
Enterasys Networks 2200 User Manual


Overview of Security Methods


Accessing Local Management

The client cannot be enabled unless the primary server is configured with at least the minimum
configuration information.

When the Radius Client is active on the switch, an authorization screen prompts you for a
user login name and password whenever you attempt to access the host IP address via the local console
LM, Telnet to LM, or the WebView application. The embedded Radius Client encrypts the
information entered by the user and sends it to the Radius Server for validation. The server then
returns a yes or no response to the client, allowing or denying the user access to the host
application with the proper access level.

An access-accept response returns a message USER AUTHORIZATION =
for 3 seconds and then the main screen of the application is displayed. An access-denied response
causes an audible “beep” and the screen to return to the user name prompt.

If the Radius Client does not receive a response from the Radius Server because the Radius
Server is down or inaccessible, the Radius Client times out after a default value of 20 seconds.

If the server returns an “access-accept” response (the user successfully authenticated), it must also
return a Radius “FilterID” attribute containing an ASCII string with the following fields in the
specified format:

“Enterasys:version=V:mgmt=M:policy=N”

Where:

V is the version number (currently V=1)

M is the access level for management, one of the following strings:

“su” for super-user access

“rw” for read-write access

“ro” for read-only access

N is the policy profile number (see the policy profile MIB)

NOTE: The minimum additional information that must be configured to use a server is
its IP and Shared Secret.

NOTES:

Quotation marks (“ ”) are not part of the strings. They are used for clarification only.

If the FilterID attribute is not returned, or the “mgmt” field is absent or contains an
unrecognizable value, access is denied.

Policy profiles are not yet deployed and the “policy=N” part may be omitted.
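The following is an added example, not code from the manual or from the switch firmware: a fail-closed parser for the FilterID string described above, useful for checking what a Radius Server's configured reply would grant. The function name, the case-sensitive matching, and the rejection of duplicated or malformed fields are assumptions that go beyond what the manual states.

```python
from typing import Optional

PREFIX = "Enterasys"
# Management access levels listed in the manual.
ACCESS_LEVELS = {"su": "super-user", "rw": "read-write", "ro": "read-only"}


def parse_filter_id(value: Optional[str]) -> Optional[dict]:
    """Parse a FilterID string; return None whenever access must be denied."""
    if not value:                          # FilterID attribute not returned
        return None
    parts = value.strip().split(":")
    if parts[0] != PREFIX:                 # not the expected string format
        return None
    fields = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Assumption: malformed or repeated fields are rejected, so a second
        # "mgmt=" can never silently override the first one.
        if not sep or key in fields:
            return None
        fields[key] = val
    mgmt = fields.get("mgmt")
    if mgmt not in ACCESS_LEVELS:          # absent or unrecognizable -> deny
        return None
    policy = fields.get("policy")          # optional per the manual
    if policy is not None:
        # Assumption: a policy profile number is a plain decimal integer.
        if not (policy.isascii() and policy.isdigit()):
            return None
        policy = int(policy)
    return {"version": fields.get("version"), "mgmt": mgmt, "policy": policy}


# Constructed sample strings, not captured from a real server.
SAMPLES = [
    "Enterasys:version=1:mgmt=su:policy=3",
    "Enterasys:version=1:mgmt=rw",
    "Enterasys:version=1:policy=2",
    "Enterasys:version=1:mgmt=admin",
    "Enterasys:version=1:mgmt=ro:mgmt=su",
]

if __name__ == "__main__":
    for s in SAMPLES + [None]:
        result = parse_filter_id(s)
        verdict = ACCESS_LEVELS[result["mgmt"]] if result else "ACCESS DENIED"
        print(f"{s!r:45} -> {verdict}")
```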