Alcatel Carrier Internetworking Solutions omniswitch User Manual
Authenticated Switch Access
Managing Switch Security
page 8-4
OmniSwitch 6600 Family Switch Management Guide
March 2005
Authenticated Switch Access
Authenticated Switch Access (ASA) is a way of authenticating users who want to manage the switch. With
authenticated access, all switch login attempts using the console or modem port, Telnet, FTP, SNMP, or
HTTP require authentication via the local user database or via a third-party server.
authenticated access, all switch login attempts using the console or modem port, Telnet, FTP, SNMP, or
HTTP require authentication via the local user database or via a third-party server.
This section describes how to configure management interfaces for authenticated access as well as how to
specify external servers that the switch can poll for login information. The type of server may be an
authentication-only mechanism or an authentication, authorization, and accounting (AAA) mechanism.
specify external servers that the switch can poll for login information. The type of server may be an
authentication-only mechanism or an authentication, authorization, and accounting (AAA) mechanism.
AAA Servers—RADIUS or LDAP
AAA servers are able to provide authorization for switch management users as well as authentication (they
also may be used for accounting). The AAA servers supported on the switch are Remote Authentication
Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP) servers. User login
information and user privileges may be stored on the servers.
also may be used for accounting). The AAA servers supported on the switch are Remote Authentication
Dial-In User Service (RADIUS) or Lightweight Directory Access Protocol (LDAP) servers. User login
information and user privileges may be stored on the servers.
Privileges are used for network administrator accounts. Instead of user privileges an end-user profile may
be associated with a user for customer login accounts. User information configured on an external server
may include a profile name attribute. The switch will attempt to match the profile name to a profile stored
locally on the switch.
The following illustration shows the two different user types attempting to authenticate with a AAA
server:
For more information about types of users, see
Authentication-only—ACE/Server
Authentication-only servers are able to authenticate users for switch management access, but authoriza-
tion (or what privileges the user has after authenticating) are determined by the switch. Authentication-
only servers cannot return user privileges or end-user profiles to the switch. The authentication-only server
supported by the switch is ACE/Server, which is a part of RSA Security’s SecurID product suite. RSA
Security’s ACE/Agent is embedded in the switch.
tion (or what privileges the user has after authenticating) are determined by the switch. Authentication-
only servers cannot return user privileges or end-user profiles to the switch. The authentication-only server
supported by the switch is ACE/Server, which is a part of RSA Security’s SecurID product suite. RSA
Security’s ACE/Agent is embedded in the switch.
The following illustration shows the two different user types attempting to authenticate with an ACE/
Server:
Server:
The switch polls the server
for login information,
which may reference a pro-
file name; end-user profiles
are stored on the switch.
LDAP or RADIUS
Server
AAA Server (LDAP or RADIUS)
OmniSwitch
login request
The switch polls the server
and receives login and privi-
lege information about the
user.
Customer
login request
OmniSwitch
Network Administrator
LDAP or RADIUS
Server
OmniSwitch 6648
OmniSwitch 6648
OmniSwitch 6648
OmniSwitch 6648
end-user
profile