Specifications
Administrative AAA Configuration Scenarios
3-2 Configuring AAA for Administrative and Local Access
• Enabled mode. To enter the enabled mode of operation, you type the enable command at the command prompt. In enabled mode, you can use all CLI commands. Although MSS does not require an enable password, Enterasys Networks highly recommends that you set one.
• Customized authentication. You can require authentication for all users or for only a subset of users. Username globbing (see “User Globs, MAC Address Globs, and VLAN Globs” on page 1‐4) allows different users or classes of user to be given different authentication treatments. You can configure console authentication and Telnet authentication separately, and you can apply different authentication methods to each.
For any user, authorization uses the same method(s) as authentication for that user.
• Local override. A special authentication technique called local override lets you attempt authentication via the local database before attempting authentication via a RADIUS server. The RoamAbout Switch attempts administrative authentication in the local database first. If it finds no match, the RoamAbout Switch attempts administrative authentication on the RADIUS server. (For information about setting a RoamAbout Switch to use RADIUS servers, see Chapter 18, Configuring Communication with RADIUS.)
• Accounting for administrative access sessions. Accounting records can be stored and displayed locally or sent to a RADIUS server. Accounting records provide an audit trail of the time an administrative user logged in, the administrator’s username, the number of bytes transferred, and the time the session started and ended.
Figure 3‐1 illustrates a typical RoamAbout Switch, access points, and network administrator in an enterprise network. As network administrator, you initially access the RoamAbout Switch via the console. You can then optionally configure authentication, authorization, and accounting for administrative access mode.
Enterasys Networks recommends enforcing authentication for administrative access using usernames and passwords stored either locally or on RADIUS servers.