Extreme NetIron devices support role-based authentication. A device can perform authentication and authorization (role selection) using TACACS+, RADIUS, and a local configuration database. NetIron devices also support multiple authentication methods for each service.
To implement one or more authentication methods for securing access to the device, you configure authentication-method lists that set the order in which the authentication methods are consulted.
In an authentication-method list, you specify the access method (SSHv2, Web, SNMP, and so on) and the order in which the device tries one or more of the following authentication methods:
When a list is configured, the device attempts the first method listed to provide authentication. If that method is not available (for example, the device cannot reach a TACACS+ server), the device tries the next method until a method in the list is available or all methods have been tried.
NetIron devices allow multiple concurrent operators through SSHv2 and the console. One operator's configuration changes can overwrite the changes of another operator.
Note
The Crypto-officer should enable the password restriction using the enable strict-password-enforcement command.
Note
When operating in the FIPS approved mode, Telnet is disabled and line authentication is not available.
The enable method uses a password corresponding to each role to authenticate an operator. An operator enters the read-only password to select the User role, the port-config password to select the Port Configuration Administrator role, or the super-user password to select the Crypto-officer role.
To use the enable authentication method, a Crypto-officer must set the password for each privilege level.
The local method of authentication uses a password associated with a user name to authenticate an operator. An operator enters a user name and corresponding password. The NetIron device assigns the role associated with the user name to the operator when authentication is successful.
To use local authentication, a Crypto-officer must define user accounts. The definition includes a user name, password, and privilege level (which determines the role).
The RADIUS method uses one or more RADIUS servers to verify user names and passwords. The NetIron device prompts an operator for a user name and password and sends them to the RADIUS server. Upon successful authentication, the RADIUS server returns the operator's privilege level, which determines the operator's role. If a RADIUS server does not respond, the NetIron device sends the user name and password to the next configured RADIUS server.
Note
RADIUS over TLS is supported in FIPS mode.
To use RADIUS authentication, a Crypto-officer must configure RADIUS server settings along with authentication and authorization settings.
The TACACS+ method uses one or more TACACS+ servers to verify user names and passwords. For TACACS+, the NetIron device prompts an operator for a user name and password and sends them to the TACACS+ server. Upon successful authentication, the NetIron device selects the operator's role implicitly based on the action requested (for example, the User role for a login request or the Crypto-officer role for a configure terminal command). For TACACS+ authentication, the NetIron device prompts an operator for a user name, which the device uses to obtain a password prompt from the TACACS+ server. The operator enters a password, which the device relays to the server for validation. Upon successful authentication, the TACACS+ server supports both exec and command authorization, similar to the RADIUS authorization described above.
To use TACACS+ authentication, a Crypto-officer must configure TACACS+ server settings along with authentication and authorization settings.
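The method-list behaviour described above (consult methods in order, skip a method that is not available, stop at the first one that is) together with the local and TACACS+ methods, as an added Python simulation that is not NetIron or Extreme code. The privilege-to-role numbering (0 super-user, 4 port-config, 5 read-only), the sample accounts and the passwords are assumptions constructed for the example.

```python
# Added simulation of a NetIron-style authentication-method list; this is
# not vendor code. Assumed privilege-to-role numbering: 0 = super-user
# (Crypto-officer), 4 = port-config, 5 = read-only (User).
from typing import Callable, Dict, List, Optional, Tuple

UNAVAILABLE = object()  # sentinel: the method could not be consulted at all
ROLE_OF_PRIVILEGE = {0: "Crypto-officer", 4: "Port Configuration Administrator", 5: "User"}
# username -> (password, privilege level); constructed sample accounts
LOCAL_USERS = {"admin": ("local-admin-pw", 0), "ops": ("local-ops-pw", 5)}
TACACS_USERS = {"ops": ("tacacs-ops-pw", 4)}
Method = Callable[[str, str], object]  # returns a role, None (rejected) or UNAVAILABLE

def check_db(db: Dict[str, Tuple[str, int]], username: str, password: str) -> Optional[str]:
    """Verify a user name/password pair and map its privilege level to a role."""
    entry = db.get(username)
    if entry is None or entry[0] != password:
        return None  # rejected: unknown user name or wrong password
    return ROLE_OF_PRIVILEGE[entry[1]]

def local_method(username: str, password: str) -> object:
    """The local method: the configuration database is always reachable."""
    return check_db(LOCAL_USERS, username, password)

def make_tacacs_method(reachable: bool) -> Method:
    """A TACACS+ method whose server may be unreachable (UNAVAILABLE)."""
    def method(username: str, password: str) -> object:
        if not reachable:
            return UNAVAILABLE
        return check_db(TACACS_USERS, username, password)
    return method

def authenticate(method_list: List[Tuple[str, Method]], username: str,
                 password: str) -> Tuple[Optional[str], Optional[str]]:
    """Walk the list in order. A method that is not available is skipped;
    the first available method decides, and its rejection is final (there
    is no fallback on a wrong password, only on an unreachable method).
    Returns (role or None, name of the method that decided or None)."""
    for name, method in method_list:
        verdict = method(username, password)
        if verdict is UNAVAILABLE:
            continue  # e.g. TACACS+ server cannot be reached: try the next one
        return verdict, name
    return None, None  # every method was tried and none was available

if __name__ == "__main__":
    fallback = [("tacacs+", make_tacacs_method(reachable=False)), ("local", local_method)]
    print(authenticate(fallback, "admin", "local-admin-pw"))  # ('Crypto-officer', 'local')
    live = [("tacacs+", make_tacacs_method(reachable=True)), ("local", local_method)]
    print(authenticate(live, "admin", "local-admin-pw"))      # (None, 'tacacs+')
```

The second call shows the point worth checking in a real deployment: once the TACACS+ server answers, a rejection there is not retried against the local database.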