Catalyst 2950 Desktop Switch Software Configuration Guide, 78-11380-03
Chapter 6 Configuring the System
Controlling Switch Access with RADIUS

RADIUS is not suitable in these network security situations:

• Multiprotocol access environments. RADIUS does not support AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), or X.25 PAD connections.

• Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication.

• Networks using a variety of services. RADIUS generally binds a user to one service model.

Figure 6-5 Typical AAA Network Configuration
[Figure 6-5 shows a remote PC, a workstation, a Catalyst 2950 switch, RADIUS servers R1 and R2, and TACACS+ servers T1 and T2.]

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server, these events occur:

1. The user is prompted to enter a username and password.

2. The username and encrypted password are sent over the network to the RADIUS server.

3. The user receives one of these responses from the RADIUS server:

   a. ACCEPT—The user is authenticated.

   b. REJECT—The user is either not authenticated and is prompted to re-enter the username and password, or access is denied.

   c. CHALLENGE—A challenge requires additional data from the user.

   d. CHALLENGE PASSWORD—A response requests the user to select a new password.
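The exchange in steps 1 through 3, as an added example that is not from the Cisco guide: the RFC 2865 hiding that a RADIUS client applies to the User-Password before the Access-Request leaves the switch, the server-side reversal, and a constructed server decision that yields the ACCEPT, REJECT and CHALLENGE outcomes listed above. The shared secret, the user table and the function names are assumptions made for the example.

```python
# Added example (not Cisco's code): RFC 2865 section 5.2 User-Password hiding
# and a toy RADIUS server decision returning the guide's response names.
import hashlib
import os

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side. The password is padded with NULs to a multiple of 16 bytes
    and XORed block by block with b_i = MD5(secret + previous cipher block),
    where b_1 uses the 16-byte Request Authenticator. This is keyed
    obfuscation with the shared secret, not modern authenticated encryption."""
    assert len(authenticator) == 16
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                      # chaining: next key block uses this ciphertext
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding and strip the NUL padding
    (a password that itself ends in NUL bytes cannot be distinguished from padding)."""
    assert len(hidden) % 16 == 0 and len(authenticator) == 16
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

# Constructed user database (hypothetical): username -> (password, needs second factor)
USERS = {b"alice": (b"s3cret-pw", False), b"bob": (b"hunter2", True)}

def access_request(user: bytes, hidden_pw: bytes, secret: bytes, authenticator: bytes) -> str:
    """Toy server decision for one Access-Request; returns ACCEPT, REJECT or CHALLENGE."""
    if user not in USERS:
        return "REJECT"
    password, needs_second_factor = USERS[user]
    if reveal_password(hidden_pw, secret, authenticator) != password:
        return "REJECT"               # wrong password or mismatched shared secret
    return "CHALLENGE" if needs_second_factor else "ACCEPT"

if __name__ == "__main__":
    secret = b"shared-secret"         # constructed; must match on switch and server
    ra = os.urandom(16)               # Request Authenticator chosen by the client
    print(access_request(b"alice", hide_password(b"s3cret-pw", secret, ra), secret, ra))
```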
6-25