Specifications
Chapter 2. IBM System Networking Switch 10Gb Ethernet switch features 95
If the remote user is successfully authenticated by the authentication server, the switch
verifies the privileges of the remote user and authorizes the appropriate access. The
administrator may allow secure back door access through Telnet/SSH. Secure back door
provides switch access when the TACACS+ servers cannot be reached.
Accounting
Accounting is the action of recording a user's activities on the device for the purposes of
billing and security. It follows the authentication and authorization actions. If
authentication and authorization are not performed through TACACS+, no TACACS+
accounting messages are sent out.
You can use TACACS+ to record and track software login access, configuration changes,
and interactive commands.
LDAP authentication and authorization
IBM System Networking switches support the Lightweight Directory Access Protocol (LDAP)
method to authenticate and authorize remote administrators to manage the switch. LDAP is
based on a client/server model.
The switch acts as a client to the LDAP server. A remote user (the remote administrator)
interacts only with the switch, not the back-end server and database.
LDAP authentication consists of the following components:
A protocol with a frame format that uses TCP over IP
A centralized server that stores all the user authorization information
A client, in this case, the switch
Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN
consists of the user-account name concatenated with the LDAP domain name. If the
user-account name is John, the following is an example DN:
uid=John,ou=people,dc=domain,dc=com
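The DN construction described above, as an added example that is not part of the Redbook: it builds the user DN from the user-account name and the LDAP domain name, escaping DN metacharacters per RFC 4514 so that an account name cannot alter the DN structure. The uid attribute and the ou=people container are taken from the page's example; that the switch assembles the DN in exactly this layout is an assumption.

```python
# Added example (not IBM's code): build the LDAP DN the switch looks up,
# uid=<user>,ou=people,dc=<label>,dc=<label>, from a user-account name and
# the LDAP domain name. Assumption: the switch uses exactly this layout.

# Characters that must be escaped inside an RDN attribute value (RFC 4514 2.4).
DN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)            # structural characters
        elif ch == '#' and i == 0:
            out.append('\\#')                # leading '#' would mean a hex-encoded value
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')                # leading/trailing space is otherwise stripped
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))  # control characters as \XX hex pairs
        else:
            out.append(ch)
    return ''.join(out)


def domain_to_dc(domain: str) -> str:
    """Turn 'domain.com' into 'dc=domain,dc=com', escaping each label."""
    labels = [lbl for lbl in domain.strip('.').split('.') if lbl]
    if not labels:
        raise ValueError("empty LDAP domain name")
    return ','.join('dc=' + escape_rdn_value(lbl) for lbl in labels)


def build_user_dn(user_account: str, ldap_domain: str, ou: str = 'people') -> str:
    """Concatenate the escaped account name with the domain components."""
    if not user_account:
        raise ValueError("empty user-account name")
    return 'uid=%s,ou=%s,%s' % (escape_rdn_value(user_account),
                                escape_rdn_value(ou),
                                domain_to_dc(ldap_domain))


if __name__ == '__main__':
    print(build_user_dn('John', 'domain.com'))   # uid=John,ou=people,dc=domain,dc=com
```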
2.8.4 MAC address notification
MAC address notification is a feature that causes a switch to generate a syslog message
when a MAC address is added or removed from the MAC address table. This feature is useful
for tracking hosts as they change the ports they are connected to.
2.8.5 802.1x Port-based network access control
Port-based network access control provides a means of authenticating and authorizing
devices attached to a LAN port that has point-to-point connection characteristics. It prevents
access to ports that fail authentication and authorization. This feature provides security to
the ports of the IBM System Networking Switch Module that connect to blade servers.
Extensible Authentication Protocol over LAN
IBM Networking OS can provide user-level security for its ports by using the IEEE 802.1X
protocol, which is a more secure alternative to other methods of port-based network access
control. Any device attached to an 802.1X-enabled port that fails authentication is denied
access to the network and to the services offered through that port.