9-27
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
OL-26520-01
Chapter 9 Configuring Switch-Based Authentication
Controlling Switch Access with RADIUS
• Defining AAA Server Groups, page 9-32 (optional)
• Configuring RADIUS Authorization for User Privileged Access and Network Services, page 9-34
(optional)
• Starting RADIUS Accounting, page 9-35 (optional)
• Configuring Settings for All RADIUS Servers, page 9-36 (optional)
• Configuring the Switch to Use Vendor-Specific RADIUS Attributes, page 9-37 (optional)
• Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 9-38
(optional)
• Configuring CoA on the Switch, page 9-39
• Monitoring and Troubleshooting CoA Functionality, page 9-40
• Configuring RADIUS Server Load Balancing, page 9-40 (optional)
Default RADIUS Configuration
RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management
application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.
Identifying the RADIUS Server Host
Switch-to-RADIUS-server communication involves several components:
• Hostname or IP address
• Authentication destination port
• Accounting destination port
• Key string
• Timeout period
• Retransmission value
You identify RADIUS security servers by their hostname or IP address, hostname and specific UDP port
numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the
UDP port number creates a unique identifier, allowing different ports to be individually defined as
RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be
sent to multiple UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—for
example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using
this example, if the first host entry fails to provide accounting services, the
%RADIUS-4-RADIUS_DEAD
message appears, and then the switch tries the second host entry configured on the same device for
accounting services. (The RADIUS host entries are tried in the order that they are configured.)
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange
responses. To configure RADIUS to use the AAA security commands, you must specify the host running
the RADIUS server daemon and a secret text (key) string that it shares with the switch.
The timeout, retransmission, and encryption key values can be configured globally for all RADIUS
servers, on a per-server basis, or in some combination of global and per-server settings. To apply these
settings globally to all RADIUS servers communicating with the switch, use the three unique global
To Next Page
Loading...
Need help?
General
