
Overview of Authentication Modes and User Levels

Authentication Modes for User Interfaces

Authentication modes for console port login, MiniUSB port login, and Telnet login depend on those configured for user interfaces. There are three authentication modes for user interfaces:

  • AAA authentication: Users must enter a correct user name and password for login. A user can log in to a device only when both the entered AAA user name and password are correct.
  • Password authentication: Users must enter a correct password for login. A user can log in to a device only when the user-entered password is the same as the authentication password configured on the device.
  • None authentication: Users can directly log in to a switch without entering any information.

    If none authentication is used, any user can be successfully authenticated without entering the user name and password. Therefore, you are not advised to use none authentication for device or network security purposes.

    To prevent brute force attacks, the system uses a delayed login mechanism regardless of the authentication mode. This mechanism prevents login for 5 seconds if the first login fails. Each subsequent failure increases the delay by a further 5 seconds.
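The following configuration listing is an added example and is not part of the original page. It contrasts the none authentication mode the text advises against with the password and AAA modes, and shows where the user level is set in each case. It assumes a Huawei VRP system-view CLI on the switch; apart from the user privilege level and local-user privilege level commands named in Table 1, the command syntax is from memory and should be checked against the product's command reference. Lines starting with # are explanatory comments, not commands, and all passwords are placeholders.

```text
# Added example, not from the page. Assumed VRP syntax; verify against the
# command reference. <...> values are placeholders.
system-view

# WEAK: none authentication on the VTY lines combined with a management-level
# user interface. Anyone who reaches the Telnet service is logged in at level 3
# without entering a user name or password (the case the text advises against).
user-interface vty 0 4
 authentication-mode none
 user privilege level 3
 quit

# CORRECTED (minimal): password authentication. The user level is still the
# user-interface level (Table 1), so keep it as low as the task allows.
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher <VTY-PASSWORD-PLACEHOLDER>
 user privilege level 1
 quit

# CORRECTED (preferred): AAA authentication. Each operator has an individual
# account, and the user level comes from the local AAA user, not from the line.
aaa
 local-user netops password irreversible-cipher <PASSWORD-PLACEHOLDER>
 local-user netops privilege level 3
 local-user netops service-type telnet
 quit
user-interface vty 0 4
 authentication-mode aaa
 quit
```

With AAA in place, the delayed-login mechanism described above still applies to every failed attempt, and each failure is now tied to a named account rather than to an anonymous line password.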

Authentication Modes for SSH Users

STelnet login requires user interfaces to support SSH. Therefore, the user interfaces must use AAA authentication. Authentication modes for SSH users depend on those supported by SSH. SSH supports eight authentication modes, namely password, RSA, DSA, ECC, password-RSA, password-DSA, password-ECC, and all.

  • Password authentication: is based on the user name and password. You need to configure a password for each SSH user in the AAA view. A user must enter the correct user name and password to log in using SSH.
  • Rivest-Shamir-Adleman (RSA) authentication: is based on the private key of the client. RSA is a public-key cryptographic system that uses an asymmetric encryption algorithm. An RSA key pair consists of a public key and a private key. You need to copy the public key of the client-generated RSA key pair to the server. The server then uses the public key to encrypt data.
  • Digital Signature Algorithm (DSA) authentication: is similar to RSA authentication. DSA uses the digital signature algorithm to encrypt data.
  • Elliptic Curve Cryptography (ECC) authentication: Compared with RSA authentication at the same security level, ECC authentication uses a shorter key, involves a lighter calculation workload, processes faster, and requires less storage space and bandwidth.
  • Password-RSA authentication: The SSH server implements both password and RSA authentication on login users. The users must pass both authentication modes to log in.
  • Password-DSA authentication: The SSH server implements both password and DSA authentication on login users. The users must pass both authentication modes to log in.
  • Password-ECC authentication: The SSH server implements both password and ECC authentication on login users. The users must pass both authentication modes to log in.
  • All authentication: The SSH server implements public key or private key authentication on login users. Users only need to pass either of them to log in.
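The following listing is an added example, not code from the original page, showing a complete password-RSA setup for one SSH user so that the user must present both a valid password and the RSA key. It assumes a Huawei VRP system-view CLI; the local-user privilege level and user privilege level commands come from Table 1, while the remaining command syntax, the user name sshadmin and the key name client-key-01 are assumptions to be checked against the product's command reference. Lines starting with # are explanatory comments, not commands.

```text
# Added example, not from the page. Assumed VRP syntax; verify against the
# command reference. <...> values are placeholders.
system-view

# STelnet requires AAA authentication on the user interface (see the text above).
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 quit

# Local AAA user. In password and password-RSA modes the user level is taken
# from this account (Table 1).
aaa
 local-user sshadmin password irreversible-cipher <PASSWORD-PLACEHOLDER>
 local-user sshadmin privilege level 3
 local-user sshadmin service-type ssh
 quit

# Import the public key generated on the client. Only the public key is copied
# to the server; the private key never leaves the client.
rsa peer-public-key client-key-01
 public-key-code begin
  <CLIENT-PUBLIC-KEY-PLACEHOLDER>
 public-key-code end
 peer-public-key end

# SSH user: both checks must succeed before the session is opened.
ssh user sshadmin
ssh user sshadmin authentication-type password-rsa
ssh user sshadmin assign rsa-key client-key-01
ssh user sshadmin service-type stelnet
stelnet server enable
```

If the same user were switched to plain RSA authentication (authentication-type rsa), the level would no longer come from the local AAA user but from the user-interface level, so a matching user privilege level command under the VTY lines would then be required (Table 1).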

User Levels

The system can perform hierarchical management over login users. Levels of commands that a user can use depend on the user level. The user level is determined by the authentication mode for the user interface or the local AAA user. For details, see Table 1.

Table 1 User levels for different login methods

| Login Method | Authentication Mode for User Access | Factor for Determining the User Level | Command |
|---|---|---|---|
| Console port login, Mini USB port login, Telnet login | User interface: AAA authentication | Level of a local AAA user | local-user user-name privilege level level |
| Console port login, Mini USB port login, Telnet login | User interface: password authentication | User interface level | user privilege level level |
| Console port login, Mini USB port login, Telnet login | User interface: none authentication | User interface level | user privilege level level |
| STelnet login | Authentication mode for SSH users: password authentication | Level of a local AAA user | local-user user-name privilege level level |
| STelnet login | Authentication mode for SSH users: RSA, DSA, and ECC authentication | User interface level | user privilege level level |
| STelnet login | Authentication mode for SSH users: password-rsa, password-dsa, and password-ecc authentication | Level of a local AAA user | local-user user-name privilege level level |
| STelnet login | Authentication mode for SSH users: all authentication | Deploy the authentication mode as required. | - |

NOTE:

If an SSH user uses the all authentication mode and an AAA user with the same name as the SSH user exists, the user level may differ between the password, RSA, DSA, and ECC authentication modes. Configure the user level based on the actual authentication requirements.

Relationships Between User Levels and Command Levels

Command levels are classified into the visit level, monitoring level, configuration level, and management level in ascending order, corresponding to levels 0, 1, 2, and 3. Table 2 shows the mappings between user levels and command levels.

Table 2 Mappings between user levels and command levels

| User Level | Command Level | Name | Description |
|---|---|---|---|
| 0 | 0 | Visit level | Commands of this level include commands used for network diagnosis, such as the ping and tracert commands, and commands used to access a remote device, such as a Telnet client. |
| 1 | 0 and 1 | Monitoring level | Commands of this level are used for system maintenance, including display commands. |
| 2 | 0, 1, and 2 | Configuration level | Commands of this level are used for service configuration. |
| 3 to 15 | 0, 1, 2, and 3 | Management level | Commands of this level are used to control basic system operations and provide support for services, including file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis. |

NOTE:

Some display commands are not at the monitoring level. For example, the display current-configuration and display saved-configuration commands are at level 3.

Copyright © Huawei Technologies Co., Ltd.