Chapter 13 | Security Measures

◆ IPv4 Source Guard – Filters IPv4 traffic on insecure ports for which the
  source address cannot be identified via DHCPv4 snooping or static
  source bindings.
◆ IPv6 Source Guard – Filters IPv6 traffic on insecure ports for which the
  source address cannot be identified via ND snooping, DHCPv6
  snooping, or static source bindings.
◆ DHCP Snooping – Filters IP traffic on insecure ports for which the source
  address cannot be identified via DHCP snooping.

NOTE: The priority of execution for the filtering commands is Port Security,
Port Authentication, Network Access, Web Authentication, Access Control
Lists, IP Source Guard, and then DHCP Snooping.

AAA Authentication, Authorization and Accounting

The authentication, authorization, and accounting (AAA) feature provides
the main framework for configuring access control on the switch. The three
security functions can be summarized as follows:

◆ Authentication — Identifies users that request access to the network.
◆ Authorization — Determines if users can access specific services.
◆ Accounting — Provides reports, auditing, and billing for services that
  users have accessed on the network.

The AAA functions require the use of configured RADIUS or TACACS+
servers in the network. The security servers can be defined as sequential
groups that are applied as a method for controlling user access to specified
services. For example, when the switch attempts to authenticate a user, a
request is sent to the first server in the defined group. If there is no
response, the second server is tried, and so on. If at any point a pass
or fail is returned, the process stops.

The switch supports the following AAA features:

◆ Accounting for IEEE 802.1X authenticated users that access the
  network through the switch.
◆ Accounting for users that access management interfaces on the switch
  through the console and Telnet.
◆ Accounting for commands that users enter at specific CLI privilege
  levels.
◆ Authorization of users that access management interfaces on the
  switch through the console and Telnet.
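The sequential server-group behaviour described above (try the next server only when there is no response; stop on the first pass or fail) can be modelled as follows. This is an added example, not code or configuration from the switch documentation: the names `make_server`, `authenticate` and `Reply`, the sample credentials, and the `None` result when no server in the group responds are all assumptions made for illustration.

```python
from enum import Enum


class Reply(Enum):
    PASS = "pass"
    FAIL = "fail"


def make_server(users, up=True):
    """Constructed stand-in for a RADIUS/TACACS+ server (no network I/O)."""
    def query(user, password):
        if not up:
            return None  # models "no response" (timeout or unreachable)
        return Reply.PASS if users.get(user) == password else Reply.FAIL
    return query


def authenticate(group, user, password):
    """Walk an ordered server group; stop at the first pass or fail.

    group is a list of (name, server) pairs. Returns (decision, tried):
    decision is a Reply, or None if no server answered (assumed outcome,
    the caller decides what to do with it); tried lists the servers
    contacted, in order.
    """
    tried = []
    for name, server in group:
        tried.append(name)
        reply = server(user, password)
        if reply is not None:      # any definite answer ends the walk
            return reply, tried
    return None, tried


if __name__ == "__main__":
    creds = {"alice": "s3cret"}            # constructed sample account
    down = make_server(creds, up=False)    # server that never answers
    good = make_server(creds)              # server with current data
    stale = make_server({})                # server missing the account
    cases = {
        "first server down": [("srv1", down), ("srv2", good)],
        "first server rejects": [("srv1", stale), ("srv2", good)],
        "no server responds": [("srv1", down), ("srv2", down)],
    }
    for label, group in cases.items():
        print(label, authenticate(group, "alice", "s3cret"))
```

The second case shows why every server in a group needs consistent account data: a fail from an earlier server is final, so a later server that would have accepted the user is never consulted.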