Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 12 Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
You can use the aaa authorization global configuration command with the tacacs+ keyword to set
parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec tacacs+ local command sets these authorization parameters:
Use TACACS+ for privileged EXEC access authorization if authentication was performed by using
TACACS+.
Use the local database if authentication was not performed by using TACACS+.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has
been configured.

TACACS+ Accounting

The AAA accounting feature tracks the services that users are accessing and the amount of network
resources that they are consuming. When AAA accounting is enabled, the switch reports user activity to
the TACACS+ security server in the form of accounting records. Each accounting record contains
accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed
for network management, client billing, or auditing.
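The authorization and accounting method lists described in the two sections above, written out as running configuration. This is an added example, not configuration taken from the guide; the server address 192.0.2.10, the shared key and the method-list choices are placeholders that a deployment would replace. Two points the prose does not spell out: a later method in a list (here `local`) is consulted only when every earlier method returns an error, such as an unreachable server, not when a reachable TACACS+ server rejects the request; and command accounting at privilege level 15 sends an accounting record for every privileged command, which is what makes the records useful for auditing.

```cisco
! Added example configuration (assumed addresses and key), not from the guide.
aaa new-model
!
! TACACS+ server and shared key (placeholder values). The key only
! obfuscates the packet body, so keep the server on a management network.
tacacs-server host 192.0.2.10
tacacs-server key ExampleSharedKey
!
! Authenticate logins against TACACS+; fall back to the local user
! database only if no TACACS+ server answers.
aaa authentication login default group tacacs+ local
!
! Privileged EXEC authorization: ask TACACS+ when the session was
! authenticated by TACACS+, otherwise use the local database.
aaa authorization exec default group tacacs+ local
!
! Per-command authorization for privileged (level 15) commands.
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: a start and a stop record for each EXEC session and
! for each level-15 command, sent to the TACACS+ server as AV pairs.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! A local fallback account so the switch stays manageable if the
! TACACS+ server is down (password is a placeholder).
username admin privilege 15 secret ExampleLocalPassword
```

Verify the result with `show running-config | include aaa` and, after a test login, `show accounting` on the switch or the session records on the TACACS+ server.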
Switch Access with RADIUS
This section describes how to enable and configure RADIUS, which provides detailed accounting
information and flexible administrative control over authentication and authorization processes.
RADIUS is facilitated through AAA and can be enabled only through AAA commands.

RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access.
RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a
central RADIUS server, which contains all user authentication and network service access information.
The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco
Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or another software provider.
For more information, see the RADIUS server documentation.
Use RADIUS in these network environments that require access security:
Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
servers from several vendors use a single RADIUS server-based security database. In an IP-based
network with multiple vendors’ access servers, dial-in users are authenticated through a RADIUS
server that has been customized to work with the Kerberos security system.
Turnkey network security environments in which applications support the RADIUS protocol, such
as in an access environment that uses a smart card access control system. In one case, RADIUS has
been used with Enigma’s security cards to validate users and to grant access to network resources.
Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the
network. This might be the first step when you make a transition to a TACACS+ server.
Networks in which the user must only access a single service. Using RADIUS, you can control user
access to a single host, to a single utility such as Telnet, or to the network through a protocol such
as IEEE 802.1x. For more information about this protocol, see Chapter 13, “Configuring IEEE
802.1x Port-Based Authentication.”
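Because RADIUS can be turned on only through AAA, the minimum configuration is a RADIUS server definition plus AAA method lists that reference it. The following is an added example, not configuration from the guide; the server address 192.0.2.20 and the key are placeholders, and the IEEE 802.1x lines assume the port-based authentication of Chapter 13 is wanted for the single-service case in the last list item. The ports are given explicitly because the switch defaults to the legacy 1645/1646 ports while most current RADIUS servers listen on 1812/1813.

```cisco
! Added example configuration (assumed address and key), not from the guide.
aaa new-model
!
! RADIUS server, explicit standard ports and the shared secret
! (placeholder). The secret protects only the User-Password attribute,
! so restrict the path between switch and server.
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key ExampleRadiusKey
!
! Management logins: RADIUS first, local database if no server answers.
aaa authentication login default group radius local
!
! IEEE 802.1x port-based authentication and its RADIUS accounting.
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
! Apply 802.1x to an access port (interface name is an assumption).
interface FastEthernet1/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
```

Check reachability and the shared secret with `test aaa group radius <user> <password> new-code` before relying on the method lists; a secret mismatch shows up there as a reject or timeout rather than as a configuration error.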