7-10
Catalyst 2360 Switch Software Configuration Guide
OL-19808-01
Chapter 7 Configuring Switch-Based Authentication
Controlling Switch Access with TACACS+
This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+), which provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through authentication, authorization, accounting (AAA) and can be enabled only through AAA commands.
Note
For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
These sections contain this configuration information:
•
•
•
• Displaying the TACACS+ Configuration, page 7-16
Understanding TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access to your switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You should have access to and should configure a TACACS+ server before configuring TACACS+ features on your switch.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. A network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks as shown in Figure 7-1.
Figure 7-1 Typical TACACS+ Network Configuration
TACACS+, administered through the AAA security services, can provide these services:
• Authentication—Provides complete control of authentication through login and password dialog, challenge and response, and messaging support.
The authentication facility can conduct a dialog with the user (for example, after a username and password are provided, to challenge a user with several questions, such as home address, mother's maiden name, service type, and social security number). The TACACS+ authentication service can also send messages to user screens. For example, a message could notify users that their passwords must be changed because of the company's password aging policy.
• Authorization—Provides fine-grained control over user capabilities for the duration of the user's session, including but not limited to setting autocommands, access control, session duration, or protocol support. You can also enforce restrictions on what commands a user can execute with the TACACS+ authorization feature.
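As an added example that is not part of this guide, the Cisco IOS configuration below ties the services described above to AAA method lists, which is the only way TACACS+ can be enabled on the switch; the server address 192.0.2.10 and the shared key are constructed placeholders, and the "local" fallback keeps the console usable if the daemon is unreachable.

```cisco-ios
! Added example (not from the guide). 192.0.2.10 and the key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-SHARED-KEY
!
! Authentication: the login/password dialog is handled by the TACACS+ daemon;
! "local" is a fallback method so the switch is still reachable if the server is down.
aaa authentication login default group tacacs+ local
!
! Authorization: the daemon decides whether the user gets an EXEC shell and
! which privilege-level-15 commands that user is allowed to run.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: record start and stop of each EXEC session and each privileged command.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Apply the method lists to the virtual terminal lines used for remote access.
line vty 0 15
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Verify with show running-config that the method lists are attached to the lines before closing the session that applied them.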