FS S5900-24S4T2Q Ethernet Switch Security Configuration
Chapter 1 AAA Configuration
Access control is the method used to control access to networks and services. Authentication, authorization, and accounting (AAA) network security services provide the primary framework for setting up access control on your OLT or access server.
1.1 AAA Overview
AAA is an architectural framework for configuring a set of three independent security functions in a consistent manner. It provides a modular way of performing the following services:
- Authentication: A method of identifying users, including username/password inquiry and encryption according to the chosen security protocol. AAA authentication can be configured by defining an authentication method list and applying it to all interfaces. The default authentication method list is 'default'.
- Authorization: A remote access control method to limit user permissions. AAA authorization takes effect through a group of features compared with user information in a database. This database can be on the local server, switch, or a remote RADIUS/TACACS+ server.
- Accounting: A method to collect user information and send it to the security server. This information can be used for account sheets, auditing, and form reports, including user ID, start/end time, execution commands, and packet/byte counts.
1.1.1 AAA Security Service
AAA provides the following benefits:
- Increased flexibility and control of access configuration
- Scalability
- Standardized authentication methods (RADIUS, TACACS+, Kerberos)
- Multiple backup systems
1.1.2 AAA Principles
AAA allows dynamic configuration of authentication and authorization types on a per-line or per-service basis. This is achieved by creating method lists and applying them to specific services or interfaces.
1.1.3 AAA Method List
To configure AAA, define a named method list and apply it to a service or interface. The method list defines the running AAA type and sequence. Any defined method list must be applied before running, except for the default method list which is applied automatically to all interfaces. A method list is a sequential list of authentication methods. If one method fails or does not respond, the software attempts the next method in the list.
1.1.4 AAA Configuration Process
To configure AAA security on switches or access servers, follow these steps:
- Assess security risks and decide on appropriate measures to prevent unauthorized entry and attacks.
- If using a security server, configure security protocol parameters (RADIUS, TACACS+, Kerberos).
- Define method lists for authentication using an AAA authentication command.
- Apply the method lists to specific interfaces or lines if required.
- Optionally, configure authorization using the aaa authorization command.
- Optionally, configure accounting using the aaa accounting command.
1.1.5 AAA Configuration Example
The following example shows a typical AAA network configuration with RADIUS and TACACS+ servers:
(Diagram description: A network diagram shows a Remote PC connected to a NAS (Network Access Server). The NAS is connected to two RADIUS servers (R1, R2) and two TACACS+ servers (T1, T2). A Workstation is also shown.)
In this example, the default method list is applied to all interfaces. When a remote user attempts to log in, the network access server queries R1 for authentication. If R1 authenticates, a PASS response is sent. If R1 fails, the user is denied access. If R1 does not respond (ERROR), the server queries R2. A FAIL response means the user did not meet authentication criteria, while an ERROR means the server did not respond.
1.2 Authentication Configuration
1.2.1 AAA Authentication Configuration Task List
- Configuring Login Authentication Using AAA
- Enabling Password Protection at the Privileged Level
- Configuring Message Banners for AAA Authentication
- Modifying the Notification Character String for Username Input
- Modifying AAA authentication password-prompt
- Creating the Authentication Database with the Local Privilege
1.2.2 AAA Authentication Configuration Task
To configure AAA authentication:
- If using a separate security server, configure security protocol parameters (RADIUS, TACACS+).
- Configure the authentication method list using aaa authentication.
- Apply the accounting method list to a specific interface or line, if necessary.
1.2.2.1 Configuring Login Authentication Using AAA
The aaa authentication login command enables AAA authentication. You can create one or more lists of authentication methods that are tried at login. These lists are applied using the login authentication line configuration command.
Commands:
aaa authentication login {default | list-name} method1 [method2...]
: Enables AAA globally.
line [console | vty ] line-number [ending-line-number]
: Enters the configuration mode of a line.
login authentication {default | list-name}
: Applies the authentication list to a line or set of lines.
Supported login authentication methods:
Keyword | Notes |
---|---|
enable | Uses the enable password for authentication. |
group name | Uses named server group for authentication. |
group radius | Uses RADIUS for authentication. |
group tacacs+ | Uses group tacacs+ for authentication. |
line | Uses the line password for authentication. |
local | Uses the local username database for authentication. |
localgroup | Uses the local strategy group username database for authentication. |
local-case | Uses case-sensitive local user name authentication. |
none | Passes the authentication unconditionally. |
Example using local password:
aaa authentication login default local
Example using RADIUS:
aaa authentication login default group radius
1.2.2.2 Enabling Password Protection at the Privileged Level
The aaa authentication enable default command creates a series of authentication methods for accessing the privileged EXEC command level. You can specify up to four methods.
Command:
aaa authentication enable default method1 [method2...]
: Enables user ID and password checking for users requesting privileged EXEC level.
Supported enable authentication methods are similar to login authentication methods (enable, group name, group radius, group tacacs+, line, none).
1.2.2.3 Configuring Message Banners for AAA Authentication
You can configure personal logon or failed logon banners. When AAA authentication fails, the configured message banner is displayed.
To configure the registration banner:
aaa authentication banner delimiter text-string delimiter
To configure the banner of failed logon:
aaa authentication fail-message delimiter text-string delimiter
Usage Guidelines: Use a delimiter to indicate the start and end of the banner text string.
1.2.2.4 Modifying the Notification Character String for Username Input
Use the aaa authentication username-prompt command to modify the default username input prompt text. Use no aaa authentication username-prompt to revert to the default.
1.2.2.5 Modifying AAA authentication password-prompt
Use the aaa authentication password-prompt text-string command to change the password prompt text. Use no aaa authentication password-prompt to revert to the default.
1.2.2.6 Creating the Authentication Database with the Local Privilege
Use the enable password { [encryption-type] encrypted-password} [level level] command to create the enable password database with local privilege. Use no enable password [level level] to cancel it.
1.2.3 AAA Authentication Configuration Example
1.2.3.1 RADIUS Authentication Example
Example configuration to authenticate and authorize using RADIUS:
aaa authentication login radius-login group radius local
aaa authorization network radius-network group radius
line vty 3
login authentication radius-login
Explanation:
aaa authentication login radius-login group radius local
: Configures the switch to use RADIUS for authentication. If RADIUS returns an error, the user is authenticated using the local database.
aaa authorization network radius-network group radius
: Queries RADIUS for network authorization, address assignment, and access lists.
login authentication radius-login
: Enables the radius-login method list for line 3.
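
The PASS/FAIL/ERROR behaviour from section 1.1.5 and the fallback described in the explanation above, as an added Python sketch (not FS code). It parses the page's aaa authentication login syntax and walks the list; the per-method outcomes are constructed inputs, and treating "every method errored" as a denial is an assumption.

```python
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # the method answered and accepted the user
    FAIL = "FAIL"    # the method answered and rejected the user
    ERROR = "ERROR"  # the method did not respond


def parse_method_list(line):
    """Parse 'aaa authentication login <name> m1 [m2...]' into (name, methods)."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("not an aaa authentication login line: %r" % line)
    name, rest = tokens[3], tokens[4:]
    methods, i = [], 0
    while i < len(rest):
        if rest[i] == "group":  # 'group radius', 'group tacacs+', 'group <name>'
            if i + 1 >= len(rest):
                raise ValueError("'group' needs a server group name")
            methods.append("group " + rest[i + 1])
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    return name, methods


def evaluate(methods, outcomes):
    """Walk a method list in order.

    outcomes maps a method to the Result it would return (constructed input);
    a method missing from the map is treated as not responding.
    Returns (final Result, methods actually consulted).
    """
    tried = []
    for method in methods:
        tried.append(method)
        if method == "none":
            return Result.PASS, tried        # 'none' passes unconditionally
        result = outcomes.get(method, Result.ERROR)
        if result is not Result.ERROR:
            return result, tried             # PASS and FAIL are both final
    return Result.ERROR, tried               # assumption: caller denies access


if __name__ == "__main__":
    _, methods = parse_method_list(
        "aaa authentication login radius-login group radius local")
    cases = {
        "RADIUS rejects": {"group radius": Result.FAIL, "local": Result.PASS},
        "RADIUS down": {"group radius": Result.ERROR, "local": Result.PASS},
    }
    for label, outcomes in cases.items():
        result, tried = evaluate(methods, outcomes)
        print("%-15s -> %s after %s" % (label, result.value, tried))
```

A FAIL from RADIUS ends the walk, so a local account is never consulted while the server is answering; the local database only matters during an outage. A list that ends in none turns the same outage into unauthenticated access.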
1.3 Authorization Configuration
1.3.1 AAA Authorization Configuration Task List
- Configuring EXEC authorization through AAA
1.3.2 AAA Authorization Configuration Task
To configure AAA authorization:
- If using a separate security server, configure security protocol parameters (RADIUS, TACACS+).
- Run aaa authorization to define the authorization method list.
- Apply the accounting method list to a specific interface or line, if necessary.
1.3.2.1 Configuring EXEC authorization through AAA
The aaa authorization exec command creates authorization method lists to determine if users can run the EXEC shell and their privilege level.
Commands:
aaa authorization exec {default | list-name} method1 [method2...]
: Creates the global authorization list.
line [console | vty ] line-number [ending-line-number]
: Enters the configuration mode of a line.
login authorization {default | list-name}
: Applies the authorization list to a line or set of lines.
Supported EXEC authorization methods:
Keyword | Notes |
---|---|
group WORD | Uses the named server group to conduct authorization. |
group radius | Uses RADIUS authorization. |
group tacacs+ | Uses tacacs+ authorization. |
local | Uses the local database to perform authorization. |
if-authenticated | Automatically authorizes the authenticated user with all required functions. |
none | Passes the authorization unconditionally. |
Example of Local EXEC Authorization:
aaa authentication login default local
aaa authorization exec default local
!
localauthor a1
exec privilege default 15
!
local author-group a1
!
username exec1 password 0 abc
username exec2 password 0 abc author-group a1
username exec3 password 0 abc maxlinks 10
username exec4 password 0 abc autocommand telnet 172.16.20.1
Explanation:
aaa authentication login default local
: Defines the default login-authentication method list.
aaa authorization exec default local
: Defines the default EXEC authorization method list.
localauthor a1
: Defines a local authorization policy named 'a1'.
exec privilege default 15
: Sets the default privilege level for EXEC login users to 15.
local author-group a1
: Applies the local authorization policy 'a1' to the global configuration.
username exec1 password 0 abc
: Defines user 'exec1' with password 'abc'.
username exec2 password 0 abc author-group a1
: Defines user 'exec2' with password 'abc' and applies policy 'a1'.
username exec3 password 0 abc maxlinks 10
: Defines user 'exec3' with password 'abc' and sets max concurrent links to 10.
username exec4 password 0 abc autocommand telnet 172.16.20.1
: Defines user 'exec4' with password 'abc' and sets an autocommand to run telnet 172.16.20.1 upon login.
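
A configuration review of the kind this example invites, as an added Python sketch (not an FS tool). It reads a saved configuration in the syntax shown on this page and reports method lists containing none, named login lists that are defined but never applied (or applied but never defined), exec privilege default 15, and passwords stored with encryption-type 0. The check names and the sample configuration are constructed, and reading type 0 as "stored in clear" is inferred from the explanation above.

```python
import re

# Constructed sample in the page's syntax (not taken from a real device).
SAMPLE_CONFIG = """\
aaa authentication login default local
aaa authentication login mgmt group radius none
aaa authentication login radius-login group radius local
aaa authorization exec default local
!
localauthor a1
 exec privilege default 15
!
local author-group a1
!
username exec1 password 0 abc
username exec2 password 0 abc author-group a1
!
line vty 3
 login authentication radius-login
line vty 4
 login authentication ops
"""

CLEARTEXT = re.compile(r"(username\s+\S+|enable)\s+password\s+0\s+\S+")


def audit(config):
    """Return a sorted list of (line_number, check, detail) findings."""
    findings, defined, applied = [], {}, {}
    for n, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if (tok[0] == "aaa" and len(tok) >= 5
                and tok[1] in ("authentication", "authorization")):
            if "none" in tok[4:]:
                findings.append((n, "none-method",
                                 "list '%s' can pass with no check" % tok[3]))
            if tok[1:3] == ["authentication", "login"]:
                defined[tok[3]] = n
        elif tok[:2] == ["login", "authentication"] and len(tok) == 3:
            applied.setdefault(tok[2], n)     # remember first line applying it
        elif tok[:3] == ["exec", "privilege", "default"] and tok[3:] == ["15"]:
            findings.append((n, "default-priv-15",
                             "every EXEC login under this policy gets level 15"))
        elif CLEARTEXT.match(raw.strip()):
            who = tok[1] if tok[0] == "username" else "enable"
            findings.append((n, "cleartext-password", who))
    # The default list is applied automatically; named lists must be applied.
    for name, n in defined.items():
        if name != "default" and name not in applied:
            findings.append((n, "list-not-applied", name))
    for name, n in applied.items():
        if name not in defined:
            findings.append((n, "list-undefined", name))
    return sorted(findings)


if __name__ == "__main__":
    for line_no, check, detail in audit(SAMPLE_CONFIG):
        print("line %2d  %-18s %s" % (line_no, check, detail))
```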
1.4 AAA Accounting Configuration
1.4.1 AAA Accounting Configuration Task List
- Configuring Connection Accounting using AAA
- Configuring Network Accounting using AAA
- Configuring Accounting Update Through AAA
- Limiting User Accounting Without Username
1.4.2 AAA Accounting Configuration Task
To configure AAA accounting:
- If using a separate security server, configure security protocol parameters (RADIUS, TACACS+).
- Apply the method lists to a particular interface or line, if required.
- If necessary, apply the accounting method list to a specific interface or line.
1.4.2.1 Configuring Connection Accounting using AAA
Use the aaa accounting connection command to provide accounting information about outbound connections (Telnet, PAD, H323, rlogin). Only H323 is currently supported.
Command:
aaa accounting connection {default | list-name} {{{start-stop | stop-only} group groupname} | none}
: Establishes the global accounting list.
Supported connection accounting methods:
Keyword | Notes |
---|---|
group WORD | Uses the named server group to conduct accounting. |
group radius | Uses the RADIUS for accounting. |
group tacacs+ | Uses the TACACS+ for accounting. |
none | Disables accounting services for the specified line or interface. |
stop-only | Sends a "stop" record accounting notice at the end of the requested user process. |
start-stop | RADIUS or TACACS+ sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. |
1.4.2.2 Configuring Network Accounting using AAA
Use the aaa accounting network command to establish accounting method lists for PPP/SLIP sessions, providing information on packets, bytes, and time.
Command:
aaa accounting network {default | list-name} {{{start-stop | stop-only} group groupname} | none}
: Establishes the global accounting list.
Supported network accounting methods are similar to connection accounting methods.
1.4.2.3 Configuring Accounting Update Through AAA
Use the aaa accounting update [newinfo] [periodic number] command to enable AAA accounting updates. The newinfo keyword sends temporary accounting records when new information is available. The periodic keyword sends records periodically based on the specified number.
1.4.2.4 Limiting User Accounting Without Username
Use the aaa accounting suppress null-username command to prevent the AAA system from sending accounting records for users with null usernames.
1.5 Local Account Policy Configuration
1.5.1 Local Account Policy Configuration Task List
- Local authentication policy configuration
- Local authorization policy configuration
- Local password policy configuration
- Local policy group configuration
1.5.2 Local Account Policy Configuration Task
1.5.2.1 Local authentication policy configuration
Use the localauthen WORD command to enter local authentication configuration.
login max-tries <1-9> try-duration 1d2h3m4s
: Sets the maximum login attempts within a specified duration.
1.5.2.2 Local authorization policy configuration
Use the localauthor WORD command to enter local authorization configuration.
exec privilege {default | console | ssh | telnet} <1-15>
: Authorizes priority for login users based on privilege level.
1.5.2.3 Local password policy configuration
Use the localpass WORD command to enter local password configuration.
- Password Complexity:
non-user
: Password cannot be the same as the username.
non-history
: New password cannot be the same as the previous 20 passwords.
element [number] [lower-letter] [upper-letter] [special-character]
: Specifies password components.
min-length <1-127>
: Sets the minimum password length.
validity 1d2h3m4s
: Sets the password validity period.
1.5.2.4 Local policy group configuration
Use the localgroup WORD command to configure local policy groups.
local authen-group WORD
: Applies local authentication policy to the policy group.
local author-group WORD
: Applies local authorization policy to the policy group.
local pass-group WORD
: Applies local password policy to the policy group.
local user {{maxlinks <1-255>} | { freeze WORD }}
: Sets maxlinks and freeze for the policy group.
username username [password password | {encryption-type encrypted-password}] [maxlinks number] [authen-group WORD] [author-group WORD] [pass-group WORD] [autocommand command]
: Configures accounts and establishes the local database.
1.5.3 Local Account Policy Example
Example configuration for local authentication and authorization:
aaa authentication login default local
aaa authorization exec default local
!
localpass a3
non-user
non-history
element number lower-letter upper-letter special-character
min-length 10
validity 2d
!
localauthen a1
login max-tries 4 try-duration 2m
!
localauthor a2
exec privilege default 15
!
local pass-group a3
local authen-group a1
local author-group a2
!
Explanation:
aaa authentication login default local
: Defines the default login-authentication method list.
aaa authorization exec default local
: Defines the default EXEC authorization method list.
localpass a3
: Defines the password policy named 'a3'.
localauthen a1
: Defines the authentication policy named 'a1'.
localauthor a2
: Defines the authorization policy named 'a2'.
local pass-group a3, local authen-group a1, local author-group a2
: Applies password policy 'a3', authentication policy 'a1', and authorization policy 'a2' to the default policy group.
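
What policies a3 and a1 above enforce, modelled as an added Python sketch (not the switch's implementation). It parses the 1d2h3m4s duration format, checks a candidate password against non-user, non-history, element and min-length, and applies login max-tries within try-duration. Assumptions: element is read as "must contain each listed class", the try window is modelled as a sliding window over failures, and history is compared in clear only for illustration.

```python
import re
import string

# Character classes named by the 'element' keyword.
CLASSES = {
    "number": string.digits,
    "lower-letter": string.ascii_lowercase,
    "upper-letter": string.ascii_uppercase,
    "special-character": string.punctuation,
}


def parse_duration(text):
    """Convert the page's '1d2h3m4s' notation to seconds."""
    m = re.fullmatch(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if not m or not any(m.groups()):
        raise ValueError("bad duration: %r" % text)
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def check_password(candidate, username, history,
                   elements=tuple(CLASSES), min_length=10):
    """Return the list of policy keywords the candidate violates."""
    problems = []
    if candidate == username:
        problems.append("non-user")
    if candidate in history[-20:]:          # previous 20 passwords
        problems.append("non-history")
    for element in elements:
        if not any(c in CLASSES[element] for c in candidate):
            problems.append("element " + element)
    if len(candidate) < min_length:
        problems.append("min-length")
    return problems


class LoginThrottle:
    """login max-tries N try-duration D, as a sliding window (assumption)."""

    def __init__(self, max_tries, try_duration):
        self.max_tries = max_tries
        self.window = parse_duration(try_duration)
        self.failures = {}

    def allowed(self, user, now):
        recent = [t for t in self.failures.get(user, [])
                  if now - t < self.window]
        self.failures[user] = recent        # forget failures outside the window
        return len(recent) < self.max_tries

    def record_failure(self, user, now):
        self.failures.setdefault(user, []).append(now)


if __name__ == "__main__":
    print(parse_duration("2d"), parse_duration("2m"))
    print(check_password("abc", "exec1", []))
    print(check_password("Sw1tch-Adm1n!", "exec1", []))
```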
Chapter 2 Configuring RADIUS
This chapter describes the Remote Authentication Dial-In User Service (RADIUS) security system, its operation, and suitable network environments for its use. It covers RADIUS configuration using the AAA command set and provides examples.
2.1 Overview
2.1.1 RADIUS Overview
RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients on switches send authentication requests to a central RADIUS server containing user authentication and network service access information. RADIUS is implemented in environments requiring high security while maintaining network access for remote users.
Use RADIUS in the following environments:
- Networks with multiple-vendor access servers supporting RADIUS.
- Networks where a user accesses only a single service (e.g., Telnet, PPP).
- Networks requiring resource accounting, tracking usage time, packets, and bytes.
RADIUS is not suitable for:
- Protocols like AppleTalk Remote Access (ARA), NetBIOS Frame Control Protocol (NBFCP), NetWare Asynchronous Services Interface (NASI), and X.25 PAD connections.
- Switch-to-switch situations, as RADIUS does not provide two-way authentication.
- Networks using a variety of services, as RADIUS generally binds a user to one service model.
2.1.2 RADIUS Operation
When a user logs in using RADIUS:
- The user is prompted for and enters a username and password.
- The username and encrypted password are sent to the RADIUS server.
- The RADIUS server responds with ACCEPT (authenticated), REJECT (not authenticated, prompt again or deny access), or CHALLENGE (request for additional data).
The ACCEPT or REJECT response may include data for EXEC or network authorization, such as services the user can access and connection parameters.
2.2 RADIUS Configuration Steps
To configure RADIUS on your switch or access server:
- Use the aaa authentication global configuration command to define method lists for RADIUS authentication.
- Use line and interface commands to enable the defined method lists.
Optional tasks:
- Run aaa authorization to authorize the user's service request.
- Run aaa accounting to record the service procedure.
2.3 RADIUS Configuration Task List
- Configuring Switch to RADIUS Server Communication
- Configuring Switch to Use Vendor-Specific RADIUS Attributes
- Specifying RADIUS Authentication
- Specifying RADIUS Authorization
- Specifying RADIUS Accounting
2.4 RADIUS Configuration Task
2.4.1 Configuring Switch to RADIUS Server Communication
Use the radius-server host command to specify the RADIUS server's IP address or hostname and port numbers. Use the radius-server key command to set the shared secret text string.
To configure global communication settings:
radius-server retransmit retries
: Specifies the number of times the switch transmits a RADIUS request before giving up.
radius-server timeout seconds
: Specifies the wait time for a RADIUS reply before retransmitting.
radius-server deadtime minutes
: Specifies the time a non-responding RADIUS server is bypassed.
2.4.2 Configuring Switch to Use Vendor-Specific RADIUS Attributes
Use the radius-server vsa send [authentication] command to enable the network access server to recognize and use vendor-specific attributes (VSAs) as defined by RADIUS IETF attribute 26.
2.4.3 Specifying RADIUS Authentication
Define method lists for RADIUS authentication using the aaa authentication command, specifying RADIUS as the authentication method.
2.4.4 Specifying RADIUS Authorization
Use the aaa authorization command, specifying RADIUS as the authorization method, to set parameters that restrict a user's network access.
2.4.5 Specifying RADIUS Accounting
Use the aaa accounting command, specifying RADIUS as the accounting method, to track user services and network resource consumption.
2.5 RADIUS Configuration Examples
2.5.1 RADIUS Authentication Example
Example configuration for switch authentication and authorization using RADIUS:
aaa authentication login use-radius group radius local
Explanation:
aaa authentication login use-radius group radius local
: Configures the switch to use RADIUS for authentication. If RADIUS returns an error, the user is authenticated using the local database.
2.5.2 RADIUS Application in AAA
Example of general RADIUS configuration with AAA:
radius-server host 1.2.3.4
radius-server key myRaDiUSpassWoRd
aaa authentication login admins group radius local
line vty 1 16
login authentication admins
Explanation:
radius-server host
: Defines the IP address of the RADIUS server.
radius-server key
: Defines the shared key between the network access server and RADIUS server.
aaa authentication login admins group radius local
: Defines the authentication method list 'admins', specifying RADIUS and then local authentication for serial lines using PPP.
login authentication admins
: Designates the application of the 'admins' method list during login.
Chapter 3 TACACS+ Configuration
TACACS+ provides centralized verification of network access rights for users, ensuring communication safety through encrypted information exchange.
3.1 TACACS+ Overview
Before using TACACS+, the TACACS+ server must be accessed and configured. TACACS+ supports independent modularized authentication, authorization, and accounting.
- Authentication: Supports various methods (ASCII, PAP, CHAP) and allows processing of user conversations, including prompting for information like family address, service type, and ID number. It can also notify users about password changes due to aging policies.
- Authorization: Provides detailed control over user service limitations, including automatic commands, access control, and dialog duration. It can also limit the commands a user can execute.
- Accounting: Collects and sends information for billing, auditing, and tracking network resource usage. It records user authentication, start/end times, executed commands, and packet/byte quantities.
3.1.1 The Operation of TACACS+ Protocol
3.1.1.1 Authentication in ASCII Form
When logging in via ASCII form with TACACS+:
- The network access server prompts for a username.
- After the username is entered, the server prompts for a password.
- The password is sent to the TACACS+ service program.
TACACS+ allows dialogues between the server program and the user until enough information is collected to identify the user.
3.1.1.2 Authentication in PAP and CHAP Ways
PAP login is similar to ASCII login, but the username and password are sent in a PAP message, not entered by the user. CHAP login is similar, requiring user authorization after authentication if requested by the server.
If TACACS+ authorization is needed, it contacts the TACACS+ server again for ACCEPT or REJECT responses, potentially including attribute-value (AV) data for EXEC or NETWORK dialogue confirmation.
3.2 TACACS+ Configuration Process
To configure TACACS+ support:
- Use the tacacs-server command to assign IP addresses of TACACS+ servers and the tacacs-server key command to set the encrypted secret key for information exchange.
- Use the global configuration command aaa authentication to define method tables using TACACS+ for authentication.
- Use line and interface commands to apply the defined method tables.
3.3 TACACS+ Configuration Task List
- Assigning TACACS+ server
- Setting up TACACS+ encrypted secret key
- Assigning to use TACACS+ for authentication
- Assigning to use TACACS+ for authorization
- Assigning to use TACACS+ for accounting
3.4 TACACS+ Configuration Task
3.4.1 Assigning TACACS+ server
Use the tacacs-server host ip-address [single-connection | multi-connection] [port integer] [timeout integer] [key string] command to assign the IP address of the TACACS+ server and configure related features. This is useful for servers configured with different priorities.
Additional configurations:
single-connection
: Allows the server program to handle more TACACS+ operations efficiently.
multi-connection
: Enables multiple TCP connections.
port integer
: Assigns the TCP port number (default is 49).
timeout integer
: Assigns the upper limit (in seconds) for waiting for a response from the server.
key string
: Assigns the secret key used to encrypt and decrypt messages.
3.4.2 Setting up TACACS+ encrypted secret key
Use the tacacs-server key keystring command to set the encrypted secret key for TACACS+ messages. The same secret key must be configured on the TACACS+ server program for successful encryption.
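
What the shared key does on the wire, as an added Python sketch (not FS code): the body obfuscation defined in RFC 8907, where the packet body is XORed with an MD5-derived pad built from the session ID, key, version and sequence number, plus a parser that reports packets sent with the unencrypted flag set. The session ID and body bytes are constructed (a real body is a structured authentication message); the keys are the sample values used in this page's examples.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# version, type, seq_no, flags, session_id, body length (12-byte header)
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id + key + version + seq_no);
    MD5_n = MD5(session_id + key + version + seq_no + MD5_(n-1))."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body (the operation is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, version=0xC0):
    """Build a packet; an empty key models a peer with no key configured."""
    if key:
        flags, data = 0, xor_body(body, session_id, key, version, seq_no)
    else:
        flags, data = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(version, ptype, seq_no, flags, session_id,
                       len(data)) + data


def parse_packet(packet, key):
    """Decode the header and recover the body with the given key."""
    if len(packet) < HEADER.size:
        raise ValueError("short TACACS+ packet")
    version, ptype, seq_no, flags, session_id, length = \
        HEADER.unpack_from(packet)
    data = packet[HEADER.size:]
    if len(data) != length:
        raise ValueError("length field does not match body")
    clear = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = data if clear else xor_body(data, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "sent_in_clear": clear, "body": body}


if __name__ == "__main__":
    body = b"user=exec1 constructed-body"     # constructed placeholder body
    pkt = build_packet(1, 1, 0x1234ABCD, body, b"testkey")
    print(parse_packet(pkt, b"testkey"))
    print(parse_packet(pkt, b"goaway")["body"])   # key mismatch: garbage body
```

A key mismatch does not fail loudly at this layer; the receiver simply decodes garbage, which is why the same key must be set on both sides. Packets with sent_in_clear true are worth alerting on, since they carry credentials and commands readable on the wire.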
3.4.3 Assigning to use TACACS+ for authentication
Define method tables for TACACS+ authentication using the aaa authentication command, specifying TACACS+ as the authentication method.
3.4.4 Assigning to use TACACS+ for authorization
Use the aaa authorization command, specifying TACACS+ as the authorization method, to set parameters for user network access limitations.
3.4.5 Assigning to use TACACS+ for accounting
Use the aaa accounting command, specifying TACACS+ as the accounting method, to track user service and network resource consumption.
3.5 TACACS+ Configuration Example
3.5.1 TACACS+ authentication example
Example of configuring login authentication using TACACS+:
aaa authentication login test group tacacs+ local
aaa authorization exec test group tacacs+
tacacs-server host 1.2.3.4
tacacs-server key testkey
Explanation:
aaa authentication
: Defines the authentication method table 'test'. 'tacacs+' specifies TACACS+ processing, and 'local' indicates using the local database if TACACS+ fails.
tacacs-server host
: Marks the TACACS+ server's IP address as 1.2.3.4.
tacacs-server key
: Defines the shared encrypted secret key as 'testkey'.
aaa authorization
: Ensures permission to log in after successful authentication.
3.5.2 TACACS+ Authorization Examples
Example configuration for TACACS+ authorization:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
Explanation:
aaa authentication
: Defines the default login authentication method table. 'tacacs+' means authentication by TACACS+, and 'local' indicates using the local database if TACACS+ fails.
aaa authorization
: Performs network service authorization by TACACS+.
tacacs-server host
: Marks the TACACS+ server's IP as 10.1.2.3.
tacacs-server key
: Defines the shared encrypted secret key as 'goaway'.
3.5.3 TACACS+ Accounting Example
Example of configuring login authentication method table using TACACS+ for accounting:
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
Explanation:
aaa authentication
: Defines the default login authentication method table. 'tacacs+' means authentication by TACACS+, and 'local' indicates using the local database if TACACS+ fails.
aaa accounting
: Performs accounting of network services by TACACS+. Start and stop time information is recorded and sent to the TACACS+ server.
tacacs-server host
: Marks the TACACS+ server's IP address as 10.1.2.3.
tacacs-server key
: Defines the shared encrypted secret key as 'goaway'.