Figure 11: Authentication Server Operation
[Figure: Web and Telnet clients, the switch, and a RADIUS/TACACS+ server]

CLI REFERENCES
◆ "Protocol Authentication Commands" on page 316

USAGE GUIDELINES
◆ The switch supports the following authentication services:
  ■ Authorization of users that access the Telnet, SSH, the web, or console management interfaces on the switch.
  ■ Accounting for users that access the Telnet, SSH, the web, or console management interfaces on the switch.
  ■ Accounting for IEEE 802.1X authenticated users that access the network through the switch. This accounting can be used to provide reports, auditing, and billing for services that users have accessed.
◆ By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication method and the corresponding parameters for the remote authentication protocol on the Network Access Server Configuration page. Local and remote logon authentication can be used to control management access via Telnet, SSH, a web browser, or the console interface.
◆ When using RADIUS or TACACS+ logon authentication, the user name and password must be configured on the authentication server. The encryption methods used for the authentication process must also be configured or negotiated between the authentication server and logon client. This switch can pass authentication messages between the server and client that have been encrypted using MD5 (Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security).
CHAPTER 4 | Configuring the Switch

Steps shown in Figure 11 (management access from a web, Telnet or console client):
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
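
The challenge and response in steps 3 to 5, using the MD5 method named in the usage guidelines, as an added example that is not taken from the switch manual or its firmware. It assumes the CHAP-style calculation of RFC 1994 (also used by EAP-MD5); `AuthServer`, `login` and the sample account are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed sample credential store on the authentication server.
USERS = {"admin": b"correct horse battery"}


def md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AuthServer:
    """Hypothetical server side of steps 3 and 5 in the figure."""

    def __init__(self, users):
        self.users = users
        self.pending = {}  # (user, identifier) -> outstanding challenge
        self.next_id = 0

    def challenge(self, user: str):
        """Step 3: issue a fresh 16-byte random challenge."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)
        self.pending[(user, identifier)] = value
        return identifier, value

    def verify(self, user: str, identifier: int, response: bytes) -> bool:
        """Step 5: approve only a correct answer to an outstanding challenge."""
        # pop() makes each challenge single-use, so a captured response
        # is rejected if it is presented a second time.
        value = self.pending.pop((user, identifier), None)
        secret = self.users.get(user)
        if value is None or secret is None:
            return False
        expected = md5_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)  # constant-time compare


def login(server: AuthServer, user: str, password: bytes) -> bool:
    """Steps 1-6 from the client's view; the switch only relays messages."""
    identifier, value = server.challenge(user)             # steps 1-3
    response = md5_response(identifier, password, value)   # step 4
    return server.verify(user, identifier, response)       # steps 5-6
```

The MD5 method authenticates only the client and exposes a hash of the password and challenge on the wire, so the TLS and TTLS methods listed above are the stronger choice where the server and client support them.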
Configuring Security