Cisco Systems MDS 9000 SNMP Security Options, Switch AAA Functionalities, Authentication, Authorization

Send documentation comments to mdsfeedback-doc@cisco.com.

27-2

Cisco MDS 9000 Family Fabric Manager Configuration Guide

OL-6965-03, Cisco MDS SAN-OS Release 2.x

Chapter 27 RADIUS and TACACS+

Authentication, Authorization, and Accounting

These security mechanisms can also be configured for the following scenarios:

•iSCSI authentication (see the “iSCSI User Authentication” section on page 20-17).

•Fibre Channel Security Protocol (FC-SP) authentication (see the “Fibre Channel Security Protocol”

section on page 30-1)

SNMP Security Options

The SNMP agent supports security features for SNMPv1,SNMPv 2c, and SNMPv3. Normal SNMP

security mechanisms apply to all applications that use SNMP (for example, Cisco MDS 9000 Fabric

Manager).

Fabric Manager and Device Manager security options also apply to the CLI.

See the “SNMP Version 3” section on page 26-2.

Using Fabric Manager, you can configure authentication, authorization, and accounting (AAA) switch

functionalities on any switch in the Cisco MDS 9000 Family.

Authentication is the process of verifying the identity of the person managing the switch. This identity

verification is based on the user ID and password combination provided by the person trying to manage

the switch. Cisco MDS 9000 Family switches allow you to perform local authentication (using the local

lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).

Note When Fabric Manager logs into a Cisco MDS SAN-OS switch successfully through Telnet or SSH and

if that switch is configured for AAA server-based authentication, a temporary SNMP user entry is

automatically created with an expiry time of one day. The SNMP v3 protocol data units (PDUs) with

your Telnet/SSH login name as the SNMPv3 user are authenticated by the switch. Fabric Manager can

temporarily use the Telnet/SSH login name as the SNMP v3 auth and priv passphrase. This temporary

SNMP login is only allowed if you have one or more active MDS Shell sessions. If you do not have an

active session at any given time, your login is deleted and you will not be allowed to perform SNMP v3

operations.

Note Fabric Manager does not support AAA passwords with trailing whitespace, for example “passwordA “.

By default, two roles exist in all Cisco MDS switches:

•Network operator—Has permission to view the configuration only. The operator cannot make any

configuration changes.

•Network administrator— Has permission to execute all commands and make configuration changes.

The administrator can also create and customize up to 64 additional roles.