Matrix E1 Series (1G58x-09 and 1H582-xx) Configuration Guide 14-113
14.4 WORKING WITH SECURITY CONFIGURATIONS
14.4.1 Host Access Control Authentication (HACA)
To use HACA, the embedded RADIUS client on the Matrix E1 device must be configured to
communicate with the RADIUS server. A RADIUS server must be online and its IP address(es)
must be configured with the same password as the RADIUS client. When using the set radius
command (Section 14.3.1.2) to configure the RADIUS server IP address on the Matrix E1, the
switch will prompt for this Read-Write (rw) “server secret” password, which is used to encrypt
RADIUS frames.
By default at device startup, the RADIUS client is disabled. Default values are as follows:
Timeout: 20 seconds
Retries: 3
Primary and secondary authentication ports: 0
Last-resort-action for local and remote authentication is to challenge the user for a system
password.
The Matrix E1 Series device allows for up to 10 RADIUS servers to be configured, with up to 2
active at any given time. If only one RADIUS server is configured, the device assumes it is the
primary server. It is not necessary to reboot after the client is reconfigured.
When the RADIUS client is active on the Matrix E1 device, the user is prompted for a user login
name and password when attempting to access the host IP address via CLI. The embedded
RADIUS client encrypts the information entered by the user and sends it to the RADIUS server for
validation. The server then returns an access-accept or access-reject response to the client,
allowing or denying the user access to the host application at the proper access level.
When the RADIUS client cannot communicate with the RADIUS server within (retries *
timeout = 3 * 20 = 60 secs), the authentication process times out, notifies the user that the RADIUS
server has timed out by printing a message to the screen, and the RADIUS last-resort-action
setting takes effect. If the user is trying to log in via the local console and the local last-resort-action
is set to accept, the user is granted access to the switch. If the local last-resort-action is set to
reject, the user is denied access to the switch. If the local last-resort-action is set to challenge, the
user is prompted to enter the local username and password; if these match the local database,
access to the switch is allowed.
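The retry and last-resort-action behaviour described above, modelled as a small Python example added here (not Enterasys code); the RADIUS exchange, the console prompt and the local user database are stand-in callables and a constructed dictionary:

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

RadiusFn = Callable[[str, str], Optional[str]]   # returns "accept", "reject" or None (no reply)
PromptFn = Callable[[], Tuple[str, str]]         # (username, password) typed at the local challenge

@dataclass
class HacaConfig:
    timeout: int = 20                       # seconds per attempt (default from the guide)
    retries: int = 3                        # attempts before giving up (default from the guide)
    local_last_resort: str = "challenge"    # console logins: accept | reject | challenge
    remote_last_resort: str = "challenge"   # remote logins: accept | reject | challenge
    local_db: dict = field(default_factory=dict)  # constructed local username -> password

def max_wait(cfg: HacaConfig) -> int:
    """Seconds before the client reports that the RADIUS server has timed out."""
    return cfg.retries * cfg.timeout

def authenticate(cfg: HacaConfig, user: str, password: str, via_console: bool,
                 radius: RadiusFn, prompt_local: PromptFn):
    """Return (decision, reason, seconds_waited) for one login attempt."""
    waited = 0
    # Each unanswered attempt costs cfg.timeout seconds; after cfg.retries of them
    # the server is declared timed out and the last-resort-action applies.
    for _ in range(cfg.retries):
        reply = radius(user, password)
        if reply in ("accept", "reject"):
            return reply, "radius", waited
        waited += cfg.timeout
    action = cfg.local_last_resort if via_console else cfg.remote_last_resort
    if action in ("accept", "reject"):
        return action, "last-resort-" + action, waited
    # challenge: the user is re-prompted and checked against the local database
    local_user, local_pass = prompt_local()
    ok = cfg.local_db.get(local_user) == local_pass
    return ("accept" if ok else "reject"), "local-db", waited
```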