RADIUS Authentication, Authorization, and Accounting

Configuring the Switch for RADIUS Authentication

this default behavior for clients with Enable (manager) access. That is, with privilege-mode enabled, the switch immediately allows Enable (Manager) access to a client for whom the RADIUS server specifies this access level.

Syntax: [no] aaa authentication login privilege-mode

When enabled, the switch reads the Service-Type field in the client authentication received from a RADIUS server. The following table describes the applicable Service-Type values and corresponding client access levels the switch allows upon authentication by the server.

Service-Type           Value                      Client Access Level
-------------------    -----------------------    -------------------
Administrative-User    6                          Manager
NAS-Prompt-User        7                          Operator
Any Other Type         Any Value Except 6 or 7    Access Denied

This feature applies to console (serial port), Telnet, SSH, and web browser interface access to the switch. It does not apply to 802.1X port-access.

Notes: While this option is enabled, a Service-Type value other than 6 or 7, or an unconfigured (null) Service-Type causes the switch to deny access to the requesting client.

The no form of the command returns the switch to the default RADIUS authentication operation. The default behavior for most interfaces is that a client authorized by the RADIUS server for Enable (Manager) access will be prompted twice, once for Login (Operator) access and once for Enable access. In the default RADIUS authentication operation, the switch’s web browser interface requires only one successful authentication request. For more information on configuring the Service Type in your RADIUS application, refer to the documentation provided with the application.
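The following added example (not part of the switch documentation) shows the privilege-mode decision above applied to the attribute section of a RADIUS Access-Accept: Service-Type is RADIUS attribute 6 (RFC 2865, encoded Type/Length/Value with a 4-byte value), and a reply whose Service-Type is missing, malformed or anything other than 6 or 7 results in access being denied. The sample replies and the `access_level` helper are constructed for illustration.

```python
import struct

ATTR_SERVICE_TYPE = 6      # RFC 2865 attribute number for Service-Type
ATTR_REPLY_MESSAGE = 18    # RFC 2865 attribute number for Reply-Message
ADMINISTRATIVE_USER = 6    # Service-Type value the switch maps to Manager
NAS_PROMPT_USER = 7        # Service-Type value the switch maps to Operator


def parse_attributes(data: bytes) -> dict:
    """Parse a RADIUS attribute section into {type: value_bytes}.

    Each attribute is Type(1 byte) Length(1 byte, includes header) Value.
    Only the first occurrence of each type is kept; malformed lengths raise.
    """
    attrs = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, data[i + 2:i + alen])
        i += alen
    return attrs


def access_level(attr_bytes: bytes) -> str:
    """Privilege-mode rule: 6 -> Manager, 7 -> Operator, anything else -> deny."""
    value = parse_attributes(attr_bytes).get(ATTR_SERVICE_TYPE)
    if value is None or len(value) != 4:
        return "Access Denied"   # null/unconfigured or malformed Service-Type
    (service_type,) = struct.unpack("!I", value)
    if service_type == ADMINISTRATIVE_USER:
        return "Manager"
    if service_type == NAS_PROMPT_USER:
        return "Operator"
    return "Access Denied"


def service_type_attr(value: int) -> bytes:
    """Encode a Service-Type attribute: Type 6, Length 6, 4-byte big-endian value."""
    return bytes([ATTR_SERVICE_TYPE, 6]) + struct.pack("!I", value)


# Constructed sample Access-Accept attribute sections
ACCEPT_MANAGER = service_type_attr(ADMINISTRATIVE_USER)
ACCEPT_OPERATOR = bytes([ATTR_REPLY_MESSAGE, 4]) + b"ok" + service_type_attr(NAS_PROMPT_USER)
ACCEPT_LOGIN_USER = service_type_attr(1)                     # Login-User: not 6 or 7
ACCEPT_NO_SERVICE_TYPE = bytes([ATTR_REPLY_MESSAGE, 4]) + b"ok"  # Reply-Message only
```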

3. Configure the Switch To Access a RADIUS Server

This section describes how to configure the switch to interact with a RADIUS server for both authentication and accounting services.

5-14