20 Using security in your network• Teachers’ offices and classroomsThe PCs that are located in the teachers’ offices and in the classroomsare assigned MAC address-based security that is specific for eachclassroom and office location. The security feature logically locks eachwall jack to the specified station and prevents unauthorized access tothe switch if someone attempts to connect a personal laptop PC into thewall jack. The printer is assigned as a single station and is allowedfull bandwidth on that switch port.It is assumed that all PCs are password protected and that theclassrooms and offices are physically secured.• LibraryThe wall jacks in the library are set up so that the PCs can be connectedto any wall jack in the room. With this arrangement, you can movethe PCs anywhere in the room. The exception is the printer, which isassigned as a single station with full bandwidth to that port.It is assumed that all PCs are password protected and that access tothe library is physically secured.RADIUS-based network securityThe RADIUS-based security feature lets you set up network access controlby using the Remote Authentication Dial-In User Services (RADIUS) securityprotocol. The RADIUS-based security feature uses the RADIUS protocol toauthenticate local console, Telnet, SSH, and Web access login sessions.You need to set up specific user accounts (user names and passwords, andService-Type attributes) on your RADIUS server before you can initiatethe authentication process. These accounts provide you with appropriatelevels of access to the switch.Set the following username attributes on your RADIUS server:• Read-write access—set the Service-Type field value to Administrative.• Read-only access—set the Service-Type field value to NAS-Prompt.For detailed instructions to set up your RADIUS server, see your RADIUSserver documentation.RADIUS password fallback enhancementWith Release 4.1 software, you can configure RADIUS password fallback asan option when using RADIUS authentication for login and password.When RADIUS password fallback is enabled and the RADIUS server isunavailable or unreachable, you can use the local switch password to logon to the switch.Nortel Ethernet Routing Switch 2500 SeriesSecurity — Configuration and ManagementNN47215-505 (323165-B) 02.01 Standard4.1 19 November 2007Copyright © 2007, Nortel Networks.