Device and user level background information, Device and user level background information 145 – Cabletron Systems CSX1000 User Manual
Page 145
Workgroup Remote Access Switch 145
C
ONFIGURING
S
ECURITY
L
EVEL
Device and User Level Security
D
EVICE
AND
U
SER
L
EVEL
B
ACKGROUND
I
NFORMATION
Multi-level security (device and user level) provides you with increased security options for your
network. This feature supports device level security for all remote devices. User-level
authentication can be performed on top of device level authentication for IP, IPX, AppleTalk and
bridge users. Only users configured for user level authentication will be required to do so. Refer to
the following illustration of a sample IP network configured for multilevel security.
The network security level has been configured for both device level and user level security.
Certain remote devices, such as Ollie, are able to dial-in and are only authenticated at the device
level. However, remote devices, such as Sparky, are configured in the device level database to be
authenticated at the user level as well as at the device level.
For example, Scally is using the PC on the LAN attached to Sparky, a CSX1200. Scally needs to
download some files off of the Service Server, which is on the LAN connecting to Zoe, a CSX1200.
Upon initiation of Scally’s call, device level authentication begins. Zoe checks its on-node device
database to see if Sparky is a valid device, and whether its IP address and password are also valid.
If valid, Zoe allows the connection, however a data filter is placed on the connection. This filter only
allows Telnet session traffic to flow over the connection between Zoe and Sparky. User level
authentication begins when Scally telnets to the IP address 1.1.1.1, port 7003, which is the port
assigned to the ACE server. Zoe sends the user level login prompt to Scally’s PC. Once Scally
completes the login and password information, Zoe relays this data to the ACE Server. If Scally is
a valid user in the ACE database and provides the correct login and password, Zoe removes the
restrictive filter so he may access the Service Server, or any other system on that LAN. Now that
Scally has been properly authenticated, any users on his LAN may access the systems attached to
Zoe. For example, while Scally is downloading files, Simon could boot up his PC and access the
Internet without going through the authentication process.
ISDN
POWER
SERVICE
TX
RX
10BASE - T
LAN B-CHANNELS E1 ONLY
B2 B4
B6 B8
B26 B28
B22 B24
B18 B20
B14 B16
B10 B12
B30 L1
B1 B3
B5 B7
B25 B27
B21 B23
B17 B19
B13 B15
B9 B11
B29 B31
E1
D
T1
D
Ace Server
Internet
Service
Server
CSX1200
1.1.1.1
sys name: Zoe
1.1.1.2
Device Table
name: Sparky
name: Ollie
CSX1200
sys name: Sparky
Device Table
name: Zoe
CSX1200
sys name: Ollie
Device Table
name: Zoe
Scally
PC
PC
Simon
PC
POWER
SERVICE
TX
RX
10BASE - T
LAN B-CHANNELS E1 ONLY
B2 B4
B6 B8
B26 B28
B22 B24
B18 B20
B14 B16
B10 B12
B30 L1
B1 B3
B5 B7
B25 B27
B21 B23
B17 B19
B13 B15
B9 B11
B29 B31
E1
D
T1
D
POWER
SERVICE
TX
RX
10BASE - T
LAN B-CHANNELS E1 ONLY
B2 B4
B6 B8
B26 B28
B22 B24
B18 B20
B14 B16
B10 B12
B30 L1
B1 B3
B5 B7
B25 B27
B21 B23
B17 B19
B13 B15
B9 B11
B29 B31
E1
D
T1
D