RADIUS-based User Login Authentication
You can enhance security for your device by implementing Remote Authentication Dial-In User Service (RADIUS per RFCs 2865) for authenticating multiple management user accounts of the device’s embedded Web and Telnet (CLI) servers. RADIUS also prevents unauthorized access to your device.
When RADIUS authentication is not used, the user's login username and password are locally authenticated by the device using the Local Users table (see Configuring Management User Accounts). However, you can configure the device to use the Local Users table as a fallback mechanism if the RADIUS server doesn't respond.
Both RADIUS and LDAP (see Enabling LDAP-based User Login Authentication) based login methods can't be used together; configure only one of them as the login method.
If you enable RADIUS-based user login authentication, when users with Security Administrator privilege level log in to the device’s CLI, they are automatically given access to the CLI privileged mode (“#”). For all other user privilege levels, the user needs to run the enable command and then enter the password to access the CLI privileged mode.
When RADIUS authentication is used, the RADIUS server stores the user accounts - usernames, passwords, and access levels (authorization). When a management user (client) tries to access the device, the device sends the RADIUS server the user's username and password for authentication. The RADIUS server replies with an acceptance or a rejection notification. During the RADIUS authentication process, the device’s Web interface is blocked until an acceptance response is received from the RADIUS server. Communication between the device and the RADIUS server is done using a shared secret, which is not transmitted over the network.
To implement RADIUS, you need to do the following:
■ | Set up a RADIUS server (third-party) to communicate with the device - see Setting Up a Third-Party RADIUS Server |
■ | Configure the device as a RADIUS client for communication with the RADIUS server - see Configuring RADIUS Authentication |