Access Security Guide K/KA/KB.15.15

Configuring the primary password authentication method for console, Telnet, SSH and WebAgent
The following commands have the server-group option. If no server-group is specified, the
default RADIUS group is used. The server group must already be configured.
NOTE: The last RADIUS server in a server group cannot be deleted if any authentication or
accounting method is using the server group.
Syntax:
aaa authentication <console | telnet | ssh | web> <enable | login> <local | radius> [server-group <group-name> | local | none | authorized]
Configures the primary password authentication method for console, Telnet, SSH,
and the WebAgent.
< local | radius >
Primary authentication method.
Default: local
<local | radius>
Use either the local switch user/password database or a RADIUS server for
authentication.
<server-group <group-name>>
Specifies the server group to use.
[ local | none | authorized ]
Provides options for secondary authentication.
Default: none
Note that for console access, secondary authentication must be local if primary
access is not local. This prevents being locked out of the switch in the event of a
failure in other access methods.
Configuring the primary password authentication method for port-access, MAC-based, and web-based access
Syntax:
aaa authentication <port-access <local | eap-radius | chap-radius> | <mac-based | web-based> <chap-radius | peap-mschapv2>> [none | authorized | server-group <group-name>]
Configures the primary authentication method for port-access, MAC-based, or
web-based access.
<mac-based | web-based> <chap-radius | peap-mschapv2>
Password authentication for web-based or MAC-based port access to the switch.
Use peap-mschapv2 for password verification without requiring access to a plain
text password; it is more secure.
Default: chap-radius
port-access <local | eap-radius | chap-radius>
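An added example (not from the guide): a Python check over saved switch configuration text that flags the two conditions described above, a console method whose primary is not local without local as secondary, and MAC-based or web-based access left on chap-radius. The sample lines are constructed and assume the configuration file follows the command syntax shown on this page; the group name corp-radius and the rule names are hypothetical.

```python
import re

# Constructed sample config; line layout assumed to mirror the syntax on this page.
SAMPLE_CONFIG = '''\
aaa authentication console login radius server-group "corp-radius" local
aaa authentication console enable radius none
aaa authentication ssh login radius local
aaa authentication ssh enable radius
aaa authentication mac-based chap-radius
aaa authentication web-based peap-mschapv2 server-group "corp-radius"
'''

# <console|telnet|ssh|web> <enable|login> <local|radius> [server-group <name>] [secondary]
LOGIN_RE = re.compile(
    r'^aaa authentication (console|telnet|ssh|web) (enable|login) (local|radius)'
    r'(?: server-group "?([\w-]+)"?)?(?: (local|none|authorized))?\s*$')
# <mac-based|web-based> <chap-radius|peap-mschapv2>
PORT_RE = re.compile(
    r'^aaa authentication (mac-based|web-based) (chap-radius|peap-mschapv2)\b')


def audit(config: str) -> list[tuple[int, str, str]]:
    """Return (line_no, rule, line) for each finding in the config text."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = LOGIN_RE.match(line)
        if m:
            access, _level, primary, _group, secondary = m.groups()
            secondary = secondary or "none"  # guide: secondary defaults to none
            # Guide: console needs local as secondary when primary is not local.
            if access == "console" and primary != "local" and secondary != "local":
                findings.append((no, "console-lockout", line))
            continue
        m = PORT_RE.match(line)
        # Guide: peap-mschapv2 verifies without needing the plain-text password.
        if m and m.group(2) == "chap-radius":
            findings.append((no, "weak-port-auth", line))
    return findings


if __name__ == "__main__":
    for no, rule, line in audit(SAMPLE_CONFIG):
        print(f"line {no}: {rule}: {line}")
```

Run against a configuration template before it is pushed to a switch; an omitted secondary method is treated as none, matching the documented default.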