Radius Operation; Default Radius Configuration; Radius Change Of Authorization - Cisco IE-4000 Software Configuration Manual

Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Figure 17 Transitioning from RADIUS to TACACS+ Services
Remote
PC

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events
occur:
1. The user is prompted to enter a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of these responses from the RADIUS server:
a. ACCEPT—The user is authenticated.
b. REJECT—The user is either not authenticated and is prompted to re-enter the username and password, or access
is denied.
c. CHALLENGE—A challenge requires additional data from the user.
d. CHALLENGE PASSWORD—A response requests the user to select a new password.
The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network
authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization,
if it is enabled. The additional data included with the ACCEPT or REJECT packets includes these items:

Telnet, SSH, rlogin, or privileged EXEC services

Connection parameters, including the host or client IP address, access list, and user timeouts

Default RADIUS Configuration

RADIUS and AAA are disabled by default.
To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled,
RADIUS can authenticate users accessing the switch through the CLI.

RADIUS Change of Authorization

This section provides an overview of the RADIUS interface including available primitives and how they are used during a
Change of Authorization (CoA).
R1 RADIUS
server
R2 RADIUS
server
T1 TACACS+
server
T2 TACACS+
server
Workstation
150