Setting Up Management Interfaces For Asa; Enabling Switch Access - Alcatel-Lucent OmniSwitch AOS Release 7 Manual

Switch management guide

Managing Switch Security

Setting Up Management Interfaces for ASA

By default, authenticated access is available through the console port. Access through other management interfaces is disabled. This chapter describes how to set up access for management interfaces. For more details about particular management interfaces and how they are used, see Chapter 1, "Logging Into the Switch."

To give switch access to management interfaces, use the aaa authentication command to allow or deny access to each interface type; the default keyword may be used to configure access for all interface types. Specify the server(s) to be used for authentication through the indicated management interface.

To specify an external authentication server or servers, use the RADIUS or LDAP server name. To specify that the local user database should be used for authentication, use the local keyword.

RADIUS and LDAP servers are set up to communicate with the switch via the aaa radius-server and aaa ldap-server commands. For more information about configuring the switch to communicate with these servers, see the "Managing Authentication Servers" chapter of the Network Configuration Guide.

The order of the specified servers is important. The switch uses only one server for authentication—the first available server in the list. All authentication attempts will be tried on that server. Other servers are not tried, even if they are available. If local is specified, it must be last in the list since the local user database is always available when the switch is up.

Servers may also be used for accounting, or logging, of authenticated sessions. See "Configuring Accounting for ASA" on page 7-11.

The following table describes the management access interfaces or methods and the types of authentication servers that may be used with them:

Server Type    Management Access Method
RADIUS         Telnet, FTP, HTTP, SSH
LDAP           Telnet, FTP, HTTP, SSH, SNMP
local          console, FTP, HTTP, SSH, SNMP

Enabling Switch Access

Enter the aaa authentication command with the relevant keyword that indicates the management interface and specify the servers to be used for authentication. In this example, Telnet access for switch management is enabled. Telnet users will be authenticated through a chain of servers that includes a RADIUS server and an LDAP server that have already been configured through the aaa radius-server and aaa ldap-server commands respectively. For example:

-> aaa authentication telnet rad1 ldap2 local

After this command is entered, Telnet users will be authenticated to manage the switch through the rad1 RADIUS server. If that server is unavailable, the LDAP server, ldap2, will be polled for user information. If that server is unavailable, the local user database will be polled for user information. Note that if the local user database is specified, it must be last in the list of servers.

To disable authenticated access for a management interface use the no form of the command with the keyword for the interface. For example:

-> no aaa authentication ftp

OmniSwitch AOS Release 7 Switch Management Guide, March 2011, page 7-9
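The server-order rule described in this section, as an added example (not code from the manual or from the vendor): a Python sketch that parses aaa authentication lines, flags a local entry that is not last or a server name that was never configured, and reports which single server would be used for a given set of reachable servers. The ssh and first ftp lines, the DEFINED set and all function names are constructed for illustration.

```python
LOCAL = "local"  # keyword for the switch's local user database

# Constructed sample: lines 1 and 4 are the manual's examples, lines 2-3 are made up.
SAMPLE = """\
-> aaa authentication telnet rad1 ldap2 local
-> aaa authentication ssh local rad1
-> aaa authentication ftp rad1 local
-> no aaa authentication ftp
"""
DEFINED = {"rad1", "ldap2"}  # assumed names set up via aaa radius-server / aaa ldap-server

def parse_aaa_auth(config_text):
    """Return {interface: [servers]}; a `no` form removes that interface's entry."""
    chains = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("->"):
            line = line[2:]
        words = line.split()
        if words[:3] == ["no", "aaa", "authentication"] and len(words) == 4:
            chains.pop(words[3], None)
        elif words[:2] == ["aaa", "authentication"] and len(words) >= 4:
            chains[words[2]] = words[3:]
    return chains

def audit_chain(interface, servers, defined):
    """Flag chains that break the ordering rule or name an unconfigured server."""
    findings = []
    if LOCAL in servers[:-1]:
        findings.append(f"{interface}: local is not last, later servers are never used")
    for name in servers:
        if name != LOCAL and name not in defined:
            findings.append(f"{interface}: server {name} is not configured")
    return findings

def select_server(servers, reachable):
    """Return the one server used: the first available in list order, else None."""
    for name in servers:
        if name == LOCAL or name in reachable:  # local is always available
            return name
    return None

if __name__ == "__main__":
    for iface, servers in parse_aaa_auth(SAMPLE).items():
        print(iface, servers, audit_chain(iface, servers, DEFINED))
        print("  rad1 down ->", select_server(servers, {"ldap2"}))
```

Because only the first available server is consulted, an account that exists only on ldap2 is not checked while rad1 is reachable; select_server makes that visible for any reachability set.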
