Allied Telesis AT-9000/28 - Remote Manager Accounts

AT-9000 Switch Command Line User’s Guide
Section XI: Management Security 1191
Remote Manager Accounts
The switch comes with one local manager account. The account is
referred to as a local account because the switch itself authenticates the
user name and password when a manager uses the account to log on. If
the user name and password are valid, the switch allows the individual to
access its management software. Otherwise, it cancels the login to
prevent unauthorized access.

There are two ways to add more manager accounts. One way is to create
additional local accounts. This is explained in Chapter 70, “Local Manager
Accounts” on page 1093 and Chapter 71, “Local Manager Account
Commands” on page 1103. There can be up to eight local manager
accounts.

The other way to add more accounts is with a RADIUS or TACACS+
authentication server on your network. Here, the authentication of the user
names and passwords of the manager accounts is performed by one or
more authentication servers. The switch simply forwards the information to
the servers when managers log on. The steps here illustrate the
authentication process that occurs between the switch and an
authentication server when a manager logs on:

1. The switch uses its RADIUS or TACACS+ client to transmit the user
   name and password to an authentication server on the network.
2. The server checks to see if the user name and password are valid.
3. If the combination is valid, the authentication server notifies the switch,
   which completes the login process, allowing the manager access to its
   management software.
4. If the user name and password are invalid, the authentication protocol
   server notifies the switch, which cancels the login.
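
The four steps above, for the RADIUS case, as an added example that is not part of the original manual: it builds the Access-Request a client sends, checks it on the server side, and verifies the signed reply, following the packet layout of RFC 2865. The function names are hypothetical, the switch's own implementation is not shown in this guide, and TACACS+ uses a different packet format that is not covered here.

```python
# Added illustration: function names are hypothetical; packet layout follows RFC 2865.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types

def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, decrypt=False)

def build_access_request(ident, user, password, secret, authenticator):
    """Switch side (step 1): User-Name in clear, User-Password hidden with the shared secret."""
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(user)]) + user
    attrs += bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_reply(request, secret, accounts):
    """Server side (steps 2-4): recover the password, check it, sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    authenticator, attrs, pos = request[4:20], {}, 20
    while pos < length:
        atype, alen = request[pos], request[pos + 1]
        if alen < 2: raise ValueError("malformed attribute")
        attrs[atype] = request[pos + 2:pos + alen]
        pos += alen
    password = _xor_chain(attrs.get(USER_PASSWORD, b""), secret, authenticator, True).rstrip(b"\x00")
    expected = accounts.get(attrs.get(USER_NAME))
    ok = expected is not None and hmac.compare_digest(password, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + authenticator + secret).digest()

def switch_accepts(reply, ident, secret, authenticator):
    """Switch side: complete the login only for an authentic Access-Accept."""
    code, rid, _ = struct.unpack("!BBH", reply[:4])
    good = hashlib.md5(reply[:4] + authenticator + reply[20:] + secret).digest()
    return rid == ident and hmac.compare_digest(reply[4:20], good) and code == ACCESS_ACCEPT
```

The user name crosses the network in clear text and the password is protected only by MD5 keyed with the shared secret, so the strength of that secret and the isolation of the management network both matter.
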

As explained in “Privilege Levels” on page 1094, local manager accounts
can have a privilege level of 1 or 15. Managers with a privilege level of 15
have access to all command modes. Managers with accounts that have a
privilege level of 1 are restricted to the User Exec mode when command
mode restriction is active on the switch, unless they know the special
password.

Privilege levels also apply to remote manager accounts. When you
create accounts on an authentication server, you should assign them a
level of 1 or 15, just like local accounts. If command mode restriction is
active on the switch, managers with a privilege level of 1 are limited to the
User Exec mode, while managers with a privilege level of 15 are given
access to the entire command mode structure. If command mode
restriction is not active on the switch, the privilege level of an account is
