What Are the Recommendations for Management Security?
Selecting the authentication policy for a network is very important. In large
deployments, many administrators prefer to use a RADIUS or TACACS+
server because it allows the authentication policy to be applied system wide
with little administrative effort. Additional recommendations for
management security include:
Require strong passwords
Disable factory-delivered default accounts
Enable password lockout
Configure user ACLs to protect administrative access to the network.
What Is an Authentication Profile?
An authentication profile specifies which authentication method or methods
to use to authenticate a user who attempts to access the switch management
interface. The authentication method can be one or more of the following:
ENABLE—Uses the enable password for authentication.
IAS—Uses the Internal Authentication Server database for 802.1X port-
LINE—Uses the Line password for authentication.
LOCAL—Uses the ID and password in the Local User Database for
RADIUS—Sends the user's ID and password to the RADIUS server to be
authenticated there instead of locally.
TACACS+—Sends the user's ID and password to the configured
TACACS+ server to be authenticated.
NONE—No authentication is used.
You can use the same Authentication Profile for all access types, or select or
create a variety of profiles based on how a user attempts to access the switch
management interface. Profiles can be applied to each of the following access
Login—Authenticates all attempts to log in to the switch.
Enable—Authenticates all attempts to enter Privileged EXEC mode (CLI
Controlling Management Access