Configuring authentication for the access methods that RADIUS protects

Configure the switch for RADIUS authentication through the following access methods:
  • Console: Either direct serial-port connection or modem connection.

  • Telnet: Inbound Telnet must be enabled (the default).

  • SSH: To use RADIUS for SSH access, first configure the switch for SSH operation.

  • WebAgent: You can enable RADIUS authentication for WebAgent access to the switch.

You can configure RADIUS as the primary password authentication method for the above access methods. You also need to select either local, none, or authorized as a secondary, or backup, method. Note that for console access, if you configure radius (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.

Syntax:


aaa authentication <console|telnet|ssh|web> <enable|login> <local|radius> [<local|none|authorized>]

aaa authentication <web-based|mac-based> login <chap-radius|peap-mschapv2> [none|authorized]

Configures RADIUS as the primary password authentication method for console, Telnet, SSH, and/or the WebAgent (first form), and for web-based or MAC-based port access (second form). The parameters are described below.

The default primary <enable|login> authentication is local.


<console|telnet|ssh|web> [<local|none|authorized>]

Provides options for secondary authentication. For console access, secondary authentication must be local if primary access is not local. This prevents you from being locked out of the switch in the event of a failure in other access methods.


<<web-based|mac-based> login> <chap-radius|peap-mschapv2>

Password authentication method for web-based or MAC-based port access to the switch. With chap-radius, the RADIUS server must hold each user's password in plain text (or reversibly encrypted) to verify the CHAP response. peap-mschapv2 carries the MS-CHAPv2 exchange inside a TLS tunnel and lets the server verify the password from a stored hash, so it does not require access to a plain-text password and is the more secure choice.

Default: chap-radius


[none|authorized]

Provides options for secondary authentication. The none option specifies that no backup authentication method is used. The authorized option allows access without authentication when the primary method cannot be reached.

Default: none.

In certain situations, the RADIUS servers can become isolated from the network. When that happens, users cannot be authenticated, and their access to the network resources that RADIUS protects is rejected. Configuring authorized as the secondary authentication method addresses this by allowing users unconditional access to the network when the primary authentication method fails because the RADIUS servers are unreachable.

CAUTION:

Configuring authorized as the secondary authentication method, used when the switch cannot reach the RADIUS servers, allows clients to access the network unconditionally. Anyone who can disrupt the switch's path to the RADIUS servers can therefore bypass authentication entirely. Use this method with care.

Here is an example of the show authentication command displaying authorized as the secondary authentication method for port-access, web-based authentication access, and MAC authentication access. Since the configuration of authorized means no authentication will be performed and the client has unconditional access to the network, the "Enable Primary" and "Enable Secondary" fields are not applicable (N/A).

Example of AAA authentication using authorized for the secondary authentication method

Suppose you already configured local passwords on the switch, but want RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (which would be the switch's local passwords):

Example configuration for RADIUS authentication
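As an added example (not from this documentation or the switch vendor), the Python script below embeds a constructed running-config fragment written from the syntax given above, including the Telnet/SSH commands the scenario describes, and audits it against the rules on this page: the console fallback rule, the authorized caution, and the chap-radius versus peap-mschapv2 choice. The sample config lines, the word order they assume in show running-config output, the tacacs keyword, and the severity labels are assumptions for illustration; compare them with your own switch's running-config before relying on the parser.

```python
"""Audit the 'aaa authentication' lines of a switch running-config against
the rules on this page. Added example; not vendor code."""
from dataclasses import dataclass
from typing import List, Optional

ACCESS_METHODS = {"console", "telnet", "ssh", "web"}
PORT_ACCESS = {"web-based", "mac-based"}
REMOTE_PRIMARY = {"radius", "tacacs"}

# Constructed sample, written from the syntax on this page (assumption: your
# switch prints these lines in the same word order in 'show running-config').
SAMPLE_CONFIG = """\
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication telnet login radius none
aaa authentication telnet enable radius none
aaa authentication ssh login radius none
aaa authentication ssh enable radius none
aaa authentication web login local
aaa authentication web-based login chap-radius authorized
aaa authentication mac-based login peap-mschapv2 none
"""


@dataclass
class AaaEntry:
    line: str
    method: str               # console | telnet | ssh | web | web-based | mac-based
    mode: Optional[str]       # login | enable for access methods, None for port access
    primary: str              # local | radius | tacacs | chap-radius | peap-mschapv2
    secondary: Optional[str]  # local | none | authorized, or None when omitted


@dataclass
class Finding:
    severity: str             # ERROR | WARN | INFO
    line: str
    message: str


def parse_aaa(config_text: str) -> List[AaaEntry]:
    """Extract the two 'aaa authentication' forms documented above."""
    entries: List[AaaEntry] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("aaa authentication "):
            continue
        tokens = line.split()[2:]
        if not tokens:
            continue
        method = tokens[0]
        if method in ACCESS_METHODS:
            # aaa authentication <method> <login|enable> <primary> [<secondary>]
            if len(tokens) < 3 or tokens[1] not in ("login", "enable"):
                raise ValueError(f"unparsable line: {line}")
            entries.append(AaaEntry(line, method, tokens[1], tokens[2],
                                    tokens[3] if len(tokens) > 3 else None))
        elif method in PORT_ACCESS:
            # aaa authentication <web-based|mac-based> login <primary> [none|authorized]
            rest = tokens[1:]
            if rest and rest[0] == "login":   # tolerate the keyword being omitted
                rest = rest[1:]
            if not rest:
                raise ValueError(f"unparsable line: {line}")
            entries.append(AaaEntry(line, method, None, rest[0],
                                    rest[1] if len(rest) > 1 else None))
        # other forms (e.g. port-access for 802.1X) are outside this page's scope
    return entries


def audit(entries: List[AaaEntry]) -> List[Finding]:
    findings: List[Finding] = []
    for e in entries:
        # Rule 1: console with a remote primary must fall back to local,
        # otherwise an unreachable server locks you out of the switch.
        if e.method == "console" and e.primary in REMOTE_PRIMARY and e.secondary != "local":
            findings.append(Finding("ERROR", e.line,
                "console primary is a remote server; secondary must be local"))
        # Rule 2: 'authorized' means unconditional access whenever the
        # primary servers are unreachable.
        if e.secondary == "authorized":
            findings.append(Finding("WARN", e.line,
                "secondary 'authorized' grants access without authentication "
                "when the servers are unreachable"))
        # Rule 3: CHAP needs the server to hold the plain-text password.
        if e.method in PORT_ACCESS and e.primary == "chap-radius":
            findings.append(Finding("INFO", e.line,
                "chap-radius requires plain-text passwords on the RADIUS server; "
                "peap-mschapv2 does not"))
        # Rule 4: remote primary with no usable fallback is a deliberate
        # trade-off (as in the Telnet/SSH scenario): a server outage blocks
        # this access method, leaving only the console.
        if (e.method in ACCESS_METHODS - {"console"} and e.primary in REMOTE_PRIMARY
                and e.secondary in (None, "none")):
            findings.append(Finding("INFO", e.line,
                "no local fallback: this access method is unavailable during a server outage"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_aaa(SAMPLE_CONFIG)):
        print(f"{f.severity:5} {f.line}\n      {f.message}")
```

Run against the sample, the script reports the authorized fallback on web-based access as a warning, notes that chap-radius needs plain-text passwords on the server, and lists the Telnet/SSH lines with secondary none as informational: that is the intended trade-off in the scenario above, since the console keeps its local fallback. Swapping the console secondary to none produces an ERROR, which is the lockout the page warns about.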
NOTE:

If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients connected to your network can gain access to either the operator or manager level without encountering the RADIUS authentication specified for Enable Primary. See Local authentication process (RADIUS).