Configuring Security Features On An External Aaa Server - Cisco MDS 9000 Series Configuration Manual

Configuring Security Features on an External
AAA Server
The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and
tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use Remote Access
Dial-In User Service (RADIUS) or Terminal Access Controller Access Control device Plus (TACACS+)
protocols to provide solutions using remote AAA servers.
Based on the user ID and password combination provided, switches perform local authentication or authorization
using the local database or remote authentication or authorization using a AAA server. A preshared secret
key provides security for communication between the switch and AAA servers. This secret key can be
configured for all AAA servers or for only a specific AAA server. This security feature provides a central
management capability for AAA servers.
This chapter includes the following sections:
• Switch Management Security, on page 30
• Switch AAA Functionalities, on page 31
• Configuring Login Parameters, on page 39
• Configuring AAA Server Monitoring Parameters Globally, on page 41
• Configuring LDAP, on page 42
• Configuring RADIUS Server Monitoring Parameters, on page 54
• One-Time Password Support, on page 65
• Recovering the Administrator Password, on page 65
• Configuring TACACS+ Server Monitoring Parameters, on page 67
• Configuring Server Groups, on page 79
• AAA Server Distribution, on page 82
• CHAP Authentication, on page 87
• MSCHAP Authentication, on page 88
• Local AAA Services, on page 90
• Configuring Accounting Services, on page 91
• Configuring Cisco Access Control Servers, on page 93
• Default Settings, on page 97
C H A P T E R
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x
5
29