Foundry Networks Switch and Router Installation And Configuration Manual page 112

Foundry Switch and Router Installation and Configuration Guide
NOTE: If an authentication method is working properly and the password (and user name, if applicable) is not
known to that method, this is not an error. The authentication attempt stops, and the user is denied access.
The software will continue this process until either the authentication method is passed or the software reaches
the end of the method list. If the Super User level password is not rejected after all the access methods in the list
have been tried, access is granted.
Configuration Considerations for Authentication-Method Lists

- For CLI access, you must configure authentication-method lists if you want the device to authenticate access using local user accounts or a RADIUS server. Otherwise, the device will authenticate using only the locally based password for the Super User privilege level.
- When no authentication-method list is configured specifically for Web management access, the device performs authentication using the SNMP community strings:
  - For read-only access, you can use the user name "get" and the password "public". The default read-only community string is "public".
  - Beginning with software release 05.1.00, there is no default read-write community string. Thus, by default, you cannot open a read-write management session using the Web management interface. You first must configure a read-write community string using the CLI. Then you can log on using "set" as the user name and the read-write community string you configure as the password. See "Establishing SNMP Community Strings" on page 3-14.
- If you configure an authentication-method list for Web management access and specify "local" as the primary authentication method, users who attempt to access the device using the Web management interface must supply a user name and password configured in one of the local user accounts on the device. The user cannot access the device by entering "set" or "get" and the corresponding SNMP community string.
- For devices that can be managed using IronView, the default authentication method (if no authentication-method list is configured for SNMP) is the CLI Super User level password. If no Super User level password is configured, then access through IronView is not authenticated. To use local user accounts to authenticate access through IronView, configure an authentication-method list for SNMP access and specify "local" as the primary authentication method.

Examples of Authentication-Method Lists
Example 1: The following example shows how to configure authentication-method lists for the Web management
interface, IronView, and the Privileged EXEC and CONFIG levels of the CLI. In this example, the primary
authentication method for each is "local". The device will authenticate access attempts using the locally
configured user names and passwords first.
To configure an authentication-method list for the Web management interface, enter a command such as the
following:
BigIron(config)# aaa authentication web-server default local
This command configures the device to use the local user accounts to authenticate access to the device through
the Web management interface. If the device does not have a user account that matches the user name and
password entered by the user, the user is not granted access.
To configure an authentication-method list for IronView, enter a command such as the following:
BigIron(config)# aaa authentication snmp-server default local
This command configures the device to use the local user accounts to authenticate access attempts through
IronView.
To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the
following command:
BigIron(config)# aaa authentication enable default local
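
The following audit sketch is an added example, not part of the Foundry manual. It scans saved configuration text for the three method lists shown above and, for each one that is absent, reports the fallback behavior described under "Configuration Considerations". It assumes the saved configuration contains the "aaa authentication" lines in the form they are entered; the sample text, including the "radius local" method order, is constructed.

```python
import re

# Fallback the manual describes when no method list exists for an access type.
FALLBACK = {
    "web-server": "SNMP community strings accepted (user 'get'/'set')",
    "snmp-server": "CLI Super User password; unauthenticated if none is set",
    "enable": "only the local Super User level password is checked",
}
# Matches a bare config line or one copied with its CLI prompt in front.
AAA_RE = re.compile(r"\baaa authentication (\S+) default (.+)$")

def parse_method_lists(config_text):
    """Return {access_type: [methods in configured order]}."""
    lists = {}
    for line in config_text.splitlines():
        m = AAA_RE.search(line.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def audit(config_text):
    """Return {access_type: (status, detail)} for the three access types."""
    lists = parse_method_lists(config_text)
    findings = {}
    for access, fallback in FALLBACK.items():
        methods = lists.get(access)
        if methods:
            findings[access] = ("configured", methods)  # methods tried in order
        else:
            findings[access] = ("missing", fallback)    # documented default
    return findings

# Constructed sample: no snmp-server list, so IronView access uses the default.
SAMPLE = """\
aaa authentication web-server default local
aaa authentication enable default radius local
"""

if __name__ == "__main__":
    for access, (status, detail) in audit(SAMPLE).items():
        print("%-12s %-10s %s" % (access, status, detail))
```
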
3 - 48
December 2000
