Aaa Server Groups; Aaa Authorization; Radius Accounting - Cisco Catalyst 2960-XR Security Configuration Manual

Configuring RADIUS
they are performed; it must be applied to a specific port before any of the defined authentication methods are
performed. The only exception is the default method list. The default method list is automatically applied to
all ports except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You
can designate one or more security protocols to be used for authentication, thus ensuring a backup system for
authentication in case the initial method fails. The software uses the first method listed to authenticate users;
if that method fails to respond, the software selects the next authentication method in the method list. This
process continues until there is successful communication with a listed authentication method or until all
defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security
server or local username database responds by denying the user access—the authentication process stops, and
no other authentication methods are attempted.
Related Topics
Configuring RADIUS Login Authentication, on page 66

AAA Server Groups

You can configure the switch to use AAA server groups to group existing server hosts for authentication. You
select a subset of the configured server hosts and use them for a particular service. The server group is used
with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier
(the combination of the IP address and UDP port number), allowing different ports to be individually defined
as RADIUS hosts providing a specific AAA service. If you configure two different host entries on the same
RADIUS server for the same service, (for example, accounting), the second configured host entry acts as a
fail-over backup to the first one.
Related Topics
Defining AAA Server Groups, on page 68

AAA Authorization

AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch
uses information retrieved from the user's profile, which is in the local user database or on the security server,
to configure the user's session. The user is granted access to a requested service only if the information in the
user profile allows it.
Related Topics
Configuring RADIUS Authorization for User Privileged Access and Network Services, on page 71

RADIUS Accounting

The AAA accounting feature tracks the services that users are using and the amount of network resources that
they are consuming. When you enable AAA accounting, the switch reports user activity to the RADIUS
security server in the form of accounting records. Each accounting record contains accounting attribute-value
(AV) pairs and is stored on the security server. You can then analyze the data for network management, client
billing, or auditing.
OL-29434-01
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
AAA Server Groups
63