Chapter 2. IBM System Networking Switch 10Gb Ethernet switch features 95
If the remote user is successfully authenticated by the authentication server, the switch
verifies the privileges of the remote user and authorizes the appropriate access. The
administrator may allow secure back door access through Telnet/SSH. Secure back door
provides switch access when the TACACS+ servers cannot be reached.
Accounting
Accounting is the action of recording a user's activities on the device for the purposes of
billing and security. It follows the authentication and authorization actions. If
authentication and authorization are not performed through TACACS+, no TACACS+
accounting messages are sent.
You can use TACACS+ to record and track software login access, configuration changes,
and interactive commands.
LDAP authentication and authorization
IBM System Networking switches support the Lightweight Directory Access Protocol (LDAP)
method to authenticate and authorize remote administrators to manage the switch. LDAP is
based on a client/server model.
The switch acts as a client to the LDAP server. A remote user (the remote administrator)
interacts only with the switch, not the back-end server and database.
LDAP authentication consists of the following components:
• A protocol whose messages are carried over TCP/IP
• A centralized server that stores all the user authorization information
• A client, in this case the switch
Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN
consists of the user-account name (the uid attribute) followed by the base DN of the
directory. If the user-account name is John, the following is an example DN:
uid=John,ou=people,dc=domain,dc=com
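The DN is built by concatenating the account name with the base DN, so an account name that itself contains DN syntax (a comma or an equals sign) can add or replace RDNs in the resulting DN. The following is an added example, not code from the book or from the switch firmware: it shows the plain concatenation the text describes next to a hardened form that escapes the value per RFC 4514. BASE_DN (taken from the example DN above) and all function names are this example's own assumptions.

```python
"""Build an LDAP DN for a remote-administrator account (added example).

The DN layout follows the one in the text: uid=<user>, then the directory's base DN.
The escaping rules come from RFC 4514; BASE_DN and the function names are assumptions
of this example, not switch firmware code.
"""

# Assumed base DN, taken from the example DN in the text.
BASE_DN = "ou=people,dc=domain,dc=com"

# RFC 4514 section 2.4: characters that must be backslash-escaped inside a DN value.
_SPECIAL = {"\\", ",", "+", '"', "<", ">", ";", "="}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot add, remove or rewrite RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                     # leading '#' would start a hex value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):       # leading/trailing space is significant
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def naive_user_dn(username: str, base_dn: str = BASE_DN) -> str:
    """Plain concatenation, as the text describes it: unsafe with untrusted names."""
    return f"uid={username},{base_dn}"


def build_user_dn(username: str, base_dn: str = BASE_DN) -> str:
    """Hardened form: reject empty names and escape the value before concatenating."""
    if not username:
        raise ValueError("empty user-account name")
    return f"uid={escape_dn_value(username)},{base_dn}"


def rdn_count(dn: str) -> int:
    """Count RDNs in a DN, honouring backslash escapes (used to show the injection)."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if dn[i] == ",":
            count += 1
        i += 1
    return count
```

With the name `John,ou=admins`, the naive form yields a five-RDN DN that binds under a different subtree; the escaped form keeps the name inside the single `uid` RDN and the DN stays four RDNs long, which is the property a practitioner should verify before passing remote-supplied names to the directory.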
2.8.4 MAC address notification
MAC address notification is a feature that causes a switch to generate a syslog message
when a MAC address is added or removed from the MAC address table. This feature is useful
for tracking hosts as they change the ports they are connected to.
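The notification messages are only useful if something consumes them. The following is an added example, not code from the book or from IBM Networking OS: it parses MAC add/remove syslog lines, reports the port on which each host was last learned, and flags a MAC that bounces between ports within a short window, which usually indicates a duplicate or spoofed address or a loop rather than a host being re-cabled. The line format, the timestamps and the MAC/port values are constructed for this example; the regular expression must be adapted to the exact wording the switch logs.

```python
"""Track hosts by port from MAC address notification syslog messages (added example).

The message wording and timestamps below are constructed for this example (adjust
LINE_RE to the exact text your switch logs); the move-tracking and flapping check
are this example's own logic, not a switch feature.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines: one host flips between ports 3 and 7 within seconds,
# another moves once after half an hour (a normal re-cable).
SAMPLE_LOG = """\
2024-03-01T09:00:00 sw1 MAC 00:1a:2b:3c:4d:5e added on port 3
2024-03-01T09:00:05 sw1 MAC 00:1a:2b:3c:4d:5e removed from port 3
2024-03-01T09:00:06 sw1 MAC 00:1a:2b:3c:4d:5e added on port 7
2024-03-01T09:00:09 sw1 MAC 00:1a:2b:3c:4d:5e removed from port 7
2024-03-01T09:00:10 sw1 MAC 00:1a:2b:3c:4d:5e added on port 3
2024-03-01T09:00:12 sw1 MAC 00:aa:bb:cc:dd:ee added on port 12
2024-03-01T09:30:00 sw1 MAC 00:aa:bb:cc:dd:ee removed from port 12
2024-03-01T09:30:01 sw1 MAC 00:aa:bb:cc:dd:ee added on port 14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) MAC (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<action>added on|removed from) port (?P<port>\d+)$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for a notification line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "mac": m["mac"].lower(),
        "added": m["action"].lower() == "added on",
        "port": int(m["port"]),
    }


def learn_events(log_text):
    """{mac: [(timestamp, port), ...]} for every 'added' event, in log order."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["added"]:
            seen[ev["mac"]].append((ev["ts"], ev["port"]))
    return seen


def current_ports(log_text):
    """Port on which each MAC was last learned (the host-tracking use case)."""
    return {mac: events[-1][1] for mac, events in learn_events(log_text).items()}


def flapping_macs(log_text, window=timedelta(seconds=30), min_moves=2):
    """MACs that moved between ports at least min_moves times inside one window.

    Rapid port changes for one MAC usually mean a duplicate/spoofed address or a
    loop, not a host being re-cabled, so they deserve an alert.
    """
    alerts = {}
    for mac, events in learn_events(log_text).items():
        moves = [(ts, port) for i, (ts, port) in enumerate(events)
                 if i > 0 and port != events[i - 1][1]]
        for i, (ts, _) in enumerate(moves):
            recent = [m for m in moves[: i + 1] if ts - m[0] <= window]
            if len(recent) >= min_moves:
                alerts[mac] = [port for _, port in recent]
                break
    return alerts
```

On the constructed log, `current_ports` reports the first host on port 3 and the second on port 14, and `flapping_macs` raises an alert only for the first host, whose two port changes fall inside the 30-second window.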
2.8.5 802.1x Port-based network access control
Port-based network access control provides a means of authenticating and authorizing
devices attached to a LAN port that has point-to-point connection characteristics. It prevents
access to ports that fail authentication and authorization. This feature provides security to
ports of IBM System Networking Switch Module that connect to blade servers.
Extensible Authentication Protocol over LAN
IBM Networking OS can provide user-level security for its ports by using the IEEE 802.1X
protocol, which is a more secure alternative to other methods of port-based network access
control. Any device attached to an 802.1X-enabled port that fails authentication is prevented
access to the network and denied services offered through that port.
96 Implementing IBM System Networking 10Gb Ethernet Switches
The 802.1X standard describes port-based network access control by using Extensible
Authentication Protocol over LAN (EAPoL). EAPoL provides a means of authenticating and
authorizing devices attached to a LAN port that has point-to-point connection characteristics
and of preventing access to that port in cases of authentication and authorization failures.
EAPoL is a client-server protocol that has the following components:
• Supplicant or Client
The Supplicant is a device that requests network access and provides the required
credentials (user name and password) to the Authenticator and the Authentication Server.
• Authenticator
The Authenticator enforces authentication and controls access to the network. The
Authenticator grants network access based on the information provided by the Supplicant
and the response from the Authentication Server. The Authenticator acts as an
intermediary between the Supplicant and the Authentication Server: requesting identity
information from the client, forwarding that information to the Authentication Server for
validation, relaying the server's responses to the client, and authorizing network access
based on the results of the authentication exchange. The IBM System Networking switch
acts as an Authenticator.
• Authentication Server
The Authentication Server validates the credentials provided by the Supplicant to
determine whether the Authenticator should grant access to the network. The
Authentication Server may be co-located with the Authenticator. The VFSM relies on
external RADIUS servers for authentication.
Upon a successful authentication of the client by the server, the 802.1X-controlled port
transitions from unauthorized to authorized state, and the client is allowed full access to
services through the port. When the client sends an EAP-Logoff message to the
authenticator, the port transitions from an authorized to unauthorized state.
EAPoL authentication process
The clients and authenticators communicate by using Extensible Authentication Protocol
(EAP), which was originally designed to run over PPP, and for which the IEEE 802.1X
Standard defined an encapsulation method over Ethernet frames, called EAP over
LAN (EAPoL).
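The port state transitions described above (unauthorized until the server accepts the supplicant, back to unauthorized on EAP-Logoff) and the EAPoL encapsulation are easiest to see with frames in hand. The following is an added example, not code from the book or from IBM Networking OS: it encodes and parses EAPOL frames (IEEE 802.1X header) carrying EAP packets (RFC 3748), rejects malformed frames, and drives a minimal authenticator port through Start, Request/Identity, Response/Identity, Success or Failure, and Logoff. The class and function names, the MAC addresses and the stand-in "server" callable are this example's own assumptions; the exchange is cut down to the Identity step followed by the server's verdict, whereas a real deployment runs an EAP method such as EAP-TLS or PEAP between those two steps, with the switch relaying the packets to RADIUS.

```python
"""EAPoL framing and an authenticator port state machine (added example).

Frame layouts follow IEEE 802.1X (EAPOL header) and RFC 3748 (EAP packet). Names are
this example's own, not IBM Networking OS code; the Authentication Server is a local
callable standing in for RADIUS, and the EAP method exchange that carries the real
credential is collapsed into that callable's decision.
"""
import struct

ETH_P_PAE = 0x888E                                  # EtherType for EAPOL
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")      # 802.1X PAE group address
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2      # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes
EAP_TYPE_IDENTITY = 1

def eap_packet(code, ident, type_=None, data=b""):
    """RFC 3748 EAP packet: code, identifier, length, then optional type and data."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def eapol_frame(src, ptype, body=b"", dst=PAE_GROUP_ADDR, version=2):
    """Ethernet header + EAPOL header (version, type, body length) + body."""
    return dst + src + struct.pack("!HBBH", ETH_P_PAE, version, ptype, len(body)) + body

def parse_eapol(frame):
    """Return (src, eapol_type, eap_dict_or_None); raise ValueError on malformed input."""
    if len(frame) < 18:
        raise ValueError("truncated EAPOL frame")
    src = frame[6:12]
    ethertype, _version, ptype, blen = struct.unpack("!HBBH", frame[12:18])
    if ethertype != ETH_P_PAE:
        raise ValueError("not an EAPOL frame")
    body = frame[18:18 + blen]
    if len(body) != blen:
        raise ValueError("EAPOL body length mismatch")
    if ptype != EAPOL_EAP:
        return src, ptype, None
    if blen < 4:
        raise ValueError("truncated EAP packet")
    code, ident, elen = struct.unpack("!BBH", body[:4])
    if elen < 4 or elen > blen:
        raise ValueError("bad EAP length")
    eap = {"code": code, "id": ident}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if elen < 5:
            raise ValueError("EAP request/response without type")
        eap["type"], eap["data"] = body[4], body[5:elen]
    return src, ptype, eap

def frame_is_valid(frame):
    """True if parse_eapol accepts the frame (usable as an ingress filter)."""
    try:
        parse_eapol(frame)
        return True
    except ValueError:
        return False

class AuthenticatorPort:
    """Controlled port: 'unauthorized' until the server accepts the supplicant,
    and back to 'unauthorized' on EAPOL-Logoff."""

    def __init__(self, port_mac, auth_server):
        self.mac = port_mac
        self.auth_server = auth_server        # callable(identity) -> bool, stands in for RADIUS
        self.state = "unauthorized"
        self.next_id = 0
        self.outstanding_id = None            # id of the Request we are waiting on

    def handle(self, frame):
        """Process one supplicant frame; return the frame to send back, or None."""
        src, ptype, eap = parse_eapol(frame)
        if ptype == EAPOL_START:
            return self._request_identity(src)
        if ptype == EAPOL_LOGOFF:
            self.state = "unauthorized"
            return None
        if eap is None or eap["code"] != EAP_RESPONSE:
            return None
        if eap["id"] != self.outstanding_id or eap["type"] != EAP_TYPE_IDENTITY:
            return None                       # unsolicited or out-of-order response
        self.outstanding_id = None
        identity = eap["data"].decode("utf-8", "replace")
        accepted = self.auth_server(identity)
        self.state = "authorized" if accepted else "unauthorized"
        result = EAP_SUCCESS if accepted else EAP_FAILURE
        return eapol_frame(self.mac, EAPOL_EAP, eap_packet(result, eap["id"]), dst=src)

    def _request_identity(self, dst):
        self.next_id = (self.next_id + 1) % 256
        self.outstanding_id = self.next_id
        req = eap_packet(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY)
        return eapol_frame(self.mac, EAPOL_EAP, req, dst=dst)

def run_exchange(identity, accepted=frozenset({"blade01"})):
    """Drive Start -> Request/Identity -> Response/Identity -> result -> Logoff.
    Returns (result code, port state observed after each stage)."""
    supplicant = bytes.fromhex("001122334455")          # constructed MAC addresses
    port = AuthenticatorPort(bytes.fromhex("00aabbccddee"), lambda ident: ident in accepted)
    states = [port.state]
    _, _, req = parse_eapol(port.handle(eapol_frame(supplicant, EAPOL_START)))
    resp = eap_packet(EAP_RESPONSE, req["id"], EAP_TYPE_IDENTITY, identity.encode())
    _, _, result = parse_eapol(port.handle(eapol_frame(supplicant, EAPOL_EAP, resp)))
    states.append(port.state)
    port.handle(eapol_frame(supplicant, EAPOL_LOGOFF))
    states.append(port.state)
    return result["code"], states
```

Two details matter for a practitioner: the authenticator only acts on a Response whose identifier matches the Request it issued, so stray or replayed responses do not move the port, and the Logoff transition means an attacker on a shared segment who can forge an EAPOL-Logoff from the supplicant's MAC can knock an authorized port back to unauthorized, which is one reason the feature is intended for point-to-point links.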