Managing Switch Security Quick Steps for Setting Up ASA
OmniSwitch 6600 Family Switch Management Guide March 2005 page 8-7
Quick Steps for Setting Up ASA
1 If the local user database will be used for user login information, set up user accounts through the user command. User accounts may include user privileges or an end-user profile. In this example user privileges are configured:
-> user thomas password pubs read-write domain-network ip-helper telnet
If SNMP access is configured for the user, the global SNMP setting for the switch may have to be configured through the snmp security command. See Chapter 7, “Managing Switch User Accounts,” for more information about setting up user accounts.
2 If an external RADIUS or LDAP server will be used for user login information, use the aaa radius-server or aaa ldap-server commands to configure the switch to communicate with these servers. For example:
-> aaa radius-server rad1 host 10.10.1.2 timeout 3
For more information, see the “Managing Authentication Servers” chapter in the OmniSwitch 6600 Family Network Configuration Guide.
3 Use the aaa authentication command to specify the management interface through which switch access is permitted (such as console, telnet, ftp, http, or ssh). Specify the server and backup servers to be used for checking user login and privilege information. Multiple servers of different types may be specified. For example:
-> aaa authentication telnet rad1 ldap2 local
The order of the server names is important. The switch uses the first available server in the list. In this example, the switch would use rad1 to authenticate Telnet users. If rad1 becomes unavailable, the switch will use ldap2. If ldap2 then becomes unavailable, the switch will use the local user database to authenticate users.
4 Repeat step 3 for each management interface to which you want to configure access; or use the default keyword to specify access for all interfaces for which access is not specifically denied. For example, if you want to configure access for all management interfaces except HTTP, you would enter:
-> no aaa authentication http
-> aaa authentication default rad1 local
Note the following:
SNMP access may only use LDAP servers or the local user database. If you configure the default management access with only RADIUS and/or ACE, SNMP will not be enabled.
It is recommended that Telnet and FTP be disabled if Secure Shell (ssh) is enabled.
If you want to use WebView to manage the switch, make sure HTTP is enabled.
5 Specify an accounting server if a RADIUS or LDAP server will be used for accounting. Specify local if accounting may be done on the switch through the Switch Logging feature. Multiple servers may be specified as backups.
-> aaa accounting session ldap2 local
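The five steps above are one procedure, and the part that matters for security is how the switch resolves the server list: first available server wins, the local database is the last resort, an interface denied with "no aaa authentication" stays denied even when "default" is configured later, and SNMP can only be served by LDAP or the local database. The following Python script is an added example written for this page (it is not Alcatel code and does not talk to a switch); it parses a constructed configuration assembled from steps 1 to 5, computes the chain each management interface would use, shows which server answers when some servers are down, and flags the caveats listed under step 4. The parameters given to "aaa ldap-server", the rule that a per-interface chain takes precedence over "default", the way the SNMP restriction filters the chain, and the availability map are all assumptions.

```python
"""Model of the OmniSwitch 'aaa authentication' server-selection rules described
on this page: first available server in the list, local database as last resort,
SNMP limited to LDAP or local.  Added example, not Alcatel code; it never contacts
a switch.  The 'aaa ldap-server' parameters, the precedence of a per-interface
chain over 'default', the SNMP filtering and the availability map are assumptions."""

INTERFACES = ("console", "telnet", "ftp", "http", "ssh", "snmp")
SNMP_CAPABLE = {"ldap", "local"}   # page: SNMP may only use LDAP servers or the local database

# Constructed configuration assembled from steps 1-5 of the page (ldap2 host is made up).
SAMPLE_CONFIG = """
user thomas password pubs read-write domain-network ip-helper telnet
aaa radius-server rad1 host 10.10.1.2 timeout 3
aaa ldap-server ldap2 host 10.10.1.3
aaa authentication telnet rad1 ldap2 local
no aaa authentication http
aaa authentication default rad1 local
aaa accounting session ldap2 local
"""


def parse_config(text):
    """Collect server types and per-interface chains; the last command for an interface wins."""
    cfg = {"servers": {"local": "local"}, "explicit": {}, "denied": set(),
           "default": None, "accounting": None}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["aaa", "radius-server"]:
            cfg["servers"][w[2]] = "radius"
        elif w[:2] == ["aaa", "ldap-server"]:
            cfg["servers"][w[2]] = "ldap"
        elif w[:3] == ["no", "aaa", "authentication"]:
            cfg["denied"].add(w[3])
            cfg["explicit"].pop(w[3], None)
        elif w[:2] == ["aaa", "authentication"]:
            if w[2] == "default":
                cfg["default"] = w[3:]
            else:
                cfg["explicit"][w[2]] = w[3:]
                cfg["denied"].discard(w[2])
        elif w[:3] == ["aaa", "accounting", "session"]:
            cfg["accounting"] = w[3:]
    return cfg


def chain_for(cfg, iface):
    """Ordered server chain for an interface, or None when access is denied/unconfigured.
    For SNMP, servers that cannot serve SNMP are skipped (assumed behaviour); an empty
    result means SNMP is not enabled, as the page warns for RADIUS/ACE-only defaults."""
    if iface in cfg["denied"]:
        return None
    chain = cfg["explicit"].get(iface, cfg["default"])   # assumption: explicit beats default
    if chain is None:
        return None
    if iface == "snmp":
        chain = [s for s in chain if cfg["servers"].get(s) in SNMP_CAPABLE]
    return chain or None


def pick_server(cfg, iface, available):
    """Server the switch would consult: the first reachable one in the chain.
    'local' is always reachable; names missing from the availability map count as down."""
    chain = chain_for(cfg, iface)
    if chain is None:
        return None
    for name in chain:
        if name == "local" or available.get(name, False):
            return name
    return None   # every server in the chain is down and local is not listed


def lint(cfg):
    """Defender-side checks for the caveats listed under step 4 of the page."""
    findings = []
    raw_snmp = None if "snmp" in cfg["denied"] else cfg["explicit"].get("snmp", cfg["default"])
    if raw_snmp and chain_for(cfg, "snmp") is None:
        findings.append("SNMP will not be enabled: chain '%s' has no LDAP or local server"
                        % " ".join(raw_snmp))
    if chain_for(cfg, "ssh") and any(chain_for(cfg, i) for i in ("telnet", "ftp")):
        findings.append("ssh is enabled but telnet/ftp are still enabled; disable them")
    if chain_for(cfg, "http") is None:
        findings.append("http is not enabled: WebView cannot be used")
    if cfg["accounting"] is None:
        findings.append("no accounting server configured")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for iface in INTERFACES:
        print("%-8s chain=%s" % (iface, chain_for(cfg, iface)))
    print("telnet with rad1 down:", pick_server(cfg, "telnet", {"rad1": False, "ldap2": True}))
    for finding in lint(cfg):
        print("WARNING:", finding)
```

Running the script on the sample shows telnet resolving to ldap2 when rad1 is down and to local when both external servers are down, HTTP reported as not enabled despite the later "default" line, SNMP falling back to the local database because rad1 cannot serve it, and two warnings (Telnet still enabled alongside SSH; HTTP denied so WebView is unavailable). Feeding it a configuration whose default chain is RADIUS-only reproduces the "SNMP will not be enabled" caveat from the page.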