Accessing the switch 21
User accounts for RADIUS users
The user accounts listed in the following table can be defined in the RADIUS server dictionary file.
Table 2 User access levels (user account: description and tasks performed)

User: User interaction with the switch is completely passive; nothing can be changed on the switch. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.

Operator: Operators can only effect temporary changes on the switch. These changes are lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation, but they do have access to the Maintenance menu. By default, the operator account is disabled and has no password.

Administrator: Administrators are the only users who can make permanent changes to the switch configuration, that is, changes that persist across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems at the switch level. Because administrators can also make temporary (operator-level) changes, they must be aware of the interactions between temporary and permanent changes.
RADIUS attributes for user privileges
When the user logs in, the switch authenticates the level of access by sending the RADIUS access request (the client authentication request) to the RADIUS authentication server.
If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When backdoor access is enabled, access is allowed even if the primary and secondary authentication servers are reachable. Only when neither the primary nor the secondary authentication server is reachable does the administrator have the option to allow secure backdoor (secbd) access, again through the console port only or through the console and Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you can have either backdoor or secure backdoor enabled, but not both at the same time. By default, backdoor access through the console port only is enabled. You can always access the switch through the console port by using noradius and the administrator password, whether or not backdoor or secure backdoor access is enabled. By default, backdoor and secure backdoor access through Telnet/SSH/HTTP/HTTPS is disabled.
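The backdoor, secure backdoor and noradius rules above interact in ways that are easy to misread, so the following added example (not the switch's own code, and not its CLI syntax) models them as a small policy check that returns the set of login paths available for a given attempt. The configuration field names, the function names and the sample configurations are assumptions made for illustration; the rules they encode are the ones stated in the paragraph above, with RADIUS assumed to be on.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RadiusFallbackConfig:
    """Hypothetical model of the fallback settings (field names are assumptions)."""
    backdoor: bool = True              # default per the page: backdoor via console enabled
    backdoor_remote: bool = False      # backdoor via Telnet/SSH/HTTP/HTTPS, default disabled
    secure_backdoor: bool = False      # secure backdoor (secbd), default disabled
    secure_backdoor_remote: bool = False

    def validate(self) -> None:
        # With RADIUS on, backdoor and secure backdoor are mutually exclusive.
        if self.backdoor and self.secure_backdoor:
            raise ValueError("backdoor and secure backdoor cannot both be enabled")


def allowed_login_paths(cfg: RadiusFallbackConfig, via_console: bool,
                        servers_reachable: bool) -> frozenset:
    """Return the authentication paths open to one login attempt.

    Paths: "radius" (normal server authentication), "noradius-console" (console plus the
    administrator password, always available), "backdoor", "secure-backdoor".
    An empty set means the attempt is refused.
    """
    cfg.validate()
    paths = set()
    if via_console:
        paths.add("noradius-console")          # always available on the console port
    if servers_reachable:
        paths.add("radius")
    if cfg.backdoor and (via_console or cfg.backdoor_remote):
        paths.add("backdoor")                  # allowed even when the servers are reachable
    if (not servers_reachable and cfg.secure_backdoor
            and (via_console or cfg.secure_backdoor_remote)):
        paths.add("secure-backdoor")           # only when neither server is reachable
    return frozenset(paths)


def review_config(cfg: RadiusFallbackConfig) -> list:
    """Flag settings that widen the locally authenticated fallback to network logins."""
    findings = []
    if cfg.backdoor and cfg.backdoor_remote:
        findings.append("backdoor reachable over Telnet/SSH/HTTP/HTTPS even while RADIUS servers are up")
    if cfg.secure_backdoor and cfg.secure_backdoor_remote:
        findings.append("secure backdoor reachable over Telnet/SSH/HTTP/HTTPS during server outages")
    return findings


if __name__ == "__main__":
    default_cfg = RadiusFallbackConfig()
    for console in (True, False):
        for reachable in (True, False):
            print("console" if console else "remote", "servers up" if reachable else "servers down",
                  sorted(allowed_login_paths(default_cfg, console, reachable)))
```

With the defaults, a remote login during a full server outage gets an empty set (refused), while the console still offers noradius and backdoor; enabling both backdoor and secure backdoor raises rather than silently picking one.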
All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary depends on the RADIUS server vendor. The RADIUS attributes shown in the following table are defined for user privilege levels.
Table 3 Proprietary attributes for RADIUS

User name/access   User service type   Value
User               Vendor-supplied     255
Operator           Vendor-supplied     252
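The following is an added worked example (not the switch's or any RADIUS server's code) of how a NAS turns the attribute values above into a privilege level. It assumes, as Table 3 implies, that the vendor-supplied values 255 (User) and 252 (Operator) are carried in the standard Service-Type attribute (attribute 6), alongside value 6, which RFC 2865 defines as Administrative-User and which the page says identifies the administrator. The shared secret and request authenticator are constructed sample values, and the packet builder exists only to produce test replies; the reply is checked against the RFC 2865 response authenticator before any attribute is trusted, and anything unrecognised or malformed yields no access.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SERVICE_TYPE = 6  # standard RADIUS attribute 6 (Service-Type), RFC 2865

# Mapping described on the page: 6 is the RFC 2865 Administrative-User (administrator);
# 255 and 252 are the vendor-supplied values for User and Operator from Table 3.
SERVICE_TYPE_TO_LEVEL = {6: "administrator", 255: "user", 252: "operator"}

# Constructed sample values for the demonstration, not real credentials.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))


def service_type_attr(value):
    """Encode a Service-Type attribute as a (type, value) pair; value is a 32-bit big-endian integer."""
    return (SERVICE_TYPE, struct.pack("!I", value))


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept the way a server would (response authenticator per RFC 2865)."""
    body = b"".join(struct.pack("!BB", atype, len(val) + 2) + val for atype, val in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def privilege_from_reply(packet, request_auth, secret):
    """Return the privilege level granted by a RADIUS reply, or None for no access.

    None covers a reply that fails the response-authenticator check (spoofed or tampered),
    is not an Access-Accept, is malformed, or carries no single recognised Service-Type.
    """
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    if code != ACCESS_ACCEPT:
        return None
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return None
    values = [val for atype, val in attrs if atype == SERVICE_TYPE]
    if len(values) != 1 or len(values[0]) != 4:
        return None  # missing, duplicated or malformed Service-Type: grant nothing
    return SERVICE_TYPE_TO_LEVEL.get(struct.unpack("!I", values[0])[0])


if __name__ == "__main__":
    for value in (6, 255, 252, 99):
        reply = build_access_accept(1, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [service_type_attr(value)])
        print(value, "->", privilege_from_reply(reply, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The unknown value 99 and a reply whose authenticator does not match both map to no access rather than to the lowest level, which keeps a misconfigured dictionary or a forged reply from granting anything.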
TACACS+ authentication
The switch software supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The switch functions as the Network Access Server (NAS): it interacts with the remote client and initiates authentication and authorization sessions with the TACACS+ access server. A remote user is defined as someone requiring management access to the switch through either a data port or a management port.
TACACS+ offers the following advantages over RADIUS:
• TACACS+ uses TCP, a connection-oriented transport, whereas RADIUS uses UDP, which offers only best-effort delivery. RADIUS requires additional programmable variables, such as retransmit attempts and time-outs, to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.