Enterasys Networks 6G3xx Switch User Manual

Overview of Security Methods
3-18 Accessing Local Management
When the Radius Client is active on the switch module, the user is presented with an authorization
screen prompting for a login name and password when attempting to access the host IP address via
the local console LM, Telnet to LM, or the WebView application. The embedded Radius Client
encrypts the information entered by the user and sends it to the Radius Server for validation. The
server then returns an access-accept or access-reject response to the client, granting or denying the
user access to the host application at the appropriate access level.
An access-accept response displays the message USER AUTHORIZATION = <ACCESS LEVEL>
for 3 seconds, after which the main screen of the application is displayed. An access-reject response
causes an audible “beep” and returns the screen to the user name prompt.
If the Radius Client receives no response from the Radius Server because the server is down or
unreachable, the Radius Client times out; the default timeout is 20 seconds.
If the server returns an “access-accept” response (the user authenticated successfully), it must also
return a Radius “FilterID” attribute containing an ASCII string with the following fields in the
specified format:
    “Enterasys:version=V:mgmt=M:policy=N”
Where:
    V is the version number (currently V=1)
    M is the access level for management, one of the following strings:
        “su” for super-user access
        “rw” for read-write access
        “ro” for read-only access
    N is the policy profile number (see the policy profile MIB)
If the Radius Client receives no response from the primary server, it consults the secondary server
if one has been configured. If the secondary server also does not respond, the switch module reverts
to the last-resort authentication action. Last-resort authentication is selectable separately for local
(COM port) and remote (TELNET or WebView) access. The last-resort action may be to accept the
user, reject the user, or challenge the user for the Local Management passwords (that is, fall back to
legacy authentication).
NOTES:
1. Quotation marks (“ ”) are used for clarification only and are not part of the command
strings.
2. If the FilterID attribute is not returned, or the “mgmt” field is absent or contains an
unrecognizable value, access is denied.
3. Policy profiles are not yet deployed and the “policy=N” part may be omitted.
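The following is an added example, not code from the manual or from Enterasys, showing how a switch-side parser would apply the FilterID rules above (notes 2 and 3 included): the prefix and mgmt field are mandatory, policy=N is optional, and anything else denies access. The function and constant names, and the choice to accept only version 1, are assumptions.

```python
# Added example: parser for the RADIUS FilterID string described above.
# Not code from the manual; function and constant names are assumptions.

MGMT_LEVELS = {"su": "super-user", "rw": "read-write", "ro": "read-only"}

def parse_filter_id(filter_id):
    """Parse 'Enterasys:version=V:mgmt=M:policy=N' into a dict, or return
    None when access must be denied (FilterID missing, prefix wrong, mgmt
    field absent or unrecognised). policy=N may be omitted (note 3)."""
    if not filter_id:
        return None                       # note 2: no FilterID -> deny
    prefix, _, rest = filter_id.partition(":")
    if prefix != "Enterasys" or not rest:
        return None
    fields = {}
    for item in rest.split(":"):
        key, sep, value = item.partition("=")
        if not sep or not key:
            return None                   # malformed field -> deny
        fields[key] = value
    # Assumption: only version 1 is understood (the manual says V=1 today).
    if fields.get("version") != "1":
        return None
    mgmt = fields.get("mgmt")
    if mgmt not in MGMT_LEVELS:
        return None                       # note 2: absent/unknown mgmt -> deny
    policy = fields.get("policy")         # optional, decimal profile number
    if policy is not None and not policy.isdigit():
        return None
    return {"version": 1, "mgmt": mgmt,
            "policy": int(policy) if policy is not None else None}

def authorize(response, filter_id):
    """Map a RADIUS response plus its FilterID to the access level the
    switch grants: 'su', 'rw', 'ro' or 'denied'."""
    if response != "access-accept":
        return "denied"
    parsed = parse_filter_id(filter_id)
    return parsed["mgmt"] if parsed else "denied"
```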