Access security features

This section provides an overview of the switch access security features, authentication protocols, and methods.

NOTE: The Management Interface wizard provides a convenient step-by-step method to prepare the switch for secure network operation. See Using the Management Interface wizard for details.

Access Security and Switch Authentication Features

Feature | Default setting | Security guidelines | More information and configuration details

Manager password

no password

Configuring a local Manager password is a fundamental step in reducing the possibility of unauthorized access through the switch WebAgent and console (CLI and Menu) interfaces. Set the Manager password using one of these methods:
  • CLI: password manager command, or Management interface wizard.

  • WebAgent: the password options under the Security tab, or Management interface wizard.

  • Menu interface: Console Passwords option.

  • SNMP.

Using the Management Interface wizard
Using SNMP to view and configure switch authentication features

Telnet and web browser access (WebAgent)

enabled

The default remote management protocols enabled on the switch are plain text protocols, which transfer passwords in open or plain text that is easily captured. To reduce the chances of unauthorized users capturing your passwords, secure and encrypted protocols such as SSH and SSL (see below for details) should be used for remote access. This enables you to employ increased access security while still retaining remote client access. Also, access security on the switch is incomplete without disabling Telnet and the standard web browser access (WebAgent). Block unauthorized Telnet or WebAgent access attempts with these commands:
  • no telnet-server blocks inbound Telnet access.

  • no web-management prevents use of the WebAgent through http (port 80) server access.

If you choose not to disable Telnet and the WebAgent, you may want to consider using RADIUS accounting to maintain a record of password-protected access to the switch.
Using the Management Interface wizard

For more on Telnet and the WebAgent, see "Interface Access and System Information" in the management and configuration guide. For RADIUS accounting, see RADIUS Authentication, Authorization, and Accounting.

SSH

enabled

SSH provides Telnet-like functions through encrypted, authenticated transactions of the following types:
  • Client public-key authentication: uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch.

  • Switch SSH and user password authentication: this option is a subset of the client public-key authentication, and is used if the switch has SSH enabled without a login access configured to authenticate the client's key. In this case, the switch authenticates itself to clients, and users on SSH clients then authenticate themselves to the switch by providing passwords stored on a RADIUS or TACACS+ server, or locally on the switch.

  • Secure copy (SC) and secure FTP (SFTP): By opening a secure, encrypted SSH session, you can take advantage of SC and SFTP to provide a secure alternative to TFTP for transferring sensitive switch information. For more on SC and SFTP, see the section titled "Using Secure Copy and SFTP" in the "File Transfers" appendix of the management and configuration guide for your switch.

Using the Management Interface wizard

SSL

disabled

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) provide remote Web browser access (WebAgent) to the switch via authenticated transactions and encrypted paths between the switch and management station clients capable of SSL/TLS operation. The authenticated type includes server certificate authentication with user password authentication.

Using the Management Interface wizard
Configuring Secure Sockets Layer (SSL)

SNMP

public, unrestricted

In the default configuration, the switch is open to access by management stations running SNMP management applications capable of viewing and changing the settings and status data in the switch MIB (Management Information Base). Thus, controlling SNMP access to the switch and preventing unauthorized SNMP access should be a key element of your network security strategy.

Using switch security features
Using the Management Interface wizard
Management and configuration guide, Chapter 14, see the section "Using SNMP Tools To Manage the Switch."

Authorized IP Managers

none

This feature uses IP addresses and masks to determine whether to allow management access to the switch across the network through the following:
  • Telnet and other terminal emulation applications.

  • The WebAgent.

  • SNMP (with a correct community name).

Authorized IP Managers

Secure Management VLAN

disabled

This feature creates an isolated network for managing the switches that offer this feature. When a secure management VLAN is enabled, CLI, Menu interface, and WebAgent access is restricted to ports configured as members of the VLAN.

See "Static Virtual LANs (VLANs)" in the advanced traffic management guide for your switch.

ACLs for Management Access Protection

none

ACLs can also be configured to protect management access by blocking inbound IP traffic that has the switch itself as the destination IP address.

IPv4 Access Control Lists (ACLs)

TACACS+ Authentication

disabled

This application uses a central server to allow or deny access to TACACS-aware devices in your network. TACACS+ uses user name/password sets with associated privilege levels to grant or deny access through either the switch serial (console) port or remotely, with Telnet. If the switch fails to connect to a TACACS+ server for the necessary authentication service, it defaults to its own locally configured passwords for authentication control. TACACS+ allows both login (read-only) and enable (read/write) privilege level access.

TACACS+ Authentication and Accounting

RADIUS Authentication

disabled

For each authorized client, RADIUS can be used to authenticate operator or manager access privileges on the switch via the serial port (CLI and Menu interface), Telnet, SSH, and Secure FTP/Secure Copy (SFTP/SCP) access methods.

RADIUS Authentication, Authorization, and Accounting

802.1X Access Control

none

This feature provides port-based or user-based authentication through a RADIUS server to protect the switch from unauthorized access and to enable the use of RADIUS-based user profiles to control client access to network services. Included in the general features are the following:
  • User-based access control supporting up to 32 authenticated clients per port.

  • Port-based access control allowing authentication by a single client to open the port.

  • Switch operation as a supplicant for point-to-point connections to other 802.1X-compliant switches.

 
Web and MAC Authentication

none

These options are designed for application on the edge of a network to provide port-based security measures for protecting private networks and the switch itself from unauthorized access. Because neither method requires clients to run any special supplicant software, both are suitable for legacy systems and temporary access situations where introducing supplicant software is not an attractive option. Both methods rely on a RADIUS server for authentication. This simplifies access security management by allowing you to control access from a master database in a single server. It also means that the same credentials can be used for authentication, regardless of which switch or switch port is the current access point into the LAN. Web authentication uses a webpage login to authenticate users for access to the network. MAC authentication grants access to a secure network by authenticating device MAC addresses.

Web-based and MAC authentication
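
An added example, not part of the original guide: a Python check of a saved configuration listing for the insecure defaults the table flags (Telnet, WebAgent over http, the public SNMP community, no Authorized IP Managers). The sample listings are constructed, and the `snmp-server community` and `ip authorized-managers` line formats are assumptions about how the configuration is printed; `no telnet-server` and `no web-management` are the commands given in the table.

```python
import re

# Constructed sample listings (not taken from the guide or from a real switch).
SAMPLE_CONFIG = """\
hostname "edge-sw-01"
snmp-server community "public" unrestricted
no telnet-server
vlan 1
   name "DEFAULT_VLAN"
   exit
"""

HARDENED_CONFIG = """\
hostname "edge-sw-02"
no telnet-server
no web-management
snmp-server community "nms-ro" operator
ip authorized-managers 10.0.50.0 255.255.255.0 access manager
"""


def audit(config_text):
    """Return findings for the default settings the table flags."""
    lines = [ln.strip().lower() for ln in config_text.splitlines() if ln.strip()]
    present = set(lines)
    findings = []

    # Telnet and the WebAgent are enabled by default, so a listing says
    # nothing about them unless they were disabled: absence means enabled.
    if "no telnet-server" not in present:
        findings.append("telnet: enabled (no 'no telnet-server' line)")
    if "no web-management" not in present:
        findings.append("webagent-http: enabled (no 'no web-management' line)")

    # Default SNMP access: community "public", unrestricted.
    # Assumed line format: snmp-server community "<name>" <access level>
    for ln in lines:
        if re.match(r'snmp-server community "?public"?(\s|$)', ln) and "unrestricted" in ln:
            findings.append("snmp: community 'public' is unrestricted")
            break

    # Authorized IP Managers default to none.
    # Assumed line format: ip authorized-managers <ip> <mask> ...
    if not any(ln.startswith("ip authorized-managers ") for ln in lines):
        findings.append("authorized-managers: none configured")

    return findings
```

Run `audit()` on a listing exported from the switch; the Manager password is not checked because the listing may not display it.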