Securing Access to Management Functions
December 2000 3 - 47
• 0 – Records commands available at the Super User level (all commands)
• 4 – Records commands available at the Port Configuration level (port-config and read-only commands)
• 5 – Records commands available at the Read Only level (read-only commands)
29. To configure RADIUS accounting to record when system events occur on the Foundry device, select System
from the Type field’s pulldown menu.
30. Click on the radio button next to Radius.
31. Click the Add button to save the change to the device’s running-config file.
The accounting methods you selected are displayed in the table at the top of the dialog. Each time you add an
accounting method for a given access type, the software assigns a sequence number to the entry. When
accounting is performed, the software tries the accounting sources in ascending sequence order until the
request is either approved or denied. Each time you add an entry for a given access type, the software
increments the sequence number. Thus, if you want to use multiple accounting methods, make sure you
enter the primary accounting method first, the secondary accounting method second, and so on.
If you need to delete an entry, select the access type and accounting method for the entry, then click Delete.
32. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change
to the startup-config file on the device’s flash memory.
Configuring Authentication-Method Lists
To implement one or more authentication methods for securing access to the device, you configure authentication-
method lists that set the order in which the authentication methods are consulted.
In an authentication-method list, you specify the access method (Telnet, Web, SNMP, and so on) and the order in
which the device tries one or more of the following authentication methods:
• Local Telnet login password
• Local password for the Super User privilege level
• Local user accounts configured on the device
• Database on a TACACS or TACACS+ server
• Database on a RADIUS server
• No authentication
NOTE: The TACACS/TACACS+, RADIUS, and Telnet login password authentication methods are not supported
for SNMP access.
NOTE: To authenticate Telnet access to the CLI, you also must enable the authentication by entering the
enable telnet authentication command at the global CONFIG level of the CLI. You cannot enable Telnet
authentication using the Web management interface.
NOTE: You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses.
See “Using ACLs to Restrict Remote Access” on page 3-4 or “Restricting Remote Access to the Device to Specific
IP Addresses” on page 3-5.
In an authentication-method list for a particular access method, you can specify up to seven authentication
methods. If the first authentication method is successful, the software grants access and stops the authentication
process. If the access is rejected by the first authentication method, the software denies access and stops
checking.
However, if an error occurs with an authentication method, the software tries the next method on the list, and so
on. For example, if the first authentication method is the RADIUS server, but the link to the server is down, the
software will try the next authentication method in the list.
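
The following Python model is an added example, not Foundry code. It walks a method list with the grant, deny and fall-through rules described above, and shows that a list ending in "No authentication" grants access with no credential check whenever every earlier method errors. Assumptions: the labels "radius", "local" and "none" are model names rather than CLI keywords, "none" always grants, and access is denied if every method errors.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "accept"   # method answered: credentials are valid
    REJECT = "reject"   # method answered: credentials are invalid
    ERROR = "error"     # method could not answer (e.g. link to server down)

MAX_METHODS = 7  # the page allows up to seven methods per list

def evaluate(method_list, outcomes):
    """Return (granted, deciding_method) for one login attempt.

    method_list: ordered labels such as ["radius", "local"] (model labels,
    not CLI keywords). outcomes: label -> Result for this attempt; a label
    missing from outcomes is treated as ERROR.
    """
    if not 1 <= len(method_list) <= MAX_METHODS:
        raise ValueError("a method list holds one to seven methods")
    for method in method_list:
        if method == "none":              # "No authentication": nothing to check
            return True, method
        result = outcomes.get(method, Result.ERROR)
        if result is Result.ACCEPT:       # success: grant and stop
            return True, method
        if result is Result.REJECT:       # rejection: deny and stop
            return False, method
        # ERROR: try the next method on the list
    return False, None  # assumption: deny when every method errored

def fail_open_condition(method_list):
    """Audit helper: which methods must all error for a login to be granted
    without any credential check? None means the list never fails open."""
    if "none" not in method_list:
        return None
    return method_list[:method_list.index("none")]

if __name__ == "__main__":
    # Constructed scenarios: RADIUS first, local accounts as backup.
    backup = ["radius", "local"]
    print(evaluate(backup, {"radius": Result.REJECT, "local": Result.ACCEPT}))
    print(evaluate(backup, {"radius": Result.ERROR, "local": Result.ACCEPT}))
    print(fail_open_condition(["radius", "none"]))
```

When reviewing a device's method lists, a backup method that still checks credentials (such as local user accounts) keeps a server outage from turning into unauthenticated access.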