46

AT-8800 Series Switch User Guide

In normal mode, a user with manager privilege can create and delete accounts for users with any of these privilege levels. Users and passwords are managed by the User Authentication Facility. Users and passwords are authenticated using an internal database called the User Authentication Database, or by interrogation of external RADIUS (Remote Authentication Dial In User Service) or TACACS (Terminal Access Controller Access Control System) servers.

On the CLI, to use an account with manager privilege, log in to the account by entering the command:

LOGIN

The switch prompts you to enter a user name and password. To return to USER mode, enter the command:

LOGOFF

Make sure that you do not leave a manager session unattended. Unauthorised use of a manager session gives access to the User Authentication Database. To reduce the risk of unauthorised activity, a subset of manager commands has a security timer. These commands are shown in Table 4 on page 46. When you enter one of these commands from a manager session, the security timer is started, and it is restarted each time you enter another of these commands. If you enter one of these commands after the timer has expired, you are prompted to re-enter the password. The security timer defaults to 60 seconds. If the password is not entered correctly, the password prompt is repeated a set number of times. If the correct password is still not entered, a log message is generated and the session is logged off.

The security timer enables a manager to make successive additions and modifications to the database at one time without having to re-enter the password for every command.

The security timer does not provide a foolproof security mechanism. Managers should always attempt to log out of a manager session before leaving a terminal unattended.

Table 4: Secure commands controlled by the security timer.

Command                Description
ADD TACACS SERVER      Adds a TACACS server to the list of TACACS servers used for user authentication.
ADD USER               Adds a user to the User Authentication Database.
DELETE TACACS SERVER   Deletes a TACACS server from the list of TACACS servers used for user authentication.
DELETE USER            Deletes a user from the User Authentication Database.
PURGE USER             Deletes all users except MANAGER from the User Authentication Database.
SET MANAGER PORT       Assigns a port semipermanent MANAGER privilege.
SET USER               Modifies a user record in the User Authentication Database.

If the switch is operating in security mode, the manager must also log in to a user account with SECURITY OFFICER privilege in order to execute any of the commands listed in Table 4 on page 46.
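To make the security timer semantics concrete, here is an added Python model of one manager session (written for this page, not Allied Telesis code): it treats the Table 4 commands as the guarded set, assumes that a session's first secure command prompts for the password and that the prompt is repeated three times (the guide gives neither detail), and uses a constructed clock so the 60-second window can be stepped through offline.

```python
# The seven commands Table 4 lists as guarded by the security timer.
SECURE_COMMANDS = {
    "ADD TACACS SERVER", "ADD USER", "DELETE TACACS SERVER", "DELETE USER",
    "PURGE USER", "SET MANAGER PORT", "SET USER",
}

class ManagerSession:
    def __init__(self, password, clock, secure_delay=60, max_attempts=3):
        self.password = password
        self.clock = clock                 # returns seconds, e.g. time.monotonic
        self.secure_delay = secure_delay   # the guide's 60-second default
        self.max_attempts = max_attempts   # guide says "a set number"; 3 is assumed
        self.timer_started = None          # None until the first secure command
        self.logged_in = True
        self.log = []                      # messages the switch would log

    def timer_expired(self):
        # Unstarted counts as expired, so a session's first secure command
        # prompts for the password (assumed; the guide does not say).
        return (self.timer_started is None
                or self.clock() - self.timer_started > self.secure_delay)

    def run(self, command, password_attempts=()):
        """True if the command executed, False if the session was logged off."""
        if not self.logged_in:
            return False
        if command.upper() not in SECURE_COMMANDS:
            return True                    # unguarded commands never touch the timer
        if self.timer_expired():
            # The prompt repeats up to max_attempts times; still no correct
            # password by then means a log message and logoff.
            if self.password not in password_attempts[:self.max_attempts]:
                self.log.append("security timer: password not entered; session logged off")
                self.logged_in = False
                return False
        self.timer_started = self.clock()  # every secure command (re)starts the timer
        return True

def demo():
    now = [0.0]                            # constructed clock, advanced by hand
    s = ManagerSession("friend", clock=lambda: now[0])
    r1 = s.run("ADD USER", password_attempts=("friend",))      # first use: prompt, timer starts
    now[0] += 30
    r2 = s.run("SET USER")                                      # 30 s later: no prompt, timer restarts
    now[0] += 45
    r3 = s.run("DELETE USER")                                   # 45 s since restart: still no prompt
    now[0] += 61
    r4 = s.run("PURGE USER", password_attempts=("wrong",) * 3)  # expired, three failures: logoff
    return [r1, r2, r3, r4], s.logged_in, s.log
```

A secure command issued with no password attempts while the timer is expired is the model's way of saying the operator walked away, which is exactly the case the guide warns about.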

Software Release 2.6.1 C613-02039-00 REV A
