Configuring authentication for the access methods RADIUS is to protect

Console: either a direct serial-port connection or a modem connection.
Telnet: inbound Telnet must be enabled (the default).
SSH: to use RADIUS for SSH access, first configure the switch for SSH operation.
WebAgent: you can enable RADIUS authentication for WebAgent access to the switch.
You can configure RADIUS as the primary password authentication method for each of the above access methods. You must also select local, none, or authorized as the secondary (backup) method. For console access, if you configure RADIUS (or TACACS) as the primary method, you must configure local as the secondary method; otherwise a failure of every primary method would lock you out of the switch entirely.
Syntax

aaa authentication <console | telnet | ssh | web> <enable | login> <local | radius | tacacs> [<local | none | authorized>]

Configures RADIUS (or TACACS, or the local password) as the primary password authentication method for console, Telnet, SSH, and/or WebAgent access. login governs operator-level access and enable governs manager-level access. The default primary authentication for both login and enable is local.

[<local | none | authorized>]: the secondary authentication method, used when the primary method fails. For console access the secondary method must be local if the primary method is not local; this prevents you from being locked out of the switch if the other access methods fail. Default: none.

aaa authentication <web-based | mac-based> <chap-radius | peap-mschapv2> [none | authorized]

Password authentication for web-based or MAC-based port access to the switch. Use peap-mschapv2 when you want password verification without the RADIUS server needing access to a plain-text password; it is the more secure choice. Default: chap-radius.

[none | authorized]: the secondary authentication method. none means no backup method is used, so clients are rejected when the primary method fails; authorized allows access without any authentication. Default: none.
RADIUS servers can become isolated from the network. While they are unreachable, users of resources protected by RADIUS authentication cannot be authenticated and are rejected. Configuring authorized as the secondary authentication method avoids that outage by granting users unconditional access whenever the primary method fails because no RADIUS server can be reached. This is a fail-open policy: no credentials are checked at all while the servers are down, so anyone who can cut the switch off from its RADIUS servers gains access. Use this option with care, and only where availability genuinely outweighs access control.
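The two configurations below, added here as an illustration rather than taken from the original page, contrast the fail-open and fail-closed forms of the same MAC-based authentication policy. The RADIUS server address and shared secret are placeholders.

```text
; Constructed example, not from the original page. Server address and key are placeholders.
switch(config)# radius-server host 192.0.2.10 key "example-shared-secret"

; Fail-open: while no RADIUS server answers, every client on a MAC-authenticated
; port is admitted without any credential check.
switch(config)# aaa authentication mac-based chap-radius authorized

; Fail-closed: while no RADIUS server answers, clients are rejected until a
; server is reachable again. Nothing is admitted on the strength of an outage.
switch(config)# aaa authentication mac-based chap-radius none
```

The only difference is the last keyword, so review show authentication output for any row whose Login Secondary reads authorized and confirm that it is intentional; a RADIUS outage on such a port is indistinguishable from a successful authentication.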
The example of AAA authentication using authorized as the secondary authentication method shows the output of the show authentication command with authorized as the secondary method for port-access, web-based authentication, and MAC authentication. Because authorized means no authentication is performed and the client has unconditional access to the network, the Enable Primary and Enable Secondary fields are not applicable (N/A) for those rows.
Example

Suppose you have already configured local passwords on the switch, but want RADIUS to protect Telnet and SSH access with no secondary option for Telnet or SSH (that is, no fallback to the switch's local passwords):
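The command listing that accompanies this example is not on the page; the following is an added reconstruction of the scenario from the syntax above, not the original page's listing. It also shows the console line that the console rule requires.

```text
; Constructed example, not the original page's listing.
; Telnet: RADIUS for both operator (login) and manager (enable) access,
; with no fallback to the local passwords.
switch(config)# aaa authentication telnet login radius none
switch(config)# aaa authentication telnet enable radius none

; SSH: same policy as Telnet.
switch(config)# aaa authentication ssh login radius none
switch(config)# aaa authentication ssh enable radius none

; Console: RADIUS may be primary, but the secondary must be local so that a
; RADIUS outage cannot lock the serial port out of the switch.
switch(config)# aaa authentication console login radius local
switch(config)# aaa authentication console enable radius local

; Confirm the resulting primary/secondary table.
switch(config)# show authentication
```

With none as the Telnet and SSH secondary, a RADIUS outage makes remote management fail closed: nobody can log in over Telnet or SSH until a server answers again, and the only way in is the console with its local password. That is the intended trade-off of this example, so make sure the console password is set and stored before relying on it.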
If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients connected to your network can reach either the operator or the manager level without encountering the RADIUS authentication specified for Enable Primary. See Local authentication process.