Cisco SR224T Administration Guide - Page 257

Secure Sensitive Data SSD Rules 19 SSD Rules and User Authentication SSD grants SSD permission only to authenticated and authorized users and according to the SSD rules. A device depends on its user authentication process to authenticate and authorize management access. To protect a device and its data including sensitive data and SSD configurations from unauthorized access, it is recommended that the user authentication process on a device is secured. To secure the user authentication process, you can use the local authentication database, as well as secure the communication through external authentication servers, such as RADIUS and TACACS servers. The configuration of the secure communication to the external authentication servers are sensitive data and are protected under SSD. NOTE The user credential in the local authenticated database is already protected by a non SSD related mechanism If a user from a channel issues an action that uses an alternate channel, the device applies the read permission and default read mode from the SSD rule that match the user credential and the alternate channel. For example, if a user logs in via a secure channel and starts a TFTP upload session, the SSD read permission of the user on the insecure channel (TFTP) is applied Default SSD Rules The device has the following factory default rules: Table 3 Default SSD Rules Rule Key User Channel Level 15 Level 15 Level 15 All All All Secure XML SNMP Secure Insecure Insecure XML SNMP Secure Insecure Rule Action Read Permission Plaintext Only Both Both Exclude Encrypted Only Encrypted Only Default Read Mode Plaintext Encrypted Encrypted Exclude Encrypted Encrypted The default rules can be modified, but they cannot be deleted. If the SSD default rules have been changed, they can be restored. Cisco Small Business 200 Series Smart Switch Administration Guide 258