Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports except those that have a named method list explicitly defined. A defined method list overrides the default method list.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can
designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication
in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to
respond, the software selects the next authentication method in the method list. This process continues until there is
successful communication with a listed authentication method or until all defined methods are exhausted. If
authentication fails at any point in this cycle—meaning that the security server or local username database responds by
denying the user access—the authentication process stops, and no other authentication methods are attempted.
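The following simulation, added here as an illustration and not taken from the Cisco guide, models the method-list behaviour just described: a method that does not respond lets the switch move on to the next method, while a method that responds with a denial ends the process. The server behaviour, the user databases and the function names are constructed for the example.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple

class Outcome(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method responded and denied access
    ERROR = "error"  # the method did not respond (unreachable, timeout)

# A method is called with (username, password) and returns an Outcome.
Method = Callable[[str, str], Outcome]

def security_server(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for a RADIUS/TACACS+ security server."""
    def check(user: str, pw: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR          # no answer: the switch moves on
        return Outcome.PASS if users.get(user) == pw else Outcome.FAIL
    return check

def local_database(users: Dict[str, str]) -> Method:
    """The switch's local username database; it always responds."""
    def check(user: str, pw: str) -> Outcome:
        return Outcome.PASS if users.get(user) == pw else Outcome.FAIL
    return check

def authenticate(method_list: List[Method], user: str, pw: str) -> Tuple[Outcome, int]:
    """Walk the list in order; return the decision and how many methods were asked.
    Only ERROR (no response) advances to the next method. PASS or FAIL from any
    method ends the process, so a denial by the first reachable method is final
    even if a later method such as the local database would accept the password.
    If every method errors, the login is refused with ERROR.
    """
    tried = 0
    for method in method_list:
        tried += 1
        result = method(user, pw)
        if result is not Outcome.ERROR:
            return result, tried
    return Outcome.ERROR, tried

# Constructed credentials: the server knows 'netadmin'; the local database also
# holds an emergency 'fallback' account intended to work only when the server is down.
SERVER_USERS = {"netadmin": "s3rver-pw"}
LOCAL_USERS = {"netadmin": "s3rver-pw", "fallback": "l0cal-pw"}

def login_default(server_up: bool, user: str, pw: str) -> Tuple[Outcome, int]:
    """Models a default-style list that consults the server first, then local."""
    methods = [security_server(server_up, SERVER_USERS), local_database(LOCAL_USERS)]
    return authenticate(methods, user, pw)
```

The point worth checking in a real deployment is the second case below: while the server is reachable, the local emergency account is never consulted, so it only becomes usable when the server stops answering.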
Authorization for Privileged EXEC Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information
retrieved from the user’s profile, which is located either in the local user database or on the security server, to configure
the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.
You can use the aaa authorization global configuration command with the keyword to set parameters that restrict a user’s network access to privileged EXEC mode.
The aaa authorization exec local command sets these authorization parameters:
Use for privileged EXEC access authorization if authentication was performed by using .
Use the local database if authentication was not performed by using .
Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they
are consuming. When AAA accounting is enabled, the switch reports user activity to the security server in the
form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the
security server. This data can then be analyzed for network management, client billing, or auditing.
Switch Access with RADIUS
This section describes how to enable and configure RADIUS, which provides detailed accounting information and flexible administrative control over authentication and authorization processes. RADIUS is facilitated through AAA and can be enabled only through AAA commands.
RADIUS
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients run on
supported Cisco routers and switches. Clients send authentication requests to a central RADIUS server, which contains
all user authentication and network service access information. The RADIUS host is normally a multiuser system running
RADIUS server software from Cisco (Cisco Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or
another software provider. For more information, see the RADIUS server documentation.
Use RADIUS in these network environments that require access security: