Cisco Systems 2950 Controlling Switch Access with RADIUS

7-17

Catalyst2950 Desktop Switch Software Configuration Guide

78-11380-05

Chapter7 Administering the Swi tc h Controlling Switch Access with RADIUS

Controlling Switch Access with RADIUS

This section describes how to enable and configure the Remote Authentication Dial-In User Service

(RADIUS), which provides detailed accounting information and flexible administrative control over

authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only

through AAA commands.

Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS

Security Command Reference for Release 12.1.

This section contains this configuration information:

•Understanding RADIUS, page 7-17

•RADIUS Operation, page 7-18

•Configuring RADIUS, page 7-19

•Displaying the RADIUS Configuration, page 7-30

RADIUS is a distributed client/server system that secures networks against unauthorized access.

RADIUS clients run on supported Cisco routers and switches, including Catalyst 3550 multilayer

switches and Catalyst 2950 series switches. Clients send authentication requests to a central RADIUS

server, which contains all user authentication and n etwork serv ice access infor mation. The RADIUS host

is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access

Control Server version 3.0), Livingston, Merit, Microsoft, or another so ftware pr ovider. For more

information, refer to the RADIUS server documentation.

Use RADIUS in these network environments that require access security:

•Networks with multiple-vendor access servers, each supporting RADIUS. For example, access

servers from several vendors use a single RADIUS server-based security database. In an IP-based

network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS

server that has been customized to work with the Kerberos security sy stem .

•Turnkey network security environments in which applications support the RADIUS protocol , such

as in an access environment that uses a smart card access control system. In one case, RADIUS has

been used with Enigma’s security cards to validates users and to grant access to network resources.

•Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the

network. This might be the first step when you make a transition to a TACACS+ server. See

Figure 7-2 on page 7- 18.

•Network in which the user must only access a single service. Using RADIUS, yo u can control user

access to a single host, to a single utility such as Telnet, or to the network through a protocol such

as IEEE 802.1X. For more information about this protocol , see Cha pter 8, “Configuring 802.1X

Port-Based Authentication.”

•Networks that require resource accounting. You can use RADIUS accounting independently of

RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent

at the start and end of services, showing the amount of resource s (such as time, packets, bytes, and

so forth) used during the session. An Internet service provider might use a freeware-based version

of RADIUS access control and accounting software to meet special security and billing needs.