RADIUS Authentication, Authorization, and Accounting

Commands Authorization


The RADIUS protocol combines the user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server will send authorization information (from the user's profile) to the Network Access Server (NAS). After user authentication has occurred, the authorization information provided by the RADIUS server is stored on the NAS for the duration of the user's session. Changes in the user's authorization profile during this time will not take effect until after the next authentication occurs.

You can limit the services available to a user by enabling AAA RADIUS authorization. The NAS uses the information set up on the RADIUS server to control the user's access to CLI commands.

The authorization type implemented on the switches covered in this guide is the "commands" method. This method explicitly specifies on the RADIUS server which commands are allowed on the client device for authenticated users. This is done on a per-user or per-group basis.

Note

Commands authorization is only performed for commands entered from Telnet, SSH, or console sessions. The Web management interface is not supported.

By default, all users may execute a minimal set of commands regardless of their authorization status, for example, "exit" and "logout". This minimal set of commands can prevent deadlock on the switch due to an error in the user's authorization profile on the RADIUS server.
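The following is an added illustration, not code from this guide or from the switch firmware: it models the NAS-side behaviour described above (the authorization profile is returned only with a successful authentication, is cached for the life of the session, and a minimal command set is always permitted). The profile format (a list of shell-style command patterns) and the `RadiusServer`/`NasSession` names are assumptions made for the example; the real switch uses vendor attributes whose format this page does not describe.

```python
import fnmatch

# Minimal set every user may run regardless of profile (per the guide: "exit", "logout")
ALWAYS_ALLOWED = frozenset({"exit", "logout"})


class RadiusServer:
    """Stand-in for the RADIUS server. users: name -> (password, [command patterns]).
    The pattern list is a constructed profile format, not a real RADIUS attribute."""

    def __init__(self, users):
        self.users = users

    def access_request(self, user, password):
        """Authentication and authorization in one phase: the profile is only
        returned on Access-Accept; None models Access-Reject."""
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return None
        return list(entry[1])  # snapshot: later server-side edits do not leak in

    def set_profile(self, user, patterns):
        """Administrator changes the user's profile on the server."""
        password, _ = self.users[user]
        self.users[user] = (password, list(patterns))


class NasSession:
    """One CLI session on the NAS; the profile is cached at login for its duration."""

    def __init__(self, server, user, password):
        profile = server.access_request(user, password)
        if profile is None:
            raise PermissionError("Access-Reject for %s" % user)
        self.user = user
        self.allowed = profile

    def authorize(self, command):
        """Return True if the cached profile (or the minimal set) permits the command."""
        words = command.split()
        if not words:
            return False
        if words[0] in ALWAYS_ALLOWED:
            return True  # deadlock escape hatch even with a broken/empty profile
        return any(fnmatch.fnmatch(command, pattern) for pattern in self.allowed)


def demo():
    """Constructed scenario: operator may only run 'show' commands at login."""
    server = RadiusServer({"oper": ("s3cret", ["show *"])})
    session = NasSession(server, "oper", "s3cret")
    before = session.authorize("configure")          # False: not in cached profile
    server.set_profile("oper", ["show *", "configure"])
    after = session.authorize("configure")           # still False: not re-authenticated
    fresh = NasSession(server, "oper", "s3cret").authorize("configure")  # True
    return before, after, fresh
```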