Understanding How Radius Authentication Works - Cisco WS-C2948G-GE-TX Configuration Manual

Understanding How TACACS+ Authentication Works

You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one that is configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt the body of every TACACS+ packet; the 12-byte packet header, which carries the session ID and sequence number, is always sent in the clear. If you do not configure a TACACS+ key, packet bodies are not encrypted, and user names and passwords cross the network in cleartext. The TACACS+ key must be fewer than 100 characters. Because the body encryption is an MD5-derived keystream with no integrity check, a key alone does not make TACACS+ traffic safe on an untrusted network: keep the exchange on a protected management path and use a long key that is not shared across unrelated devices.
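What the TACACS+ key actually protects is easiest to see in code. The following Python block is an added example, not code from this manual or from Cisco: it implements the TACACS+ body obfuscation as specified in RFC 8907 (which documents the same MD5 pad as the earlier TACACS+ draft), builds an authentication START packet for a PAP login, and shows the difference between a keyed and an unkeyed exchange. The session ID, key, user name, port, address and password are constructed test values.

```python
import hashlib
import struct

# TACACS+ header constants (RFC 8907 section 4.1; same layout as the earlier draft).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # set when the body is sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02     # password travels inside the START body
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream of `length` bytes (RFC 8907 section 4.5):
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})"""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so this also de-obfuscates."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, password: bytes) -> bytes:
    """Authentication START body for a PAP login (RFC 8907 section 5.1); priv_lvl is 1."""
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """The header is always cleartext; the body is obfuscated only when a key is configured."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the body with the receiver's copy of the key. A wrong key yields garbage,
    not an error: the pad carries no integrity check."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


# Constructed test values (not from the manual).
SESSION_ID = 0x1234ABCD
KEY = b"tacacs-shared-key"
BODY = authen_start_body(b"admin", b"tty0", b"10.0.0.5", b"Passw0rd!")

if __name__ == "__main__":
    with_key = build_packet(BODY, SESSION_ID, KEY)
    no_key = build_packet(BODY, SESSION_ID, b"")
    print("password hidden with key:  ", b"Passw0rd!" not in with_key)
    print("password visible without key:", b"Passw0rd!" in no_key)
    print("round trip, right key:", parse_packet(with_key, KEY) == BODY)
    print("round trip, wrong key:", parse_packet(with_key, b"other") == BODY)
```

Compare the two packets the script builds: the first 12 bytes (including the session ID and length) are readable in both, only the flags byte differs, and without a key the user name and password are literally present in the datagram. A wrong key on the receiving side decodes silently to garbage, which is why a key mismatch between switch and server shows up as authentication failures rather than as a protocol error.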
With TACACS+, you can do the following:
• Enable or disable TACACS+ authentication to determine whether a user has permission to access the switch
• Enable or disable TACACS+ authentication to determine whether a user has permission to enter privileged mode
• Specify a key that is used to encrypt the protocol packets
• Specify the server on which the TACACS+ server daemon resides
• Set the number of login attempts that are allowed
• Set the timeout interval for server daemon response
• Enable or disable the directed-request option

TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time.

Note
If local authentication is disabled and you then disable all other authentication methods, local authentication is reenabled automatically.

Understanding How RADIUS Authentication Works

RADIUS is a client-server authentication and authorization access protocol that is used by the NAS (network access server; here, the switch) to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers, and permits or denies network access to a user based on the response it receives from them. RADIUS uses UDP for transport between the RADIUS client and server (authentication on port 1812 per RFC 2865; older implementations used 1645), so the switch itself must handle lost datagrams and unreachable servers, which is what the timeout, retransmit, and deadtime settings listed below control.

You can configure a RADIUS key (shared secret) on the client and server. If you configure a key on the client, it must be the same as the one that is configured on the RADIUS servers. The key itself is never transmitted over the network. The key does not encrypt whole RADIUS packets: it is used only to hide the User-Password attribute (an MD5-derived XOR stream seeded with the packet's Request Authenticator) and to compute the Response Authenticator, which lets the switch confirm that a reply came from a server that holds the same key. User names and all other attributes are sent in the clear. If you do not configure a RADIUS key, the password hiding and reply validation provide no protection at all, because anyone who captures the packet can reverse them.

Note
For more information about the RADIUS protocol, refer to RFC 2138, "Remote Authentication Dial In User Service (RADIUS)." RFC 2138 has since been obsoleted by RFC 2865, which specifies the same packet format and password-hiding mechanism.

With RADIUS, you can do the following:
• Enable or disable RADIUS authentication to control login access
• Enable or disable RADIUS authentication to control enable access
• Specify the IP addresses and User Datagram Protocol (UDP) ports of the RADIUS servers
• Specify the RADIUS key (shared secret) that is used to hide passwords and validate server responses
• Specify the RADIUS server timeout interval
• Specify the RADIUS retransmit count
• Specify the RADIUS server deadtime interval

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Software Configuration Guide—Release 8.2GLX, Chapter 30, Configuring Switch Access Using AAA, 78-15908-01
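As an added example (not code from this manual or from Cisco), the following Python block shows what the RADIUS key described in the section above actually does on the wire, following RFC 2865, the successor to RFC 2138: the switch hides the User-Password attribute with an MD5 pad derived from the secret and a random Request Authenticator, the server recovers the password and answers, and the switch validates the Response Authenticator with the same secret. The user name, password, secret and authenticator are constructed test data; the Message-Authenticator attribute of RFC 2869 is deliberately omitted so that the block shows what a bare Access-Request does and does not protect.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): pad to a 16-octet multiple, then
    c1 = p1 XOR MD5(secret + RequestAuth), c_n = p_n XOR MD5(secret + c_{n-1})."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, block))
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV attribute: type(1) length(1, counting these two octets) value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """Client (the switch) builds an Access-Request with a fresh random Request Authenticator."""
    request_auth = request_auth if request_auth is not None else os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + request_auth + attrs


def build_response(code: int, identifier: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    (RFC 2865 section 3); it is the only thing binding the reply to the shared key."""
    head = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server checks the password against its user table and answers Accept or Reject.
    Nothing in a bare Access-Request proves that it came from a holder of the secret."""
    _code, identifier, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    attrs = parse_attributes(request[HEADER_LEN:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return build_response(code, identifier, request_auth, b"", secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client checks that the reply matches its outstanding request and was made with the key."""
    if response[1] != request[1]:  # identifier must match the request we sent
        return False
    head, resp_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(head + request[4:HEADER_LEN] + attrs + secret).digest()
    return expected == resp_auth


if __name__ == "__main__":
    # Constructed demo values (not from the manual): a single login round trip.
    SECRET, USERS = b"radius-shared-key", {b"alice": b"hunter2"}
    req = build_access_request(42, b"alice", b"hunter2", SECRET)
    print("user name visible in request:", b"alice" in req)
    print("password visible in request: ", b"hunter2" in req)
    resp = server_handle(req, SECRET, USERS)
    print("accepted:", resp[0] == ACCESS_ACCEPT, "reply valid:", verify_response(resp, req, SECRET))
    print("reply from server with wrong key valid:",
          verify_response(server_handle(req, b"other", USERS), req, SECRET))
```

Run the script and inspect the Access-Request bytes: the user name is readable, the password is not, and a server that does not hold the key can neither recover the password nor produce a reply that the switch accepts. Conversely, everything other than User-Password is cleartext and nothing in the Access-Request itself authenticates the switch, which is why RADIUS traffic belongs on a protected management network (or inside IPsec or RadSec) regardless of how strong the key is.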
