CHAPTER 9

Configuring Switch-Based Authentication

This chapter describes how to configure switch-based authentication on the Catalyst 3750-E or 3560-E switch. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.

This chapter consists of these sections:

Preventing Unauthorized Access to Your Switch, page 9-1

Protecting Access to Privileged EXEC Commands, page 9-2

Controlling Switch Access with TACACS+, page 9-10

Controlling Switch Access with RADIUS, page 9-17

Controlling Switch Access with Kerberos, page 9-31

Configuring the Switch for Local Authentication and Authorization, page 9-36

Configuring the Switch for Secure Shell, page 9-37

Configuring the Switch for Secure Socket Layer HTTP, page 9-42

Configuring the Switch for Secure Copy Protocol, page 9-48

Preventing Unauthorized Access to Your Switch

You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network.

To prevent unauthorized access into your switch, you should configure one or more of these security features:

At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch. For more information, see the “Protecting Access to Privileged EXEC Commands” section on page 9-2.

For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair. For more information, see the “Configuring Username and Password Pairs” section on page 9-6.
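The two features above (a password on each line, and locally stored username and password pairs with privilege levels) can be checked in a saved configuration. The following is an added example, not part of the Cisco guide: a short Python audit that reports, for each line block, which of the two mechanisms is in effect. It assumes the usual IOS running-config layout (line, password, login, login local, username ... privilege), assumes AAA is not enabled, and uses a constructed sample configuration with placeholder secrets.

```python
import re

# Constructed sample running-config (not from the guide); secrets are placeholders.
SAMPLE_CONFIG = """\
username admin privilege 15 secret 5 HASH-PLACEHOLDER
username operator secret 5 HASH-PLACEHOLDER
!
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 login local
line vty 5 15
 no login
"""

def audit_access(config):
    """Return ({username: privilege}, {line: finding}) for a running-config text."""
    users, blocks, current = {}, {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:      # sub-command of a line block
            cmd = raw.strip()
            if cmd.startswith("password "):
                blocks[current]["password"] = True
            elif cmd in ("login", "login local", "no login"):
                blocks[current]["login"] = cmd
            continue
        current = None                           # any top-level command ends the block
        user = re.match(r"username (\S+)(?: privilege (\d+))?", raw)
        if user:
            # Assumption: a username with no explicit level gets privilege level 1.
            users[user.group(1)] = int(user.group(2) or 1)
        elif raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = {"password": False, "login": None}
    findings = {}
    for name, b in blocks.items():
        if b["login"] == "login local":          # per-user authentication
            findings[name] = "local usernames" if users else "login local but no usernames defined"
        elif b["login"] == "login" and b["password"]:
            findings[name] = "line password"     # shared password on the line
        else:
            findings[name] = "no line password or local login in effect"
    return users, findings

if __name__ == "__main__":
    found_users, found_lines = audit_access(SAMPLE_CONFIG)
    for line, finding in found_lines.items():
        print(f"line {line}: {finding}")
    for name, level in found_users.items():
        print(f"user {name}: privilege {level}")
```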

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

 

OL-9775-02
