Enhancements in Release F.04.08

Configuring RADIUS Authentication and Accounting

zero and then trying to log on again. As an alternative, you can reboot the switch (thus resetting the dead-time counter to assume the server is available) and then try to log on again.

Number of Login Attempts: This is actually an aaa authentication command. It controls how many times in one session a RADIUS client (as well as clients using other forms of access) can try to log in with the correct username and password. (Default: Three times per session.)

(For RADIUS accounting features, refer to “Configuring RADIUS Accounting” on page 114.)

1. Configure Authentication for the Access Methods You Want RADIUS To Protect

This section describes how to configure the switch for RADIUS authentication through the following access methods:

Console: Either direct serial-port connection or modem connection.

Telnet: Inbound Telnet must be enabled (the default).

SSH: To employ RADIUS for SSH access, you must first configure the switch for SSH operation. Refer to “Configuring Secure Shell (SSH)” on page 78.

You can also use RADIUS for Port-Based Access authentication. Refer to “Configuring Port-Based Access Control (802.1X)” on page 29.

You can configure RADIUS as the primary password authentication method for the above access methods. You will also need to select either local or none as a secondary, or backup, method. Note that for console access, if you configure radius (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.

Syntax: aaa authentication < console | telnet | ssh > < enable | login > < radius > [ < local | none > ]

< enable | login > < radius >: Configures RADIUS as the primary password authentication method for console, Telnet, and/or SSH. (The default primary < enable | login > authentication is local.)

[ < local | none > ]: Options for secondary authentication (default: none). Note that for console access, secondary authentication must be local if primary access is not local. This prevents you from being completely locked out of the switch in the event of a failure in other access methods.
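The console rule above can be checked offline against saved or templated configuration lines before they are applied to a switch. The following Python check is an added example, not code from this manual; the `audit` function, the constructed sample lines, and the assumption that saved configuration lines follow the syntax shown above are introduced here.

```python
import re

# Tokens come from the syntax and notes on this page; how a given firmware
# prints these lines in its saved configuration is an assumption.
METHODS = ("console", "telnet", "ssh")
LINE_RE = re.compile(
    r"aaa authentication (console|telnet|ssh) (enable|login) "
    r"(radius|tacacs|local)(?: (local|none))?"
)

def audit(config_text):
    """Return (line_no, severity, message) for each aaa authentication issue."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        # Skip unrelated lines, including other aaa authentication settings.
        if tokens[:2] != ["aaa", "authentication"] or len(tokens) < 3 or tokens[2] not in METHODS:
            continue
        m = LINE_RE.fullmatch(" ".join(tokens))
        if m is None:
            findings.append((no, "error", "does not match the documented syntax"))
            continue
        method, level, primary, secondary = m.groups()
        secondary = secondary or "none"  # documented default for the secondary method
        if method == "console" and primary != "local" and secondary != "local":
            findings.append((no, "error",
                f"console {level}: primary {primary} requires secondary local"))
        elif primary != "local" and secondary == "none":
            findings.append((no, "info",
                f"{method} {level}: no secondary (backup) method after {primary}"))
    return findings

# Constructed sample input, not taken from a real switch.
SAMPLE = """\
aaa authentication console login radius local
aaa authentication console enable radius
aaa authentication telnet login radius none
aaa authentication ssh login radius local
aaa authentication ssh enable radius locl
"""

if __name__ == "__main__":
    for no, severity, message in audit(SAMPLE):
        print(f"line {no}: {severity}: {message}")
```
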
