
Examples of authentication-method lists – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


In an authentication-method list for a particular access method, you can specify up to seven
authentication methods. If the first authentication method is successful, the software grants access
and stops the authentication process. If the access is rejected by the first authentication method, the
software denies access and stops checking.

However, if an error occurs with an authentication method, the software tries the next method on the
list, and so on. For example, if the first authentication method is the RADIUS server, but the link to the
server is down, the software will try the next authentication method in the list.

NOTE
If an authentication method is working properly and the password (and user name, if applicable) is not
known to that method, this is not an error. The authentication attempt stops, and the user is denied
access.

The software will continue this process until either the authentication method is passed or the software
reaches the end of the method list. If the Super User level password is not rejected after all the access
methods in the list have been tried, access is granted.

Configuration considerations for authentication-method lists

• For CLI access, you must configure authentication-method lists if you want the device to
authenticate access using local user accounts or a RADIUS server. Otherwise, the device will
authenticate using only the locally based password for the Super User privilege level.

Examples of authentication-method lists

The following examples show how to configure authentication-method lists. In these examples, the
primary authentication method for each is "local". The device will authenticate access attempts using
the locally configured usernames and passwords.

The command syntax for each of the following examples is provided in the Command Syntax section.

Example 1

To configure an authentication-method list for SNMP, enter a command such as the following.

device(config)#aaa authentication snmp-server default local

This command allows certain incoming SNMP SET operations to be authenticated using the locally
configured usernames and passwords. When this command is enabled, community string validation is
not performed for incoming SNMP V1 and V2c packets. This command takes effect as long as the first
varbind for SNMP packets is set to one of the following:

• snAgGblPassword="username password" (for AAA method local)
• snAgGblPassword="password" (for AAA method line, enable)

NOTE
Certain SNMP objects need additional validation. These objects include but are not limited to:
snAgReload, snAgWriteNVRAM, snAgConfigFromNVRAM, snAgImgLoad, snAgCfgLoad and
snAgGblTelnetPassword. For more information, see snAgGblPassword in the IronWare MIB
Reference Guide.

If AAA is set up to check both the username and password, the string contains the username, followed
by a space then the password. If AAA is set up to authenticate with the current Enable or Line
password, the string contains the password only.


76

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03