FS S5900-24S4T2Q Security Configuration Manual

Security Configuration
S5900-24S4T2Q Ethernet Switch


Summary of Contents for FS S5900-24S4T2Q

  • Page 1: Security Configuration

    Security Configuration S5900-24S4T2Q Ethernet Switch...
  • Page 2: Table Of Contents

    Contents
    Chapter 1 AAA Configuration ... 1
    1.1 AAA Overview ... 1
    1.1.1 AAA Security Service ... 1
    1.1.2 Benefits of Using AAA ... 2
    1.1.3 AAA Principles ... 2
    1.1.4 AAA Method List ... 2
    1.1.5 AAA Configuration Process ... 3
    1.2 Authentication Configuration ... 4
    1.2.1 AAA Authentication Configuration Task List ... 4
    1.2.1 AAA Authentication Configuration Task ... 4
    1.2.3 AAA Authentication Configuration Example ...
  • Page 3

    2.1.2 RADIUS Operation ... 19
    2.2 RADIUS Configuration Steps ... 19
    2.3 RADIUS Configuration Task List ... 20
    2.4 RADIUS Configuration Task ... 20
    2.5 RADIUS Configuration Examples ... 21
    2.5.1 RADIUS Authentication Example ... 21
    2.5.2 RADIUS Application in AAA ... 22
    Chapter 3 TACACS+ Configuration ... 23
    3.1 TACACS+ Overview ... 23
    3.1.1 The Operation of TACACS+ Protocol ...
  • Page 4: Chapter 1 AAA Configuration

    Chapter 1 AAA Configuration 1.1 AAA Overview Access control is the means of controlling who may reach the network and its services. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your OLT or access server.
  • Page 5: Benefits Of Using AAA

    1.1.2 Benefits of Using AAA AAA provides the following benefits:
    - Increased flexibility and control of access configuration
    - Scalability
    - Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
    - Multiple backup systems
    1.1.3 AAA Principles AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis.
  • Page 6: AAA Authentication Configuration Task List

    Figure 1-1 Typical AAA Network Configuration. In this example, default is the name of the method list; the protocols in the method list and the order in which they are queried follow the name. The default method list is automatically applied to all interfaces. When a remote user attempts to dial in to the network, the network access server first queries R1 for authentication information.
  • Page 7: Authentication Configuration

    (Optional) Configure authorization using the aaa authorization command. (Optional) Configure accounting using the aaa accounting command.
    1.2 Authentication Configuration 1.2.1 AAA Authentication Configuration Task List
    - Configuring Login Authentication Using AAA
    - Enabling Password Protection at the Privileged Level
    - Configuring Message Banners for AAA Authentication
    ...
  • Page 8

    The list-name is a character string used to name the list you are creating. The keyword method specifies the actual authentication method. Additional methods are used only if the previous method returns an error, not if it fails (a rejected credential does not fall through to the next method). To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
  • Page 9

    Using the local password to carry out login authentication: when you run aaa authentication login, you can use the keyword "local" to designate the local database as the login authentication method. For example, to specify the local username database as the user authentication method and define no other method, run the following command:
    aaa authentication login default local
    For information about adding users to the local username database, refer to the section "Establishing...
  • Page 10: AAA Authentication Configuration Example

    Using RADIUS for enable authentication: the user name for authentication is $ENABLElevel$, where level is the privilege level the user enters, that is, the number given after the enable command. For instance, if the user wants to enter privilege level 7, enter the command enable 7;...
  • Page 11

    Command: authentication username-prompt text-string
    Purpose: Modifies the default text of the username input prompt.
    1.2.2.5 Modifying AAA authentication password-prompt To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt command. To return to the default password prompt text, use the no form of this command. You can run no aaa authentication username-prompt to resume the password input prompt.
  • Page 12: Authorization Configuration

    The aaa authorization network radius-network group radius command queries RADIUS for network authorization, address assignment, and other access lists. The login authentication radius-login command enables the radius-login method list for line 3.
    1.3 Authorization Configuration 1.3.1 AAA Authorization Configuration Task List
    - Configuring EXEC authorization through AAA
    ...
  • Page 13: AAA Authorization Examples

    ...the command line. The default parameter creates a default authentication list, which is automatically applied to all interfaces. For example, you can run the following command to designate RADIUS as the default authorization method for EXEC:
    aaa authorization exec default group radius
    Note: If the authorization method list cannot be found during authorization, the authorization will be directly passed...
  • Page 14: AAA Accounting Configuration

    The command is used to define the default EXEC authorization method list, which is automatically applied to all users that need to enter the EXEC shell. The command localauthor al defines a local authorization policy named al. The command exec privilege default 15 ...
  • Page 15: Configuring Network Accounting Using AAA

    Command: aaa accounting connection {default | list-name} {{{start-stop | stop-only} group groupname} | none}
    Purpose: Establishes the global accounting list.
    The list-name is a character string used to name the list you are creating. The method keyword designates the actual method used for the accounting process.
  • Page 16: Configuring Accounting Update Through AAA

    Keyword and notes:
    - group WORD: Uses the named server group to conduct accounting.
    - group radius: Uses RADIUS for accounting.
    - group tacacs+: Uses TACACS+ for accounting.
    - none: Disables accounting services for the specified line or interface.
    - stop-only: Sends a "stop" accounting record notice at the end of the requested user process.
  • Page 17: Local Account Policy Configuration

    1.5 Local Account Policy Configuration 1.5.1 Local Account Policy Configuration Task List
    - Local authentication policy configuration
    - Local authorization policy configuration
    - Local password policy configuration
    - Local policy group configuration
    1.5.2 Local Account Policy Configuration Task 1.5.2.1 Local authentication policy configuration To enter local authentication configuration, run the command localauthen WORD in global configuration mode.
  • Page 18: Local Policy Group Configuration

    ...Specify the components of the password (complicate the password)
    min-length <1-127>
    validity 1d2h3m4s: password validity period (the validity of the password)
    The configured local authorization policy can be applied to a local policy group or directly applied to a local account.
  • Page 19

    localpass non-user non-history element number lower-letter upper-letter special-character min-length 10 validity 2d
    localauthen a1
     login max-tries 4 try-duration 2m
    localauthor a2
     exec privilege default 15
    local pass-group a3
    local authen-group a1
    local author-group a2
    The meaning of each command line is shown below: The aaa authentication login default local command is used to define the default login-authentication ...
  • Page 20: Chapter 2 Configuring RADIUS

    Chapter 2 Configuring RADIUS This chapter describes the Remote Authentication Dial-In User Service (RADIUS) security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS technology. The "RADIUS Configuration Task List" section describes how to configure RADIUS with the authentication, authorization, and accounting (AAA) command set.
  • Page 21: RADIUS Operation

    - Switch-to-switch situations. RADIUS does not provide two-way authentication. On the switch, only incoming call authentication is available when running RADIUS; outbound call authentication is not possible.
    - Networks using a variety of services. RADIUS generally binds a user to one service model.
    ...
  • Page 22: RADIUS Configuration Task List

    2.3 RADIUS Configuration Task List
    - Configuring Switch to RADIUS Server Communication
    - Configuring Switch to Use Vendor-Specific RADIUS Attributes
    - Specifying RADIUS Authentication
    - Specifying RADIUS Authorization
    - Specifying RADIUS Accounting
    2.4 RADIUS Configuration Task 2.4.1 Configuring Switch to RADIUS Server Communication The RADIUS host is normally a multiuser system running RADIUS server software from Livingston, Merit, Microsoft, or another software provider.
  • Page 23: RADIUS Configuration Examples

    2.4.2 Configuring Switch to Use Vendor-Specific RADIUS Attributes The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network access server and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes that are not suitable for general use.
  • Page 24: RADIUS Application In AAA

    2.5.2 RADIUS Application in AAA The following example shows a general configuration using RADIUS with the AAA command set:
    radius-server host 1.2.3.4
    radius-server myRaDiUSpassWoRd
    username root password AlongPassword
    aaa authentication login admins group radius local
    line vty 1 16
    login authentication admins
    The meaning of each command line is shown below: radius-server host is used to define the IP address of the RADIUS server.
  • Page 25: Chapter 3 TACACS+ Configuration

    Chapter 3 TACACS+ Configuration 3.1 TACACS+ Overview TACACS+ is an access security control protocol that provides centralized verification of users who attempt to gain access through the network access server. Communication is protected because the exchange between the network access server and the TACACS+ server program is encrypted. Before TACACS+ configured on the network access server can be used, the TACACS+ server must be accessible and configured.
  • Page 26: Authentication In PAP And CHAP Ways

    The network access server finally gets one of the following responses from the TACACS+ server:
    - ACCEPT: The user passes authentication and service begins. If the network access server is configured to require service authorization, authorization begins at this point.
    - REJECT: The user does not pass authentication. The user may be denied further access or prompted to try again.
  • Page 27: TACACS+ Configuration Task List

    3.3 TACACS+ Configuration Task List
    - Assigning TACACS+ server
    - Setting up TACACS+ encrypted secret key
    - Assigning to use TACACS+ for authentication
    - Assigning to use TACACS+ for authorization
    - Assigning to use TACACS+ for accounting
    3.4 TACACS+ Configuration Task 3.4.1 Assigning TACACS+ server The tacacs-server command assigns the IP address of the TACACS+ server.
  • Page 28: Setting Up TACACS+ Encrypted Secret Key

    3.4.2 Setting up TACACS+ encrypted secret key To set up the encrypted secret key for TACACS+ messages, use the following command in global configuration mode:
    Command: tacacs-server key keystring
    Purpose: Sets up the encrypted secret key, which must match the encrypted secret key used by the TACACS+ server.
  • Page 29: TACACS+ Authorization Examples

    In this example: The command aaa authentication defines the authentication method list test used on vty0. The keyword tacacs+ means the authentication is processed by TACACS+, and if TACACS+ does not respond during authentication, the keyword local indicates that the local database on the network access server is used for authentication. The command tacacs-server host marks the TACACS+ server's IP address as 1.2.3.4.
  • Page 30

    The command aaa accounting performs accounting of network service through TACACS+. In this example, start and stop time information is recorded and sent to the TACACS+ server. The command tacacs-server host marks the TACACS+ server's IP address as 10.1.2.3. The command tacacs-server key defines the shared encrypted secret key as goaway.
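The fall-through rule on page 8 (a later method is consulted only when the previous one returns an error, not when it fails, and a trailing none makes the login succeed once every method has errored) and the note on page 13 (an authorization list that cannot be found is passed directly) decide who gets in when a RADIUS or TACACS+ server is unreachable. The simulation below is an added example, not code from the switch or from FS: the names Result, evaluate_list, login_attempt and authorize, the stand-in methods for the group radius, local and none keywords, and the two small user databases are all constructed here.

```python
"""AAA method-list evaluation, modelled on the rules the manual states on pages 8 and 9
and the authorization note on page 13. Added simulation, not the switch's code: Result,
evaluate_list, login_attempt, authorize and the sample user databases are constructed here;
group_radius, local and none are stand-ins for the CLI keywords of the same names."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"  # the method verified the credentials
    REJECT = "reject"  # the method answered and the credentials were wrong (it "fails")
    ERROR = "error"    # the method could not answer, e.g. server unreachable ("returns an error")


# An authentication method takes (username, password) and yields a Result.
Method = Callable[[str, str], Result]


def group_radius(reachable: bool, users: Dict[str, str]) -> Method:
    """Stand-in for 'group radius': an unreachable server is an ERROR, never a REJECT."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return method


def local(users: Dict[str, str]) -> Method:
    """Stand-in for 'local': the on-box username database always answers."""
    def method(user: str, password: str) -> Result:
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return method


def none(user: str, password: str) -> Result:
    """Stand-in for 'none': succeeds unconditionally, so it is only reached after errors."""
    return Result.ACCEPT


def evaluate_list(methods: List[Tuple[str, Method]], user: str, password: str) -> Tuple[Result, List[str]]:
    """Try the methods in order; fall through only on ERROR. Returns the final result
    and the names of the methods actually consulted."""
    consulted: List[str] = []
    for name, method in methods:
        consulted.append(name)
        outcome = method(user, password)
        if outcome is not Result.ERROR:
            return outcome, consulted
    # Every method returned an error and no 'none' was configured: the login is denied.
    return Result.ERROR, consulted


# Constructed sample databases: alice has different passwords on the server and on the box.
RADIUS_USERS = {"alice": "radius-secret"}
LOCAL_USERS = {"alice": "local-secret", "root": "AlongPassword"}


def login_attempt(radius_reachable: bool, trailing: str, user: str, password: str) -> Tuple[Result, List[str]]:
    """Evaluate the list 'aaa authentication login default group radius <trailing>'
    where trailing is 'local', 'none' or '' (no fallback method at all)."""
    methods: List[Tuple[str, Method]] = [("group radius", group_radius(radius_reachable, RADIUS_USERS))]
    if trailing == "local":
        methods.append(("local", local(LOCAL_USERS)))
    elif trailing == "none":
        methods.append(("none", none))
    return evaluate_list(methods, user, password)


# An authorization method only needs the username here.
AuthzMethod = Callable[[str], Result]


def authorize(lists: Dict[str, List[AuthzMethod]], list_name: str, user: str) -> Result:
    """Authorization following the page-13 note: a method list that cannot be found passes
    authorization directly, so a misspelt list name grants access instead of denying it."""
    methods = lists.get(list_name)
    if methods is None:
        return Result.ACCEPT
    for method in methods:
        outcome = method(user)
        if outcome is not Result.ERROR:
            return outcome
    return Result.ERROR


if __name__ == "__main__":
    cases = [
        ("RADIUS up, wrong password, 'local' configured", True, "local", "local-secret"),
        ("RADIUS down, 'local' configured", False, "local", "local-secret"),
        ("RADIUS down, 'none' configured", False, "none", "whatever"),
        ("RADIUS down, no fallback", False, "", "radius-secret"),
    ]
    for label, up, trailing, pw in cases:
        result, consulted = login_attempt(up, trailing, "alice", pw)
        print(f"{label}: {result.name} via {' -> '.join(consulted)}")
    print("authorization with unknown list:", authorize({}, "typo-list", "alice").name)
```

The first case is the one operators most often misread: with RADIUS reachable, a wrong password is a REJECT and the local database is never consulted, so local credentials only matter while the server is down. The third case shows why none belongs only at the end of a list whose earlier methods are expected to answer, and the authorize call shows the fail-open behaviour of a mistyped list name.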
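The local password policy on pages 18 and 19 (element number lower-letter upper-letter special-character, min-length 10, validity 2d, plus non-user and non-history) is easier to reason about as a checker that takes the policy line and reports which rules a candidate password breaks. The code below is an added example and not the switch's firmware; it assumes the line begins with localpass followed by the policy name (a3, taken from the local pass-group a3 line), that non-user means the password must not contain the username, that non-history means it must not repeat an earlier password, that special-character means ASCII punctuation, and that the validity syntax is the 1d2h3m4s form shown on page 18. The class and function names are constructed here.

```python
"""Local password-policy checks modelled on the 'localpass' example on page 19 and the
validity format on page 18. Added example, not the switch's firmware. Assumed here:
the line starts with 'localpass NAME', 'non-user' forbids the username inside the
password, 'non-history' forbids reuse, and 'special-character' means ASCII punctuation."""
import re
import string
from dataclasses import dataclass, field
from typing import Iterable, List, Set

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
DURATION_RE = re.compile(r"(\d+)([dhms])")

# Character classes the 'element' keyword can demand.
ELEMENT_TESTS = {
    "number": lambda s: any(c.isdigit() for c in s),
    "lower-letter": lambda s: any(c.islower() for c in s),
    "upper-letter": lambda s: any(c.isupper() for c in s),
    "special-character": lambda s: any(c in string.punctuation for c in s),
}


def parse_validity(text: str) -> int:
    """Convert a validity such as '2d' or '1d2h3m4s' into seconds."""
    if not re.fullmatch(r"(\d+[dhms])+", text):
        raise ValueError(f"bad validity {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in DURATION_RE.findall(text))


@dataclass
class LocalPassPolicy:
    name: str
    elements: Set[str] = field(default_factory=set)
    min_length: int = 1
    validity_seconds: int = 0  # 0 means the password never expires
    non_user: bool = False
    non_history: bool = False

    @classmethod
    def from_cli(cls, line: str) -> "LocalPassPolicy":
        """Parse 'localpass NAME [non-user] [non-history] [element ...] [min-length N] [validity T]'."""
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "localpass":
            raise ValueError("expected 'localpass NAME ...'")
        policy = cls(name=tokens[1])
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "non-user":
                policy.non_user = True
                i += 1
            elif tok == "non-history":
                policy.non_history = True
                i += 1
            elif tok == "element":
                i += 1
                while i < len(tokens) and tokens[i] in ELEMENT_TESTS:
                    policy.elements.add(tokens[i])
                    i += 1
            elif tok == "min-length":
                value = int(tokens[i + 1])
                if not 1 <= value <= 127:  # range <1-127> shown on page 18
                    raise ValueError("min-length must be in 1..127")
                policy.min_length = value
                i += 2
            elif tok == "validity":
                policy.validity_seconds = parse_validity(tokens[i + 1])
                i += 2
            else:
                raise ValueError(f"unknown keyword {tok!r}")
        return policy

    def check(self, username: str, password: str, history: Iterable[str] = ()) -> List[str]:
        """Return the rules the password violates; an empty list means it is acceptable."""
        problems: List[str] = []
        if len(password) < self.min_length:
            problems.append(f"shorter than min-length {self.min_length}")
        for element in sorted(self.elements):
            if not ELEMENT_TESTS[element](password):
                problems.append(f"missing element {element}")
        if self.non_user and username.lower() in password.lower():
            problems.append("contains the username (non-user)")
        if self.non_history and password in set(history):
            problems.append("reuses a previous password (non-history)")
        return problems

    def expired(self, age_seconds: int) -> bool:
        """True when a password set age_seconds ago has outlived the validity period."""
        return self.validity_seconds > 0 and age_seconds > self.validity_seconds


# Constructed policy line following the page-19 example, with the policy name a3 assumed.
POLICY_LINE = ("localpass a3 non-user non-history element number lower-letter "
               "upper-letter special-character min-length 10 validity 2d")

if __name__ == "__main__":
    policy = LocalPassPolicy.from_cli(POLICY_LINE)
    for user, pw in [("admin", "Adm1n!pass"), ("admin", "password"), ("root", "Root#2024xyz")]:
        print(user, pw, policy.check(user, pw, history=["Root#2024xyz"]) or "ok")
    print("expired after 3 days:", policy.expired(3 * 86400))
```

Reporting every violated rule at once, rather than stopping at the first, mirrors what an administrator wants from a policy test before pushing the localpass line to the switch: the same candidate is checked against length, the four element classes, the username and the history in one pass.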
