Configuring authentication for the access methods that RADIUS protects
Console: Either direct serial-port connection or modem connection.
Telnet: Inbound Telnet must be enabled (the default).
SSH: To use RADIUS for SSH access, first configure the switch for SSH operation.
WebAgent: You can enable RADIUS authentication for WebAgent access to the switch.
You can configure RADIUS as the primary password authentication method for the above access methods. You also need to select either local, none, or authorized as a secondary, or backup, method. Note that for console access, if you configure radius (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.
Syntax:
aaa authentication <console|telnet|ssh|web|<enable|login <local|radius>> web-based|mac-based <chap-radius|peap-radius>>
Configures RADIUS as the primary password authentication method for console, Telnet, SSH, and/or the WebAgent. The default primary <enable|login> authentication is local.
<console|telnet|ssh|web> [<local|none|authorized>]
Provides options for secondary authentication. For console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods.
<<web-based|mac-based> login> <chap-radius|peap-mschapv2>
Password authentication for web-based or MAC-based port access to the switch. Use peap-mschapv2 when you want password verification without requiring access to a plain-text password; it is more secure. Default: chap-radius
[none|authorized]
Provides options for secondary authentication. The none option specifies that a backup authentication method is not used. The authorized option allows access without authentication. Default: none.
In certain situations, RADIUS servers can become isolated from the network. Users are then unable to reach the network resources protected by RADIUS authentication and are rejected. To address this situation, configuring authorized as the secondary authentication method allows users unconditional access to the network when the primary authentication method fails because the RADIUS servers are unreachable. Because this secondary method grants clients access without any authentication whenever the RADIUS servers cannot be reached, use it with care.
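The following is an added example, not code from the HP/Aruba manual or switch firmware: it parses a constructed set of aaa authentication lines in the syntax shown above, flags any console entry that violates the lock-out rule (non-local primary without a local secondary), and models the fallback decision for each secondary option when the RADIUS servers are unreachable. The evaluate() logic is an assumed simplification: a RADIUS verdict is final when the server answers, and the secondary method is consulted only when the servers cannot be reached.

```python
import re

# Constructed sample configuration in the page's syntax:
# aaa authentication <access> <login|enable> <primary> [<secondary>]
CONFIG = """
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication telnet login radius none
aaa authentication ssh login radius authorized
"""

LINE = re.compile(r"aaa authentication (\S+) (login|enable) (\S+)(?: (\S+))?")


def parse(config):
    """Map (access method, level) -> (primary, secondary); secondary defaults to none."""
    policy = {}
    for m in LINE.finditer(config):
        access, level, primary, secondary = m.groups()
        policy[(access, level)] = (primary, secondary or "none")
    return policy


def lockout_risks(policy):
    """Console entries whose primary is not local must fall back to local."""
    return [key for key, (primary, secondary) in policy.items()
            if key[0] == "console" and primary != "local" and secondary != "local"]


def evaluate(policy, access, level, radius_reply, local_ok):
    """Decide access. radius_reply is 'accept', 'reject' or None (servers unreachable).
    local_ok says whether the supplied password matches the switch's local password."""
    primary, secondary = policy[(access, level)]
    if primary == "local":
        return local_ok
    if radius_reply is not None:        # server answered: its verdict is final
        return radius_reply == "accept"
    # RADIUS unreachable: the secondary (backup) method decides
    if secondary == "local":
        return local_ok
    if secondary == "authorized":       # unconditional access, no authentication
        return True
    return False                        # none: no backup method, access denied


if __name__ == "__main__":
    policy = parse(CONFIG)
    print("lock-out risks:", lockout_risks(policy))
    for key in policy:
        print(key, "RADIUS down ->", evaluate(policy, key[0], key[1], None, True))
```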
Here is an example of the show authentication command displaying authorized as the secondary authentication method for port-access, web-based authentication access, and MAC authentication access. Since configuring authorized means no authentication is performed and the client has unconditional access to the network, the "Enable Primary" and "Enable Secondary" fields are not applicable (N/A).
Suppose you already configured local passwords on the switch, but want RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (the switch local passwords):
If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients connected to your network can gain access to either the operator or manager level without encountering the RADIUS authentication specified for Enable Primary. See Local authentication process (RADIUS).