Alcatel-Lucent 6600 Switch User Manual
OmniSwitch 6600 Family Network Configuration Guide, April 2006, page 20-8
Chapter: Managing Authentication Servers

ACE/Server
An external ACE/Server may be used for authenticated switch access. It cannot be used for Layer 2
authentication or for policy management. Attributes are not supported on ACE/Servers. These values must
be configured on the switch through the user commands. See the “Switch Security” chapter of the
OmniSwitch 6600 Family Switch Management Guide for more information about setting up the local user
database.

Since an ACE/Server does not store or send user privilege information to the switch, user privileges for
SecurID logins are determined by the switch. When a user attempts to log into the switch, the user ID and
password are sent to the ACE/Server. The server determines whether the login is valid. If the login is valid,
the user privileges must be determined. The switch checks its user database for the user’s privileges. If the
user is not in the database, the switch uses the default privilege, which is determined by the default user
account. For information about the default user account, see the “Switch Security” chapter of the
OmniSwitch 6600 Family Switch Management Guide.

There are no server-specific parameters that must be configured for the switch to communicate with an
attached ACE/Server; however, you must FTP the sdconf.rec file from the server to the switch’s
/network directory. This file is required so that the switch will know the IP address of the ACE/Server.
For information about loading files onto the switch, see the OmniSwitch 6600 Family Switch Management
Guide.

The ACE client in the switch is version 4.1; it does not support the replicating and locking feature of ACE
5.0, but it may be used with an ACE 5.0 server if a legacy configuration file is loaded on the server. The
legacy configuration must specify authentication to two specific servers (master and slave). See the RSA
Security ACE/Server documentation for more information.

To display information about any servers configured for authentication, use the show aaa server
command. For more information about the output of this command, see the OmniSwitch CLI Reference
Guide.

You may also need to clear the ACE/Server secret occasionally because of a misconfiguration or a
required configuration change. Clearing the secret is described in the next section.

Clearing an ACE/Server Secret

The ACE/Server generates “secrets” that it sends to clients for authentication. While you cannot configure
the secret on the switch, you can clear it. The secret may need to be cleared because the server and the
switch get out of sync. See the RSA Security ACE/Server documentation for more information about the
server secret.

To clear the secret on the switch, enter the following command:

    -> aaa ace-server clear

When you clear the secret on the switch, the secret must also be cleared on the ACE/Server as described
in the RSA Security ACE/Server documentation.