2.9. Configuring Security with CLI

This section provides information to configure security using the command line interface.

2.9.1. Setting Up Security Attributes

This section provides a brief overview of the tasks that must be performed to configure security and provides the CLI commands. Table 10 describes the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server.

Table 10:  Security Configuration Requirements

  Authentication    Authorization        Accounting
  --------------    ----------------     ----------
  Local             Local                None
  RADIUS            Local and RADIUS     RADIUS
  TACACS+           Local                TACACS+

2.9.1.1. Configuring Authentication

Refer to the following sections to configure authentication:

  1. Local authentication
    By default, authentication is enabled locally. Perform the tasks in that section on each participating router.
  2. RADIUS authentication (only)
    To implement RADIUS authentication without authorization, perform the tasks in that section on each participating router.
  3. RADIUS authentication
    To implement RADIUS authentication with authorization, perform the tasks in that section on each participating router.
  4. TACACS+ authentication
    To implement TACACS+ authentication only, perform the tasks in that section on each participating router.

2.9.1.2. Configuring Authorization

Refer to the following sections to configure authorization.

  1. Local authorization
    For local authorization, configure these tasks on each participating router:
  2. RADIUS authorization (only)
    For RADIUS authorization (without authentication), configure these tasks on each participating router:
    For RADIUS authorization, VSAs must be configured on the RADIUS server. See Vendor-Specific Attributes (VSAs).
  3. RADIUS authorization
    For RADIUS authorization (with authentication), configure these tasks on each participating router:
    For RADIUS authorization, VSAs must be configured on the RADIUS server. See Vendor-Specific Attributes (VSAs).
  4. TACACS+ authorization (only)
    For TACACS+ authorization (without authentication), configure these tasks on each participating router:
  5. TACACS+ authorization
    For TACACS+ authorization (with authentication), configure these tasks on each participating router:

2.9.1.3. Configuring Accounting

Refer to the following sections to configure accounting.

  1. Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI.

2.9.2. Security Configurations

This section provides information to configure security and configuration examples of configuration tasks.

To implement security features, configure the following components:

  1. Management access filters
  2. Profiles
  3. User access parameters
  4. Password management parameters
  5. Enable RADIUS and/or TACACS+
    1. One to five RADIUS and/or TACACS+ servers
    2. RADIUS and/or TACACS+ parameters

The following are sample default values for security parameters.

A:ALA-1>config>system>security# info detail
----------------------------------------------
no hash-control
telnet-server
no telnet6-server
no ftp-server
management-access-filter
exit
profile "default"
default-action none
no li
entry 10
no description
match "exec"
action permit
...
password
authentication-order radius tacplus local
no aging
minimum-length 6
attempts 3 time 5 lockout 10
complexity
exit
user "admin"
password "./3kQWERTYn0Q6w" hash
access console
no home-directory
no restricted-to-home
console
no login-exec
no cannot-change-password
no new-password-at-login
member "administrative"
exit
exit
snmp
view iso subtree 1
mask ff type included
exit
...
access group snmp-ro security-model snmpv1 security-level no-auth-no-privacy read no-security notify no-security
access group snmp-ro security-model snmpv2c security-level no-auth-no-privacy read no-security notify no-security
access group snmp-rw security-model snmpv1 security-level no-auth-no-privacy read no-security write no-security notify no-security
access group snmp-rw security-model snmpv2c security-level no-auth-no-privacy read no-security write no-security notify no-security
access group snmp-rwa security-model snmpv1 security-level no-auth-no-privacy read iso write iso notify iso
access group snmp-rwa security-model snmpv2c security-level no-auth-no-privacy read iso write iso notify iso
access group snmp-trap security-model snmpv1 security-level no-auth-no-privacy notify iso
access group snmp-trap security-model snmpv2c security-level no-auth-no-privacy notify iso
access group cli-readonly security-model snmpv2c security-level no-auth-no-privacy read iso notify iso
access group cli-readwrite security-model snmpv2c security-level no-auth-no-privacy read iso write iso notify iso
attempts 20 time 5 lockout 10
exit
no ssh

2.9.3. Security Configuration Procedures

2.9.3.1. Configuring Management Access Filters

Creating and implementing management access filters is optional. Management access filters control all traffic going into the CPM, including all routing protocols, and they apply to packets arriving on all ports, including the management Ethernet port. They can be used to restrict management of the 7210 SAS router to nodes in specific (sub)networks or to designated ports. By default, no filters are associated with security options; the management access filter and its entries must be explicitly created on each router.

The 7210 SAS implementation exits the filter when the first match is found and executes the action of that entry. For this reason, entries must be sequenced correctly from most to least explicit: a broad entry placed early prevents the more specific entries after it from ever being evaluated.

An entry need not have any match criteria defined (in which case everything matches), but it must have the action keyword to be considered complete. Entries without the action keyword are considered incomplete and are rendered inactive.

Use the following syntax to configure a management access filter. With default-action deny, only packets matching a permit entry are accepted; non-matching packets are denied.

CLI Syntax:
config>system
security
management-access-filter
default-action {permit|deny|deny-host-unreachable}
renum old-entry-number new-entry-number
no shutdown
entry entry-id
description description-string
src-port {port-id | cpm | lag lag-id}
src-ip {ip-prefix/mask | ip-prefix netmask}
protocol protocol-id
dst-port port [mask]
action {permit|deny|deny-host-unreachable}
log
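The first-match evaluation and the ordering rule described above, as an added example in Python that is not part of the 7210 SAS documentation or its CLI: it models a management-access-filter with the same entry fields (src-ip, protocol, dst-port, action; src-port is left out), skips entries that lack an action, falls back to default-action, and flags entries that an earlier, broader entry makes unreachable. The prefixes, ports and packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example, not 7210 SAS code: a model of how the text says a
# management-access-filter is evaluated (first active match wins, an entry
# without an action is inactive, default-action covers the rest), plus a
# check for entries that an earlier, broader entry makes unreachable.
# Field names mirror the CLI keywords; the sample prefixes, ports and
# packets below are constructed for this illustration.


@dataclass
class Entry:
    entry_id: int
    src_ip: Optional[str] = None     # prefix such as "10.0.0.0/24"; None matches any source
    protocol: Optional[int] = None   # IP protocol number; None matches any
    dst_port: Optional[int] = None   # destination port; None matches any
    action: Optional[str] = None     # permit | deny | deny-host-unreachable; None = incomplete


@dataclass
class Packet:
    src_ip: str
    protocol: int
    dst_port: int


@dataclass
class ManagementAccessFilter:
    default_action: str = "deny"
    entries: List[Entry] = field(default_factory=list)

    def active_entries(self) -> List[Entry]:
        # Entries without an action keyword are incomplete and never consulted.
        return sorted((e for e in self.entries if e.action), key=lambda e: e.entry_id)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, entry-id) of the first matching entry, or
        (default-action, None) when nothing matches."""
        src = ipaddress.ip_address(pkt.src_ip)
        for e in self.active_entries():
            if e.src_ip is not None and src not in ipaddress.ip_network(e.src_ip, strict=False):
                continue
            if e.protocol is not None and e.protocol != pkt.protocol:
                continue
            if e.dst_port is not None and e.dst_port != pkt.dst_port:
                continue
            return e.action, e.entry_id
        return self.default_action, None

    def unreachable_entries(self) -> List[Tuple[int, int]]:
        """(entry-id, shadowing entry-id) pairs: the later entry can never be
        hit because an earlier entry already matches everything it would,
        i.e. the list is not ordered from most to least explicit."""
        act = self.active_entries()
        found = []
        for i, later in enumerate(act):
            for earlier in act[:i]:
                if _covers(earlier, later):
                    found.append((later.entry_id, earlier.entry_id))
                    break
        return found


def _covers(a: Entry, b: Entry) -> bool:
    """True if every packet matching b also matches a."""
    if a.src_ip is not None:
        if b.src_ip is None:
            return False
        a_net = ipaddress.ip_network(a.src_ip, strict=False)
        b_net = ipaddress.ip_network(b.src_ip, strict=False)
        if not b_net.subnet_of(a_net):
            return False
    if a.protocol is not None and a.protocol != b.protocol:
        return False
    if a.dst_port is not None and a.dst_port != b.dst_port:
        return False
    return True


def example_filter() -> ManagementAccessFilter:
    """SSH from the NOC prefix, SNMP from one poller, everything else denied.
    Entry 30 has no action and is therefore inactive."""
    return ManagementAccessFilter("deny", [
        Entry(10, src_ip="10.0.0.0/24", protocol=6, dst_port=22, action="permit"),
        Entry(20, src_ip="10.0.1.5/32", protocol=17, dst_port=161, action="permit"),
        Entry(30, src_ip="10.0.0.0/8"),   # incomplete: no action keyword
    ])


def misordered_filter() -> ManagementAccessFilter:
    """The broad permit in entry 10 is evaluated first, so the Telnet deny
    in entry 20 can never fire."""
    return ManagementAccessFilter("deny", [
        Entry(10, src_ip="10.0.0.0/16", action="permit"),
        Entry(20, src_ip="10.0.5.0/24", protocol=6, dst_port=23, action="deny"),
    ])
```

Running the misordered filter shows the failure mode the text warns about: a 10.0.0.0/16 permit at entry 10 means the Telnet deny at entry 20 never fires, and unreachable_entries() reports the pair; the fix is to place the specific deny ahead of the broad permit, which is what the renum command is for.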

2.9.3.2. Configuring Password Management Parameters

Password management parameters consist of aging, the authentication order and authentication methods, password length and complexity, and the number of attempts a user may make to enter a password before being locked out.

Depending on your authentication requirements, password parameters are configured locally.

Use the following syntax to configure password support.

CLI Syntax:
config>system>security
password
admin-password password [hash|hash2]
aging days
attempts count [time minutes1] [lockout minutes2]
authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
complexity [numeric] [special-character] [mixed-case]
health-check
minimum-length value

The following is a sample password configuration output.

A:ALA-1>config>system>security# info
----------------------------------------------
password
authentication-order radius tacplus local
aging 365
minimum-length 8
attempts 5 time 5 lockout 20
exit
----------------------------------------------
A:ALA-1>config>system>security#

2.9.3.3. Configuring Profiles

Profiles are used to deny or permit access to a hierarchical branch or to specific commands. Profiles are referenced in a user configuration. A maximum of sixteen user profiles can be defined. A user can participate in up to sixteen profiles. Depending on the authorization requirements, profiles are assigned locally or by the RADIUS server (through VSAs).

Use the following syntax to configure user profiles.

CLI Syntax:
config>system>security
profile user-profile-name
default-action {deny-all|permit-all|none}
renum old-entry-number new-entry-number
entry entry-id
description description-string
match command-string
action {permit|deny}

The following is sample user profile output.

A:ALA-1>config>system>security# info
----------------------------------------------
...
            profile "ghost"
                default-action permit-all
                entry 1
                    match "configure"
                    action permit
                exit
                entry 2
                    match "show"
                exit
                entry 3
                    match "exit"
                exit
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#
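Added example in Python, not 7210 SAS code: how a command is authorized against a user's member profiles, using the "default" profile printed later on this page and a constructed "ops" profile. The ordering of entries 60 and 70 in the default profile (deny "show config" before permit "show") is the point: it only works because the first matching entry wins. The assumptions this model makes beyond what the page states are listed in the comment at the top of the block.

```python
from typing import Dict, List, Optional, Tuple

# Added example, not 7210 SAS code: a model of command authorization with
# user profiles as this section describes them. The "default" profile is
# the one printed on this page; the "ops" profile is constructed.
# Assumed here, not stated on the page: entries are tried in ascending
# order; a match string matches any command whose leading tokens equal it;
# when no entry matches, default-action permit-all or deny-all decides,
# while none hands the command to the user's next member profile; a
# command that no profile decides is denied.

Profile = Dict[str, object]   # {"default_action": str, "entries": [(id, match, action)]}

PROFILES: Dict[str, Profile] = {
    "default": {
        "default_action": "none",
        "entries": [
            (10, "exec", "permit"), (20, "exit", "permit"), (30, "help", "permit"),
            (40, "logout", "permit"), (50, "password", "permit"),
            (60, "show config", "deny"),   # must precede the broader "show" entry
            (70, "show", "permit"), (80, "enable-admin", "permit"),
        ],
    },
    "ops": {
        "default_action": "deny-all",
        "entries": [(1, "configure service", "permit"), (2, "show", "permit")],
    },
}


def _matches(match: str, command: str) -> bool:
    """Token-prefix match: "show config" matches "show config ..." only."""
    m, c = match.split(), command.split()
    return c[: len(m)] == m


def evaluate_profile(profile: Profile, command: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (action, entry-id) from the first matching entry, else the
    profile's default-action; (None, None) means default-action none."""
    for entry_id, match, action in sorted(profile["entries"]):
        if _matches(match, command):
            return action, entry_id
    da = profile["default_action"]
    if da == "permit-all":
        return "permit", None
    if da == "deny-all":
        return "deny", None
    return None, None


def authorize(command: str, member_profiles: List[str],
              profiles: Dict[str, Profile] = PROFILES) -> Tuple[str, Optional[str], Optional[int]]:
    """Walk the user's member profiles in order and return
    (permit|deny, deciding profile or None, deciding entry or None)."""
    for name in member_profiles:
        action, entry_id = evaluate_profile(profiles[name], command)
        if action is not None:
            return action, name, entry_id
    return "deny", None, None   # nothing decided: fail closed
```

With only the default profile, "show config" is denied by entry 60 while "show router" is permitted by entry 70; a user who is also a member of "ops" may enter "configure service ..." but not "configure system ...", because ops falls through to deny-all.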

2.9.3.4. Configuring Users

Configure access parameters for individual users. For each user, define the login name and, optionally, information that identifies the user. Use the following syntax to configure users. Of the SNMPv3 options shown, sha is preferable to md5 for authentication, and privacy none leaves SNMP traffic unencrypted.

CLI Syntax:
config>system>security
user-template template-name
user user-name
access [ftp] [snmp] [console]
console
cannot-change-password
login-exec url-prefix:source-url
member user-profile-name [user-profile-name...(up to 8 max)]
new-password-at-login
home-directory url-prefix [directory][directory/directory ..]
password [password] [hash|hash2]
restricted-to-home
snmp
authentication {[none]|[[hash] {md5 key-1|sha key-1} privacy {none|des-key key-2}]}
group group-name

The following is a sample user configuration output.

A:ALA-1>config>system>security# info
----------------------------------------------
...
            user "49ers"
                password "qQbnuzLd7H/VxGdUqdh7bE" hash2
                access console ftp snmp
                restricted-to-home
                console
                    member "default"
                    member "ghost"
                exit
            exit
...
--------------------------------------------
A:ALA-1>config>system>security#

2.9.3.5. Configuring Keychains

The following is a sample keychain configuration output.

A:ALA-1>config>system>security# info
----------------------------------------------
...
            keychain "abc"
                direction
                    bi
                        entry 1 key "ZcvSElJzJx/wBZ9biCtOVQJ9YZQvVU.S" hash2 alg
orithm aes-128-cmac-96
                            begin-time 2006/12/18 22:55:20
                        exit
                    exit
                exit
            exit
            keychain "baSASd"
                direction
                    uni
                        receive
                            entry 1 key "Ee7xdKlYO2DOm7v3IJv/84LIu96R2fZh" hash2
 algorithm aes-128-cmac-96
                                tolerance forever
                            exit
                        exit
                    exit
                exit
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

2.9.3.6. Copying and Overwriting Users and Profiles

You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified or an error occurs if the destination profile or username already exists.

2.9.3.6.1. User

Use the following syntax to configure copied users.

CLI Syntax:
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example:
config>system>security# copy user testuser to testuserA
MINOR: CLI User "testuserA" already exists - use overwrite flag.
config>system>security#
config>system>security# copy user testuser to testuserA overwrite
config>system>security#

The following is a sample copied user configuration output.

A:ALA-12>config>system>security# info
----------------------------------------------
...
            user "testuser"
                password "F6XjryaATzM" hash
                access snmp
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
none
                    group "testgroup"
                exit
            exit
            user "testuserA"
                password "" hash2
                access snmp
                console
                    new-password-at-login
                exit
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
 none
                    group "testgroup"
                exit
            exit
...
----------------------------------------------
A:ALA-12>config>system>security#

The cannot-change-password flag is not replicated when a copy user command is performed. A new-password-at-login flag is created instead.

A:ALA-12>config>system>security>user# info
----------------------------------------------
password "F6XjryaATzM" hash
access snmp
console
cannot-change-password 
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
group "testgroup"
exit
----------------------------------------------
A:ALA-12>config>system>security>user# exit
A:ALA-12>config>system>security# user testuserA
A:ALA-12>config>system>security>user# info
----------------------------------------------
password "" hash2
access snmp
console
new-password-at-login
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
group "testgroup"
exit
----------------------------------------------
A:ALA-12>config>system>security>user#

2.9.3.6.2. Profile

CLI Syntax:
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example:
config>system>security# copy profile default to testuser

The following is a sample copied profile output.

A:ALA-49>config>system>security# info detail
----------------------------------------------
...
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "testuser"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "administrative"
                default-action permit-all
            exit
...
----------------------------------------------
A:ALA-49>config>system>security#

2.9.3.7. Enabling SSH

Use the ssh command to configure the SSH server for SSH1, SSH2 or both. The default is SSH2 (SSH version 2). Change the version only while the SSH server is shut down: a change made while the server is running takes effect only after the server is disabled and re-enabled. SSH version 1 has well-known protocol weaknesses, so leave the server at version 2 unless a legacy client forces otherwise.

CLI Syntax:
config>system>security
ssh
preserve-key
no server-shutdown
version ssh-version

The following sample SSH server configuration output enables both SSH1 and SSH2 (version 1-2) and keeps the server host key across reboots (preserve-key).

A:sim1>config>system>security>ssh# info
----------------------------------------------
                preserve-key
                version 1-2
----------------------------------------------
A:sim1>config>system>security>ssh# 
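The defaults shown in Security Configurations, the password parameters, and the SSH version setting are the settings an auditor checks first. Added example in Python, not code from the 7210 SAS documentation: a parser for the indented info output and a set of checks run over it, applied to two constructed samples, one built from the weak values shown on this page (telnet-server on, minimum-length 6, no aging, an admin password in hash form, SNMPv2c write access, SSH version 1-2, RADIUS functions configured while RADIUS is shut down) and one hardened. The threshold and the policy behind each finding are the example's own assumptions.

```python
import re

# Added example for this page, not code from the 7210 SAS documentation: an
# auditor for the text that "config>system>security# info" prints. Nesting is
# recovered from indentation (the CLI indents each block and closes it with
# "exit"). Both samples are constructed from values shown on this page; the
# threshold and the policy behind each finding are this example's assumptions.

MIN_PASSWORD_LENGTH = 8   # assumed local policy, not a platform requirement

WEAK_INFO = """\
    telnet-server
    password
        no aging
        minimum-length 6
    exit
    user "admin"
        password "./3kQWERTYn0Q6w" hash
    exit
    snmp
        access group snmp-rw security-model snmpv2c security-level no-auth-no-privacy read no-security write no-security notify no-security
    exit
    ssh
        version 1-2
    exit
    radius
        shutdown
        authorization
        accounting
        server 1 address 10.10.10.103 secret "test1"
    exit
"""

HARDENED_INFO = """\
    no telnet-server
    password
        aging 90
        minimum-length 12
    exit
    user "admin"
        password "qQbnuzLd7H/VxGdUqdh7bE" hash2
    exit
    ssh
        version 2
    exit
    radius
        authorization
        accounting
        server 1 address 10.10.10.103 secret "test1"
    exit
"""


def parse_info(text):
    """Yield (path, line): path is the list of enclosing block headers."""
    stack = []  # (indent, block header)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        while stack and stack[-1][0] >= indent:  # left one or more blocks
            stack.pop()
        if line == "exit":
            continue
        yield [hdr for _, hdr in stack], line
        stack.append((indent, line))


def audit(text):
    """Return the list of findings (strings) for weak management-security settings."""
    findings = []
    aaa = {}  # 'radius' / 'tacplus' -> keywords seen, for the cross-line check
    for path, line in parse_info(text):
        top = path[0] if path else None
        if not path and line == "telnet-server":
            findings.append("telnet-server enabled: management sessions are cleartext")
        if path == ["ssh"]:
            m = re.fullmatch(r"version (\S+)", line)
            if m and "1" in m.group(1).split("-"):
                findings.append("SSH version %s admits protocol version 1; use version 2" % m.group(1))
        if path == ["password"]:
            m = re.fullmatch(r"minimum-length (\d+)", line)
            if m and int(m.group(1)) < MIN_PASSWORD_LENGTH:
                findings.append("password minimum-length %s is below policy minimum %d" % (m.group(1), MIN_PASSWORD_LENGTH))
            if line == "no aging":
                findings.append("password aging disabled: local passwords never expire")
        if top and top.startswith("user ") and re.fullmatch(r'password "[^"]*" hash', line):
            findings.append("%s: password stored in the older hash form rather than hash2" % top)
        if path == ["snmp"]:
            m = re.match(r"access group (\S+) security-model (snmpv1|snmpv2c) .*\bwrite\b", line)
            if m:
                findings.append("SNMP group %s grants write access over %s, where the community string is the only secret" % (m.group(1), m.group(2)))
        if path in (["radius"], ["tacplus"]):
            aaa.setdefault(path[0], set()).add(line.split()[0])
    for name, kws in aaa.items():
        if "shutdown" in kws and kws & {"authorization", "accounting"}:
            findings.append("%s is shut down while authorization/accounting are configured: neither takes effect until 'no shutdown'" % name)
    return findings
```

The SNMP check flags only v1/v2c groups with write access; read-only community access still exposes device state and may deserve a finding under a stricter policy. The RADIUS/TACACS+ check catches the state shown in the RADIUS accounting sample later on this page, where the radius context is still shut down.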
 

2.9.4. RADIUS Configurations

2.9.4.1. Configuring RADIUS Authentication

RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are radius and server server-index address ip-address secret key.

The system IP address must be configured in order for the RADIUS client to work. See “Configuring a System Interface” in the 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Router Configuration Guide.

The other commands are optional. The server command adds a RADIUS server and configures the RADIUS server’s IP address, index, and key values. The index determines the sequence in which the servers are queried for authentication requests.

On the local router, use the following syntax to configure RADIUS authentication.

CLI Syntax:
config>system>security
radius
port port
retry count
server server-index address ip-address secret key
timeout seconds
no shutdown

The following is a sample RADIUS authentication configuration output.

A:ALA-1>config>system>security# info
----------------------------------------------
...
            radius
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

2.9.4.2. Configuring RADIUS Authorization

In order for RADIUS authorization to function, RADIUS authentication must be enabled first. See Configuring RADIUS Authentication.

In addition to the local configuration requirements, VSAs must be configured on the RADIUS server. See Vendor-Specific Attributes (VSAs).

On the local router, use the following syntax to configure RADIUS authorization.

CLI Syntax:
config>system>security
radius
authorization

The following is a sample RADIUS authorization configuration output.

A:ALA-1>config>system>security# info
----------------------------------------------
...
            radius
                authorization
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

2.9.4.3. Configuring RADIUS Accounting

On the local router, use the following syntax to configure RADIUS accounting:

CLI Syntax:
config>system>security
radius
accounting

The following is a sample RADIUS accounting configuration output. Note that in this sample the radius context is still administratively shut down (shutdown); neither accounting nor authorization takes effect until no shutdown is issued.

A:ALA-1>config>system>security# info
----------------------------------------------
...
           radius
               shutdown
               authorization
               accounting
               retry 5
               timeout 5
               server 1 address 10.10.10.103 secret "test1"
               server 2 address 10.10.0.1 secret "test2"
               server 3 address 10.10.0.2 secret "test3"
               server 4 address 10.10.0.3 secret "test4"
           exit
...
----------------------------------------------
A:ALA-1>config>system>security#

2.9.4.4. Configuring 802.1x RADIUS Policies

Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured per Ethernet port. Refer to the 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Interface Configuration Guide.

To configure generic parameters for 802.1x authentication, enter the following syntax.

CLI Syntax:
config>system>security
dot1x
radius-plcy policy-name
server server-index address ip-address secret key [port port]
source-address ip-address
no shutdown

The following is a sample 802.1x configuration output.

A:ALA-1>config>system>security# info
----------------------------------------------
            dot1x
                radius-plcy "dot1x_plcy" create
                    server 1 address 10.1.1.1 port 65535 secret "a"
                    server 2 address 10.1.1.2 port 6555 secret "a"
                    source-address 10.1.1.255
                    no shutdown
                exit
            exit
...
----------------------------------------------

2.9.5. TACACS+ Configurations

2.9.5.1. Enabling TACACS+ Authentication

To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network.

Use the following syntax to configure TACACS+ authentication.

CLI Syntax:
config>system>security
tacplus
server server-index address ip-address secret key
timeout seconds
no shutdown

The following is a sample TACACS+ authentication configuration output.

A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#

2.9.5.2. Configuring TACACS+ Authorization

In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ Authentication.

On the local router, use the following syntax to configure TACACS+ authorization.

CLI Syntax:
config>system>security
tacplus
authorization
no shutdown

The following is a sample TACACS+ authorization configuration output.

A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus# 

2.9.5.3. Configuring TACACS+ Accounting

On the local router, use the following syntax to configure TACACS+ accounting.

CLI Syntax:
config>system>security
tacplus
accounting

The following is a sample TACACS+ accounting configuration output.

A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                accounting
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#

2.9.6. Configuring Login Controls

Configure login control parameters for console, Telnet, and FTP sessions.

Use the following syntax to configure login controls.

CLI Syntax:
config>system
login-control
exponential-backoff
ftp
inbound-max-sessions value
telnet
inbound-max-sessions value
outbound-max-sessions value
idle-timeout {minutes | disable}
pre-login-message login-text-string [name]
login-banner
motd {url url-prefix: source-url|text motd-text-string}

The following is a sample login control configuration output.

A:ALA-1>config>system# info
----------------------------------------------
...
        login-control
            ftp
                inbound-max-sessions 5
            exit
            telnet
                inbound-max-sessions 7
                outbound-max-sessions 2
            exit
            idle-timeout 1440
            pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited."
            motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"
            no exponential-backoff
        exit
...
----------------------------------------------
A:ALA-1>config>system#