Technical data

ServerIron ADX Administration Guide 137
53-1002434-01
Configuring authentication-method lists
NOTE
You do not need an authentication-method list to secure access based on ACLs or a list of IP
addresses. Refer to “Using ACLs to restrict remote access” on page 93 or “Restricting remote
access to the device to specific IP addresses” on page 95.

In an authentication-method list for a particular access method, you can specify up to seven
authentication methods. If the first authentication method is successful, the software grants
access and stops the authentication process. If the access is rejected by the first authentication
method, the software denies access and stops checking.

However, if an error occurs with an authentication method, the software tries the next method on
the list, and so on. For example, if the first authentication method is the RADIUS server, but the link
to the server is down, the software will try the next authentication method in the list.

NOTE
If an authentication method is working properly and the password (and user name, if applicable) is
not known to that method, this is not an error. The authentication attempt stops, and the user is
denied access.

The software will continue this process until either the authentication method is passed or the
software reaches the end of the method list. If the Super User level password is not rejected after
all the access methods in the list have been tried, access is granted.

Configuration considerations for authentication-method lists

• For CLI access, you must configure authentication-method lists if you want the device to
  authenticate access using local user accounts or a RADIUS server. Otherwise, the device will
  authenticate using only the locally based password for the Super User privilege level.
• When no authentication-method list is configured specifically for Web management access,
  the device performs authentication using the SNMP community strings:
  - For read-only access, you can use the user name “get” and the password “public”. The
    default read-only community string is “public”.
  - There is no default read-write community string. Thus, by default, you cannot open a
    read-write management session using the Web Management Interface. You first must
    configure a read-write community string using the CLI. Then you can log on using “set” as
    the user name and the read-write community string you configure as the password. Refer
    to “Configuring TACACS or TACACS+ security” on page 106.
• If you configure an authentication-method list for Web management access and specify “local”
  as the primary authentication method, users who attempt to access the device using the Web
  Management Interface must supply a user name and password configured in one of the local
  user accounts on the device. The user cannot access the device by entering “set” or “get” and
  the corresponding SNMP community string.
• For devices that can be managed using IronView, the default authentication method (if no
  authentication-method list is configured for SNMP) is the CLI Super User level password. If no
  Super User level password is configured, then access through IronView is not authenticated.
  To use local user accounts to authenticate access through IronView, configure an
  authentication-method list for SNMP access and specify “local” as the primary authentication
  method.
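
The considerations above can be checked against a saved configuration. The following is an added example, not part of the guide or vendor code. It assumes method lists appear as "aaa authentication <access> default <methods>" with the access keywords login, web-server and snmp-server, and that a Super User password appears as "enable super-user-password"; this syntax is not shown on this page, and the sample configuration is constructed.

```python
# Added example: audit a saved configuration against the defaults described above.
# Assumption: the command forms parsed here are not shown on this page.
MAX_METHODS = 7  # limit stated in the guide

FALLBACK = {  # behaviour the guide describes when an access method has no list
    "login": "CLI checks only the local Super User level password",
    "web-server": "Web login accepts SNMP community strings (get/public by default)",
    "snmp-server": "IronView checks only the Super User level password",
}

def parse(config_text):
    """Return ({access: [methods]}, super_user_password_configured)."""
    lists, super_pw = {}, False
    for line in config_text.splitlines():
        w = line.split()
        if w[:2] == ["aaa", "authentication"] and len(w) >= 5 and w[3] == "default":
            lists[w[2]] = w[4:]
        elif w[:2] == ["enable", "super-user-password"]:
            super_pw = True
    return lists, super_pw

def audit(config_text):
    """Return (access, code, detail) findings for one configuration."""
    lists, super_pw = parse(config_text)
    findings = []
    for access, detail in FALLBACK.items():
        methods = lists.get(access)
        if methods is None:
            if access == "snmp-server" and not super_pw:
                findings.append((access, "UNAUTHENTICATED", "IronView access is not authenticated"))
            else:
                findings.append((access, "NO_LIST", detail))
        elif len(methods) > MAX_METHODS:
            findings.append((access, "TOO_MANY", f"{len(methods)} methods, limit is {MAX_METHODS}"))
        elif len(methods) > 1:
            # Only an error (e.g. server unreachable) moves on; a reject stops the list.
            findings.append((access, "ERROR_FALLBACK", " -> ".join(methods)))
    return findings

# Constructed sample, not taken from a real device.
SAMPLE = """\
enable super-user-password CONSTRUCTED-VALUE
aaa authentication login default radius local
aaa authentication web-server default local
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

An ERROR_FALLBACK finding is informational: it names the method that takes over when an earlier one fails with an error, so that method's credentials need the same care as the primary's.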