Accessing the switch

Secure access to the switch

Secure switch management is needed for environments that perform significant management functions across the Internet. The following are some of the functions for secured management:

• Limiting management users to a specific IP address range. See the “Setting allowable source IP address ranges” section in this chapter.
• Authentication and authorization of remote administrators. See the “RADIUS authentication and authorization” section or the “TACACS+ authentication” section, both later in this chapter.
• Encryption of management information exchanged between the remote administrator and the switch. See the “Secure Shell and Secure Copy” section later in this chapter.

Setting allowable source IP address ranges

To limit access to the switch without having to configure filters for each switch port, you can set a source IP address (or range) that will be allowed to connect to the switch IP interface through Telnet, SSH, SNMP, or the switch browser-based interface (BBI).

When an IP packet reaches the application switch, the source IP address is checked against the range of addresses defined by the management network and management mask. If the source IP address of the host is within this range, the host is allowed to attempt to log in. Any packet addressed to a switch IP interface with a source IP address outside this range is discarded.

Configuring an IP address range for the management network

Configure the management network IP address and mask from the System Menu in the CLI. For example:

>> Main# /cfg/sys/access/mgmt/add
Enter Management Network Address: 192.192.192.0
Enter Management Network Mask: 255.255.255.128

In this example, the management network is set to 192.192.192.0 and the management mask is set to 255.255.255.128.
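The mask comparison the text describes (source address AND mask, compared with the management network) can be modelled in a few lines. The following is an added illustration, not the switch's own code: it reuses the 192.192.192.0 / 255.255.255.128 values from the CLI example above, and the sample packets and the service names attached to them are constructed.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Management network and mask exactly as entered in the CLI example above.
MGMT_NET = "192.192.192.0"
MGMT_MASK = "255.255.255.128"


def _as_int(dotted: str) -> int:
    """Dotted-quad IPv4 address to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def in_mgmt_range(src_ip: str, mnet: str = MGMT_NET, mmask: str = MGMT_MASK) -> bool:
    """True when src_ip masked with mmask equals the management network masked the same way.

    This is the admission test applied before a host may even attempt to log in;
    it does not replace the login authentication that follows.
    """
    mask = _as_int(mmask)
    return (_as_int(src_ip) & mask) == (_as_int(mnet) & mask)


def matched_block(mnet: str, mmask: str) -> Tuple[str, str]:
    """Lowest and highest address the mask comparison admits for a given mnet/mmask."""
    net = ipaddress.IPv4Network(f"{mnet}/{mmask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def triage_packets(packets: Iterable[Tuple[str, str]],
                   mnet: str = MGMT_NET, mmask: str = MGMT_MASK) -> Dict[str, List[str]]:
    """Split (source_ip, service) pairs into the ones admitted and the ones discarded."""
    result: Dict[str, List[str]] = {"admitted": [], "discarded": []}
    for src, service in packets:
        verdict = "admitted" if in_mgmt_range(src, mnet, mmask) else "discarded"
        result[verdict].append(f"{src} -> {service}")
    return result


# Constructed sample traffic toward the switch IP interface (not from the document).
SAMPLE_PACKETS = [
    ("192.192.192.21", "ssh"),      # inside the defined range
    ("192.192.192.192", "telnet"),  # outside the defined range
    ("10.0.0.5", "snmp"),           # a different network altogether
]

if __name__ == "__main__":
    print("admitted block:", matched_block(MGMT_NET, MGMT_MASK))
    for verdict, entries in triage_packets(SAMPLE_PACKETS).items():
        print(verdict, entries)
    # Re-homing the management network to 192.192.192.128 with the same mask
    # admits the .192 host, which is the alternative the text proposes.
    print(".192 after re-homing:", in_mgmt_range("192.192.192.192", "192.192.192.128", MGMT_MASK))
```

`matched_block` reports 192.192.192.0 through .127 because the masked comparison itself also matches the network address; the manual quotes the usable hosts, .1 through .127. Either way the filter only decides who may attempt a login, so it is a coarse first gate rather than a substitute for the RADIUS or TACACS+ authentication described later in the chapter.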
This defines the following range of allowed IP addresses: 192.192.192.1 to 192.192.192.127.

The following source IP addresses are granted or not granted access to the switch:

• A host with a source IP address of 192.192.192.21 falls within the defined range and would be allowed to access the switch.
• A host with a source IP address of 192.192.192.192 falls outside the defined range and is not granted access. To make this source IP address valid, you would need to shift the host to an IP address within the valid range specified by the mnet and mmask, or modify the mnet to be 192.192.192.128 and the mmask to be 255.255.255.128. This would put the 192.192.192.192 host within the valid range allowed by the mnet and mmask (192.192.192.128-255).

RADIUS authentication and authorization

The switch supports the Remote Authentication Dial-in User Service (RADIUS) method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The Remote Access Server (RAS) — the switch — is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.

RADIUS authentication consists of the following components:

• A protocol with a frame format that utilizes User Datagram Protocol (UDP) over IP, based on Request For Comments (RFC) 2138 and 2866
• A centralized server that stores all the user authorization information
• A client, in this case, the switch

The switch, acting as the RADIUS client, communicates with the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end RADIUS server.
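The two properties stated in the last paragraph (the shared key never crosses the wire, and the administrator password is hidden in transit) are both defined in RFC 2138. The following added example, which is not the switch's code, implements the RFC 2138 User-Password hiding (section 5.2) and the Response Authenticator (section 3) that lets the client check a reply came from a server holding the same secret. The shared secret, request authenticator, user name and password are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 5.2: pad to 16-octet blocks, then chain MD5(secret + previous) XOR block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # the ciphertext block feeds the next MD5, not the plaintext
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing null padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor16(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Client (switch) side: Access-Request carrying User-Name and hidden User-Password."""
    attrs = attribute(ATTR_USER_NAME, username) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2138 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Server side: reply whose authenticator proves knowledge of the shared secret."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator and compare in constant time."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    received, attrs = packet[4:HEADER_LEN], packet[HEADER_LEN:length]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    return hmac.compare_digest(received, expected)


# Constructed values for the walk-through (not from the document).
SECRET = b"constructed-shared-secret"
USERNAME, PASSWORD = b"admin", b"constructed-pw!"

if __name__ == "__main__":
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    req = build_access_request(42, USERNAME, PASSWORD, SECRET, request_auth)
    print("secret on the wire?", SECRET in req, "| password in clear?", PASSWORD in req)
    reply = build_response(ACCESS_ACCEPT, 42, b"", request_auth, SECRET)
    print("reply authentic with right secret:", verify_response(reply, request_auth, SECRET))
    print("reply authentic with wrong secret:", verify_response(reply, request_auth, b"other"))
```

The hiding is an MD5 keystream keyed by the shared secret, so its strength rests entirely on the secret being long, random and distinct per client; the Response Authenticator is what stops a forged Access-Accept from being taken at face value, which is why a wrong secret on either side fails closed rather than silently succeeding.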