How Does RADIUS Control Management Access?
Many networks use a RADIUS server to maintain a centralized user database
that contains per-user authentication information. RADIUS servers provide a
centralized authentication method for:
Console to Switch Access
Access Control Port (802.1X)
Like TACACS+, RADIUS access control utilizes a database of user
information on a remote server. Making use of a single database of accessible
information—as in an Authentication Server—can greatly simplify the
authentication and management of users in a large network. One such type of
Authentication Server supports the Remote Authentication Dial In User
Service (RADIUS) protocol as defined by RFC 2865.
For authenticating users prior to access, the RADIUS standard has become
the protocol of choice by administrators of large accessible networks. To
accomplish the authentication in a secure manner, the RADIUS client and
RADIUS server must both be configured with the same shared password or
"secret". This "secret" is used to generate one-way encrypted authenticators
that are present in all RADIUS packets. The "secret" is never transmitted over
RADIUS conforms to a secure communications client/server model using
UDP as a transport protocol. It is extremely flexible, supporting a variety of
methods to authenticate and statistically track users. RADIUS is also
extensible, allowing for new methods of authentication to be added without
disrupting existing functionality.
As a user attempts to connect to the switch management interface, the switch
first detects the contact and prompts the user for a name and password. The
switch encrypts the supplied information, and a RADIUS client transports
the request to a pre-configured RADIUS server.
Controlling Management Access