8-13
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 8 Configuring Switch-Based Authentication
Controlling Switch Access with
These sections contain this configuration information:
•
Default Configuration, page 8-13
•
Identifying the Server Host and Setting the Authentication Key, page 8-13
•
Configuring Login Authentication, page 8-14
•
Configuring Authorization for Privileged EXEC Access and Network Services,
page 8-16
•
Starting Accounting, page 8-17
Default Configuration
and AAA are disabled by default.
To prevent a lapse in security, you cannot configure through a network management
application. When enabled, can authenticate users accessing the switch through the CLI.
Note
Although configuration is performed through the CLI, the server authenticates
HTTP connections that have been configured with a privilege level of 15.
Identifying the Server Host and Setting the Authentication Key
You can configure the switch to use a single server or AAA server groups to group existing server hosts
for authentication. You can group servers to select a subset of the configured server hosts and use them
for a particular service. The server group is used with a global server-host list and contains the list of IP
addresses of the selected server hosts.
Beginning in privileged EXEC mode, follow these steps to identify the IP host or host maintaining
server and optionally set the encryption key:
Command
Purpose
Step 1
configure terminal
Enter global configuration mode.
Step 2
tacacs-server host
hostname
[
port
integer
] [
timeout
integer
] [
key
string
]
Identify the IP host or hosts maintaining a server. Enter this
command multiple times to create a list of preferred hosts. The software
searches for hosts in the order in which you specify them.
•
For
hostname
, specify the name or IP address of the host.
•
(Optional) For
port
integer
, specify a server port number. The default
is port 49. The range is 1 to 65535.
•
(Optional) For
timeout
integer
, specify a time in seconds the switch
waits for a response from the daemon before it times out and declares
an error. The default is 5 seconds. The range is 1 to 1000 seconds.
•
(Optional) For
key
string
, specify the encryption key for encrypting
and decrypting all traffic between the switch and the
daemon. You must configure the same key on the daemon
for encryption to be successful.
Step 3
aaa new-model
Enable AAA.