Allied Telesis AT-8700XL Series Switch User Manual

Page 46

AT-8700XL Series Switch User Guide

Software Release 2.6.1

C613-02030-00 REV B

In normal mode, a user with manager privilege can create and delete accounts
for users with any of these privilege levels. Users and passwords are managed
by the User Authentication Facility. Users and passwords are authenticated
using an internal database called the User Authentication Database, or by
interrogation of external RADIUS (Remote Authentication Dial In User Service) or
TACACS (Terminal Access Controller Access System) servers.

On the CLI, to use an account with manager privilege, log in to the account by
entering the command:

LOGIN

The switch prompts you to enter a user name and password. To return to USER
mode, enter the command:

LOGOFF

Make sure that you do not leave a manager session unattended. Unauthorised
use of a manager session gives access to the User Authentication Database. To
reduce the risk of unauthorised activity, a subset of manager commands has a
security timer. These commands are shown in Table 4 on page 46. When you
enter one of these commands from a manager session, the security timer is
started and is then restarted each time you enter another of these commands. If
you enter one of these commands after the timer has expired, you are
prompted to re-enter the password. The secure delay timer is by default 60
seconds. If the password is not entered correctly, the password prompt is
repeated a set number of times. If the correct password is still not entered, a log
message is generated and the session is logged off.

The security timer enables a manager to make successive additions and
modifications to the database at one time without having to re-enter the
password for every command.

The security timer does not provide a foolproof security mechanism. Managers
should always attempt to log out of a manager session before leaving a
terminal unattended.
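The timer behaviour described above, modelled as an added example (this is constructed illustration code, not Allied Telesis firmware). The 60 second default and the command list come from the manual; the retry count of three and the choice to treat the timer as not running until a secure command has been accepted are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Constructed model of the manual's manager-session security timer; this is
# not Allied Telesis code. The 60 s secure delay and the command list come
# from the manual. MAX_PASSWORD_ATTEMPTS is an assumption (the manual only
# says the prompt is repeated "a set number of times"), as is treating the
# timer as not running until a secure command has been accepted.
SECURE_COMMANDS = {
    "ADD TACACS SERVER", "ADD USER", "DELETE TACACS SERVER",
    "DELETE USER", "PURGE USER", "SET MANAGER PORT", "SET USER",
}
SECURE_DELAY_SECONDS = 60
MAX_PASSWORD_ATTEMPTS = 3


@dataclass
class ManagerSession:
    password: str
    logged_in: bool = True
    timer_started_at: Optional[float] = None   # None: timer not running
    log: List[str] = field(default_factory=list)

    def timer_valid(self, now: float) -> bool:
        """True while the secure delay has not elapsed since the last restart."""
        return (self.timer_started_at is not None
                and now - self.timer_started_at < SECURE_DELAY_SECONDS)

    def run(self, command: str, now: float,
            password_attempts: Sequence[str] = ()) -> str:
        """Run one CLI command at time `now` (seconds); `password_attempts`
        is what the operator types at successive re-entry prompts (consumed
        only if a prompt appears). Returns "executed"/"logged-off"/"not-logged-in"."""
        if not self.logged_in:
            return "not-logged-in"
        if command.upper() not in SECURE_COMMANDS:
            return "executed"              # ordinary command: timer untouched
        if not self.timer_valid(now):
            # Timer expired: re-prompt, up to MAX_PASSWORD_ATTEMPTS times.
            typed = iter(password_attempts)
            if not any(next(typed, None) == self.password
                       for _ in range(MAX_PASSWORD_ATTEMPTS)):
                self.log.append(f"t={now}: password re-entry failed, "
                                "manager session logged off")
                self.logged_in = False
                self.timer_started_at = None
                return "logged-off"
        self.timer_started_at = now        # every secure command restarts it
        return "executed"
```

Note that a non-secure command such as SHOW USER neither starts nor restarts the timer, so a long pause spent on ordinary commands still leads to a password prompt at the next secure command.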

If the switch is operating in security mode, the manager must also log in to a user
account with SECURITY OFFICER privilege in order to execute any of the commands
listed in Table 4 on page 46.

Table 4: Secure commands controlled by the security timer.

Command                 Description
---------------------   ----------------------------------------------------------
ADD TACACS SERVER       Adds a TACACS server to the list of TACACS servers used
                        for user authentication.
ADD USER                Adds a user to the User Authentication Database.
DELETE TACACS SERVER    Deletes a TACACS server from the list of TACACS servers
                        used for user authentication.
DELETE USER             Deletes a user from the User Authentication Database.
PURGE USER              Deletes all users except MANAGER from the User
                        Authentication Database.
SET MANAGER PORT        Assigns a port semipermanent MANAGER privilege.
SET USER                Modifies a user record in the User Authentication Database.