Setting authentication-method lists for RADIUS

You can use RADIUS to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels of the CLI. When configuring RADIUS authentication, you create authentication-method lists specifically for these access methods, specifying RADIUS as the primary authentication method.

Within the authentication-method list, RADIUS is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If RADIUS authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.

When you configure authentication-method lists for RADIUS, you must create two separate authentication-method lists: one for Telnet or SSH CLI access, and one for CLI access to the Privileged EXEC level and CONFIG levels of the CLI.

To create an authentication-method list that specifies RADIUS as the primary authentication method for securing Telnet access to the CLI, enter the following commands.


device(config)# enable telnet authentication
device(config)# aaa authentication login default radius local

The commands above cause RADIUS to be the primary authentication method for securing Telnet access to the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead.

To create an authentication-method list that specifies RADIUS as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI, enter the following command.


device(config)# aaa authentication enable default radius local none

The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.

Syntax: [no] aaa authentication { enable | login } default method1 [ method2-7 ]

The enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.

Note: If you configure authentication for Web management access, authentication is performed each time a page is requested from the server. When frames are enabled on the Web Management Interface, the browser sends an HTTP request for each frame. The ICX device authenticates each HTTP request from the browser. To limit authentications to one per page, disable frames on the Web Management Interface.

The method1 parameter specifies the primary authentication method. The remaining optional method parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.

Table 1. Authentication method values

| Method parameter | Description |
|---|---|
| line | Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password... command. Refer to Setting a Telnet password. |
| enable | Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password... command. Refer to Setting passwords for management privilege levels. |
| local | Authenticate using a local user name and password you configured on the device. Local user names and passwords are configured using the username... command. Refer to Local user account configuration. |
| tacacs | Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command. |
| tacacs+ | Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command. |
| radius | Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command. |
| none | Do not use any authentication method. The device automatically permits access. |

Note: For examples of how to define authentication-method lists for types of authentication other than RADIUS, refer to Authentication-method lists.
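
The following is an added example, not part of the original documentation or any vendor tool: a small Python check that reads saved configuration text and reports authentication-method lists that do not match the rules described above. It assumes the saved configuration contains the aaa authentication commands in the form shown on this page; the function name audit_method_lists and the sample input are constructed for illustration.

```python
import re

# Method values from Table 1 on this page.
VALID_METHODS = {"line", "enable", "local", "tacacs", "tacacs+", "radius", "none"}
# Matches a method-list command, with or without a pasted "device(config)# " prompt.
LIST_RE = re.compile(
    r"^\s*(?:\S+#\s*)?aaa authentication (enable|login) default\s+(\S.*?)\s*$")

# Constructed sample input: the two method lists shown on this page.
SAMPLE_CONFIG = """\
device(config)# aaa authentication login default radius local
device(config)# aaa authentication enable default radius local none
"""

def audit_method_lists(config_text):
    """Return a list of (access_type, finding) tuples for saved configuration text."""
    findings, seen = [], set()
    for line in config_text.splitlines():
        m = LIST_RE.match(line)
        if not m:
            continue
        access, methods = m.group(1), m.group(2).split()
        seen.add(access)
        unknown = [x for x in methods if x not in VALID_METHODS]
        if unknown:
            findings.append((access, "unknown method: " + ", ".join(unknown)))
        if len(methods) > 7:
            findings.append((access, "more than one primary and six backup methods"))
        if methods[0] != "radius":
            findings.append((access, "radius is not the primary method"))
        if "none" in methods:
            # Per Table 1, 'none' makes the device permit access automatically.
            findings.append((access, "'none' permits access without authentication"))
    # The page requires a separate list for login and for enable access.
    for access in sorted({"enable", "login"} - seen):
        findings.append((access, "no authentication-method list configured"))
    return findings

if __name__ == "__main__":
    for access, finding in audit_method_lists(SAMPLE_CONFIG):
        print(f"{access}: {finding}")
```

Run against the two commands from this page, the check reports only the enable list, because it ends in none.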