Controlling Management Access
What Are the Recommendations for Management Security?
Selecting the authentication policy for a network is very important. In large 
deployments, many administrators prefer to use a RADIUS or TACACS+ 
server because it allows the authentication policy to be applied system-wide 
with little administrative effort. Additional recommendations for 
management security include:
• Require strong passwords
• Disable factory-delivered default accounts
• Enable password lockout
• Configure user ACLs to protect administrative access to the network
What Is an Authentication Profile?
An authentication profile specifies which authentication method or methods 
to use to authenticate a user who attempts to access the switch management 
interface. The authentication method can be one or more of the following:
• ENABLE—Uses the enable password for authentication.
• IAS—Uses the Internal Authentication Server database for 802.1X 
port-based authentication.
• LINE—Uses the Line password for authentication.
• LOCAL—Uses the ID and password in the Local User Database for 
authentication.
• RADIUS—Sends the user's ID and password to the RADIUS server to be 
authenticated instead of locally.
• TACACS+—Sends the user's ID and password to the configured 
TACACS+ server to be authenticated.
• NONE—No authentication is used.
You can use the same Authentication Profile for all access types, or select or 
create a variety of profiles based on how a user attempts to access the switch 
management interface. Profiles can be applied to each of the following access 
types:
• Login—Authenticates all attempts to log in to the switch. 
• Enable—Authenticates all attempts to enter Privileged EXEC mode (CLI 
only).
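The following Python audit is an added example, not part of the switch documentation. It checks authentication profiles against the method list above and flags profiles that contain NONE. The dictionary layout, the profile names and the in-order evaluation of methods are assumptions made for illustration; this is not the switch's configuration syntax.

```python
# Added example: audit authentication profiles against this section's method list.
# The dict layout is an assumption for illustration, not switch syntax.
METHODS = ("ENABLE", "IAS", "LINE", "LOCAL", "RADIUS", "TACACS+", "NONE")


def audit_profile(name, methods):
    """Return findings for one profile, given its ordered method list."""
    findings = []
    methods = [m.upper() for m in methods]
    if not methods:
        findings.append(f"{name}: profile lists no authentication method")
    for m in methods:
        if m not in METHODS:
            findings.append(f"{name}: unknown method {m}")
    if "NONE" in methods:
        findings.append(f"{name}: NONE allows access with no authentication")
        # Assumption: methods are tried in the order listed.
        after = methods[methods.index("NONE") + 1:]
        if after:
            findings.append(f"{name}: {', '.join(after)} listed after NONE is never reached")
    return findings


def audit(profiles, bindings):
    """profiles: name -> methods; bindings: access type -> profile name."""
    findings = []
    for access, profile in bindings.items():
        if profile not in profiles:
            findings.append(f"{access}: applies undefined profile {profile}")
    for name in sorted(profiles):
        findings.extend(audit_profile(name, profiles[name]))
    return findings


# Constructed sample data (hypothetical profile names).
SAMPLE_PROFILES = {
    "netAdmins": ["radius", "local"],
    "labAccess": ["none", "local"],
    "legacy": ["line", "kerberos"],
}
SAMPLE_BINDINGS = {"Login": "netAdmins", "Enable": "enableList"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILES, SAMPLE_BINDINGS):
        print(finding)
```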