Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 27 RADIUS and TACACS+
In general, server group, local, and none are the three options that can be specified for any service in an AAA configuration. Each option is tried in the order specified. If all the methods fail, local is tried.

Note Even if local is not specified as one of the options, it is tried when all other configured options fail. When RADIUS times out, local login is always attempted. For this local login to be successful, a local account for the user with the same password must exist, and the RADIUS timeout and retries must take less than 40 seconds in total. The user is authenticated if the username and password exist in the local authentication configuration.
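The method-list walk and the 40-second local fallback window described above, as an added example (this is not Cisco code): the worst-case wait model (timeout × (retries + 1) per server, summed over the servers in the group), the `verdict` field and the `RadiusServer`/`authenticate` names are assumptions of this example, not settings from the guide.

```python
from dataclasses import dataclass
from typing import Optional

MAX_RETRIES = 5               # maximum retries per server (from the guide)
LOCAL_FALLBACK_WINDOW = 40    # seconds; local login must be reachable within this


@dataclass
class RadiusServer:
    host: str
    timeout: int                    # seconds per attempt
    retries: int = 1                # default is one retry (from the guide)
    verdict: Optional[str] = None   # constructed: "accept", "reject", or None (no reply)


def worst_case_wait(servers):
    """Assumed model: each server is tried (retries + 1) times, in sequence,
    and every attempt can wait up to its full timeout."""
    return sum(s.timeout * (s.retries + 1) for s in servers)


def validate_group(servers):
    """Return a list of configuration problems (empty means the group is OK)."""
    problems = [f"{s.host}: retries {s.retries} exceeds max {MAX_RETRIES}"
                for s in servers if s.retries > MAX_RETRIES]
    wait = worst_case_wait(servers)
    if wait >= LOCAL_FALLBACK_WINDOW:
        problems.append(f"worst-case RADIUS wait {wait}s is not under "
                        f"{LOCAL_FALLBACK_WINDOW}s; local fallback may never be reached")
    return problems


def query_group(servers):
    """The first server that replies decides; None means every server timed out."""
    for s in servers:
        if s.verdict is not None:
            return s.verdict
    return None


def authenticate(methods, groups, local_users, username, password):
    """Walk the method list in order. A group that replies is authoritative;
    a group that times out falls through to the next method. 'local' is
    tried last even when it is not listed. Returns (accepted, deciding_method)."""
    def local_check():
        return local_users.get(username) == password
    for m in methods:
        if m == "none":
            return True, "none"
        if m == "local":
            return local_check(), "local"
        verdict = query_group(groups[m])
        if verdict is not None:
            return verdict == "accept", m
    return local_check(), "local (implicit fallback)"
```

Run `validate_group` against each server group before relying on local fallback; a group whose worst-case wait reaches the 40-second window leaves no time for the local attempt.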
Configuring RADIUS
Cisco MDS 9000 Family switches can use the RADIUS protocol to communicate with remote AAA servers. You can configure multiple RADIUS servers and server groups and set timeout and retry counts. This section defines the RADIUS operation, identifies its network environments, and describes its configuration possibilities.

RADIUS is a distributed client/server protocol that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco MDS 9000 Family switches and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
Note Most tabs in the Information pane for features using CFS are dimmed until you click the CFS tab. The CFS tab shows which switches have CFS enabled and shows the master switch for this feature. Once the CFS tab is clicked, the other Information pane tabs that use CFS are activated.
Setting the RADIUS Server for Authentication and Accounting
You can add up to 64 RADIUS servers in Cisco MDS SAN-OS or up to five RADIUS servers in Cisco FabricWare. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays encrypted keys.

By default, a switch retries a RADIUS server only once. This number can be configured. The maximum is five retries per server.
To add a RADIUS server, follow these steps:
Step 1 Choose Switches > Security > AAA in Fabric Manager or choose Security > AAA in Device Manager.
Step 2 Choose the Servers tab. You see the RADIUS or TACACS+ servers configured.
Step 3 Click Create Row in Fabric Manager or Create in Device Manager. You see the Create Server dialog box.
Step 4 Select the radius radio button to add a RADIUS server.
Step 5 Set the IP address, authentication port, and accounting port values.
Step 6 Select whether the shared key is plain or encrypted in the KeyType field and set the key in the Key field.
Step 7 Set the timeout and retry values for authentication attempts.