7-18
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 7 Administering the Switch

Controlling Switch Access with RADIUS

This section describes how to enable and configure the Remote Authentication Dial-In User Service
(RADIUS), which provides detailed accounting information and flexible administrative control over
authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only
through AAA commands.

Note For complete syntax and usage information for the commands used in this section, refer to the Cisco IOS
Security Command Reference for Release 12.1.

This section contains this configuration information:
Understanding RADIUS, page 7-18
RADIUS Operation, page 7-19
Configuring RADIUS, page 7-20
Displaying the RADIUS Configuration, page 7-31

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access.
RADIUS clients run on supported Cisco routers and switches, including Catalyst 3550 multilayer
switches and Catalyst 2950 series switches. Clients send authentication requests to a central RADIUS
server, which contains all user authentication and network service access information. The RADIUS host
is normally a multiuser system running RADIUS server software from Cisco (Cisco Secure Access
Control Server version 3.0), Livingston, Merit, Microsoft, or another software provider. For more
information, refer to the RADIUS server documentation.
Use RADIUS in these network environments that require access security:

Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
servers from several vendors use a single RADIUS server-based security database. In an IP-based
network with multiple-vendor access servers, dial-in users are authenticated through a RADIUS
server that has been customized to work with the Kerberos security system.

Turnkey network security environments in which applications support the RADIUS protocol, such
as in an access environment that uses a smart card access control system. In one case, RADIUS has
been used with Enigma's security cards to validate users and to grant access to network resources.

Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the
network. This might be the first step when you make a transition to a TACACS+ server. See
Figure 7-2 on page 7-19.

Networks in which the user must only access a single service. Using RADIUS, you can control user
access to a single host, to a single utility such as Telnet, or to the network through a protocol such
as IEEE 802.1X. For more information about this protocol, see Chapter 8, Configuring 802.1X
Port-Based Authentication.

Networks that require resource accounting. You can use RADIUS accounting independently of
RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent
at the start and end of services, showing the amount of resources (such as time, packets, bytes, and
so forth) used during the session. An Internet service provider might use a freeware-based version
of RADIUS access control and accounting software to meet special security and billing needs.
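The client/server exchange described under Understanding RADIUS and the start/stop accounting records described in the last item above, worked through as an added example that is not part of this guide and not Cisco code. It simulates both sides offline in Python: the switch (RADIUS client) builds an Access-Request with the User-Password hidden under the shared secret and a random Request Authenticator, the server answers with an Access-Accept or Access-Reject whose Response Authenticator the client verifies, and an Accounting-Request carries the Start/Stop status and usage counters with the authenticator defined in RFC 2866. The packet layout, hiding scheme and authenticator formulas follow RFC 2865/2866; the user database, NAS address, secret and session values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Packet codes from RFC 2865 (authentication) and RFC 2866 (accounting).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST = 4
# Attribute types used in this example.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
ACCT_START, ACCT_STOP = 1, 2

def encode_attrs(attrs):
    """Serialize [(type, value_bytes)] as Type/Length/Value triplets."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out

def decode_attrs(data):
    """Parse TLV triplets, rejecting a length that would run past the packet."""
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block); only obfuscation."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def make_access_request(ident, user, password, secret, req_auth=None):
    """Client (switch) side: fresh random Request Authenticator, password hidden under it."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]  # constructed NAS address
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle_access(pkt, secret, user_db):
    """Toy server: Access-Accept only if the revealed password matches the user database."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    ok = (code == ACCESS_REQUEST and a.get(USER_NAME) in user_db and hmac.compare_digest(
        reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth), user_db[a[USER_NAME]]))
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(resp_code, ident, response_authenticator(resp_code, ident, req_auth, [], secret), [])

def client_check_response(resp, req_pkt, secret):
    """Client side: accept a reply only if its Response Authenticator is valid for this request."""
    code, ident, resp_auth, attrs = parse_packet(resp)
    _, req_ident, req_auth, _ = parse_packet(req_pkt)
    if ident != req_ident:
        return None
    if not hmac.compare_digest(response_authenticator(code, ident, req_auth, attrs, secret), resp_auth):
        return None
    return code

def make_accounting_request(ident, session_id, status, secret, seconds=0, in_octets=0, out_octets=0):
    """Accounting-Request (RFC 2866): authenticator is MD5 over the packet with a zeroed authenticator field."""
    attrs = [(ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, session_id)]
    if status == ACCT_STOP:  # usage counters are reported when the session ends
        attrs += [(ACCT_SESSION_TIME, struct.pack("!I", seconds)),
                  (ACCT_INPUT_OCTETS, struct.pack("!I", in_octets)),
                  (ACCT_OUTPUT_OCTETS, struct.pack("!I", out_octets))]
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + b"\x00" * 16 + body + secret).digest() + body

def verify_accounting_request(pkt, secret):
    """Server side: recompute the accounting authenticator; returns the attributes as a dict, or None."""
    code, ident, auth, attrs = parse_packet(pkt)
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    if code != ACCOUNTING_REQUEST or not hmac.compare_digest(expected, auth):
        return None
    return dict(attrs)
```

Two points the exchange makes visible: the Response Authenticator is what lets the switch reject a reply produced without the shared secret (or replayed for a different request identifier), and the User-Password hiding is an MD5-keystream XOR, which is why the secret's strength and the transport path between switch and server matter more than the hiding itself.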