Interaction With the User Database; ASA and Authenticated VLANs - Alcatel-Lucent OmniSwitch 6850-48 Management Manual

Release 6

Managing Switch Security
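The following illustration shows the two different user types attempting to authenticate with an
ACE/Server:
[Figure: Authentication-Only Server (ACE/Server).
Network Administrator panel (login request, user privileges, OmniSwitch, ACE/Server): The switch polls
the server for login information; privileges are stored on the switch.
Customer panel (login request, end-user profiles, OmniSwitch, ACE/Server): The switch polls the server
for login information; end-user profiles are stored on the switch.]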
Note. A RADIUS server supporting the challenge and response mechanism as defined in RADIUS
RFC 2865 may access an ACE/Server for authentication purposes. The ACE/Server is then used for user
authentication, and the RADIUS server is used for user authorization.

Interaction With the User Database

By default, switch management users may be authenticated through the console port via the local user
database. If external servers are configured for other management interfaces (such as Telnet or HTTP),
but the servers become unavailable, the switch will poll the local user database for login information.
Access to the console port provides secure failover in case of misconfiguration or if external
authentication servers become unavailable. The admin user is always authorized through the console port
via the local database (provided the correct password is supplied), even if access to the console port
is disabled.

The database includes information about whether or not a user is able to log into the switch and which
kinds of privileges or rights the user has for managing the switch. The database may be set up by the
admin user or any user with write privileges to the AAA commands.
See Chapter 8, "Managing Switch User Accounts," for more information about setting up the user database.

ASA and Authenticated VLANs

Layer 2 Authentication uses Authenticated VLANs to authenticate users through the switch out to a
subnet. Authenticated Switch Access authenticates users into the switch to manage it. The features are
independent of each other; however, user databases for each feature may be located on the same
authentication server.

For more information about Authenticated VLANs, see "Configuring Authenticated VLANs" in the
OmniSwitch AOS Release 6 Network Configuration Guide. For more information about authentication
servers, see "Configuring Authentication Servers" in the OmniSwitch AOS Release 6 Network
Configuration Guide.

OmniSwitch AOS Release 6 Switch Management Guide, September 2009, Authenticated Switch Access, page 9-5
