Alcatel Carrier Internetworking Solutions omniswitch Switch User Manual

Managing Switch Security: Setting Up Management Interfaces for ASA
OmniSwitch 6600 Family Switch Management Guide, March 2005, page 8-10
Enabling Switch Access
Enter the aaa authentication command with the keyword for the management interface and the names of the servers to be used for authentication, in the order they should be tried. In this example, Telnet access for switch management is enabled. Telnet users are authenticated through a chain of servers consisting of a RADIUS server and an LDAP server that were configured earlier with the aaa radius-server and aaa ldap-server commands respectively. For example:
-> aaa authentication telnet rad1 ldap2 local
After this command is entered, Telnet users are authenticated for switch management through the rad1 RADIUS server. If that server is unavailable, the LDAP server ldap2 is polled for user information. If that server is also unavailable, the local user database is polled. Note that if the local user database is specified, it must be last in the list of servers.
To disable authenticated access for a management interface, use the no form of the command with the keyword for that interface. For example:
-> no aaa authentication ftp
FTP access is now denied on the switch.
Note. The admin user can always log in to the switch through the console port, even if authenticated access has been denied for the console interface.
To remove a server from the authenticated switch access configuration, re-enter the aaa authentication command for the interface and list only the server name(s) you want to keep; any server left out of the list is removed. For example:
-> aaa authentication telnet rad1 local
The server ldap2 is removed for Telnet access and will not be polled for user information when users attempt to log into the switch through Telnet.
Note. SNMP can only use LDAP servers or the local user database for authentication.
Configuring the Default Setting
The default keyword may be used to specify the default setting for all management interfaces except those that have been explicitly denied. For example:
-> no aaa authentication ftp
-> aaa authentication default ldap2 local
In this example, all management interfaces except FTP are given switch access through ldap2 and the local user database.
Since SNMP can only use LDAP servers or the local user database for authentication, RADIUS and ACE/Server are not valid servers for SNMP management access. If the default setting includes only RADIUS and/or ACE/Server entries, the default setting is not used for SNMP. For example:
-> no aaa authentication ftp
-> aaa authentication default rad1 rad2
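The rules on this page (an ordered server chain per interface, fallback to the next server when one is unavailable, the local database last, explicit denial with the no form, the default keyword applying to every interface not explicitly denied, and SNMP limited to LDAP or local) are easy to get wrong when a switch carries several of these lines. The following Python model is an added example and is not code from the OmniSwitch guide or from Alcatel: it parses the command forms shown above, computes the effective chain for each interface, and walks the fallback order. The server names rad1, rad2, ldap2 and local come from the page; the ace1 entry, the http and ssh interface names, the rule that an interface-specific list takes precedence over the default, and the treatment of a mixed default list for SNMP are assumptions and are marked as such in the code.

```python
# Added example, not code from the OmniSwitch guide: a small model of how the
# 'aaa authentication' lines on this page combine into an effective server
# chain per management interface, the in-order fallback the text describes,
# and the two constraints it states (local must be last; SNMP may use only
# LDAP servers or the local database).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed inventory standing in for servers defined earlier with
# 'aaa radius-server' / 'aaa ldap-server'; the ACE entry is an assumption.
# 'local' is the switch's own user database.
SERVER_TYPES = {"rad1": "radius", "rad2": "radius", "ldap2": "ldap",
                "ace1": "ace", "local": "local"}

# console, telnet, ftp and snmp appear on this page; http and ssh are assumed.
INTERFACES = ("console", "telnet", "ftp", "http", "snmp", "ssh")
SNMP_ALLOWED = {"ldap", "local"}


def validate_server_list(servers: List[str]) -> None:
    """Reject unknown servers and enforce 'local must be last in the list'."""
    if not servers:
        raise ValueError("at least one server is required")
    for name in servers:
        if name not in SERVER_TYPES:
            raise ValueError(f"unknown server {name!r}")
    if "local" in servers and servers[-1] != "local":
        raise ValueError("the local user database must be last in the list")


@dataclass
class AaaConfig:
    explicit: Dict[str, List[str]] = field(default_factory=dict)
    denied: Set[str] = field(default_factory=set)   # 'no aaa authentication <if>'
    default: Optional[List[str]] = None             # 'aaa authentication default ...'

    def apply(self, line: str) -> None:
        """Apply one CLI line of the forms shown on this page."""
        tokens = line.replace("->", " ").split()
        negate = bool(tokens) and tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if tokens[:2] != ["aaa", "authentication"] or len(tokens) < 3:
            raise ValueError(f"unsupported command: {line!r}")
        target, servers = tokens[2], tokens[3:]
        if target != "default" and target not in INTERFACES:
            raise ValueError(f"unknown interface {target!r}")
        if negate:
            if target == "default":
                raise ValueError("'no aaa authentication default' is not modelled")
            self.denied.add(target)            # access denied on this interface
            self.explicit.pop(target, None)
            return
        validate_server_list(servers)
        if target == "snmp" and any(SERVER_TYPES[s] not in SNMP_ALLOWED for s in servers):
            raise ValueError("SNMP can only use LDAP servers or the local database")
        if target == "default":
            self.default = list(servers)
        else:
            self.explicit[target] = list(servers)   # re-entering replaces the old list
            self.denied.discard(target)

    def effective_chain(self, iface: str) -> List[str]:
        """Servers polled in order for this interface ([] means no access)."""
        if iface in self.denied:
            return []                           # explicit denial wins over the default
        if iface in self.explicit:
            return list(self.explicit[iface])   # ASSUMPTION: per-interface list beats default
        if self.default is None:
            return []
        chain = list(self.default)
        if iface == "snmp":
            # ASSUMPTION: SNMP keeps only the LDAP/local entries of the default
            # list. The page states only that a RADIUS/ACE-only default is not
            # used for SNMP, which this reproduces (the filtered list is empty).
            chain = [s for s in chain if SERVER_TYPES[s] in SNMP_ALLOWED]
        return chain

    def summary(self) -> Dict[str, List[str]]:
        return {iface: self.effective_chain(iface) for iface in INTERFACES}


def first_available(chain: List[str], reachable: Set[str]) -> Optional[str]:
    """Walk the chain as the text describes: each server is tried in turn and an
    unavailable one is skipped. 'local' is assumed to be always available."""
    for server in chain:
        if server == "local" or server in reachable:
            return server
    return None


def is_rejected(line: str) -> bool:
    """True if the line violates one of the modelled constraints."""
    try:
        AaaConfig().apply(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cfg = AaaConfig()
    for line in ("-> aaa authentication telnet rad1 ldap2 local",
                 "-> no aaa authentication ftp",
                 "-> aaa authentication default ldap2 local"):
        cfg.apply(line)
    for iface, chain in cfg.summary().items():
        print(f"{iface:8} {' '.join(chain) or '(denied / not configured)'}")
    print("telnet with rad1 down ->",
          first_available(cfg.effective_chain("telnet"), {"ldap2"}))
```

Running the script prints the effective chain for every interface after the three commands from the page, and then shows the fallback the text describes: with rad1 unreachable, Telnet logins are checked against ldap2. Feeding the whole startup configuration's aaa authentication lines through apply() and inspecting summary() is a quick way to confirm that no management interface is left with a chain you did not intend, and that the local database, where used, really is the last resort rather than the first.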