Understanding Radius - Cisco Catalyst 2960 Software Configuration Manual

Controlling Switch Access with RADIUS
Beginning with Cisco IOS Release 12.2(58)SE, the switch supports RADIUS for IPv6. Information is in
the
IPv6 Configuration Guide, Release
"Configuring the NAS"
Configuration Guide, Release
For complete syntax and usage information for the commands used in this section, see the Cisco IOS
Note
Security Command Reference and the
These sections contain this configuration information:
•
•
•
•
•

Understanding RADIUS

RADIUS is a distributed client/server system that secures networks against unauthorized access.
RADIUS clients run on supported Cisco routers and switches. Clients send authentication requests to a
central RADIUS server, which contains all user authentication and network service access information.
The RADIUS host is normally a multiuser system running RADIUS server software from Cisco (Cisco
Secure Access Control Server Version 3.0), Livingston, Merit, Microsoft, or another software provider.
For more information, see the RADIUS server documentation.
Note We recommend a redundant connection between a switch stack and the RADIUS server. This is to help
ensure that the RADIUS server remains accessible in case one of the connected stack members is
removed from the switch stack.
Use RADIUS in these network environments that require access security:
•
•
•
•
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
9-18
"RADIUS Over IPv6" section of the "Implementing ADSL for IPv6" chapter in the
section in the "Implementing ADSL for IPv6" chapter in the
Understanding RADIUS, page 9-18
RADIUS Operation, page 9-19
RADIUS Change of Authorization, page 9-20
Configuring RADIUS, page 9-26
Displaying the RADIUS Configuration, page 9-41
Networks with multiple-vendor access servers, each supporting RADIUS. For example, access
servers from several vendors use a single RADIUS server-based security database. In an IP-based
network with multiple vendors' access servers, dial-in users are authenticated through a RADIUS
server that has been customized to work with the Kerberos security system.
Turnkey network security environments in which applications support the RADIUS protocol, such
as in an access environment that uses a smart card access control system. In one case, RADIUS has
been used with Enigma's security cards to validates users and to grant access to network resources.
Networks already using RADIUS. You can add a Cisco switch containing a RADIUS client to the
network. This might be the first step when you make a transition to a TACACS+ server. See
Figure 9-2 on page 9-19.
Network in which the user must only access a single service. Using RADIUS, you can control user
access to a single host, to a single utility such as Telnet, or to the network through a protocol such
as IEEE 802.1x. For more information about this protocol, see
802.1x Port-Based Authentication."
2. For information about configuring this feature, see the
2.
Cisco IOS IPv6 Command
Chapter 9 Configuring Switch-Based Authentication
Cisco IOS XE IPv6
Reference.
Chapter 10, "Configuring IEEE
Cisco IOS XE
OL-26520-01