Table of Contents
Advertisement
Configuring RADIUS Security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of
access to the Foundry switch or router:
•
Telnet access
•
SSH access
•
Web management access
•
Access to the Privileged EXEC level and CONFIG levels of the CLI
NOTE: Foundry devices do not support RADIUS security for SNMP (IronView) access.
RADIUS Authentication, Authorization, and Accounting
When RADIUS authentication is implemented, the Foundry device consults a RADIUS server to verify user
names and passwords. You can optionally configure RADIUS authorization, in which the Foundry device
consults a list of commands supplied by the RADIUS server to determine whether a user can execute a command
he or she has entered, as well as accounting, which causes the Foundry device to log information on a RADIUS
accounting server when specified events occur on the device.
NOTE: In releases prior to 07.1.00, a user logging into the device via Telnet or SSH would first enter the User
EXEC level. The user could then enter the enable command to get to the Privileged EXEC level.
Starting with release 07.1.00, a user that is successfully authenticated by a RADIUS or TACACS+ server is
automatically placed at the Privileged EXEC level after login.
RADIUS Authentication
When RADIUS authentication takes place, the following events occur:
1.
A user attempts to gain access to the Foundry device by doing one of the following:
•
Logging into the device using Telnet, SSH, or the Web management interface
•
Entering the Privileged EXEC level or CONFIG level of the CLI
2.
The user is prompted for a username and password.
3.
The user enters a username and password.
4.
The Foundry device sends a RADIUS Access-Request packet containing the username and password to the
RADIUS server.
5.
The RADIUS server validates the Foundry device using a shared secret (the RADIUS key).
6.
The RADIUS server looks up the username in its database.
7.
If the username is found in the database, the RADIUS server validates the password.
8.
If the password is valid, the RADIUS server sends an Access-Accept packet to the Foundry device,
authenticating the user. Within the Access-Accept packet are three Foundry vendor-specific attributes that
indicate:
•
The privilege level of the user
•
A list of commands
•
Whether the user is allowed or denied usage of the commands in the list
The last two attributes are used with RADIUS authorization, if configured.
9.
The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on
the Foundry device. The user is granted the specified privilege level. If you configure RADIUS authorization,
the user is allowed or denied usage of the commands in the list.
December 2000
Securing Access to Management Functions
3 - 33
- Quick Links:
- Configuring Ip Addresses
Hide quick links:
Advertisement
Chapters
Table of Contents
