Configuring authentication for RADIUS access methods

Configure the switch for RADIUS authentication through the following access methods:
  • Console: Either direct serial-port connection or modem connection.

  • Telnet: Inbound Telnet must be enabled (the default).

  • SSH: To use RADIUS for SSH access, first configure the switch for SSH operation.

  • WebAgent: You can enable RADIUS authentication for WebAgent access to the switch.

  • REST: You can configure the authentication mechanism used to control REST access to the switch.

You can configure RADIUS as the primary password authentication method for the above access methods. You also need to select either local, none, or authorized as a secondary, or backup, method. Note that for console access, if you configure RADIUS (or tacacs) for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event that all primary access methods fail.

Syntax

aaa authentication <console | rest | telnet | ssh | web | <enable | <login | radius>> web-based | mac-based | <chap-radius | peap-radius>>

Configures RADIUS as the primary password authentication method for console, Telnet, SSH, and/or the WebAgent.

The default primary <enable|login> authentication is local.

<console | rest | telnet | ssh | web>
[<local | none | authorized>]

Provides options for secondary authentication. For console access, the secondary method must be local if the primary method is not local. This prevents you from being locked out of the switch in the event of a failure in the other access methods.

Default: none

<<web-based | mac-based> login> <chap-radius | peap-mschapv2>

Password authentication for web-based or MAC-based port access to the switch. Use peap-mschapv2 when you want password verification without requiring access to a plain text password; it is more secure.

Default: chap-radius

[ none | authorized ]

Provides options for secondary authentication. The none option specifies that a backup authentication method is not used. The authorized option allows access without authentication.

Default: none.

You can configure RADIUS as the primary password authentication method for all access methods. Select either local, none or authorized as a secondary or backup method. For console access, if you configure RADIUS or TACACS for primary authentication, you must configure local for the secondary method. This prevents the possibility of being completely locked out of the switch in the event all primary access methods fail.

In certain situations, RADIUS servers can become isolated from the network. When that happens, users attempting to reach network resources protected by RADIUS authentication are rejected. To address this situation, configuring authorized as the secondary authentication method allows users unconditional access to the network when the primary authentication method fails because the RADIUS servers are unreachable.

CAUTION:

Configuring authorized as the secondary authentication method used when there is a failure accessing the RADIUS servers allows clients to access the network unconditionally. Use this method with care.

The following command output shows an example of the show authentication command displaying authorized as the secondary authentication method for port-access, web-based authentication access, and MAC authentication access. Since the configuration of authorized means no authentication is performed and the client has unconditional access to the network, the "Enable Primary" and "Enable Secondary" fields are not applicable (N/A).

Example

Suppose you already configured local passwords on the switch, but want RADIUS to protect primary Telnet and SSH access without allowing a secondary Telnet or SSH access option (the switch local passwords):

switch(config)# show authentication

 Status and Counters - Authentication Information
 Authorized enabled as backup for secondary login are preceded by *

  Login Attempts : 3 
  Lockout Delay : 0   
  Respect Privilege : Disabled 
  Bypass Username For Operator and Manager Access : Disabled 

                 | Login       Login        Login     
  Access Task    | Primary     Server Group Secondary 
  -------------- + ----------- ------------ ----------
  Console        | Local                    None      
  Telnet         | Local                    None      
  Port-Access    | Local                    Authorized      
  Webui          | Local                    None      
  SSH            | Local                    None      
  Web-Auth       | ChapRadius  radius       Authorized      
  MAC-Auth       | ChapRadius  radius       None      
  SNMP           | Local                    None      
  Local-MAC-Auth | Local                    None      
  REST           | Local                    None      

                 | Enable      Enable       Enable    
  Access Task    | Primary     Server Group Secondary 
  -------------- + ----------- ------------ ----------
  Console        | Tacacs                   Local     
  Telnet         | Local                    None      
  Webui          | Local                    None      
  SSH            | Local                    None      
  REST           | Local                    None

NOTE:

If you configure the Login Primary method as local instead of radius (and local passwords are configured on the switch), then clients connected to your network can gain access to either the operator or manager level without encountering the RADIUS authentication specified for Enable Primary. See Local authentication process.