Cisco Systems IE 2000 RADIUS Login Authentication, Radius Method List, AAA Server Groups

12-15

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 12 Configuring Switch-Based Authentication

Information About Configuring Switch-Based Authentication

If two different host entries on the same RADIUS server are configured for the same service—for

example, accounting—the second host entry configured acts as a fail-over backup t o the first one. Using

this example, if the first host entry fails to provide accounting services, the %RADIUS-4-RADIUS_DEAD

message appears, and then the switch tries the second host entry configured on the same device for

accounting services. (The RADIUS host entries are tried in the order that they are configured.)

A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange

responses. To configure RADIUS to use the AAA security commands, you must specify the host running

the RADIUS server daemon and a secret text (key) string that it shares with the switch.

The timeout, retransmission, and encryption key values can be configured globally for all RADIUS

servers, on a per-server basis, or in some combination of global and per-server settings. To apply these

settings globally to all RADIUS servers communicating with the switch, use the three unique global

configuration commands: radius-server timeout, radius-server retransmit, and radius-server key. To

apply these values on a specific RADIUS server, use the radius-server host global configuration

command.

Note If you configure both global and per-server functions (timeout, retransm ission, and key commands) on

the switch, the per-server timer, retransmission, and key value commands override global timer,

retransmission, and key value commands. For information on configuring these sett ings on all RADIUS

servers, see the “Configuring Settings for All RADIUS Servers” section on page 12-37.

You can configure the switch to use AAA server groups to group existing server hosts for authentication.

For more information, see the “Defining AAA Server Groups” section on page 12-35.

RADIUS Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that

list to various ports. The method list defines the types of authentication to be performed and the sequence

in which they are performed; it must be applied to a specific port before any of the defined authentic ation

methods are performed. The only exception is the default method list (which, by coinc idence, is named

default). The default method list is automatically applied to all ports except those that have a named

method list explicitly defined.

Radius Method List

A method list defines the sequence and methods to be used to authenticate, to authoriz e, or to keep

accounts on a user. You can use method lists to designate one or more security protocol s to be used (such

as TACACS+ or local username lookup), which ensures a backup system if the initial method fails. The

software uses the first method listed to authenticate, to authorize, or to keep accounts on users. If that

method does not respond, the software selects the next method in the list. This process continues until

there is successful communication with a listed method or the method list is exhausted.

AAA Server Groups

You can configure the switch to use AAA server groups to group existing server hosts for authentication.

You select a subset of the configured server hosts and use them for a particular service. Th e server group

is used with a global server-host list, which lists the IP addresses of the selected server hosts.