Support User Manuals

Cisco Systems 2960 Model Vehicle User Manual

Open as PDF

of 1004

9-20

Catalyst 2960 and 2960-S Switch Software Configuration Guide

OL-8603-09

Chapter 9 Configuring Switch-Based Authentication

Controlling Switch Access with RADIUS

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server,

these events occur:

1. The user is prompted to enter a username and password.

2. The username and encrypted password are sent over the network to the RADIUS server.

3. The user receives one of these responses from the RADIUS server:

a. ACCEPT—The user is authenticated.

b. REJECT—The user is either not authenticated and is prompted to re-enter the username and

password, or access is denied.

c. CHALLENGE—A challenge requires additional data from the user.

d. CHALLENGE PASSWORD—A response requests the user to select a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or

network authorization. Users must first successfully complete RADIUS authentication before

proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or

REJECT packets includes these items:

• Telnet, SSH, rlogin, or privileged EXEC services

• Connection parameters, including the host or client IP address, access list, and user timeouts

RADIUS Change of Authorization

To use this feature, the switch must be running the LAN Base or IP Base image.

This section provides an overview of the RADIUS interface including available primitives and how they

are used during a Change of Authorization (CoA).

• Overview, page 9-20

• Change-of-Authorization Requests, page 9-21

• CoA Request Response Code, page 9-22

• CoA Request Commands, page 9-23

• Session Reauthentication, page 9-24

• Stacking Guidelines for Session Termination, page 9-26

Overview

A standard RADIUS interface is typically used in a pulled model where the request originates from a

network attached device and the response come from the queried servers. Catalyst switches support the

RADIUS Change of Authorization (CoA) extensions defined in RFC 5176 that are typically used in a

pushed model and allow for the dynamic reconfiguring of sessions from external authentication,

authorization, and accounting (AAA) or policy servers.

Beginning with Cisco IOS Release 12.2(52)SE, the switch supports these per-session CoA requests:

• Session reauthentication

• Session termination

previous next