Alcatel Carrier Internetworking Solutions OmniSwitch User Manual

Managing Switch Security
Authenticated Switch Access
OmniSwitch 6600 Family Switch Management Guide
March 2005
page 8-5
Note. A RADIUS server supporting the challenge and response mechanism as defined in RADIUS 
RFC 2865 may access an ACE/Server for authentication purposes. The ACE/Server is then used for user 
authentication, and the RADIUS server is used for user authorization.
Interaction With the User Database
By default, switch management users may be authenticated through the console port via the local user 
database. If external servers are configured for other management interfaces (such as Telnet or HTTP) but 
the servers become unavailable, the switch will poll the local user database for login information. 
Access to the console port provides secure failover in case of misconfiguration or if external 
authentication servers become unavailable. The admin user is always authorized through the console port via the 
local database (provided the correct password is supplied), even if access to the console port is disabled.
The database includes information about whether or not a user is able to log into the switch and which 
kinds of privileges or rights the user has for managing the switch. The database may be set up by the 
admin user or any user with write privileges to the AAA commands. 
See  for more information about setting up the user database.
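The failover order described in this section, modelled as an added Python example (not code from the Alcatel guide or the switch software). The `Server` class, the `authenticate` and `matches` functions and the sample accounts are hypothetical, and treating a reachable server's rejection as final is an assumption; the guide only states that the local database is polled when the servers are unavailable.

```python
# Added illustration (not from the OmniSwitch guide); all names are hypothetical.
import hmac
from dataclasses import dataclass, field

class ServerUnavailable(Exception):
    """An external authentication server could not be reached."""

def matches(stored, supplied):
    # Constant-time comparison; an unknown user (stored is None) never matches.
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())

@dataclass
class Server:
    name: str
    users: dict = field(default_factory=dict)  # username -> password (constructed)
    reachable: bool = True

    def check(self, user, password):
        if not self.reachable:
            raise ServerUnavailable(self.name)
        return matches(self.users.get(user), password)

def authenticate(interface, user, password, external, local_db):
    """Return (granted, source) for one management login attempt.

    external: ordered list of Server objects configured for this interface.
    local_db: the switch's local user database, username -> password.
    """
    # The admin user on the console port is always checked against the local database.
    if interface == "console" and user == "admin":
        return matches(local_db.get("admin"), password), "local"
    for server in external:
        try:
            # Assumption: a reachable server's answer is final, accept or reject.
            return server.check(user, password), server.name
        except ServerUnavailable:
            continue  # unreachable: try the next server, then the local database
    return matches(local_db.get(user), password), "local"

if __name__ == "__main__":
    local_db = {"admin": "local-admin-pw", "ops": "local-ops-pw"}  # constructed
    rad1 = Server("rad1", {"ops": "radius-ops-pw"})
    print(authenticate("telnet", "ops", "radius-ops-pw", [rad1], local_db))
    rad1.reachable = False  # simulate an outage of the external server
    print(authenticate("telnet", "ops", "local-ops-pw", [rad1], local_db))
    print(authenticate("console", "admin", "local-admin-pw", [rad1], local_db))
```

Because the local database answers whenever the external servers are unreachable, local accounts remain a live login path and need the same password hygiene as the server-side accounts.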
ASA and Authenticated VLANs
Layer 2 Authentication uses Authenticated VLANs to authenticate users through the switch out to a 
subnet. Authenticated Switch Access authenticates users into the switch to manage it. The features are 
independent of each other; however, user databases for each feature may be located on the same 
authentication server.
For more information about Authenticated VLANs, see “Configuring Authenticated VLANs” in the 
OmniSwitch 6600 Family Network Configuration Guide. For more information about authentication 
servers, see “Configuring Authentication Servers” in the OmniSwitch 6600 Family Network Configuration 
Guide.
[Figure: Authentication-Only Server (ACE/Server). Panel 1: a Network Administrator sends a login request to the OmniSwitch; the switch polls the ACE/Server for login information; user privileges are stored on the switch. Panel 2: a Customer sends a login request to the OmniSwitch; the switch polls the ACE/Server for login information; end-user profiles are stored on the switch.]