8.3.2 Configuring Authentication with RADIUS Servers
(1) Login Authentication Configuration Example
- Points to note
  The example below shows how to configure RADIUS authentication and local authentication. The settings ensure that local authentication is performed only when RADIUS authentication fails because of an abnormality, for example, when communication with the RADIUS server fails. If authentication fails because the request is denied, the whole authentication process ends at that point, and no local authentication is performed.
  The usual setup for remote access must be completed in advance.
- Command examples
  - (config)# aaa authentication login default group radius local
    Sets RADIUS authentication and local authentication, in that order, as the authentication methods to be used when a user logs in.
  - (config)# aaa authentication login end-by-reject
    Ends the whole authentication process when the request is denied by RADIUS authentication, so that no local authentication is performed.
  - (config)# radius-server host 192.168.10.1 key "039fkllf84kxm3"
    Sets 192.168.10.1 as the IP address of the server to be used for RADIUS authentication, and sets the shared key for communication with that server.
(2) Authentication setting when changing to administrator mode (enable command)
- Points to note
  The example below shows how to configure RADIUS authentication and local authentication. The settings ensure that local authentication is performed only when RADIUS authentication fails because of an abnormality, for example, when communication with the RADIUS server fails. If authentication fails because the request is denied, the whole authentication process ends at that point, and no local authentication is performed.
  Also set $enab15$ to be sent as the user name attribute for RADIUS authentication.
- Command examples
  - (config)# aaa authentication enable default group radius enable
    Sets RADIUS authentication and local authentication, in that order, as the authentication methods to be used when the user changes to administrator mode (by the enable command).
  - (config)# aaa authentication enable end-by-reject
    Ends the whole authentication process when the request is denied by RADIUS authentication, so that no local authentication is performed.
  - (config)# aaa authentication enable attribute-user-per-method
    Sets $enab15$ to be sent as the user name attribute for RADIUS authentication.
  - (config)# radius-server host 192.168.10.1 key "039fkllf84kxm3"
    Sets 192.168.10.1 as the IP address of the server to be used for RADIUS authentication, and sets the shared key for communication with that server.
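
The fallback behaviour described in (1) and (2), modelled in Python as an added example (not code from this manual or from the device). The names parse_policy and authenticate are hypothetical. The model assumes each method returns accept, reject, or error (no response), and that without end-by-reject a denial moves on to the next method.

```python
import re

# Method-list and end-by-reject lines copied from the command examples on this page.
CONFIG = """\
aaa authentication login default group radius local
aaa authentication login end-by-reject
aaa authentication enable default group radius enable
aaa authentication enable end-by-reject
aaa authentication enable attribute-user-per-method
"""

def parse_policy(config, service):
    """Return (methods, end_by_reject) for service 'login' or 'enable'."""
    methods, end_by_reject = [], False
    prefix = re.compile(rf"aaa authentication {re.escape(service)} (.+)")
    for line in config.splitlines():
        m = prefix.fullmatch(line.strip())
        if not m:
            continue
        words = m.group(1).split()
        if words[0] == "default":
            # "group radius" is one method; drop the "group" keyword.
            methods = [w for w in words[1:] if w != "group"]
        elif words == ["end-by-reject"]:
            end_by_reject = True
    return methods, end_by_reject

def authenticate(methods, end_by_reject, outcomes):
    """Walk the method chain; outcomes maps method -> 'accept'|'reject'|'error'.
    Returns (granted, methods_tried)."""
    tried = []
    for method in methods:
        tried.append(method)
        result = outcomes[method]
        if result == "accept":
            return True, tried
        if result == "reject" and end_by_reject:
            return False, tried  # denial is final; later methods never run
        # 'error' (e.g. RADIUS server unreachable) moves on to the next method.
        # Assumption: without end-by-reject, 'reject' moves on as well.
    return False, tried

if __name__ == "__main__":
    methods, ebr = parse_policy(CONFIG, "login")
    for radius in ("accept", "reject", "error"):
        # Constructed scenario: the local password check would succeed.
        print(radius, authenticate(methods, ebr, {"radius": radius, "local": "accept"}))
```

Running the same scenarios with end_by_reject set to False shows the case the end-by-reject command is there to close: a login the RADIUS server denied is then checked against the local account.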