AAA Server Groups - Cisco IE-4000 Software Configuration Manual
Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Servers, page 176.
You can configure the switch to use AAA server groups to group existing server hosts for authentication. For more information, see Defining AAA Server Groups, page
RADIUS Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports except those that have a named method list explicitly defined.
RADIUS Method List
A method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts on a user. You can use method lists to designate one or more security protocols to be used (such as TACACS+ or local username lookup), which ensures a backup system if the initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep accounts on users. If that method does not respond, the software selects the next method in the list. This process continues until there is successful communication with a listed method or the method list is exhausted.
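The following IOS configuration is an added illustration, not configuration taken from the manual. It defines the default login method list, a named list applied only to the vty lines, and a local fallback account; the RADIUS address 192.0.2.10, the account name and both secrets are constructed placeholders.

```cisco
! Added example, not from the manual. 192.0.2.10 and the secrets are placeholders.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! Default method list: applied automatically to every line (console, aux, vty)
! that has no named list assigned.
aaa authentication login default group radius local
!
! Named method list: used only on lines where it is explicitly applied.
! Methods are tried in order; "local" is consulted only when RADIUS does not
! respond (timeout or unreachable), never when RADIUS rejects the credentials.
aaa authentication login VTY-RADIUS group radius local
!
! Local fallback account so that management access survives a RADIUS outage.
username netadmin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
line vty 0 4
 login authentication VTY-RADIUS
!
! Verification from privileged EXEC (these are not configuration commands):
! show running-config | section aaa
! test aaa group radius netadmin REPLACE-WITH-PASSWORD new-code
```

The order of the methods matters: with group radius first and local second, the local database is never consulted while the RADIUS server is reachable, so a user that RADIUS rejects cannot fall through to a local password. Swapping the order would make the local database authoritative and RADIUS a mere backup.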

AAA Server Groups

You can configure the switch to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same RADIUS server for the same service (for example, accounting), the second configured host entry acts as a failover backup to the first one.
You use the server server-group configuration command to associate a particular server with a defined server group. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.
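As an added illustration (not configuration from the manual), the following commands build the global server-host list and two server groups from it: one for login authentication and one for accounting in which the same RADIUS server appears twice on different UDP ports, so the second entry serves as the failover backup described above. The addresses 192.0.2.10 and 192.0.2.20, the group names and the shared secret are constructed placeholders.

```cisco
! Added example, not from the manual. Addresses, group names and keys are placeholders.
! Global server-host list: each (IP address, UDP port) pair is a distinct host entry.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key REPLACE-WITH-SHARED-SECRET
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
!
! Server group for login authentication: a subset of the global list. The
! auth-port and acct-port keywords select one specific host entry.
aaa group server radius AUTH-SERVERS
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.20 auth-port 1812 acct-port 1813
!
! Server group for accounting. Both entries point at 192.0.2.10 on different
! ports; the second entry is used only as a failover backup to the first.
aaa group server radius ACCT-SERVERS
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
! Bind each group to the service it serves.
aaa authentication login default group AUTH-SERVERS local
aaa accounting exec default start-stop group ACCT-SERVERS
!
! Verification from privileged EXEC: "show aaa servers" lists every host entry
! with its state and request counters, which is the quickest way to confirm
! that failover to the second entry actually happened.
```

A server entry in a group must already exist in the global server-host list; a server command that names an address and port pair that was never configured with radius-server host selects nothing.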
RADIUS Authorization for User Privileged Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.
You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
- Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.
- Use the local database if authentication was not performed by using RADIUS.
Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
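The following configuration is an added illustration, not configuration from the manual. It shows the full command form behind the manual's aaa authorization exec radius local description, together with authorization for network services and the local profile that takes over when RADIUS did not perform the authentication. The RADIUS address, the account name and the secrets are constructed placeholders.

```cisco
! Added example, not from the manual. 192.0.2.10 and the secrets are placeholders.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group radius local
!
! Privileged EXEC authorization, the full form of "aaa authorization exec radius local":
! if the user was authenticated by RADIUS, the privilege level and session
! attributes come from the user's RADIUS profile; if the user was authenticated
! from the local database, the local username entry decides.
aaa authorization exec default group radius local
!
! Authorization for network-related service requests, taken from the RADIUS profile.
aaa authorization network default group radius
!
! Local profile consulted only when RADIUS did not perform the authentication.
! Without a privilege level here the fallback user lands in user EXEC mode.
username netadmin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! This page notes that CLI logins bypass authorization even when it is
! configured. IOS provides a separate command, not covered on this page, that
! subjects console logins to the configured authorization lists:
aaa authorization console
```

The defensive point to check is the fallback path: a user who is authorized from the local database gets exactly the privilege level stored in the username entry, so a fallback account with privilege 15 is a full-access credential and should be protected and audited as such.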
