Controlling Management Access 171What Are the Recommendations for Management Security?Selecting the authentication policy for a network is very important. In largedeployments, many administrators prefer to use a RADIUS or TACACS+server because it allows the authentication policy to be applied system widewith little administrative effort. Additional recommendations formanagement security include:• Require strong passwords• Disable factory-delivered default accounts• Enable password lockout• Configure user ACLs to protect administrative access to the network.What Is an Authentication Profile?An authentication profile specifies which authentication method or methodsto use to authenticate a user who attempts to access the switch managementinterface. The authentication method can be one or more of the following:• ENABLE—Uses the enable password for authentication.• IAS—Uses the Internal Authentication Server database for 801X port-based authentication.• LINE-—Uses the Line password for authentication.• LOCAL— Uses the ID and password in the Local User Database forauthentication.• RADIUS-—Sends the user's ID and password will be authenticated usingthe RADIUS server instead of locally• TACACS+— Sends the user's ID and password to the configuredTACACS+ server to be authenticated.• NONE-—No authentication is used.You can use the same Authentication Profile for all access types, or select orcreate a variety of profiles based on how a user attempts to access the switchmanagement interface. Profiles can be applied to each of the following accesstypes:• Login—Autnenticates all attempts to login to the switch.• Enable—Authenticates all attempts to enter Privileged EXEC mode (CLIonly).
