Cisco MDS 9000 Series Configuration Manual page 22

Security Overview

Users and Common Roles

Role-based authorization limits access to switch operations by assigning users to roles. All management access
within the Cisco MDS 9000 Family is based upon roles. Users are restricted to performing the management
operations that are explicitly permitted by the roles to which they belong.

For information on configuring users and common roles, see Role-Based Authorization.

RADIUS and TACACS+

The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and
tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches support the RADIUS and
TACACS+ protocols for AAA against remote servers. This security feature keeps user account management
centralized on the AAA servers instead of on each switch.

AAA uses security protocols to administer its security functions. If your switch is acting as a network access
server, the communication between it and the RADIUS or TACACS+ security server goes through AAA.

The chapters in this guide describe the following features:

• Switch management—A management security system that provides security to all management access
  methods, including the command-line interface (CLI) or Simple Network Management Protocol (SNMP).

• Switch AAA functionalities—A function by which you can configure AAA switch functionalities on
  any switch in the Cisco MDS 9000 Family, using the command-line interface (CLI) or Simple Network
  Management Protocol (SNMP).

• RADIUS—A distributed client and server system implemented through AAA that secures networks
  against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and
  send authentication requests to a central RADIUS server that contains all user authentication and network
  service access information.

• TACACS+—A security application implemented through AAA that provides a centralized validation
  of users who are attempting to gain access to a router or network access server. TACACS+ services are
  maintained in a database on a TACACS+ daemon that typically runs on a UNIX or Windows NT
  workstation. TACACS+ provides for separate and modular authentication, authorization, and accounting
  facilities.

For information on configuring RADIUS and TACACS+, see Switch Management Security.

IP ACLs

IP access control lists (ACLs) provide basic network security on the out-of-band management Ethernet interface
and the in-band IP management interface. The Cisco MDS 9000 Family switches use IP ACLs to restrict
traffic from unknown and untrusted sources and to restrict network use based on user identity or device type.

For information on configuring IP ACLs, see About IPv4 and IPv6 Access Control Lists.

Cisco MDS 9000 Series Security Configuration Guide, Release 8.x    4
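The following configuration session is an added example and is not part of the Cisco guide. It ties the three features on this page together on one switch: a custom role (Users and Common Roles), TACACS+ AAA with a local fallback (RADIUS and TACACS+), and an IP ACL on the management interface (IP ACLs). The role name zone-admin, user jdoe, TACACS+ servers 10.10.20.5 and 10.10.20.6, shared secret SharedSecret1, and admin subnet 10.10.10.0/24 are assumed values; the exact command syntax varies between releases and should be checked against the chapters referenced above before use.

```text
! Added example, not from the Cisco guide. Assumed values: role zone-admin,
! user jdoe, TACACS+ servers 10.10.20.5 and 10.10.20.6, shared secret
! SharedSecret1, admin subnet 10.10.10.0/24. Verify syntax for your release.
switch# configure terminal

! --- Role-based authorization: a role that may view everything and change
! --- only zoning. Anything not permitted by a rule is denied by default.
switch(config)# role name zone-admin
switch(config-role)# description Zoning operators, read-only elsewhere
switch(config-role)# rule 1 permit show
switch(config-role)# rule 2 permit config feature zone
switch(config-role)# exit
switch(config)# username jdoe password Str0ng-Passw0rd-2024 role zone-admin

! --- AAA with TACACS+: two servers, per-host shared secret, accounting on.
switch(config)# feature tacacs+
switch(config)# tacacs-server host 10.10.20.5 key 0 SharedSecret1
switch(config)# tacacs-server host 10.10.20.6 key 0 SharedSecret1
switch(config)# tacacs-server timeout 5
switch(config)# aaa group server tacacs+ TacServers
switch(config-tacacs+)# server 10.10.20.5
switch(config-tacacs+)# server 10.10.20.6
switch(config-tacacs+)# exit
! Remote logins go to TACACS+; local accounts are used only when no server
! answers (fallback on error, not on an explicit reject). The console stays
! local so a dead AAA path cannot lock out physical access.
switch(config)# aaa authentication login default group TacServers
switch(config)# aaa authentication login default fallback error local
switch(config)# aaa authentication login console local
switch(config)# aaa accounting default group TacServers

! --- IP ACL on the out-of-band management port: the admin subnet only, plus
! --- the TACACS+ servers. The ACL is stateless, so without those two entries
! --- it would drop the servers' replies and silently push every login onto
! --- the local fallback.
switch(config)# ip access-list MgmtOnly permit tcp 10.10.10.0 0.0.0.255 any
switch(config)# ip access-list MgmtOnly permit tcp 10.10.20.5 0.0.0.0 any
switch(config)# ip access-list MgmtOnly permit tcp 10.10.20.6 0.0.0.0 any
switch(config)# ip access-list MgmtOnly permit icmp 10.10.10.0 0.0.0.255 any
switch(config)# ip access-list MgmtOnly deny ip any any
switch(config)# interface mgmt0
switch(config-if)# ip access-group MgmtOnly in
switch(config-if)# end

! --- Verify before saving.
switch# show role name zone-admin
switch# show aaa authentication
switch# show tacacs-server groups
switch# show ip access-list MgmtOnly
switch# copy running-config startup-config
```

Apply the ACL last, from a session that originates inside 10.10.10.0/24, and confirm a TACACS+ login from a second session before saving; if the ACL blocks the AAA servers, logins still succeed through the local fallback and the misconfiguration goes unnoticed until the local accounts are removed. Any other management-plane peers the switch talks to from mgmt0 (syslog, NTP, SNMP managers) need their own permit entries for the same reason.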