Chapter 9 Configuring Switch-Based Authentication


Note: A Kerberos server can be a Catalyst 3750-E or 3560-E switch that is configured as a network security server and that can authenticate users by using the Kerberos protocol.

To set up a Kerberos-authenticated server-client system, follow these steps:

- Configure the KDC by using Kerberos commands.
- Configure the switch to use the Kerberos protocol.

For instructions, see the “Kerberos Configuration Task List” section in the “Security Server Protocols” chapter of the Cisco IOS Security Configuration Guide, Release 12.2, at this URL:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ad.html#1001027

Configuring the Switch for Local Authentication and Authorization

You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. The switch then handles authentication and authorization. No accounting is available in this configuration.

Beginning in privileged EXEC mode, follow these steps to configure the switch for local AAA:

| Step | Command | Purpose |
|------|---------|---------|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | aaa new-model | Enable AAA. |
| Step 3 | aaa authentication login default local | Set the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports. |
| Step 4 | aaa authorization exec local | Configure user AAA authorization, check the local database, and allow the user to run an EXEC shell. |
| Step 5 | aaa authorization network local | Configure user AAA authorization for all network-related service requests. |
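One way to check a saved running-config against Steps 2 through 5 above, written as an added example that is not part of the Cisco guide. The function name, the sample configurations, and the optional method-list name accepted by the patterns are assumptions made for this example. It also flags the case where login points at the local database but no `username` entry exists.

```python
import re

# Steps 2-5 of the procedure above, as patterns over running-config lines.
# Assumption: a method-list name such as "default" may appear between the
# service keyword and "local" in the stored configuration, so it is optional.
REQUIRED = {
    "aaa new-model": r"aaa new-model",
    "aaa authentication login default local":
        r"aaa authentication login default local",
    "aaa authorization exec local": r"aaa authorization exec (\S+ )?local",
    "aaa authorization network local":
        r"aaa authorization network (\S+ )?local",
}
USERNAME = re.compile(r"username (\S+) ")

# Constructed sample configurations (not taken from a real device).
SAMPLE_OK = """\
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
username netadmin privilege 15 secret 5 $1$EXAMPLE$constructedplaceholder
"""
SAMPLE_BAD = """\
aaa new-model
aaa authentication login default local
aaa authorization exec default local
line vty 0 4
 transport input ssh
"""

def audit_local_aaa(running_config):
    """Return (missing_commands, local_users, findings) for a config text."""
    # Global commands start in column 0; skip blanks, "!" and sub-mode lines.
    lines = [l.rstrip() for l in running_config.splitlines()
             if l and not l.startswith(("!", " "))]
    missing = [name for name, pat in REQUIRED.items()
               if not any(re.fullmatch(pat, l) for l in lines)]
    users = [m.group(1) for m in map(USERNAME.match, lines) if m]
    findings = [f"missing: {name}" for name in missing]
    # Local mode has no server to fall back on: with login pointed at the
    # local database and no local user defined, nobody can log in.
    if "aaa authentication login default local" not in missing and not users:
        findings.append("login uses local database but no username is defined")
    return missing, users, findings

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit_local_aaa(cfg)[2])
```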

 

 

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

OL-9775-02