Understanding How Radius Authentication Works; Understanding How Kerberos Authentication Works - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Chapter 39
Configuring the Switch Access Using AAA

Understanding How RADIUS Authentication Works

RADIUS is a client-server authentication and authorization access protocol that is used by the NAS to authenticate the users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses UDP for transport between the RADIUS client and server.

You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one that is configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all the transmitted RADIUS packets. If you do not configure a RADIUS key, the packets are not encrypted. The key itself is never transmitted over the network.
Note For more information about how the RADIUS protocol operates, refer to RFC 2138, "Remote Authentication Dial In User Service (RADIUS)."

You can configure the following RADIUS parameters on the switch:

• Enable or disable RADIUS authentication to control login access
• Enable or disable RADIUS authentication to control enable access
• Specify the IP addresses and UDP ports of the RADIUS servers
• Specify the RADIUS key that is used to encrypt the RADIUS packets
• Specify the RADIUS server timeout interval
• Specify the RADIUS retransmit count
• Specify the RADIUS server dead time interval

RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can specify which method to use first using the primary keyword.

When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.

Understanding How Kerberos Authentication Works

Kerberos is a client-server, secret-key network authentication method that uses a trusted Kerberos server to verify secure access for both services and users. In Kerberos, this trusted server is called the key distribution center (KDC). The KDC issues a ticket to validate users and services. A ticket is a temporary set of electronic credentials that verifies the identity of a client for a particular service.

These tickets have a limited life span and can be used in place of the standard username and password authentication mechanism if a service trusts the Kerberos server that issued the ticket. If the standard username and password method is used, Kerberos encrypts the user passwords into the tickets, ensuring that the passwords are not sent on the network in clear text. When you use Kerberos, the passwords are not stored on any machine, other than the Kerberos server, for more than a few seconds. Kerberos also guards against intruders who might pick up the encrypted tickets from the network.