Chapter 14 | Security Measures
AAA Authorization and Accounting

◆ DHCP Snooping – Filter IP traffic on insecure ports for which the source address cannot be identified via DHCP snooping.

Note: The priority of execution for the filtering commands is Port Security, Port Authentication, Network Access, Web Authentication, Access Control Lists, IP Source Guard, and then DHCP Snooping.

AAA Authorization and Accounting
The authentication, authorization, and accounting (AAA) feature provides the main framework for configuring access control on the switch. The three security functions can be summarized as follows:
◆ Authentication — Identifies users that request access to the network.
◆ Authorization — Determines if users can access specific services.
◆ Accounting — Provides reports, auditing, and billing for services that users have accessed on the network.
The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. The security servers can be defined as sequential groups that are applied as a method for controlling user access to specified services. For example, when the switch attempts to authenticate a user, a request is sent to the first server in the defined group. If there is no response, the second server is tried, and so on. If at any point a pass or fail is returned, the process stops.
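The failover rule described above, as an added example (not code from the manual or the switch firmware): a small Python model in which silence moves the request to the next server, while any pass or fail ends the search. The server names, the `make_server` helper and the sample credentials are constructed for illustration.

```python
from enum import Enum

class Reply(Enum):
    ACCEPT = "pass"
    REJECT = "fail"
    TIMEOUT = "no response"

def make_server(name, up=True, users=None):
    """Hypothetical stand-in for one RADIUS/TACACS+ server in a group."""
    users = users or {}
    def query(user, password):
        if not up:
            return Reply.TIMEOUT  # unreachable: neither pass nor fail comes back
        ok = user in users and users[user] == password
        return Reply.ACCEPT if ok else Reply.REJECT
    return name, query

def authenticate(group, user, password):
    """Walk the group in order and stop at the first pass or fail.

    Returns (reply, answering_server_or_None, servers_tried).
    """
    tried = []
    for name, query in group:
        tried.append(name)
        reply = query(user, password)
        if reply is not Reply.TIMEOUT:
            return reply, name, tried  # a fail is as final as a pass
    # No server answered; what the switch does next is not covered here.
    return Reply.TIMEOUT, None, tried

# Constructed sample data: "bob" exists only on the second server.
primary = make_server("radius-1", users={"alice": "s3cret"})
secondary = make_server("radius-2", users={"alice": "s3cret", "bob": "hunter2"})
primary_down = make_server("radius-1", up=False)

if __name__ == "__main__":
    # First server answers "fail", so the second server is never consulted.
    print(authenticate([primary, secondary], "bob", "hunter2"))
    # First server is silent, so the request falls through to the second.
    print(authenticate([primary_down, secondary], "bob", "hunter2"))
```

The first call shows why the user databases on every server in a group need to stay in sync: a reject from an out-of-date first server is final even when a later server would accept.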
The switch supports the following AAA features:
◆ Accounting for IEEE 802.1X authenticated users that access the network through the switch.
◆ Accounting for users that access management interfaces on the switch through the console and Telnet.
◆ Accounting for commands that users enter at specific CLI privilege levels.
◆ Authorization of users that access management interfaces on the switch through the console and Telnet.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See "Configuring Local/Remote Logon Authentication" on page 269.
2. Define RADIUS and TACACS+ server groups to support the accounting and authorization of services.