Authenticated Switch Access; Aaa Servers-Radius Or Ldap; Authentication-Only-Ace/Server - Alcatel-Lucent OmniSwitch 6450 Management Manual


Authenticated Switch Access

Authenticated Switch Access (ASA) is a way of authenticating users who want to manage the switch. With
authenticated access, all switch login attempts using the console or modem port, Telnet, FTP, SNMP, or
HTTP require authentication via the local user database or via a third-party server.
This section describes how to configure management interfaces for authenticated access as well as how to
specify external servers that the switch can poll for login information. The type of server can be an
authentication-only mechanism or an authentication, authorization, and accounting (AAA) mechanism.
AAA Servers—RADIUS or LDAP
AAA servers are able to provide authorization for switch management users as well as authentication (they
also can be used for accounting). The AAA servers supported on the switch are Remote Authentication
Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP) servers. User login
information and user privileges can be stored on the servers.
Privileges are used for network administrator accounts. Instead of user privileges, an end-user profile can
be associated with a user for customer login accounts. User information configured on an external server
can include a profile name attribute. The switch will attempt to match the profile name to a profile stored
locally on the switch.
The following illustration shows the two different user types attempting to authenticate with an AAA
server:
[Figure: AAA Server (LDAP or RADIUS). Left panel, Network Administrator login request to the OmniSwitch: the switch polls the LDAP or RADIUS server and receives login and privilege information about the user. Right panel, Customer login request to the OmniSwitch: the switch polls the LDAP or RADIUS server for login information, which can reference a profile name; end-user profiles are stored on the switch.]
For more information about types of users, see Chapter 9, "Managing Switch User Accounts."
Authentication-only—ACE/Server
Authentication-only servers are able to authenticate users for switch management access, but authorization
(or what privileges the user has after authenticating) is determined by the switch. Authentication-only
servers cannot return user privileges or end-user profiles to the switch. The authentication-only server
supported by the switch is ACE/Server, which is a part of RSA Security's SecurID product suite. RSA
Security's ACE/Agent is embedded in the switch.
OmniSwitch 6250/6450 Switch Management Guide, June 2013, Managing Switch Security, page 10-4
