Cisco Systems DOC-7814982 Configuring RADIUS

7-20

Catalyst 2950 Desktop Switch Software Configuration Guide

78-14982-01

Chapter 7 Administering the Switch

Controlling Switch Access with RADIUS

Configuring RADIUS

This se ctio n de scri bes how to c onfigure yo ur sw itch to su ppo rt R ADI US. At a mi nim um, y ou mus t

identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS

authentication. You can optionally define method lists for RADIUS authorization and accounting.

A metho d list defines th e seque nce and me thods to be used to auth entic ate, to authori ze, or to keep

accounts on a user. You can use method lists to designate one or more security protocols to be used (such

as TACACS+ or local username lookup), thus ensuring a backup system if the initial method fails. The

software uses the first method listed to authenticate, to authorize, or to keep accounts on users; if that

method does not respond, the software selects the next method in the list. This process continues until

there is successful communication with a listed method or the method list is exhausted.

You should hav e access to and should configure a RADIUS server before configuring RADIUS features

on your switch.

This se ctio n c onta ins thi s configu ratio n inf or mat ion:

•Default RAD IUS Configurat ion, pa ge 7-20

•Identif yi ng t he RA DIU S Ser ver Host , pa ge 7-2 0 (required)

•Configuring RAD IUS Lo gin A u then tic atio n, page 7 -23 (re quire d)

•Defining AAA Server Group s, page 7-25 (opti onal)

•Configuring RA DIUS Author iza tion f or Use r Privileged Acc ess and Networ k Ser vice s, pa ge 7-2 7

(optional)

•Startin g R ADI US A ccou nti ng, pa ge 7-2 8 ( optional)

•Configuring Se ttin gs for A ll RA DIUS Server s, page 7-29 (opt ional)

•Configuring t he Sw itch to U se Ve nd or-Specific RADI US Attr ibutes, page 7 -29 (opt iona l)

•Configuring the Switch for Vendor-Proprietary RADIUS Server Communication, page 7-30

(optional)

RADIUS and AAA are disabled by default.

To prevent a la pse i n secu rit y, you ca nn ot c on figure R ADI US thro ugh a n etwor k mana geme nt

application. When enabled, RADIUS can authenticate users accessing the switch through the CLI.

Switch-to-RADIUS-server communication involves several components:

•Host nam e or IP addr ess

•Authentication destination port

•Account ing destin ation port

•Key string

•Timeout period

•Retransmission value