
Enables the authentication, authorization, and accounting (AAA) access control system.
|
Step 5
|
aaa
group
server
radius
group-name
Router(config)# aaa group server radius group1
|
Specifies the name of the server host list to group RADIUS server hosts. Enters server-group configuration mode.
group-name
--Character string to name the server group. The following words cannot be used as group name:
-
auth-guest
-
enable
-
guest
-
if-authenticated
-
if-needed
-
krb5
-
krb-instance
-
krb-telnet
-
line
-
local
-
none
-
radius
-
rcmd
-
tacacs
-
tacacsplus
|
Step 6
|
server
ip-address
[auth-port port-number ] [acct-port port-number ]
Router(config-sg)# server 10.1.1.1 auth-port 1700 acct-port 1701
|
Specifies
the
IP
address
of
the
RADIUS
server
host
for
the
defined
server
group.
Repeat
this
command
for
each
RADIUS
server
host
to
associate
with
the
server
group.
-
ip-address--
IP address of the RADIUS server host.
-
auth-port
port-number--
(Optional) Specifies the UDP destination port for authentication requests. Default value is 1645.
-
acct-port
port-number--
(Optional) Specifies the UDP destination port for accounting requests. Default value is 1646.
|
Step 7
|
exit
|
Exits server-group configuration mode.
|
Step 8
|
aaa
authorization
network
method-list-name
group
group-name
Router(config)# aaa authorization network auth1 group group1
|
Specifies the methods list and server group for DHCP authorization.
-
method-list-name
--Character string to name the authorization methods list.
-
group
--Specifies a server group.
-
group-name
--Name of the server group to apply to DHCP authorization.
|
Step 9
|
aaa
accounting
network
method-list-name
start-stop
group
group-name
Router(config)# aaa accounting network acct1 start-stop group group1
|
Specifies that AAA accounting runs for all network service requests.
-
method-list-name
--Character string to name the accounting methods list.
-
start-stop
--Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The
start accounting record is sent in the background. The requested user process begins regardless of whether or not the start
accounting notice is received by the accounting server.
-
group
--Specifies a server group.
-
group-name
--Name of the server group to apply to DHCP accounting.
|
Step 10
|
ip
dhcp
pool
name
Router(config)# ip dhcp pool pool1
|
Specifies a name for the DHCP server address pool. Enters DHCP pool configuration mode.
|
Step 11
|
accounting
method-list-name
Router(config-dhcp)# accounting acct1
|
|
Step 12
|
authorization
method
method-list-name
Router(config-dhcp)# authorization method auth1
|
Enables DHCP authorization.
|
Step 13
|
authorization
shared-password
password
Router(config-dhcp)# authorization shared-password cisco
|
Specifies the password that is configured in the RADIUS user profile.
|
Step 14
|
authorization
username
string
Router(config-dhcp)# authorization username %%c-user1
|
Specifies the parameters that RADIUS sends to a DHCP server when downloading configuration information for a DHCP client.
The string command argument contains the following formatting characters to insert DHCP client information:
-
%c-
--Ethernet address of the DHCP client (chaddr field)
-
%i-
--Inner VLAN ID from the DHCP relay information (option 82)
-
%o---Outer VLAN ID from the DHCP relay information (option 82)
-
%p
--Port number from the DHCP relay information (option 82)
-
%g
--Gateway address of the DHCP relay agent (giaddr field)
-
%%
--Transmits the percent sign (%) character in the string sent to the RADIUS server
Note
|
The percent (%) is a marker to insert the DHCP client information associated with the specified character. The % is not sent
to the RADIUS server unless you specify the %% character.
|
|
Step 15
|
exit
Router(config-dhcp)# exit
|
Exits DHCP pool configuration mode.
|
Step 16
|
interface
type
slot
/
subslot
/
port
[. subinterface ]
Router(config)# interface ethernet 1/10.0
|
Configures an interface or subinterface that allows the DHCP client to obtain an IP address from the DHCP server. Enters interface
or subinterface configuration mode.
|
Step 17
|
encapsulation
dot1q
vlan-id
second-dot1q
{any | vlan-id [, vlan-id [- vlan-id ]]}
Router(config-subif)# encapsulation dot1q 100 second-dot1q 200
|
(Optional) Enables IEEE 802.1Q encapsulation of traffic on a subinterface in a virtual LAN (VLAN).
-
vlan-id
--VLAN ID, integer in the range 1 to 4094. To separate the starting and ending VLAN ID values that are used to define a range
of VLAN IDs, enter a hyphen. (Optional) To separate each VLAN ID range from the next range, enter a comma.
-
second-dot1q--Supports the IEEE 802.1Q-in-Q VLAN Tag Termination feature to configure an inner VLAN ID.
-
any
--Any second tag in the range 1 to 4094.
|
Step 18
|
ip
address
address
mask
Router(config-if)# ip address 192.168.1.1 255.255.255.0
|
Specifies an IP address for an interface or subinterface.
|
Step 19
|
no shutdown
Router(config-if)# no shutdown
|
Enables the interface or subinterface.
|
Step 20
|
radius-server
host
ip-address
[auth-port port-number ] [acct-port port-number ]
Router(config)# radius-server host 10.1.1.1
|
Specifies a RADIUS server host.
-
ip-address
is the IP address of the RADIUS server host.
-
auth-port
port-number--
(Optional) Specifies the UDP destination port for authentication requests. Default value is 1645.
-
acct-port
port-number--
(Optional) Specifies the UDP destination port for accounting requests. Default value is 1646.
|
Step 21
|
radius-server
key
{0 string | 7 string | string }
Router(config)# radius-server key cisco
|
Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon.
Note
|
Any key you enter must match the key on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end
of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are
part of the key.
|
|
Step 22
|
exit
|
Exits global configuration mode.
|