Brocade Communications Systems Brocade ICX 6650 User Manual

Brocade ICX 6650 Security Configuration Guide
53-1002601-01
RADIUS security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the Brocade Layer 2 switch or Layer 3 switch:
- Telnet access
- SSH access
- Access to the Privileged EXEC level and CONFIG levels of the CLI
RADIUS authentication, authorization, and accounting
When RADIUS authentication is implemented, the Brocade device consults a RADIUS server to 
verify user names and passwords. You can optionally configure RADIUS authorization, in which the 
Brocade device consults a list of commands supplied by the RADIUS server to determine whether a 
user can execute a command he or she has entered, as well as accounting, which causes the 
Brocade device to log information on a RADIUS accounting server when specified events occur on 
the device.
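The username and password check described above travels to the server in a RADIUS Access-Request. The following added example (not from the Brocade guide or its software) builds and parses one as defined in RFC 2865, showing that the User-Name is sent in the clear while the User-Password is masked only by MD5 keyed with the shared RADIUS key. The key, username, and password values are constructed for illustration.

```python
import hashlib, os, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: reverse the masking using the same shared key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret, req_auth) -> bytes:
    # Attribute 1 = User-Name (cleartext), attribute 2 = User-Password (masked).
    attrs = attr(1, user) + attr(2, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def parse_access_request(packet: bytes, secret: bytes):
    """Return (username, recovered password) from an Access-Request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth, pos, found = packet[4:20], 20, {}
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        found[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return found[1], unhide_password(found[2], secret, req_auth)

def demo():
    # Constructed sample values; the 31-byte password spans two 16-byte blocks.
    secret, req_auth = b"constructed-shared-key", os.urandom(16)
    pkt = build_access_request(7, b"admin", b"constructed-pass-longer-than-16", secret, req_auth)
    return parse_access_request(pkt, secret), parse_access_request(pkt, b"wrong-key")
```

A server holding a different key still reads the username but recovers only garbage for the password, which is why the key configured on the device and on the RADIUS server must match.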
RADIUS authentication
When RADIUS authentication takes place, the following events occur.
1. A user attempts to gain access to the Brocade device by doing one of the following:
   - Logging into the device using Telnet or SSH
   - Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3. The user enters a username and password.
TABLE 6    Output of the show aaa command for TACACS/TACACS+

Field / Description

Tacacs+ key
    The setting configured with the tacacs-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.

Tacacs+ retries
    The setting configured with the tacacs-server retransmit command.

Tacacs+ timeout
    The setting configured with the tacacs-server timeout command.

Tacacs+ dead-time
    The setting configured with the tacacs-server dead-time command.

Tacacs+ Server
    For each TACACS/TACACS+ server, the IP address, port, and the following statistics are displayed:
    - opens - Number of times the port was opened for communication with the server
    - closes - Number of times the port was closed normally
    - timeouts - Number of times port was closed due to a timeout
    - errors - Number of times an error occurred while opening the port
    - packets in - Number of packets received from the server
    - packets out - Number of packets sent to the server

connection
    The current connection status. This can be “no connection” or “connection active”.