Access security features

This section provides an overview of the switch access security features, authentication protocols, and methods. For more in-depth information, see the references provided (all chapter and page references are to this access security guide unless a different manual name is indicated).

NOTE:

The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See Using the Management Interface wizard for details.

Access security and switch authentication features

Each entry below gives the feature, its default setting, the security guidelines that apply to it, and where to find more information and configuration details.

Manager password

Default setting: no password

Security guidelines: Configuring a local manager password is a fundamental step in reducing the possibility of unauthorized access through the switch WebAgent and console (CLI and Menu) interfaces. The manager password can be set with any of the following methods:
  • CLI: the password manager command, or the Management Interface wizard

  • WebAgent: the password options under the Security tab, or the Management Interface wizard

  • Menu interface: the Console passwords option

  • SNMP

More information: Configuring local password security; Using the Management Interface wizard; Using SNMP to view and configure switch authentication features

Telnet and web browser access (WebAgent)

Default setting: enabled

Security guidelines: The remote management protocols enabled by default on the switch are plain-text protocols: they transfer passwords in the clear, where anyone who can observe the traffic can capture them.

To reduce the chance of an unauthorized user capturing your passwords, use the encrypted and authenticated protocols SSH and SSL/TLS (see below) for remote access. This gives you stronger access security while still retaining remote client access.

Access security on the switch is also incomplete until Telnet and the standard (plain-text) web browser access to the WebAgent are disabled. Block them with these commands:
  • no telnet-server: blocks inbound Telnet access.

  • no web-management: prevents use of the WebAgent through the HTTP (port 80) server.

If you choose not to disable Telnet and the WebAgent, consider using RADIUS accounting to keep a record of password-protected access to the switch. Note that accounting only records sessions; it does not protect the credentials in transit.

More information: Using the Management Interface wizard. For more on Telnet and the WebAgent, see "Interface Access and System Information" in the management and configuration guide. For RADIUS accounting, see RADIUS Authentication, Authorization, and Accounting.

SSH

Default setting: enabled

Security guidelines: SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
  • Client public-key authentication: uses one or more client public keys that must be stored on the switch. Only a client holding the private key that matches a stored public key can gain access to the switch.

  • Switch SSH and user password authentication: this option is a subset of client public-key authentication and is used when the switch has SSH enabled without a login access method configured to authenticate the client key. In this case the switch authenticates itself to clients with its host key, and users on SSH clients then authenticate themselves to the switch with passwords stored on a RADIUS or TACACS+ server, or locally on the switch. Have clients verify the switch host-key fingerprint on first connection; otherwise the encrypted session could be established with an impostor.

  • Secure Copy (SCP) and Secure FTP (SFTP): by opening a secure, encrypted SSH session, you can use SCP and SFTP as a secure alternative to TFTP for transferring sensitive switch information. For more on SCP and SFTP, see "Using Secure Copy and SFTP" in the "File Transfers" appendix of the management and configuration guide for your switch.

More information: Using the Management Interface wizard; Configuring Secure Shell (SSH)

SSL

Default setting: disabled

Security guidelines: Secure Sockets Layer (SSL) and Transport Layer Security (TLS) provide remote web browser access (WebAgent) to the switch through authenticated transactions and encrypted paths between the switch and management-station clients capable of SSL/TLS operation. The authentication used is server certificate authentication combined with user password authentication. The browser authenticates the switch by its certificate, so install a certificate the browser trusts, or verify a self-signed certificate out of band, rather than clicking through certificate warnings.

More information: Using the Management Interface wizard; Configuring Secure Socket Layer (SSL)

SNMP

Default setting: public, unrestricted

Security guidelines: In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base), using the well-known community name "public". Controlling SNMP access to the switch, and preventing unauthorized SNMP access, should therefore be a key element of your network security strategy. At a minimum, replace the default community name and restrict it to read-only access; SNMPv1 and SNMPv2c send community names in clear text, so prefer SNMPv3 where your management stations support it.

More information: SNMP security guidelines; Using the Management Interface wizard. In the management and configuration guide, see "Using SNMP Tools to manage the switch".

Authorized IP managers

Default setting: none

Security guidelines: This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following:
  • Telnet and other terminal emulation applications

  • The WebAgent

  • SNMP (with a correct community name)

Authorized IP managers filter on the source IP address only. They complement, rather than replace, password or server-based authentication, since a source address can be spoofed or a permitted host compromised.

More information: Using Authorized IP Managers

Secure Management VLAN

Default setting: disabled

Security guidelines: This feature creates an isolated network for managing the switches that offer it. When a secure management VLAN is enabled, CLI, Menu interface, and WebAgent access is restricted to ports configured as members of that VLAN.

More information: In the advanced traffic management guide, see "Static Virtual LANs (VLANs)".

ACLs for Management Access Protection

Default setting: none

Security guidelines: ACLs can also be configured to protect management access by blocking inbound IP traffic that has the switch itself as the destination IP address, permitting only the management stations and protocols you intend.

More information: IPv4 Access Control Lists (ACLs)

TACACS+ Authentication

Default setting: disabled

Security guidelines: This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses username/password sets with associated privilege levels to grant or deny access through either the switch serial (console) port or remotely, with Telnet.

If the switch cannot reach a TACACS+ server for the necessary authentication service, it falls back to its own locally configured passwords for authentication control, so the local passwords must be as strong as the server credentials. TACACS+ allows both login (read-only) and enable (read/write) privilege-level access.

More information: TACACS+ Authentication

RADIUS Authentication

Default setting: disabled

Security guidelines: For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch through the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.

More information: RADIUS Authentication, Authorization, and Accounting

802.1X Access Control

Default setting: none

Security guidelines: This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. The general features include the following:
  • User-based access control supporting up to 32 authenticated clients per port.

  • Port-based access control, in which authentication by a single client opens the port for every device behind it, so use it only where one device connects per port.

  • Switch operation as a supplicant for point-to-point connections to other 802.1X-compliant switches.

More information: Configuring Port and User-Based Access Control (802.1X)

Web and MAC Authentication

Default setting: none

Security guidelines: These options are designed for use at the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run special supplicant software, both are suitable for legacy systems and for temporary access situations where installing supplicant software is not an attractive option.

Both methods rely on a RADIUS server for authentication. This simplifies access security management by letting you control access from a master database on a single server. It also means the same credentials can be used for authentication regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a web page login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses. Because a MAC address is easily spoofed, treat MAC authentication as the weakest of these methods and reserve it for devices that cannot perform 802.1X or a web login.

More information: Web and MAC Authentication