DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring AAA for Administrative and Local Access
Overview of AAA for Administrative and Local Access
D-Link Mobility System Software (MSS) supports authentication, authorization, and accounting
(AAA) for secure network connections. As administrator, you must establish administrative
access for yourself and optionally other local users before you can configure the DWS-1008
for operation.
Here is an overview of configuration topics:
• Console connection. By default, any administrator can connect to the console port and
manage the switch, because no authentication is enforced. (D-Link recommends that you
enforce authentication on the console port after initial connection.)
• Telnet or SSH connection. Administrators cannot establish a Telnet or Secure Shell
(SSH) connection to the DWS-1008 by default. To provide Telnet or SSH access, you
must add a username and password entry to the local database or, optionally, set the
authentication method for Telnet users to a Remote Authentication Dial-In User Service
(RADIUS) server.
• Restricted mode. When you initially connect to the DWS-1008, your mode of operation
is restricted. In this mode, only a small subset of status and monitoring commands is
available. Restricted mode is useful for administrators with basic monitoring privileges who
are not allowed to change the configuration or run traces.
• Enabled mode. To enter the enabled mode of operation, you type the enable command
at the command prompt. In enabled mode, you can use all CLI commands. Although MSS
does not require an enable password, D-Link highly recommends that you set one.
• Customized authentication. You can require authentication for all users or for only a
subset of users. Username globbing allows different users or classes of user to be given
different authentication treatments. You can configure console authentication and Telnet
authentication separately, and you can apply different authentication methods to each. For
any user, authorization uses the same method(s) as authentication for that user.
• Local override. A special authentication technique called local override lets you attempt
authentication via the local database before attempting authentication via a RADIUS server.
The switch attempts administrative authentication in the local database first. If it finds no
match, the DWS-1008 attempts administrative authentication on the RADIUS server.
Note. A CLI Telnet connection to the DWS-1008 is not secure, unlike SSH and Web View
connections.
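The following Python model is an added illustration, not MSS code or D-Link CLI syntax. It shows how username globbing and local override, as described in the overview above, decide which method answers a login. Assumptions: fnmatch-style wildcards stand in for MSS glob syntax (not defined on this page), the first matching rule wins, only an unknown username falls through to the next method, and all names, rules and credentials are constructed.

```python
import hmac
from fnmatch import fnmatchcase

# Constructed sample credentials; none of these values come from the manual.
LOCAL_DB = {"admin": "local-pw"}
RADIUS_DB = {"admin": "other-pw", "alice@ops": "radius-pw"}

# (access type, username glob, ordered methods). Assumption: first match wins.
RULES = [
    ("telnet", "*@ops", ["radius"]),
    ("telnet", "*", ["local", "radius"]),  # local override: local first
    ("console", "*", ["local"]),
]
# With no rule: console is unauthenticated, Telnet needs a local entry.
DEFAULTS = {"console": [], "telnet": ["local"]}


def methods_for(access, user, rules):
    for rule_access, glob, methods in rules:
        if rule_access == access and fnmatchcase(user, glob):
            return methods
    return DEFAULTS[access]


def check(db, user, password):
    """Return 'no-match' for an unknown user, else 'accept' or 'reject'."""
    if user not in db:
        return "no-match"
    same = hmac.compare_digest(db[user].encode(), password.encode())
    return "accept" if same else "reject"


def authenticate(access, user, password, rules=RULES):
    """Return (decision, method that produced it)."""
    methods = methods_for(access, user, rules)
    if not methods:
        return ("accept", "none")  # no authentication enforced
    for method in methods:
        db = LOCAL_DB if method == "local" else RADIUS_DB
        result = check(db, user, password)
        # Assumption: only an unknown username falls through to the next method.
        if result != "no-match":
            return (result, method)
    return ("reject", methods[-1])  # unknown to every configured method
```

Under these assumptions a local account shadows a RADIUS account of the same name: `authenticate("telnet", "admin", "other-pw")` is rejected by the local database and never reaches RADIUS. With an empty rule list the console accepts any login, which is the default the overview recommends changing.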