Technical data
BLADE OS 5.1 Application Guide
BMD00136, November 2009 Chapter 1: Accessing the Switch
27
Securing Access to the Switch
Secure switch management is needed for environments that perform significant management
functions across the Internet.
The following features are addressed in this section:
“RADIUS Authentication and Authorization” on page 27
“TACACS+ Authentication” on page 31
“LDAP Authentication and Authorization” on page 34
“Secure Shell” on page 36
“End User Access Control” on page 38
RADIUS Authentication and Authorization
Blade OS supports the RADIUS (Remote Authentication Dial-in User Service) method to
authenticate and authorize remote administrators for managing the switch. This method is based on
a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back-end
database server. A remote user (the remote administrator) interacts only with the RAS, not the
back-end server and database.
RADIUS authentication consists of the following components:
A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)
A centralized server that stores all the user authorization information
A client, in this case, the switch
The G8000—acting as the RADIUS client—communicates to the RADIUS server to authenticate
and authorize a remote administrator using the protocol definitions specified in RFC 2138 and
2866. Transactions between the client and the RADIUS server are authenticated using a shared key
that is not sent over the network. In addition, the remote administrator passwords are sent encrypted
between the RADIUS client (the switch) and the back-end RADIUS server.