123
4. Configuring Security Features
4.1. Controlling Management Access
A user can access the switch management interface only after providing a valid user name and password
combination that matches the user account information stored in the user database configured on the
switch.
QNOS software includes several additional features to increase management security and help prevent
unauthorized access to the switch configuration interfaces.
4.1.1. Using RADIUS Servers for Management Security
Many networks use a RADIUS server to maintain a centralized user database that contains per-user
authentication information. RADIUS servers provide a centralized authentication method for:
ï‚·
Telnet Access
ï‚·
Console to Switch Access
ï‚·
Access Control Port (802.1X)
RADIUS access control utilizes a database of user information on a remote server. Making use of a single
database of accessible information—as in an Authentication Server—can greatly simplify the authentication
and management of users in a large network. One such type of Authentication Server supports the Remote
Authentication Dial In User Service (RADIUS) protocol as defined by RFC 2865.
For authenticating users prior to access, the RADIUS standard has become the protocol of choice by
administrators of large accessible networks. To accomplish the authentication in a secure manner, the
RADIUS client and RADIUS server must both be configured with the same shared password or secret. This
secret is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The
secret is never transmitted over the network.
RADIUS conforms to a secure communications client/server model using UDP as a transport protocol. It is
extremely flexible, supporting a variety of methods to authenticate and statistically track users. RADIUS is
also extensible, allowing for new methods of authentication to be added without disrupting existing
functionality.
As a user attempts to connect to the switch management interface, the switch first detects the contact and
prompts the user for a name and password. The switch encrypts the supplied information, and a RADIUS
client transports the request to a pre-configured RADIUS server.
To Next Page
Loading...
Need help?
General