Authentication-method lists

To configure an authentication-method list for SNMP, enter a command such as the following.

Brocade(config)# aaa authentication snmp-server default local

This command allows certain incoming SNMP SET operations to be authenticated using the locally configured usernames and passwords. When this command is enabled, community string validation is not performed for incoming SNMP V1 and V2c packets. This command takes effect as long as the first varbind for SNMP packets is set to one of the following:

snAgGblPassword="<username> <password>" (for AAA method local)

snAgGblPassword="<password>" (for AAA method line, enable)

NOTE

Certain SNMP objects need additional validation. These objects include but are not limited to: snAgReload, snAgWriteNVRAM, snAgConfigFromNVRAM, snAgImgLoad, snAgCfgLoad and snAgGblTelnetPassword. For more information, see snAgGblPassword in the IronWare MIB Reference Guide.

If AAA is set up to check both the username and password, the string contains the username, followed by a space and then the password. If AAA is set up to authenticate with the current Enable or Line password, the string contains the password only.

Note that the above configuration can be overridden by the command no snmp-server pw-check, which disables password checking for SNMP SET requests.

Example 3

To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the following command.

Brocade(config)# aaa authentication enable default local

This command configures the device to use the local user accounts to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI.

Example 4

To configure the device to consult a RADIUS server first to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI, then consult the local user accounts if the RADIUS server is unavailable, enter the following command.

Brocade(config)# aaa authentication enable default radius local

Command Syntax

The following is the command syntax for the preceding examples.

Syntax: [no] aaa authentication snmp-server | enable | login default method1 [method2] [method3] [method4] [method5] [method6] [method7]

The snmp-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.

NOTE

TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters.
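
The following audit sketch is an added example, not code from the Brocade guide. It checks a running-config excerpt against the rules stated above: one method list per access type, at most seven methods, TACACS/TACACS+ and RADIUS only for enable and login, and no snmp-server pw-check overriding the SNMP method list. The sample configuration is constructed, and the function names and the tacacs / tacacs+ keyword spellings are assumptions.

```python
import re

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
aaa authentication snmp-server default local
aaa authentication enable default radius local
aaa authentication login default radius
aaa authentication snmp-server default radius local
no snmp-server pw-check
"""

METHOD_LIST = re.compile(
    r"^aaa authentication (snmp-server|enable|login) default (\S.*)$")
# Per the NOTE above, these are supported only for enable and login.
# "tacacs" and "tacacs+" are assumed keyword spellings.
SERVER_METHODS = {"radius", "tacacs", "tacacs+"}
# Expected snAgGblPassword contents per AAA method, as described above.
VARBIND_FORMAT = {"local": "<username> <password>",
                  "line": "<password>", "enable": "<password>"}


def audit(config_text):
    """Return (method_lists, findings) for a running-config excerpt."""
    lists, findings = {}, []
    pw_check_off = False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if line == "no snmp-server pw-check":
            pw_check_off = True
            continue
        m = METHOD_LIST.match(line)
        if not m:
            continue
        access, methods = m.group(1), m.group(2).split()
        if access in lists:
            findings.append(f"{access}: more than one method list")
        if len(methods) > 7:
            findings.append(f"{access}: more than seven methods")
        if access == "snmp-server" and SERVER_METHODS & set(methods):
            findings.append("snmp-server: RADIUS/TACACS method not supported")
        lists[access] = methods
    if pw_check_off:
        findings.append("pw-check disabled: SNMP SET password checking is off")
    return lists, findings


def snmp_varbind_format(lists):
    """First-varbind format expected for the first snmp-server method."""
    methods = lists.get("snmp-server", [])
    return VARBIND_FORMAT.get(methods[0]) if methods else None
```

Calling audit(SAMPLE_CONFIG) returns the parsed method lists together with three findings for the constructed excerpt.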

Brocade ICX 6650 Security Configuration Guide


53-1002601-01

 
