HP (Hewlett-Packard) 445946-001 User's Manual

Accessing the switch

Table 2  User access levels

User account     Description and tasks performed
Administrator    Administrators are the only ones that can make permanent changes to the switch
                 configuration (changes that are persistent across a reboot/reset of the switch).
                 Administrators can access switch functions to configure and troubleshoot problems
                 on the switch level. Because administrators can also make temporary
                 (operator-level) changes, they must be aware of the interactions between
                 temporary and permanent changes.
 
RADIUS attributes for user privileges 
When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, 
that is, the client authentication request, to the RADIUS authentication server. 
If the authentication server successfully authenticates the remote user, the switch verifies the privileges of 
the remote user and authorizes the appropriate access. The administrator has the option to allow 
backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS 
access. When backdoor access is enabled, access is allowed even if the primary and secondary 
authentication servers are reachable. Only when both the primary and secondary authentication servers
are not reachable does the administrator have the option to allow secure backdoor (secbd) access through
the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you
can have either backdoor or secure backdoor enabled, but not both at the same time. The default value
for backdoor access through the console port only is enabled. You can always access the switch via the
console port by using noradius and the administrator password, whether or not backdoor/secure backdoor
are enabled. The default value for backdoor and secure backdoor access through
Telnet/SSH/HTTP/HTTPS is disabled.
All user privileges, other than those assigned to the administrator, must be defined in the RADIUS 
dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file 
name of the dictionary is RADIUS vendor-dependent. The RADIUS attributes shown in the following table 
are defined for user privilege levels. 
Table 3  Proprietary attributes for RADIUS

User name/access    User service type    Value
User                Vendor-supplied      255
Operator            Vendor-supplied      252
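
An added example, not taken from the HP manual or the switch software: how a NAS could derive the privilege level from the Service-Type attribute (RADIUS attribute type 6) of an Access-Accept using the Table 3 values. It goes slightly beyond the text by also verifying the RFC 2865 Response Authenticator and denying on malformed, missing or unknown input. The administrator value 6 (RFC 2865 "Administrative"), the function names and the sample-packet builder are assumptions.

```python
import hashlib
import hmac
import struct

SERVICE_TYPE = 6      # RFC 2865 attribute type that carries the privilege level
ACCESS_ACCEPT = 2     # RFC 2865 packet code
# 255 and 252 come from Table 3; 6 (RFC 2865 "Administrative") is an assumed
# reading of "RADIUS attribute 6 ... defines the administrator".
PRIVILEGE_BY_SERVICE_TYPE = {6: "administrator", 252: "operator", 255: "user"}


def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept (sample data only, not a captured packet)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def privilege_from_accept(packet, request_auth, secret):
    """Return the privilege level an Access-Accept grants, or None to deny."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    body = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                       # forged or modified reply
    levels, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            return None                   # truncated attribute header
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            return None                   # malformed attribute: fail closed
        if atype == SERVICE_TYPE:
            if alen != 6:
                return None               # Service-Type is a 4-byte integer
            levels.append(struct.unpack("!I", body[pos + 2:pos + 6])[0])
        pos += alen
    if len(levels) != 1:
        return None                       # missing or duplicated Service-Type
    return PRIVILEGE_BY_SERVICE_TYPE.get(levels[0])   # unknown value -> None
```
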
 
TACACS+ authentication 
The switch software supports authentication, authorization, and accounting with networks using the Cisco 
Systems TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with 
the remote client and initiating authentication and authorization sessions with the TACACS+ access 
server. The remote user is defined as someone requiring management access to the switch through
either a data or a management port.