System information

Operation 1-13
Software Release 2.0.1
C613-03018-00 REV A
The users authenticated by the UAF can be operators or other routers. If the
user is another router, the authentication will occur without appearing in a
terminal screen.
The UAF supports three methods of user authentication: an internal database
called the User Authentication Database, and interrogation of external RADIUS
(Remote Authentication Dial In User Service) or TACACS (Terminal Access
Controller Access Control System) servers.
The UAF first queries the User Authentication Database. If the supplied login
name and password do not match an entry in the User Authentication
Database, the UAF sends authentication requests to any RADIUS servers that
have been defined. If there are no defined RADIUS servers, or all the RADIUS
servers return a reject response, the UAF sends authentication requests to
any TACACS servers that have been defined. If the supplied login name and
password match an entry in the User Authentication Database, or one of the
defined RADIUS or TACACS servers returns an accept response to an
authentication request, the login is accepted. If the supplied login name and
password do not match an entry in the User Authentication Database, and all
of the defined RADIUS or TACACS servers return reject responses to
authentication requests, the login is rejected.
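The decision order described above, modelled as an added example that is not the router's own code or the manufacturer's: the local User Authentication Database is consulted first, then each defined RADIUS server, then each defined TACACS server, and the login is rejected only when nothing accepts it. The servers, account names and passwords are constructed stand-ins (plain callables, no network traffic); the function names uaf_login and make_server are the example's own.

```python
"""Simulated UAF login decision chain (added example, not vendor code).

Models the order the manual describes: local database, then defined RADIUS
servers, then defined TACACS servers. External servers are constructed
callables so the example runs offline.
"""
import hmac
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"


# An external server is modelled as a function (login, password) -> Verdict.
Server = Callable[[str, str], Verdict]


def _matches(stored: str, supplied: str) -> bool:
    """Constant-time comparison of a stored and a supplied password."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def make_server(accounts: Dict[str, str]) -> Server:
    """Constructed stand-in for a RADIUS or TACACS server: accepts only the
    credentials in `accounts`, rejects everything else."""
    def authenticate(login: str, password: str) -> Verdict:
        stored = accounts.get(login)
        if stored is not None and _matches(stored, password):
            return Verdict.ACCEPT
        return Verdict.REJECT
    return authenticate


def uaf_login(login: str, password: str,
              local_db: Dict[str, str],
              radius_servers: List[Tuple[str, Server]],
              tacacs_servers: List[Tuple[str, Server]]) -> Tuple[Verdict, str]:
    """Return (verdict, source) following the manual's order:
    1. a match in the local database accepts the login immediately;
    2. otherwise each defined RADIUS server is asked, and the first accept wins;
    3. if no RADIUS server is defined, or all reject, each defined TACACS
       server is asked the same way;
    4. if nothing accepts, the login is rejected."""
    stored = local_db.get(login)
    if stored is not None and _matches(stored, password):
        return Verdict.ACCEPT, "local"
    for name, server in radius_servers:
        if server(login, password) is Verdict.ACCEPT:
            return Verdict.ACCEPT, f"radius:{name}"
    for name, server in tacacs_servers:
        if server(login, password) is Verdict.ACCEPT:
            return Verdict.ACCEPT, f"tacacs:{name}"
    return Verdict.REJECT, "none"


# Constructed sample data: one local account, one RADIUS server, one TACACS
# server, each knowing a different user.
LOCAL_DB = {"localop": "local-pass"}
RADIUS_SERVERS = [("radius-a", make_server({"netop": "radius-pass"}))]
TACACS_SERVERS = [("tacacs-a", make_server({"secop": "tacacs-pass"}))]


if __name__ == "__main__":
    for user, pw in [("localop", "local-pass"), ("netop", "radius-pass"),
                     ("secop", "tacacs-pass"), ("netop", "wrong")]:
        print(user, uaf_login(user, pw, LOCAL_DB, RADIUS_SERVERS, TACACS_SERVERS))
```

One consequence of this order that matters when reviewing a router's configuration: because the local database is checked first and a local match accepts the login outright, a reject from every RADIUS or TACACS server cannot override a stale or weak entry in the local database. The local accounts therefore deserve the same review as the external directory.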
The User Authentication Database
The User Authentication Database stores information about the users who are
permitted to have access to the router’s command prompt, asynchronous
services and dialup services. Users are identified by a login name. Each login
name has an associated record in the database which specifies:
- The password that the user must enter to log in to the router.
- The privilege level for the user: USER, MANAGER or SECURITY OFFICER.
- Whether or not the user is permitted to use the TELNET command on
  page 11-24 of Chapter 11, Terminal Server, or to connect to a Telnet service
  from a Telnet session.
- The IP address, network mask and MTU (Maximum Transmission Unit) to
  use for PPP or SLIP connections to the router via an asynchronous port.
- A callback number for use with the PPP callback facility.
Adding Entries to the User Authentication Database
When the router is started up for the first time, one account is created
automatically. This account has the login name MANAGER, the password
“friend”, and MANAGER privilege. This account cannot be deleted, although
the password may be changed. The MANAGER account makes the MANAGE
command (supported in Release 6.6 and earlier) obsolete.
The manager should change the password of the MANAGER account at the
earliest opportunity. Leaving the MANAGER account with the default
password is a security risk, as the account name and default password are well
documented.