Cisco Systems, Inc. www.cisco.com
Configuring Switch-Based Authentication
Prerequisites for Configuring Switch-Based Authentication
If you configure an SDM template and then enter the show sdm prefer command, the template currently in use is displayed. You must enter the reload privileged EXEC command for your configured SDM template to take effect.
You should have access to, and should configure, a RADIUS server before configuring RADIUS features on your switch.
At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You can optionally define method lists for RADIUS authorization and accounting.
Restrictions for Configuring Switch-Based Authentication
To use the RADIUS CoA interface, a session must already exist on the switch. CoA can be used to identify a session and enforce a disconnect request. The update affects only the specified session.
To use Secure Shell, you must install the cryptographic (encrypted) software image on your switch. You must obtain authorization to use this feature and to download the cryptographic software files from Cisco.com. For more information, see the release notes for this release.
Information About Configuring Switch-Based Authentication
Prevention for Unauthorized Switch Access
You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network.
To prevent unauthorized access into your switch, you should configure one or more of these security features:
At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch.
For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information.
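The following IOS configuration is an added example, not taken from this guide, that ties together the prerequisites above: it identifies the RADIUS server host, defines method lists for login authentication (with the optional authorization and accounting lists), keeps a locally stored username with a privilege level as a fallback, and applies the lists to the vty lines. The server name RADIUS-1, the group name RADIUS-SERVERS, the address 192.0.2.10, the username admin and all secrets are assumed placeholders; the name-based radius server syntax is assumed to be available on the image in use (older images use the radius-server host form instead).

```cisco
! Turn on the AAA access control model (required before method lists exist)
aaa new-model
!
! Step 1: identify the host that runs the RADIUS server software
! (assumed placeholder address and shared secret; replace for your network)
radius server RADIUS-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Put the server in a named group so method lists can reference it
aaa group server radius RADIUS-SERVERS
 server name RADIUS-1
!
! Step 2: method list for RADIUS authentication.
! "local" is the fallback used only when no RADIUS server responds,
! so a server outage does not lock administrators out of the switch.
aaa authentication login VTY-LOGIN group RADIUS-SERVERS local
!
! Optional: method lists for RADIUS authorization and accounting
aaa authorization exec VTY-EXEC group RADIUS-SERVERS local
aaa accounting exec default start-stop group RADIUS-SERVERS
!
! Locally stored username/password pair with an assigned privilege level,
! used when the RADIUS group is unreachable (secret is hashed, not plaintext)
username admin privilege 15 secret REPLACE-WITH-LOCAL-SECRET
enable secret REPLACE-WITH-ENABLE-SECRET
!
! Step 3: assign the method lists to the lines administrators connect on
line vty 0 4
 login authentication VTY-LOGIN
 authorization exec VTY-EXEC
 transport input ssh
```

After applying it, the show aaa servers command reports whether the switch is reaching the RADIUS host, and a login attempt with the RADIUS server unreachable should still succeed only with the local credentials.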