User Guide for Enterasys Networks E1 Series

Working with Security Configurations
Host Access Control Authentication (HACA)
14-113
14.4 WORKING WITH SECURITY CONFIGURATIONS
14.4.1 Host Access Control Authentication (HACA)
To use HACA, the embedded RADIUS client on the Matrix E1 device must be configured to communicate with the RADIUS server. A RADIUS server must be online and its IP address(es) must be configured with the same password as the RADIUS client. When using the set radius command ( ) to configure the RADIUS server IP address on the Matrix E1, the switch will prompt for this Read-Write (rw) “server secret” password, which is used to encrypt RADIUS frames.
By default at device startup, the RADIUS client is disabled. Default values are as follows:
Timeout: 20 seconds
Retries: 3
Primary and secondary authentication ports: 0
Last-resort-action for local and remote authentication is to challenge the user for a system password.
The Matrix E1 Series device allows for up to 10 RADIUS servers to be configured, with up to 2 active at any given time. If only one RADIUS server is configured, the device assumes it is the primary server. It is not necessary to reboot after the client is reconfigured.
When the RADIUS client is active on the Matrix E1 device, the user is prompted for a user login name and password when attempting to access the host IP address via CLI. The embedded RADIUS client encrypts the information entered by the user and sends it to the RADIUS server for validation. Then the server returns an access-accept or access-reject response back to the client, allowing or denying the user access to the host application with the proper access level.
When the RADIUS client cannot communicate with the RADIUS server for the period of retries * timeout (3 * 20 = 60 secs), the authentication process will time out, notify the user by printing a message to the screen that the RADIUS server has timed out, and the RADIUS last-resort-action setting will take effect. If the user is trying to log in via the local console and the local last-resort-action is set to accept, then the user will be granted access to the switch. On the other hand, if the local last-resort-action is set to reject, then the user will be denied access to the switch. However, if the local last-resort-action is set to challenge, the user will be prompted to enter the local username and password. If the local username and password match the local database, then access to the switch is allowed.
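The failover behaviour above (retries * timeout, then the last-resort-action for the console the user came in on) is easy to misjudge when reviewing a switch configuration, so here is an added Python model of that decision flow. It is not Enterasys code and does not speak RADIUS; the local user database is constructed for the example, and the remote-console path is assumed to apply its own last-resort-action in the same way the manual describes for the local console.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class ServerReply(Enum):
    """What the embedded RADIUS client got back from the server."""
    ACCEPT = "access-accept"
    REJECT = "access-reject"
    NO_RESPONSE = "no-response"   # server unreachable / timed out


class LastResort(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    CHALLENGE = "challenge"       # manual's default for local and remote


@dataclass
class RadiusClientConfig:
    timeout_secs: int = 20        # manual default
    retries: int = 3              # manual default
    local_last_resort: LastResort = LastResort.CHALLENGE
    remote_last_resort: LastResort = LastResort.CHALLENGE

    def failover_delay(self) -> int:
        # Seconds the user waits before last-resort-action applies.
        return self.retries * self.timeout_secs


# Constructed local user database (hypothetical, for this example only).
LOCAL_USERS = {"admin": "constructed-local-password"}


def local_check(username: str, password: str) -> bool:
    return LOCAL_USERS.get(username) == password


def authenticate(cfg: RadiusClientConfig, reply: ServerReply, via_local_console: bool,
                 username: str, password: str) -> Tuple[str, int]:
    """Return (decision, seconds elapsed before the decision was reached)."""
    if reply is ServerReply.ACCEPT:
        return "allow", 0
    if reply is ServerReply.REJECT:
        return "deny", 0
    # Server unreachable: wait retries * timeout, then apply last-resort-action.
    elapsed = cfg.failover_delay()
    action = cfg.local_last_resort if via_local_console else cfg.remote_last_resort
    if action is LastResort.ACCEPT:
        return "allow", elapsed
    if action is LastResort.REJECT:
        return "deny", elapsed
    # CHALLENGE: fall back to the local username/password database.
    return ("allow" if local_check(username, password) else "deny"), elapsed
```

Running the default configuration through it shows why a last-resort-action of accept on a reachable console deserves scrutiny: any caller becomes an authorized user 60 seconds after the RADIUS server goes dark.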