52 CHAPTER 3: CONFIGURING AAA FOR ADMINISTRATIVE AND LOCAL ACCESS
5. Customized authentication. You can require authentication for all
users or for only a subset of users. Username globbing (see “User Globs,
MAC Address Globs, and VLAN Globs” on page 30) allows different
users or classes of user to be given different authentication treatments.
You can configure console authentication and Telnet authentication
separately, and you can apply different authentication methods to each.
For any user, authorization uses the same method(s) as authentication for

6. Local override. A special authentication technique called local override
lets you attempt authentication via the local database before attempting
authentication via a RADIUS server. The WX switch attempts
administrative authentication in the local database first. If it finds no
match, the WX attempts administrative authentication on the RADIUS
server. (For information about setting a WX switch to use RADIUS servers,
see Chapter 22, “Configuring Communication with RADIUS,” on

7. Accounting for administrative access sessions. Accounting records
can be stored and displayed locally or sent to a RADIUS server.
Accounting records provide an audit trail of the time an administrative
user logged in, the administrator’s username, the number of bytes
transferred, and the time the session started and ended.
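
The per-glob method selection and local override described in the items above, as an added Python model for reviewing which method decides a given administrative login; it is not code from the 3Com manual or the WX software. Assumptions: the first matching rule wins, fnmatch-style patterns stand in for the WX glob syntax, "no match" means the username has no entry in the local database, and the dictionaries and rule list are constructed sample data.

```python
import hmac
from fnmatch import fnmatchcase

# Constructed sample data (not from the manual).
LOCAL_DB = {"admin": "s3cret-local"}                     # switch's local database
RADIUS_DB = {"admin": "other-pw", "jose": "s3cret-radius"}  # stand-in for a RADIUS server

# (access type, user glob, ordered methods). First matching rule wins (assumption).
RULES = [
    ("console", "*", ["local"]),             # console: local database only
    ("telnet", "ops-*", ["radius"]),         # one class of user: RADIUS only
    ("telnet", "*", ["local", "radius"]),    # local override: local first, then RADIUS
]

def lookup(db, user, password):
    """Return None when the user has no entry, else True/False for the password."""
    if user not in db:
        return None
    return hmac.compare_digest(db[user], password)

def authenticate(access, user, password):
    """Return (accepted, deciding step) for one administrative login attempt."""
    for rule_access, glob, methods in RULES:
        if rule_access == access and fnmatchcase(user, glob):
            break
    else:
        return (False, "no-rule")            # no rule covers this access type and user
    for method in methods:
        if method == "local":
            result = lookup(LOCAL_DB, user, password)
            if result is None:
                continue                     # no local match: fall through to next method
            return (result, "local")         # local entry exists, so it decides (assumption)
        if method == "radius":
            return (bool(lookup(RADIUS_DB, user, password)), "radius")
    return (False, "exhausted")              # every listed method had no match

if __name__ == "__main__":
    for attempt in [("telnet", "admin", "s3cret-local"),
                    ("telnet", "jose", "s3cret-radius"),
                    ("console", "jose", "s3cret-radius"),
                    ("telnet", "ops-kim", "guess")]:
        print(attempt[:2], "->", authenticate(*attempt))
```
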
Figure 3 illustrates a typical WX switch, MAPs, and network administrator
in an enterprise network. As network administrator, you initially access
the WX switch via the console. You can then optionally configure
authentication, authorization, and accounting for administrative access
3Com recommends enforcing authentication for administrative access
using usernames and passwords stored either locally or on RADIUS