
52 Configuring AAA for Administrative and Local Access
320657-A
administrators with basic monitoring privileges who are not allowed to change the
configuration or run traces.
4 Enabled mode. To enter the enabled mode of operation, you type the enable command at the
command prompt. In enabled mode, you can use all CLI commands. Although WSS Software
does not require an enable password, Nortel highly recommends that you set one.
5 Customized authentication. You can require authentication for all users or for only a subset of
users. Username globbing (see “User Wildcards, MAC Address Wildcards, and VLAN
Wildcards” on page 39) allows different users or classes of user to be given different
authentication treatments. You can configure console authentication and Telnet authentication
separately, and you can apply different authentication methods to each.
For any user, authorization uses the same methods as authentication for that user.
6 Local override. A special authentication technique called local override lets you attempt
authentication through the local database before attempting authentication through a RADIUS
server. The WSS attempts administrative authentication in the local database first. If it finds no
match, the WSS attempts administrative authentication on the RADIUS server. (For
information about setting a WSS to use RADIUS servers, see Chapter , “Configuring
Communication with RADIUS,” on page 477.)
7 Accounting for administrative access sessions. Accounting records can be stored and
displayed locally or sent to a RADIUS server. Accounting records provide an audit trail of the
time an administrative user logged in, the administrator’s username, the number of bytes
transferred, and the time the session started and ended.
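The rule selection and local override described in items 5 and 6, as an added Python model (not WSS Software code or CLI syntax). The rule table, user names and passwords are constructed; `fnmatchcase` stands in for WSS username globbing, and the model assumes "no match" means the username is absent from the database being checked.

```python
import hmac
from fnmatch import fnmatchcase

# Constructed sample data (hypothetical users and passwords).
LOCAL_DB = {"breakglass": "local-pw"}
RADIUS_DB = {"alice": "radius-pw", "ops-bob": "ops-pw", "breakglass": "stale-pw"}

# Hypothetical rule table: per access type, ordered (user glob, methods) pairs.
RULES = {
    "console": [("*", ["local"])],
    "telnet": [
        ("ops-*", ["radius"]),        # this class of user: RADIUS only
        ("*", ["local", "radius"]),   # local override: local database first
    ],
}

def methods_for(access, username):
    """Return the method list of the first glob that matches the username."""
    for glob, methods in RULES.get(access, []):
        if fnmatchcase(username, glob):
            return methods
    return []  # no rule matched: nothing can authenticate this user

def _check(db, username, password):
    # Constant-time comparison of the stored and supplied password.
    return hmac.compare_digest(db[username].encode(), password.encode())

def authenticate(access, username, password):
    """Return (allowed, deciding_method); authorization uses the same method."""
    for method in methods_for(access, username):
        db = LOCAL_DB if method == "local" else RADIUS_DB
        if username not in db:
            continue  # assumption: no match for this user, try the next method
        return _check(db, username, password), method
    return False, None

if __name__ == "__main__":
    for attempt in [("telnet", "alice", "radius-pw"),
                    ("telnet", "breakglass", "stale-pw"),
                    ("console", "alice", "radius-pw")]:
        print(attempt, "->", authenticate(*attempt))
```

In this model a username present in the local database is decided locally, so the `breakglass` entry on the RADIUS side is never consulted for Telnet access.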
Figure 1 on page 53 illustrates a typical WSS, AP access points, and network administrator in an enterprise
network. As network administrator, you initially access the WSS through the console. You can then optionally
configure authentication, authorization, and accounting for administrative access mode.
Nortel recommends enforcing authentication for administrative access using usernames and passwords stored
either locally or on RADIUS servers.