12-15
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 12 Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
If two different host entries on the same RADIUS server are configured for the same service—for
example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using
this example, if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD
message appears, and then the switch tries the second host entry configured on the same device for
accounting services. (The RADIUS host entries are tried in the order that they are configured.)
A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange
responses. To configure RADIUS to use the AAA security commands, you must specify the host running
the RADIUS server daemon and a secret text (key) string that it shares with the switch.
The timeout, retransmission, and encryption key values can be configured globally for all RADIUS
servers, on a per-server basis, or in some combination of global and per-server settings. To apply these
settings globally to all RADIUS servers communicating with the switch, use the three unique global
configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To
apply these values on a specific RADIUS server, use the radius-server host global configuration
command.
Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on
the switch, the per-server timer, retransmission, and key value commands override global timer,
retransmission, and key value commands. For information on configuring these settings on all RADIUS
servers, see the “Configuring Settings for All RADIUS Servers” section on page 12-37.
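The override and ordering rules described above, as an added example that is not part of the guide: a small resolver that reads a constructed IOS configuration fragment and reports the timeout, retransmit count, and key the switch would actually use for each RADIUS host, in the order the hosts were configured (the fail-over order for a given service). The per-host option keywords (auth-port, acct-port, timeout, retransmit, key) and the fall-back defaults of 5 seconds and 3 retransmissions are assumptions about IOS syntax, not taken from this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed IOS configuration fragment (sample values, not from the guide).
# Global lines set values for every server; options on a "radius-server host"
# line override them for that server only.
SAMPLE_CONFIG = """\
radius-server timeout 5
radius-server retransmit 3
radius-server key GlobalSecret
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 timeout 10 key Backup1
radius-server host 10.0.0.12 retransmit 1
"""

@dataclass
class RadiusHost:
    address: str
    timeout: int
    retransmit: int
    key: Optional[str]

# Per-host options that can override the global values (assumed IOS keywords).
_HOST_OPT = re.compile(r"\b(timeout|retransmit|key)\s+(\S+)")

def effective_radius_hosts(config: str) -> list[RadiusHost]:
    """Resolve each radius-server host to the settings the switch would use.

    Per-server values override global ones regardless of line order; hosts are
    returned in configured order, which is the order the switch tries them.
    """
    glob = {"timeout": 5, "retransmit": 3, "key": None}  # assumed IOS defaults
    lines = [l.split() for l in config.splitlines() if l.startswith("radius-server ")]
    for parts in lines:                                   # pass 1: global settings
        if len(parts) >= 3 and parts[1] in glob:
            glob[parts[1]] = parts[2] if parts[1] == "key" else int(parts[2])
    hosts: list[RadiusHost] = []
    for parts in lines:                                   # pass 2: per-server entries
        if len(parts) >= 3 and parts[1] == "host":
            opts = dict(glob)
            for name, value in _HOST_OPT.findall(" ".join(parts[3:])):
                opts[name] = value if name == "key" else int(value)
            hosts.append(RadiusHost(parts[2], opts["timeout"], opts["retransmit"], opts["key"]))
    return hosts

def hosts_without_key(hosts: list[RadiusHost]) -> list[str]:
    """Hosts with no shared secret, globally or per-server: the exchange is unprotected."""
    return [h.address for h in hosts if not h.key]
```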
You can configure the switch to use AAA server groups to group existing server hosts for authentication.
For more information, see the “Defining AAA Server Groups” section on page 12-35.
RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that
list to various ports. The method list defines the types of authentication to be performed and the sequence
in which they are performed; it must be applied to a specific port before any of the defined authentication
methods are performed. The only exception is the default method list (which, by coincidence, is named
default). The default method list is automatically applied to all ports except those that have a named
method list explicitly defined.
Radius Method List
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep
accounts on a user. You can use method lists to designate one or more security protocols to be used (such
as TACACS+ or local username lookup), which ensures a backup system if the initial method fails. The
software uses the first method listed to authenticate, to authorize, or to keep accounts on users. If that
method does not respond, the software selects the next method in the list. This process continues until
there is successful communication with a listed method or the method list is exhausted.
AAA Server Groups
You can configure the switch to use AAA server groups to group existing server hosts for authentication.
You select a subset of the configured server hosts and use them for a particular service. The server group
is used with a global server-host list, which lists the IP addresses of the selected server hosts.