AAA Authorization and Accounting – LevelOne GTL-2691 User Manual
Page 310
Chapter 13 | Security Measures
AAA Authorization and Accounting
◆ – Filter IP traffic on insecure ports for which the source
address cannot be identified via DHCP snooping.
NOTE: The priority of execution for the filtering commands is Port Security,
Port Authentication, Network Access, Web Authentication, Access Control
Lists, IP Source Guard, and then DHCP Snooping.
AAA AUTHORIZATION AND ACCOUNTING
The authentication, authorization, and accounting (AAA) feature provides
the main framework for configuring access control on the switch. The three
security functions can be summarized as follows:
◆ Authentication — Identifies users that request access to the network.
◆ Authorization — Determines if users can access specific services.
◆ Accounting — Provides reports, auditing, and billing for services that
users have accessed on the network.
The AAA functions require the use of configured RADIUS or TACACS+
servers in the network. The security servers can be defined as sequential
groups that are applied as a method for controlling user access to specified
services. For example, when the switch attempts to authenticate a user, a
request is sent to the first server in the defined group. If there is no
response, the second server is tried, and so on. If at any point a pass
or fail is returned, the process stops.
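The failover behaviour described above, as an added example that is not taken from the LevelOne manual: a Python model of a sequential server group. `FakeServer`, `authenticate` and the account data are constructed for illustration and do not talk to real RADIUS or TACACS+ servers.

```python
from enum import Enum


class Reply(Enum):
    PASS = "pass"
    FAIL = "fail"


class FakeServer:
    """Constructed stand-in for a RADIUS/TACACS+ server (not a real client)."""

    def __init__(self, name, users=None, reachable=True):
        self.name = name
        self.users = users or {}
        self.reachable = reachable

    def query(self, user, password):
        if not self.reachable:
            raise TimeoutError(f"{self.name}: no response")
        ok = self.users.get(user) == password
        return Reply.PASS if ok else Reply.FAIL


def authenticate(group, user, password):
    """Walk the group in order.

    Returns (reply or None, name of answering server or None, servers tried).
    """
    tried = []
    for server in group:
        tried.append(server.name)
        try:
            reply = server.query(user, password)
        except TimeoutError:
            continue  # no response: move on to the next server in the group
        # A pass OR a fail ends the process; later servers are never asked.
        return reply, server.name, tried
    # Every server stayed silent. The manual page does not say what the
    # switch does in this case, so the model only reports "no answer".
    return None, None, tried


# Constructed sample data: the secondary still holds a stale account for "bob".
primary = FakeServer("radius-1", {"alice": "s3cret"})
secondary = FakeServer("radius-2", {"alice": "s3cret", "bob": "old-pw"})
primary_down = FakeServer("radius-1", {"alice": "s3cret"}, reachable=False)
secondary_down = FakeServer("radius-2", reachable=False)
```

With the primary reachable, its fail for `bob` is final. With the primary silent, the stale entry on the secondary decides, which is why the account databases of all servers in a group should be kept consistent.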
The switch supports the following AAA features:
◆ Accounting for IEEE 802.1X authenticated users that access the
network through the switch.
◆ Accounting for users that access management interfaces on the switch
through the console and Telnet.
◆ Accounting for commands that users enter at specific CLI privilege
levels.
◆ Authorization of users that access management interfaces on the
switch through the console and Telnet.
To configure AAA on the switch, you need to follow this general process:
1. Configure RADIUS and TACACS+ server access parameters. See
"Configuring Local/Remote Logon Authentication" on page 311.
2. Define RADIUS and TACACS+ server groups to support the accounting
and authorization of services.