What Are the Recommendations for Management Security?
Selecting the authentication policy for a network is very important. In large
deployments, many administrators prefer to use a RADIUS or TACACS+
server because it allows the authentication policy to be applied system wide
with little administrative effort. Additional recommendations for
management security include:
• Require strong passwords
• Disable factory-delivered default accounts
• Enable password lockout
• Configure user ACLs to protect administrative access to the network
What Is an Authentication Profile?
An authentication profile specifies which authentication method or methods
to use to authenticate a user who attempts to access the switch management
interface. The authentication method can be one or more of the following:
• ENABLE—Uses the enable password for authentication.
• IAS—Uses the Internal Authentication Server database for 802.1X port-based authentication.
• LINE—Uses the Line password for authentication.
• LOCAL—Uses the ID and password in the Local User Database for authentication.
• RADIUS—Sends the user's ID and password to the RADIUS server to be authenticated instead of authenticating locally.
• TACACS+—Sends the user's ID and password to the configured TACACS+ server to be authenticated.
• NONE—No authentication is used.
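The method list above can be checked mechanically when reviewing profile definitions. The following Python is an added example, not code from this manual or from the switch software; the "name: METHOD ..." input format, the profile names and the severity labels are assumptions constructed for illustration.

```python
"""Audit authentication profiles (added example; formats and data are constructed)."""

# Method names exactly as listed on this page.
KNOWN = {"ENABLE", "IAS", "LINE", "LOCAL", "RADIUS", "TACACS+", "NONE"}
# Per the list above, these check one shared password, not a user's ID.
SHARED_PASSWORD = {"ENABLE", "LINE"}
# Server-based methods the page says are preferred in large deployments.
CENTRAL = {"RADIUS", "TACACS+"}


def parse_profiles(text):
    """Parse 'name: METHOD METHOD ...' lines (hypothetical format) into a dict."""
    profiles = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, methods = line.partition(":")
        profiles[name.strip()] = [m.upper() for m in methods.split()]
    return profiles


def audit(profiles):
    """Return sorted (profile, severity, message) findings."""
    findings = []
    for name, methods in profiles.items():
        used = set(methods)
        for m in sorted(used - KNOWN):
            findings.append((name, "error", f"unknown method {m}"))
        if not methods:
            findings.append((name, "error", "no methods listed"))
        if "NONE" in used:
            findings.append((name, "high", "NONE permits access with no authentication"))
        if used and used <= SHARED_PASSWORD:
            findings.append((name, "medium", "only shared passwords; no per-user ID"))
        if not used & CENTRAL:
            findings.append((name, "info", "no RADIUS/TACACS+ server method"))
    return sorted(findings)


SAMPLE = """
# constructed sample profiles
netAdmins: tacacs+ local
console:   line
legacy:    enable none
typo:      raduis local
"""

if __name__ == "__main__":
    for finding in audit(parse_profiles(SAMPLE)):
        print(*finding, sep=" | ")
```

The audit only inspects which methods a profile contains; it makes no assumption about the order in which the switch tries them.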
You can use the same Authentication Profile for all access types, or select or
create a variety of profiles based on how a user attempts to access the switch
management interface. Profiles can be applied to each of the following access
types:
• Login—Authenticates all attempts to log in to the switch.
• Enable—Authenticates all attempts to enter Privileged EXEC mode (CLI only).
Controlling Management Access