Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 27 RADIUS and TACACS+
Authentication, Authorization, and Accounting
These security mechanisms can also be configured for the following scenarios:
• iSCSI authentication (see the “iSCSI User Authentication” section on page 20-17).
• Fibre Channel Security Protocol (FC-SP) authentication (see the “Fibre Channel Security Protocol” section on page 30-1).
SNMP Security Options
The SNMP agent supports security features for SNMPv1, SNMPv2c, and SNMPv3. Normal SNMP security mechanisms apply to all applications that use SNMP (for example, Cisco MDS 9000 Fabric Manager).
Fabric Manager and Device Manager security options also apply to the CLI.
See the “SNMP Version 3” section on page 26-2.
Switch AAA Functionalities
Using Fabric Manager, you can configure authentication, authorization, and accounting (AAA) switch
functionalities on any switch in the Cisco MDS 9000 Family.
Authentication
Authentication is the process of verifying the identity of the person managing the switch. This identity
verification is based on the user ID and password combination provided by the person trying to manage
the switch. Cisco MDS 9000 Family switches allow you to perform local authentication (using the local
lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
Note When Fabric Manager logs into a Cisco MDS SAN-OS switch successfully through Telnet or SSH and if that switch is configured for AAA server-based authentication, a temporary SNMP user entry is automatically created with an expiry time of one day. The SNMPv3 protocol data units (PDUs) with your Telnet/SSH login name as the SNMPv3 user are authenticated by the switch. Fabric Manager can temporarily use the Telnet/SSH login name as the SNMPv3 auth and priv passphrase. This temporary SNMP login is only allowed if you have one or more active MDS Shell sessions. If you do not have an active session at any given time, your login is deleted and you will not be allowed to perform SNMPv3 operations.
Note Fabric Manager does not support AAA passwords with trailing whitespace, for example “passwordA “.
Authorization
By default, two roles exist in all Cisco MDS switches:
• Network operator—Has permission to view the configuration only. The operator cannot make any configuration changes.
• Network administrator—Has permission to execute all commands and make configuration changes. The administrator can also create and customize up to 64 additional roles.