Section 11-5. Switch Authentication



  • Switch authentication enables you to control how people access the switch.

  • By default switch authentication is controlled locally by the user password and the enable password.

  • You can configure the switch to use an authentication server, such as a RADIUS or TACACS+ server, for authentication.

  • After you have configured RADIUS or TACACS+, it is important to keep local authentication enabled so that you can still log in to the switch if the authentication server is down.

  • Configuration for authentication is sometimes required for options such as Secure Shell (SSH), Telnet, and 802.1X port authorization.

Configuration

Switch authentication specifies how users are verified before being allowed to access the user or privileged mode command-line interface prompts. Authentication can be configured by local passwords on the switch or it can be configured so users are authorized by a TACACS or RADIUS server. Use the following commands to control authentication of users on the switch.

1.

Configure local authentication.

Default authentication is handled by passwords on the switch. The commands listed in this section show how to enable or disable this default authentication. Local authentication should not be disabled even if you are using a server for authentication, because it provides a "back door," or a secondary option, for authentication if the server fails. A switch has two levels of authentication: user level and privileged level. These commands show how to control authentication for each level.

a. Configure user-level authentication:

COS

 set authentication login local {enable | disable} [all | console | telnet | http]


Use this command to enable or disable user-level local authentication for the console, telnet, http, or all services on a COS switch.

b. Configure privileged-level authentication:

COS

 set authentication enable local {enable | disable} [all | console | telnet | http]


Use this command to enable or disable privileged-level local authentication for the console, telnet, http, or all services on a COS switch.

2.

Configure TACACS authentication.

It is also possible to configure the switch to authenticate users from a database on a TACACS server. For this to work, a username and password must be configured on the TACACS server. After the server has been configured, you use the following commands to provide TACACS authentication.

a. Configure the TACACS server:

COS

 set tacacs server address [primary] 


This command specifies the address of the TACACS server. This assumes that the switch has been configured for an IP address and has a gateway if necessary to reach the server. You can specify multiple servers, in case one of the devices is not functioning. The primary option specifies which server is queried first.

b. Enable TACACS authentication for user level:

COS

 set authentication login tacacs {enable | disable} [all | console | telnet | http] [primary]


After you have specified the server address, you set the user-level authentication process to use the tacacs option for the console, telnet, http, or all services. The primary option for this command specifies that TACACS is the first authentication method. If that fails, other authentication methods, such as local login, are attempted.

c. Enable TACACS authentication for privileged level:

COS

 set authentication enable tacacs {enable | disable} [all | console | telnet | http] [primary]


After you have specified the server address, you set the privileged-level authentication process to use the tacacs option for the console, telnet, http, or all services. The primary option for this command specifies that TACACS is the first authentication method. If that fails, other authentication methods, such as local login, are attempted.

d. Specify the TACACS key:

COS

 set tacacs key key 


Because the information between the TACACS device and the switch is encrypted, you must also supply the TACACS process with the key that is used by the server. This command specifies the key used.

3.

Configure RADIUS authentication.

In addition to local or TACACS, you can configure the switch to authenticate users from a database on a RADIUS server. For this to work, a username and password must be configured on the RADIUS server. After the server has been configured, you use the following commands to provide RADIUS authentication.

a. Configure the RADIUS server:

COS

 set radius server address [auth-port port] [primary] 


This command specifies the address of the RADIUS server. This assumes that the switch has been configured for an IP address and has a gateway if necessary to reach the server. You can specify multiple servers, in case one of the devices is not functioning. The primary option specifies which server is queried first.

b. Enable RADIUS authentication for user level:

COS

 set authentication login radius {enable | disable} [all | console | telnet | http] [primary]


After you have specified the server address, you set the user-level authentication process to use the radius option for the console, telnet, http, or all services. The primary option for this command specifies that RADIUS is the first authentication method. If that fails, other authentication methods, such as local login, are attempted.

c. Enable RADIUS authentication for privileged level:

COS

 set authentication enable radius {enable | disable} [all | console | telnet | http] [primary]


After you have specified the server address, you set the privileged-level authentication process to use the radius option for the console, telnet, http, or all services. The primary option for this command specifies that RADIUS is the first authentication method. If that fails, other authentication methods, such as local login, are attempted.

d. Specify the RADIUS key:

COS

 set radius key key 


Because the information between the RADIUS device and the switch is encrypted, you must also supply the RADIUS process with the key that is used by the server. This command specifies the key used.

Verification

To verify configuration of authentication, use the following commands:

COS

 show authentication
 show tacacs
 show radius


Feature Example

This example shows the configuration for a switch that will use a RADIUS server with the address 192.168.1.10 as the primary authentication method for Telnet users and a TACACS server with the address 192.168.1.8 for the primary authentication method for console users. The TACACS key will be abc123, and the radius key will be 789xyz.

An example of the Catalyst OS configuration follows:

 Catalyst (enable)> set radius server 192.168.1.10
 Catalyst (enable)> set authentication login radius enable telnet primary
 Catalyst (enable)> set authentication enable radius enable telnet primary
 Catalyst (enable)> set radius key 789xyz
 Catalyst (enable)> set tacacs server 192.168.1.8
 Catalyst (enable)> set authentication login tacacs enable console primary
 Catalyst (enable)> set authentication enable tacacs enable console primary
 Catalyst (enable)> set tacacs key abc123
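The fallback rule from the bullet list and step 1 (local authentication stays enabled wherever a RADIUS or TACACS server is the primary method) can be checked against a saved COS configuration. This is an added example, not code from the book or from Catalyst OS; it assumes only the command syntax shown in this section, and the configuration text it audits is constructed to mirror the Feature Example (user level only).

```python
import re
SERVICES = ("console", "telnet", "http")
LEVELS = ("login", "enable")   # user level and privileged level
AUTH_RE = re.compile(r"^set authentication (login|enable) (local|tacacs|radius) "
                     r"(enable|disable)(?: (all|console|telnet|http))?(?: primary)?$")
SVC_RE = re.compile(r"^set (tacacs|radius) (server|key) (\S+)")

def parse_cos_auth(config):
    # state[level][service][method] -> enabled; local is on by default (step 1)
    state = {lv: {sv: {"local": True, "tacacs": False, "radius": False}
                  for sv in SERVICES} for lv in LEVELS}
    cfg = {p: {"server": [], "key": []} for p in ("tacacs", "radius")}
    for raw in config.splitlines():
        line = re.sub(r"^.*\(enable\)>\s*", "", raw.strip())  # drop a captured prompt
        if m := AUTH_RE.match(line):
            level, method, action, service = m.groups()
            for sv in SERVICES if service in (None, "all") else (service,):
                state[level][sv][method] = action == "enable"
        elif m := SVC_RE.match(line):
            proto, what, value = m.groups()
            cfg[proto][what].append(value)
    return state, cfg

def audit(config):
    """Return findings as strings; an empty list means the config passes."""
    state, cfg = parse_cos_auth(config)
    findings = []
    for lv in LEVELS:
        for sv in SERVICES:
            m = state[lv][sv]
            if (m["tacacs"] or m["radius"]) and not m["local"]:
                findings.append(f"{lv}/{sv}: local auth disabled, no fallback if server is down")
    for proto in ("tacacs", "radius"):
        if any(state[lv][sv][proto] for lv in LEVELS for sv in SERVICES):
            for what in ("server", "key"):
                if not cfg[proto][what]:
                    findings.append(f"{proto}: enabled but no {what} set")
    return findings

# Constructed config mirroring the section's Feature Example (user level only).
GOOD_CONFIG = """\
set radius server 192.168.1.10
set authentication login radius enable telnet primary
set radius key 789xyz
set tacacs server 192.168.1.8
set authentication login tacacs enable console primary
set tacacs key abc123
"""
# Same config with the local fallback for telnet turned off; audit() should flag it.
BAD_CONFIG = GOOD_CONFIG + "set authentication login local disable telnet\n"
```

Run audit() over the output of a saved configuration; any finding means a service could become unreachable when the server fails or a server method was enabled without its address or key.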



Cisco Field Manual. Catalyst Switch Configuration
ISBN: 1587050439
Year: 2001
Pages: 150