Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter6 Administering the Switch
Controlling Switch Access with RADIUS
Understanding RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access.
RADIUS clients run on supported Cisco routers and switches (including Catalyst 3550 multilayer
switches and Catalyst 2950 series switches) and send authentication requests to a central RADIUS
server, which contains all user authentication and network service access information. The RADIUS host
is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access
Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more
information, refer to the RADIUS server documentation.
Use RADIUS in these network environments that require access security:
• Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
servers from several vendors use a single RADIUS server-based security database. In an IP-based
network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS
server that has been customized to work with the Kerberos security system.
• Turnkey network security environments in which applications support the RADIUS protocol, such
as in an access environment that uses a smart card access control system. In one case, RADIUS has
been used with Enigma’s security cards to validate users and to grant access to network resources.
• Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the
network. This might be the first step when you make a transition to a TACACS+ server.
• Networks in which the user must only access a single service. Using RADIUS, you can control user
access to a single host, to a single utility such as Telnet, or to the network through a protocol such
as IEEE 802.1X. For more information about this protocol, see Chapter 7, “Configuring 802.1X
Port-Based Authentication.”
• Networks that require resource accounting. You can use RADIUS accounting independently of
RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent
at the start and end of services, showing the amount of resources (such as time, packets, bytes, and
so forth) used during the session. An Internet service provider might use a freeware-based version
of RADIUS access control and accounting software to meet special security and billing needs.
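The following is an added example, not code from the Cisco guide, showing the client-to-server exchange described under Understanding RADIUS in its accounting form: how a RADIUS client (the switch) frames an Accounting-Request with Start and Stop records carrying session time, octet and packet counters, and how the server verifies the Request Authenticator with the shared secret before trusting the record. The packet layout and the authenticator formula follow RFC 2866; the shared secret, user name, session id and counter values are constructed sample data, and the attribute-name constants are defined here for the example.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4          # RADIUS code (RFC 2866)

# Attribute types used below (RFC 2865 / RFC 2866)
USER_NAME = 1
ACCT_STATUS_TYPE = 40
ACCT_INPUT_OCTETS = 42
ACCT_OUTPUT_OCTETS = 43
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46
ACCT_INPUT_PACKETS = 47
ACCT_OUTPUT_PACKETS = 48

STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}
INTEGER_ATTRS = {ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS,
                 ACCT_SESSION_TIME, ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS AVPs: type, length, value."""
    out = b""
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)      # 32-bit integer attribute
        elif isinstance(value, str):
            value = value.encode()               # text attribute
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_accounting_request(identifier, attrs, secret):
    """Client side: header, Request Authenticator, attributes.
    Authenticator = MD5(Code + Identifier + Length + 16 zero octets + attrs + secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + authenticator + body


def parse_attrs(body):
    """Walk the AVP list defensively; a bad length raises instead of looping."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 3 or i + length > len(body):
            raise ValueError("bad attribute length")
        value = body[i + 2:i + length]
        if attr_type in INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError("integer attribute must be 4 octets")
            value = struct.unpack("!I", value)[0]
        else:
            value = value.decode("utf-8", errors="replace")
        attrs[attr_type] = value
        i += length
    return attrs


def verify_accounting_request(packet, secret):
    """Server side: accept the record only if it was built with the shared secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def summarize_accounting(packet, secret):
    """Return the session record a server would log, or None if verification fails."""
    if not verify_accounting_request(packet, secret):
        return None
    attrs = parse_attrs(packet[20:])
    return {
        "status": STATUS_NAMES.get(attrs.get(ACCT_STATUS_TYPE), "Unknown"),
        "user": attrs.get(USER_NAME),
        "session_id": attrs.get(ACCT_SESSION_ID),
        "seconds": attrs.get(ACCT_SESSION_TIME, 0),
        "octets_in": attrs.get(ACCT_INPUT_OCTETS, 0),
        "octets_out": attrs.get(ACCT_OUTPUT_OCTETS, 0),
        "packets_in": attrs.get(ACCT_INPUT_PACKETS, 0),
        "packets_out": attrs.get(ACCT_OUTPUT_PACKETS, 0),
    }


# Constructed sample session (not captured traffic): a Start record at login and a
# Stop record at logout, as a switch would emit them for user "jdoe".
SECRET = b"example-shared-secret"   # placeholder secret for the example only
START_PACKET = build_accounting_request(7, [
    (USER_NAME, "jdoe"), (ACCT_SESSION_ID, "0000001A"), (ACCT_STATUS_TYPE, 1)], SECRET)
STOP_PACKET = build_accounting_request(8, [
    (USER_NAME, "jdoe"), (ACCT_SESSION_ID, "0000001A"), (ACCT_STATUS_TYPE, 2),
    (ACCT_SESSION_TIME, 3600), (ACCT_INPUT_OCTETS, 123456), (ACCT_OUTPUT_OCTETS, 654321),
    (ACCT_INPUT_PACKETS, 1000), (ACCT_OUTPUT_PACKETS, 900)], SECRET)

if __name__ == "__main__":
    print(summarize_accounting(START_PACKET, SECRET))
    print(summarize_accounting(STOP_PACKET, SECRET))
    forged = STOP_PACKET[:-1] + bytes([STOP_PACKET[-1] ^ 0x01])  # one flipped bit
    print(summarize_accounting(forged, SECRET))                 # None: rejected
    print(summarize_accounting(STOP_PACKET, b"wrong-secret"))   # None: rejected
```

The Stop record is where the billing and usage figures the text mentions (time, packets, bytes) arrive; the Start record carries none of them, so the summary reports zeros for it. Because the authenticator is keyed only by the shared secret, a record from a host that does not hold that secret, or one altered in transit, fails the check and is dropped rather than logged.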
RADIUS is not suitable in these network security situations:
• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA),
NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or
X.25 PAD connections.
• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication.
RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device
requires authentication.
• Networks using a variety of services. RADIUS generally binds a user to one service model.