End user access control, Considerations for configuring end user accounts – Juniper Networks EX2500 User Manual


Securing Access to the Switch


Chapter 1: Accessing the Switch

A value of 0 (zero) denotes that RSA server key autogeneration is disabled. When
the interval value is greater than 0, the switch will autogenerate the RSA server key
every specified interval. However, RSA server key generation is skipped if the
switch is busy doing other key or cipher generation when the timer expires.

SSH Integration with RADIUS and TACACS+ Authentication

SSH is integrated with RADIUS authentication. After the RADIUS server is enabled
on the switch, all subsequent SSH authentication requests will be redirected to the
specified RADIUS servers for authentication. The redirection is transparent to the
SSH clients.

SSH is integrated with TACACS+ authentication. After the TACACS+ server is
enabled on the switch, all subsequent SSH authentication requests will be
redirected to the specified TACACS+ servers for authentication. The redirection is
transparent to the SSH clients.

End User Access Control

The EX2500 switch allows an administrator to define end user accounts that permit
end users to perform operational tasks using the switch CLI commands. Once end user
accounts are configured and enabled, the switch requires username-password
authentication.

For example, an administrator can assign a user, who can then log in to the switch
and perform operational commands (effective only until the next switch reboot).

Considerations for Configuring End User Accounts

- A maximum of 10 user IDs are supported on the switch.

- The EX2500 switch supports end user access to the switch through the console,
  Telnet, EX2500 Web Device Manager, and SSHv1 or SSHv2.

- If RADIUS authentication is used, the user password on the RADIUS server will
  override the user password on the EX2500 switch. Also note that the password
  change command on the switch only modifies the user password on the switch and
  has no effect on the user password on the RADIUS server. RADIUS
  authentication and a user password cannot be used concurrently to access the
  switch.

- Passwords for end users can be up to 128 characters in length.

NOTE: The switch can perform only one session of key or cipher generation at a
time. Thus, an SSH client will not be able to log in if the switch is performing key
generation at that time, or if another client has logged in immediately prior. Also,
key generation will fail if an SSH client is logging in at that time.
