Radius Operation - Cisco Catalyst 4500 Series Configuration Manual

Controlling Switch Access with RADIUS
Figure 44-18
Remote
PC

RADIUS Operation

When a user attempts to log in and authenticate to a switch that is access controlled by a RADIUS server,
these events occur:
1.
2.
3.
The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or
network authorization. Users must first successfully complete RADIUS authentication before
proceeding to RADIUS authorization, if it is enabled. The additional data included with the ACCEPT or
REJECT packets includes these items:
•
•
RADIUS Change of Authorization
This section provides an overview of the RADIUS interface including available primitives and how they
are used during a Change of Authorization (CoA).
•
•
•
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
44-94
Transitioning from RADIUS to TACACS+ Services
The user is prompted to enter a username and password.
The username and encrypted password are sent over the network to the RADIUS server.
The user receives one of these responses from the RADIUS server:
a. ACCEPT—The user is authenticated.
b. REJECT—The user is either not authenticated and is prompted to re-enter the username and
password, or access is denied.
c. CHALLENGE—A challenge requires additional data from the user.
d. CHALLENGE PASSWORD—A response requests the user to select a new password.
Telnet, SSH, rlogin, or privileged EXEC services
Connection parameters, including the host or client IP address, access list, and user timeouts
Overview, page 44-95
Change-of-Authorization Requests, page 44-95
CoA Request Response Code, page 44-96
Chapter 44 Configuring 802.1X Port-Based Authentication
R1 RADIUS
server
R2 RADIUS
server
T1 TACACS+
server
T2 TACACS+
server
Workstation
OL-25340-01