Aaa Services - Enterasys Security Router X-PeditionTM User Manual

Enterasys security router user's guide

If you must enable PPP on the WAN, use CHAP authentication
Disable all unnecessary router services (e.g., HTTP, if not used)
Write strict ACLs to limit HTTP, Telnet and SNMP access
Write ACLs to limit the type of ICMP messages
Create ACLs to direct services to appropriate servers only
Enable packet filtering and attack prevention mechanisms
Allow only packets with valid source addresses to exit the network
If using SNMP, use strong community names and set read-only access
Minimize console logging to limit unnecessary CPU cycles
Use OSPF rather than RIP to take advantage of MD5 authentication
Control which router interfaces can be used to manage the XSR
Use an SNTP server on the DMZ to synchronize XSR clocks
Use syslog to send messages to a designated syslog server

AAA Services

The XSR provides Authentication, Authorization and Accounting (AAA) services to validate and
display data for AAA usergroups, users, and methods. Telnet, Console and SSH users can utilize
the following two authentication mechanisms:

CLI database authentication - This non-AAA authentication mode for Telnet and SSH users
authenticates against the CLI database created by the username command. This is the base,
system default user-validation method and does not authenticate via RADIUS.

AAA user database authentication - This mechanism avails Telnet and SSH users of the AAA
module, which provides additional authentication by various AAA methods including RADIUS. The
aaa client telnet command switches all Telnet users to authenticate via the AAA user database,
while aaa client ssh switches all SSH users to do the same.

A few restrictions apply when switching Telnet, Console and SSH users to authenticate via this
mechanism, as follows:
No pre-existing privilege-15 admin user exists in the AAA database.
Before switching over to AAA for Telnet or SSH, at least one privilege-15 user with a Telnet/SSH
policy must exist in the AAA database.
Deleting the only privilege-15 user with a Telnet or SSH policy is disallowed, to prevent any
accidental loss of access to the XSR.

The XSR offers two types of default AAA methods:
The default AAA method for AAA service. Although the local method is the factory default,
you can set this using the aaa method [local | pki | radius] default command.
The default AAA method for grouped clients. This is set on a per-client basis via the
client {telnet | ssh | console | firewall | vpn | ppp} sub-command under aaa method.
Note that PPP uses AAA only when acting as the authenticator (when validating the peer);
PPP is authenticated by the peer when acting as the authenticatee (client-side).
If the latter default method is not specified for a client, the former default applies.
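The lockout guards and the two-level default-method rule above are the security-relevant part of this section: switching Telnet or SSH to AAA without an admin who can still log in, or deleting that admin afterwards, would strand the operator. The following is an added illustrative model of those rules in Python; it is not Enterasys code and the XSR does not expose such an API. The class, method names and the in-memory user store are assumptions, and the deletion guard is applied per client type (telnet and ssh separately), which is the stricter reading of the manual's rule.

```python
# Illustrative model of the XSR AAA lockout guards and default-method
# resolution. Constructed example, not Enterasys code; all names are assumed.
from dataclasses import dataclass, field

ADMIN_PRIVILEGE = 15                      # privilege 15 is full administrative access
SWITCHABLE_CLIENTS = ("telnet", "ssh")    # client types that can move from CLI db to AAA
AAA_METHODS = ("local", "pki", "radius")  # methods accepted by 'aaa method ... default'


@dataclass
class AaaUser:
    name: str
    privilege: int
    policies: set = field(default_factory=set)  # client policies, e.g. {"telnet", "ssh"}


class AaaDatabase:
    """In-memory stand-in for the XSR AAA user database (assumed model)."""

    def __init__(self):
        self._users = {}
        self.aaa_clients = set()          # client types now authenticating via AAA
        self.default_method = "local"     # factory default named in the manual
        self._client_methods = {}         # per-client override ('client <type>' sub-command)

    def add_user(self, user):
        self._users[user.name] = user

    def admins_with_policy(self, client):
        """Names of privilege-15 users whose policy covers the given client type."""
        return [u.name for u in self._users.values()
                if u.privilege >= ADMIN_PRIVILEGE and client in u.policies]

    def enable_aaa_client(self, client):
        """Model of 'aaa client telnet' / 'aaa client ssh': the switch is refused
        unless a privilege-15 user with that client's policy already exists."""
        if client not in SWITCHABLE_CLIENTS:
            raise ValueError("client type cannot be switched to AAA: %s" % client)
        if not self.admins_with_policy(client):
            return False                  # would lock every admin out of that access path
        self.aaa_clients.add(client)
        return True

    def delete_user(self, name):
        """Refuse to delete a user who is the only privilege-15 holder of a
        Telnet or SSH policy (checked per client type in this model)."""
        if name not in self._users:
            return False
        for client in SWITCHABLE_CLIENTS:
            if self.admins_with_policy(client) == [name]:
                return False
        del self._users[name]
        return True

    def set_default_method(self, method):
        """'aaa method <method> default': the global default for AAA service."""
        if method not in AAA_METHODS:
            raise ValueError("unknown AAA method: %s" % method)
        self.default_method = method

    def set_client_method(self, client, method):
        """Per-client default, the 'client {...}' sub-command under 'aaa method'."""
        if method not in AAA_METHODS:
            raise ValueError("unknown AAA method: %s" % method)
        self._client_methods[client] = method

    def effective_method(self, client):
        """A per-client default wins; otherwise the global default applies."""
        return self._client_methods.get(client, self.default_method)


if __name__ == "__main__":
    db = AaaDatabase()
    print("switch telnet with empty db:", db.enable_aaa_client("telnet"))
    db.add_user(AaaUser("admin", 15, {"telnet", "ssh"}))
    print("switch telnet with admin present:", db.enable_aaa_client("telnet"))
    print("delete the only telnet/ssh admin:", db.delete_user("admin"))
    db.set_default_method("radius")
    db.set_client_method("console", "local")
    print("telnet ->", db.effective_method("telnet"), "console ->", db.effective_method("console"))
```

The model makes the ordering the manual requires explicit: create the privilege-15 user with the Telnet/SSH policy first, then issue the client switch, and keep a second such user before removing the first.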
XSR User's Guide 16-5