Enterasys Networks 2200 User Manual, page 46 (3-10), Accessing Local Management

3.4 OVERVIEW OF SECURITY METHODS

Three security methods are available to control which users are allowed access to the switch's host
to monitor the configuration and control of the switch.

Host Access Control List (ACL) – allows only the defined list of IP Addresses to communicate
with the host for Telnet, WebView (HTTP) and SNMP. To set up these parameters, refer to the
Host Access Control List (ACL) screen described in Section 4.6.

Switch Local Management Application Password – allows three levels of SNMP local
management access via serial console or Telnet (super user, read-write and read-only) using
the Password screen described in Section 3.2. The three levels of remote SNMP management
access are set using the SNMP Community Names Configuration screen described in Section 4.4.

Host Access Control Authentication (HACA) – authenticates user access of Telnet management,
console local management and WebView via a central Radius Client/Server application using the
Password screen described in Section 3.6. For an overview of HACA and a description of how
to set the switch access policy using the Radius Configuration screen, refer to Section 3.4.1
and Section 3.7.

3.4.1 Host Access Control Authentication (HACA)

To use HACA, the embedded Radius Client on the switch must be configured to communicate with
the Radius Server, and the Radius Server must be configured with the password information. The
Enterasys implementation uses Funk Software Steel-Belted Radius server software. This software
provides the ability to centralize the Authentication, Authorization, and Accounting (AAA) of the
network resources. For a description of the protocol, refer to RFC 2865 (Radius Authentication) and
RFC 2866 (Radius Accounting).

Each switch has its own Radius Client. The client can be configured via

the Radius Configuration screen described in Section 3.7, or

the Network Tools Command Line Interface (CLI) using the "radius" and "access" commands
described in Chapter 11.

The IP address of the Radius Server (and, if available, the secondary server IP address) and
shared secret text string must be configured on the Radius Client. The client can use either the
Password Authentication Protocol (PAP) or the Challenge Handshake Authentication Protocol
(CHAP) to communicate the user name and encrypted password to the Radius Server.
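The paragraph above says the Radius Client sends the user name and password to the Radius Server using PAP or CHAP, protected with the shared secret. The following Python script is an added example, not code from the manual or from Enterasys, showing what those two methods actually put on the wire as defined in RFC 2865 (section 5.2 User-Password hiding, section 5.3 CHAP-Password) together with a minimal Access-Request packet layout. All secrets, credentials, addresses and the request authenticator are constructed sample values. The practical point for whoever configures the switch: PAP "encryption" is a reversible XOR keyed by the shared secret and the per-request authenticator, so anyone who learns the shared secret can recover every PAP password sent with it, whereas CHAP never sends the password but requires the server to store it in recoverable form.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample shared secret (not from the manual); in practice pick a long random one
SHARED_SECRET = b"example-shared-secret"


def pap_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the 16-byte Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def pap_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side of s.5.2: the same keystream, so holding the secret fully reverses
    the hiding. Trailing NUL padding is stripped (RADIUS cannot carry a NUL-terminated password)."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(chap_ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 s.5.3 / RFC 1994: CHAP-Password = ident || MD5(ident || password || challenge).
    The password never leaves the client; the shared secret plays no role here."""
    digest = hashlib.md5(bytes([chap_ident]) + password + challenge).digest()
    return bytes([chap_ident]) + digest


def chap_verify(chap_password: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server side: recompute from the stored password (which must therefore be recoverable)."""
    if len(chap_password) != 17:
        return False
    ident = chap_password[0]
    expected = hashlib.md5(bytes([ident]) + stored_password + challenge).digest()
    return hmac.compare_digest(expected, chap_password[1:])


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type (1 byte), length (1 byte, includes these 2 header bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, request_authenticator: bytes, user: bytes,
                         hidden_password: bytes, nas_ip: str) -> bytes:
    """Minimal Access-Request (Code 1): 20-byte header followed by
    User-Name (1), User-Password (2) and NAS-IP-Address (4) attributes."""
    nas = bytes(int(octet) for octet in nas_ip.split("."))
    attrs = attribute(1, user) + attribute(2, hidden_password) + attribute(4, nas)
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + request_authenticator + attrs


if __name__ == "__main__":
    # Per RFC 2865 the Request Authenticator is a fresh random value for every request
    req_auth = os.urandom(16)
    hidden = pap_hide_password(b"switch-admin-pw", SHARED_SECRET, req_auth)
    packet = build_access_request(1, req_auth, b"admin", hidden, "192.0.2.10")
    print("PAP hidden password:", hidden.hex())
    print("Access-Request bytes:", len(packet))
    print("Server recovers:", pap_reveal_password(hidden, SHARED_SECRET, req_auth))
    print("Wrong secret recovers:", pap_reveal_password(hidden, b"guess", req_auth))
    challenge = os.urandom(16)
    resp = chap_response(7, b"switch-admin-pw", challenge)
    print("CHAP verifies:", chap_verify(resp, b"switch-admin-pw", challenge))
```

Running the script with a wrong secret on the server side returns garbage rather than an error, which is why a RADIUS server's logs show an authentication failure rather than a "bad secret" message when the client and server secrets disagree; checking the secret on both ends is the first step when HACA logins fail. The NAS-IP-Address in a real request would be the switch's own management address.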