10
In addition, AAA provides the following services for login users to enhance switch security:
• Command authorization—Enables the NAS to defer to the authorization server to determine
whether a command entered by a login user is permitted for the user, ensuring that login users
execute only commands they are authorized to execute. For more information about command
authorization, see Fundamentals Configuration Guide.
• Command accounting—Allows the accounting server to record all commands executed on the
switch or all authorized commands successfully executed. For more information about command
accounting, see Fundamentals Configuration Guide.
• Level switching authentication—Allows the authentication server to authenticate users who perform
privilege level switching. As long as they pass level switching authentication, users can switch their
user privilege levels without logging out and disconnecting current connections. For more
information about user privilege level switching, see Fundamentals Configuration Guide.
You can configure different authentication, authorization, and accounting methods for different users in
a domain. See "Configuring AAA methods for ISP domains."
RADIUS server feature of the switch
Generally, the RADIUS server runs on a computer or workstation, and the RADIUS client runs on a NAS.
A network device that supports the RADIUS server feature can also serve as the RADIUS server. It works
with RADIUS clients to implement user authentication, authorization, and accounting. As shown in Figure
8, the R
ADIUS server and client can reside on the same switch or different switches.
Using a network device as the RADIUS server simplifies networking and reduces deployment costs.
Figure 8 Devices functioning as a RADIUS server
A network device serving as the RADIUS server can provide the following functions:
• User information management—Supports creating, modifying, and deleting user information,
including the username, password, authority, lifetime, and user description.
• RADIUS client information management—Supports creating and deleting RADIUS clients, which are
identified by IP addresses and configured with attributes such as a shared key. After being
configured with a managed client range, the RADIUS server processes only the RADIUS packets
from the clients within the management range. A shared key is used to ensure secure
communication between a RADIUS client and the RADIUS server.
• RADIUS authentication and authorization—RADIUS accounting is not supported.
To Next Page
Loading...
Need help?
General