OmniSwitch 7700/7800/8800 Switch Management Guide, April 2006, page 8-7
Managing Switch Security
Quick Steps for Setting Up ASA
1 If the local user database will be used for user login information, set up user accounts through the user command. User accounts may include user privileges or an end-user profile. In this example user privileges are configured:
-> user thomas password pubs read-write domain-network ip-helper telnet
If SNMP access is configured for the user, the global SNMP setting for the switch may have to be configured through the snmp security command. See Chapter 7, “Managing Switch User Accounts,” for more information about setting up user accounts.
2 If an external RADIUS or LDAP server will be used for user login information, use the aaa radius-server or aaa ldap-server commands to configure the switch to communicate with these servers. For example:
-> aaa radius-server rad1 host 10.10.1.2 timeout 3
For more information, see the “Managing Authentication Servers” chapter in the OmniSwitch 7700/7800/8800 Network Configuration Guide.
3 Use the aaa authentication command to specify the management interface through which switch access is permitted (such as console, telnet, ftp, http, or ssh). Specify the server and backup servers to be used for checking user login and privilege information. Multiple servers of different types may be specified. For example:
-> aaa authentication ssh rad1 ldap2 local
The order of the server names is important. The switch uses the first available server in the list. In this
example, the switch would use rad1 to authenticate Secure Shell users. If rad1 becomes unavailable, the
switch will use ldap2. If ldap2 then becomes unavailable, the switch will use the local user database to
authenticate users.
4 Repeat step 3 for each management interface to which you want to configure access; or use the default keyword to specify access for all interfaces for which access is not specifically denied. For example, if you want to configure access for all management interfaces except FTP, you would enter:
-> no aaa authentication ftp
-> aaa authentication default rad1 local
Note the following:
SNMP access may only use LDAP servers or the local user database. If you configure the default
management access with only RADIUS and/or ACE, SNMP will not be enabled.
It is recommended that Telnet and FTP be disabled if Secure Shell (ssh) is enabled.
If you want to use WebView to manage the switch, make sure HTTP is enabled.
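As an added example (not code from the guide or from Alcatel), the following Python script parses the commands from steps 2 to 4 into per-interface server chains, resolves which server the switch would pick as servers become unavailable, and flags the SNMP and Telnet/FTP cautions in the note above; the aaa ldap-server line in the constructed sample config uses an assumed syntax.

```python
import re

# Management interfaces named in the guide (constructed example; aaa ldap-server syntax is assumed).
INTERFACES = ("console", "telnet", "ftp", "http", "ssh", "snmp")

SAMPLE_CONFIG = """
-> aaa radius-server rad1 host 10.10.1.2 timeout 3
-> aaa ldap-server ldap2 host 10.10.1.3
-> aaa authentication ssh rad1 ldap2 local
-> no aaa authentication ftp
-> aaa authentication default rad1 local
"""

def parse_asa(config_text):
    """Return (servers, access): server name -> type, interface -> ordered chain ([] = denied)."""
    servers, explicit, default = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip().lstrip("-> ").strip()
        if (m := re.match(r"aaa (radius|ldap)-server (\S+)", line)):
            servers[m.group(2)] = m.group(1)
        elif (m := re.match(r"no aaa authentication (\S+)", line)):
            explicit[m.group(1)] = []              # access explicitly denied
        elif (m := re.match(r"aaa authentication (\S+)(.*)", line)):
            iface, chain = m.group(1), m.group(2).split()
            if iface == "default":
                default = chain                    # applies where not specifically denied
            else:
                explicit[iface] = chain
    access = {i: explicit.get(i, list(default or [])) for i in INTERFACES}
    return servers, access

def resolve(chain, unavailable=()):
    """First available server in the chain, as the switch would pick it; None if all are down."""
    for name in chain:
        if name == "local" or name not in unavailable:
            return name
    return None

def audit(config_text):
    """Flag the two cautions the guide gives: SNMP server types and Telnet/FTP alongside ssh."""
    servers, access = parse_asa(config_text)
    findings = []
    snmp = access["snmp"]
    if snmp and not any(n == "local" or servers.get(n) == "ldap" for n in snmp):
        findings.append("snmp: chain has no LDAP server or local, SNMP access will not be enabled")
    for weak in ("telnet", "ftp"):
        if access["ssh"] and access[weak]:
            findings.append(f"{weak}: still enabled while ssh is enabled; guide recommends disabling it")
    return access, findings
```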
5 Specify an accounting server if a RADIUS or LDAP server will be used for accounting. Specify local
if accounting may be done on the switch through the Switch Logging feature. Multiple servers may be
specified as backups.
-> aaa accounting session ldap2 local
The order of the server names is important here as well. In this example, the switch will use ldap2 for
logging switch access sessions. If ldap2 becomes unavailable, the switch will use the local Switch