8-12
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 8 Configuring Switch-Based Authentication
Controlling Switch Access with
Operation
When a user attempts a simple ASCII login by authenticating to a switch using , this process
occurs:
1.
When the connection is established, the switch contacts the daemon to obtain a username
prompt to show to the user. The user enters a username, and the switch then contacts the
daemon to obtain a password prompt. The switch displays the password prompt to the user, the user
enters a password, and the password is then sent to the daemon.
allows a dialog between the daemon and the user until the daemon receives enough
information to authenticate the user. The daemon prompts for a username and password
combination, but can include other items, such as the user’s mother’s maiden name.
2.
The switch eventually receives one of these responses from the daemon:
•
ACCEPT—The user is authenticated and service can begin. If the switch is configured to
require authorization, authorization begins at this time.
•
REJECT—The user is not authenticated. The user can be denied access or is prompted to retry
the login sequence, depending on the daemon.
•
ERROR—An error occurred at some time during authentication with the daemon or in the
network connection between the daemon and the switch. If an ERROR response is received, the
switch typically tries to use an alternative method for authenticating the user.
•
CONTINUE—The user is prompted for additional authentication information.
After authentication, the user undergoes an additional authorization phase if authorization has been
enabled on the switch. Users must first successfully complete authentication before
proceeding to authorization.
3.
If authorization is required, the daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
contains data in the form of attributes that direct the EXEC or NETWORK session for that user and
the services that the user can access:
•
Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
•
Connection parameters, including the host or client IP address, access list, and user timeouts
Configuring
This section describes how to configure your switch to support . At a minimum, you must
identify the host or hosts maintaining the daemon and define the method lists for
authentication. You can optionally define method lists for authorization and accounting. A
method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring
a backup system if the initial method fails. The software uses the first method listed to authenticate, to
authorize, or to keep accounts on users; if that method does not respond, the software selects the next
method in the list. This process continues until there is successful communication with a listed method
or the method list is exhausted.