3.6. Configuring Security with CLI

This section provides information to configure security using the command line interface. Topics in this section include:

  1. Setting Up Security Attributes
  2. Security Configurations
  3. Security Configuration Procedures

3.7. Setting Up Security Attributes

Table 4 depicts the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server.

Table 4:  Security Configuration Requirements 

Authentication

Authorization

Accounting

Local

Local

None

RADIUS

Local and RADIUS

RADIUS

TACACS+

Local and TACACS+

TACACS+

3.7.1. Configuring Authentication

Refer to the following sections to configure authentication:

  1. Local authentication
    1. Configuring Password Management Parameters
    2. Configuring Profiles
    3. Configuring Users
  2. RADIUS authentication (with local authorization)
    By default, authentication is enabled locally. Perform the following tasks to configure security on each participating 7705 SAR router:
    1. Configuring Profiles
    2. Configuring RADIUS Authentication
    3. Configuring Users
  3. RADIUS authentication (with RADIUS authorization)
    To implement RADIUS authentication with authorization, perform the following tasks on each participating 7705 SAR router:
    1. Configuring RADIUS Authentication
    2. Configuring RADIUS Authorization
  4. TACACS+ authentication
    To implement TACACS+ authentication, perform the following tasks on each participating 7705 SAR router:
    1. Configuring Profiles
    2. Configuring Users
    3. Enabling TACACS+ Authentication

3.7.2. Configuring Authorization

Refer to the following sections to configure authorization:

  1. Local authorization
    For local authorization, configure these tasks on each participating 7705 SAR router:
    1. Configuring Profiles
    2. Configuring Users
  2. RADIUS authorization with authentication
    For RADIUS authorization with authentication, configure these tasks on each participating 7705 SAR router:
    1. Configuring RADIUS Authorization
      For RADIUS authorization, VSAs must be configured on the RADIUS server. See Vendor-Specific Attributes (VSAs).
    2. Configuring RADIUS Authentication
    3. Configuring Profiles
  3. TACACS+ authorization (only)
    For TACACS+ authorization without authentication, configure these tasks on each participating 7705 SAR router:
    1. Configuring TACACS+ Authorization
  4. TACACS+ authorization
    For TACACS+ authorization with authentication, configure these tasks on each participating 7705 SAR router:
    1. Enabling TACACS+ Authentication
    2. Configuring TACACS+ Authorization

3.7.3. Configuring Accounting

Refer to the following sections to configure accounting.

  1. Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI.
  2. Configuring RADIUS Accounting
  3. Configuring TACACS+ Accounting

3.8. Security Configurations

This section provides information on configuring security and examples of configuration tasks.

To implement security features, configure the following components:

  1. management access filters
  2. CPM (CSM) filters
  3. profiles
  4. user access parameters
  5. password management parameters
  6. RADIUS and/or TACACS+
    1. enable one to five RADIUS and/or TACACS+ servers
    2. configure RADIUS and/or TACACS+ parameters

The following example displays default values for security parameters.

ALU-1>config>system>security# info detail
----------------------------------------------
  management-access-filter
        ip-filter
        default-action permit
            entry 1
                 action permit
                 src-ip 10.10.10.xx/32
            exit
            entry 2
                 action permit
                 src-ip 10.10.0.xx/32
            exit
        exit
  cpm-filter
        ip-filter
            shutdown
            entry 2 create
                 action drop
            exit
        exit
  profile "default"
        default-action none
        entry 10
            no description
            match "exec"
            action permit
        exit
...
        entry 70
            no description
            match "show"
            action permit
        exit
  exit
  profile "administrative"
        default-action permit-all
        entry 10
            no description
            match "configure system security"
            action permit
        exit
...
  password
        authentication-order radius tacplus local
        no aging
        minimum-length 6
        attempts 3 time 5 lockout 10
        complexity
  exit
  user "admin"
        password "$2y$10$TQrZlpBDra86.qoexZUzQeBXDY1FcdDhGWdD9lLxMuFyPVSm0OGy6"
        access console
  no home-directory
  no restricted-to-home
        console
            no login-exec
            no cannot-change-password
            no new-password-at-login
            member "administrative"
        exit
  exit
  snmp
        view iso subtree 1
            mask ff type included
        exit
...    
access group snmp-ro security-model snmpv1 security-level no-auth-no-
privacy read no-security notify no-security
access group snmp-ro security-model snmpv2c security-level no-auth-no-
privacy read no-security notify no-security
access group snmp-rw security-model snmpv1 security-level no-auth-no-
privacy read no-security write no-security notify no-security
access group snmp-rw security-model snmpv2c security-level no-auth-no-
privacy read no-security write no-security notify no-security
access group snmp-rwa security-model snmpv1 security-level no-auth-no-
privacy read iso write iso notify iso
access group snmp-rwa security-model snmpv2c security-level no auth-no-
privacy read iso write iso notify iso
access group snmp-trap security-model snmpv1 security-level no-auth-no-
privacy notify iso
access group snmp-trap security-model snmpv2c security-level no-auth-no-
privacy notify iso
access group cli-readonly security-model snmpv2c security-level
no-auth-no-privacy read iso notify iso
access group cli-readwrite security-model snmpv2c security-level
no-auth-no-privacy read iso write iso notify iso
       attempts 20 time 5 lockout 10
    exit
    no ssh
    exit

3.9. Security Configuration Procedures

  1. Configuring IPv4 or IPv6 Management Access Filters
  2. Configuring IPv4 or IPv6 CPM (CSM) Filters
  3. Configuring Password Management Parameters
  4. IPSec Certificate Parameters
  5. Configuring Profiles
  6. Configuring Users
  7. Copying and Overwriting Users and Profiles
  8. Configuring SSH
  9. Configuring SSH Cipher Lists
  10. Configuring SSH KEX Algorithm Lists
  11. Configuring SSH MAC Algorithm Lists
  12. Configuring Login Controls
  13. RADIUS Configurations
  14. TACACS+ Configurations
  15. Configuring Keychains

3.9.1. Configuring IPv4 or IPv6 Management Access Filters

Creating and implementing management access filters is optional. Management access filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all ports. The filters can be used to restrict management of the 7705 SAR router by other nodes outside either specific (sub)networks or through designated ports. By default, there are no filters associated with security options. The management access filter and entries must be explicitly created on each router.

Management access filters apply to the management Ethernet port, which supports both IPv4 and IPv6 filters.

The 7705 SAR exits the filter when the first match is found and executes the actions according to the specified action. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action to be considered complete. Entries without the action keyword are considered incomplete and will be rendered inactive.

Use the following CLI commands to configure an IPv4 management access filter.

CLI Syntax:
config>system
security
management-access-filter
ip-filter
default-action {permit | deny | deny-host-unreachable}
entry entry-id
action {permit | deny | deny-host-unreachable}
description description-string
dst-port port [mask]
log
protocol protocol-id
router router-instance
src-ip {ip-prefix[/mask][netmask] | ip-prefix-list ip-prefix-list-name}
src-port {port-id | cpm}
renum old-entry-number new-entry-number
no shutdown

Use the following CLI commands to configure an IPv6 management access filter.

CLI Syntax:
config>system
security
management-access-filter
ipv6-filter
default-action {permit | deny | deny-host-unreachable}
entry entry-id
action {permit | deny | deny-host-unreachable}
description description-string
dst-port port [mask]
flow-label value
log
next-header next-header
router router-instance
src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
src-port {port-id | cpm}
renum old-entry-number new-entry-number
no shutdown

The following example displays an IPv4 management access filter configuration. This example only accepts packets matching the criteria specified in entries 1 and 2. Non-matching packets are denied.

Example:
config>system>security# management-access-filter
config>system>security>mgmt-access-filter# ip-filter default-action deny
config>system>security>mgmt-access-filter# ip-filter entry 1
config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.104/32
config>system>security>mgmt-access-filter>ip-filter>entry# action permit
config>system>security>mgmt-access-filter>ip-filter>entry# exit
config>system>security>mgmt-access-filter# entry 2
config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.1/32
config>system>security>mgmt-access-filter>ip-filter>entry# action permit
config>system>security>mgmt-access-filter>ip-filter>entry# exit

The following example displays the management access filter configuration.

ALU-1>config>system>security# info
----------------------------------------------
            management-access-filter
                ip-filter
                default-action deny
                entry 1
                    action permit
                    src-ip 10.10.10.104/32
                exit
                entry 2
                    action permit
                    src-ip 10.10.0.1/32
                exit
            exit
----------------------------------------------
ALU-1>config>system>security#
Note:

If configuring management access filters via a Telnet session, ensure that data from the host IP address is permitted before setting the default action to deny; otherwise, the session will be dropped. To do this, set the default action to permit, configure an entry with the src-ip address of the host as a permitted match criterion, then set the default action back to deny. Alternatively, use a direct console connection to the node for configuration; in this case, the order of filter configuration does not matter.

3.9.2. Configuring IPv4 or IPv6 CPM (CSM) Filters

CPM filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all network and access ports, but not to packets from a management Ethernet port. CPM packet filtering is performed by network processor hardware using no resources on the main CPUs.

Use the following CLI commands to configure an IPv4 CPM filter.

CLI Syntax:
config>system>security
cpm-filter
default-action {accept | drop}
ip-filter
entry entry-id [create]
action {accept | drop}
description description-string
log log-id
match [protocol protocol-id]
dscp dscp-name
dst-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
dst-port [tcp/udp port-number] [mask]
fragment {true | false}
icmp-code icmp-code
icmp-type icmp-type
ip-option ip-option-value [ip-option-mask]
multiple-option {true | false}
option-present {true | false}
src-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
src-port src-port-number [mask]
tcp-ack {true | false}
tcp-syn {true | false}
   renum old-entry-id new-entry-id

Use the following CLI commands to configure an IPv6 CPM filter.

CLI Syntax:
config>system>security
cpm-filter
default-action {accept | drop}
ipv6-filter
entry entry-id [create]
action {accept | drop}
description description-string
log log-id
match [next-header next-header]
dscp dscp-name
dst-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
dst-port [tcp/udp port-number] [mask]
icmp-code icmp-code
icmp-type icmp-type
src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
src-port src-port-number [mask]
tcp-ack {true | false}
tcp-syn {true | false}
    renum old-entry-id new-entry-id

The following displays an IPv4 CPM filter configuration example:

A:ALU-49>config>sys>sec>cpm>ip-filter# info
----------------------------------------------
                    entry 10 create
                        action drop
                        description "CPM-Filter 10.4.101.2 #101"
                        log 101
                    exit
                    entry 20 create
                        no action
                        description "CPM-Filter 10.4.101.2 #201"
                        log 101
                    exit
                    no shutdown
----------------------------------------------
A:ALU-49>config>sys>sec>cpm>ip-filter#

3.9.3. Configuring Password Management Parameters

Configuring password management parameters consists of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts a user can make to enter a password.

Depending on the authentication requirements, password parameters are configured locally or on the RADIUS or TACACS+ server.

Use the following CLI commands to configure password support:

CLI Syntax:
config>system>security
password
admin-password password [hash | hash2]
aging days
attempts count [time minutes1] [lockout minutes2]
authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
complexity [numeric] [special-character] [mixed-case]
health-check
minimum-length value

The following displays an example of the password command usage.

Example:
config>system>security#password
security>password# aging 365
security>password# minimum-length 8
security>password# attempts 5 time 5 lockout 20
security>password# authentication-order radius tacplus
local

The following example displays the password configuration:

ALU-1>config>system>security# info
----------------------------------------------
    password
    authentication-order radius tacplus local
        aging 365
        minimum-length 8
        attempts 5 time 5 lockout 20
    exit
----------------------------------------------
ALU-1>config>system>security#

3.9.4. IPSec Certificate Parameters

The following is an example of importing a certificate from a pem format:

*A:ALU-A# admin certificate import type cert input cf3:/pre-import/
R10cert.pem output R1-0cert.der format pem

The following is an example of exporting a certificate to a pem format:

*A:ALU-A#  admin certificate export type cert input R1-0cert.der output cf3:/
R10cert.pem format pem

The following example displays a profile output:

*A:ALU-A>config>system>security>pki# info
----------------------------------------------
            ca-profile "Root" create
                description "Root CA"
                cert-file "R1-0cert.der"
                crl-file "R1-0crl.der"
                no shutdown
            exit
----------------------------------------------
*A:ALU-A>config>system>security>pki#

The following example displays an ike-policy with cert-auth output:

*A:ALU-A>config>ipsec>ike-policy# info
----------------------------------------------
            auth-method cert-auth
            own-auth-method psk      
----------------------------------------------

The following example displays a static LAN-to-LAN configuration using cert-auth:

         interface "VPRN1" tunnel create
             sap tunnel-1.private:1 create
                  ipsec-tunnel "Sanity-1" create
                      security-policy 1
                      local-gateway-address 192.168.0.0 peer 192.168.0.1 delivery-
                       service 300
                      dynamic-keying
                         ike-policy 1
                         pre-shared-key "Sanity-1"
                         transform 1
                         cert
                           trust-anchor-profile "trustAnchorProfile_1"
                           cert-profile "certProfile_4"
                        exit
                     exit
                  no shutdown
              exit

3.9.5. Configuring Profiles

Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of 16 user profiles can be defined. A user can participate in up to 16 profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.

Use the following CLI commands to configure user profiles:

CLI Syntax:
config>system>security
profile user-profile-name
default-action {deny-all | permit-all | none}
renum old-entry-number new-entry-number
entry entry-id
description description-string
match command-string
action {permit | deny}

The following displays an example of the user profile command usage.

Example:
config>system>security# profile ghost
config>system>security>profile$ default-action permit-all
config>system>security>profile# entry 1
config>system>security>profile>entry$ action permit
config>system>security>profile>entry# match "configure"
config>system>security>profile>entry# exit
config>system>security>profile# entry 2
config>system>security>profile>entry$ match "show"
config>system>security>profile>entry# exit
config>system>security>profile# entry 3
config>system>security>profile>entry$ match "exit"

The following example displays the user profile output:

ALU-1>config>system>security# info
----------------------------------------------
...
            profile "ghost"
                default-action permit-all
                entry 1
                    match "configure"
                    action permit
                exit
                entry 2
                    match "show"
                exit
                entry 3
                    match "exit"
                exit

3.9.6. Configuring Users

Access parameters are configured for individual users. For each user, the login name and, optionally, information that identifies the user is defined. Use the following CLI syntax to configure access parameters for users. The snmp authentication des-key keyword is not available if the 7705 SAR node is running in FIPS-140-2 mode).

CLI Syntax:
config>system>security
user-template template-name
user user-name
access [ftp] [snmp] [console]
console
cannot-change-password
login-exec url-prefix:source-url
member user-profile-name [user-profile-name...(up to 8 max)]
new-password-at-login
home-directory url-prefix [directory] [directory/directory ..]
password [password]
restricted-to-home
snmp
authentication {[none] | [[hash] {md5 key-1 | sha key-1} privacy {none | des-key key-2 | aes-128-cfb-key key-2}]}
group group-name

The following displays an example of the command usage.

Example:
config>system>security
config>system>security# user 49ers
config>system>security>user$ access ftp snmp console
config>system>security>user$ console
config>system>security>user>console# member default ghost
config>system>security>user>console# new-password-at-login
config>system>security>user>console# exit
config>system>security>user# password testuser1
config>system>security>user# restricted-to-home
config>system>security>user# exit

The following example displays the user configuration:

ALU-1>config>system>security# info
----------------------------------------------
...
            user "49ers"
                password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLW
Sa"
                access console ftp snmp
                restricted-to-home
                console
                    member "default"
                    member "ghost"
                exit
            exit
...
--------------------------------------------
ALU-1>config>system>security#

3.9.7. Copying and Overwriting Users and Profiles

You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified; otherwise, an error occurs if the destination profile or user name already exists.

3.9.7.1. Copying a User

CLI Syntax:
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example:
config>system>security# copy user "testuser" to
"testuserA"
MINOR: CLI User "testuserA" already exists - use overwrite flag.
config>system>security#
config>system>security# copy user "testuser" to "testuserA" overwrite
config>system>security#

The following output displays the copied user configurations:

ALU-12>config>system>security# info
----------------------------------------------
...
            user "testuser"
                password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqL 
Sa"
                access snmp
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
 none
                    group "testgroup"
                exit
            exit
            user "testuserA"
                password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLW
Sa"
                access snmp
                console
                    new-password-at-login
                exit
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
 none
                    group "testgroup"
                exit
            exit
...
----------------------------------------------
ALU-12>config>system>security# info
Note:

The cannot-change-password flag is not replicated when a copy user command is performed. A new-password-at-login flag is created instead.

ALU-12>config>system>security>user# info
----------------------------------------------
    password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLWSa"
    access snmp
    console
        cannot-change-password 
    exit
    snmp
        authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
        group "testgroup"
    exit
----------------------------------------------
ALU-12>config>system>security>user# exit
ALU-12>config>system>security# user testuserA
ALU-12>config>system>security>user# info
----------------------------------------------
    password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLWSa"
    access snmp
    console
        new-password-at-login
    exit
    snmp
        authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
        group "testgroup"
    exit
----------------------------------------------
ALU-12>config>system>security>user#

3.9.7.2. Copying a Profile

CLI Syntax:
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example:
config>system>security# copy profile default to testuser

The following output displays the copied profiles:

A:ALU-49>config>system>security# info
----------------------------------------------
...
A:ALU-49>config>system>security# info detail
----------------------------------------------
...
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "testuser"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "administrative"
                default-action permit-all exit
...

3.9.8. Configuring SSH

Use the ssh command to configure the SSH server as SSH1, SSH2 or both. The default is SSH2. This command should only be enabled or disabled when the SSH server is disabled. This setting cannot be changed while the SSH server is running.

CLI Syntax:
config>system>security
ssh
preserve-key
no server-shutdown
version ssh-version
Example:
config>system>security# ssh
config>system>security>ssh# preserve-key
config>system>security>ssh# version 1-2

The following example displays the SSH server configuration as both SSH1 and SSH2 using a host-key:

A:ALU-1>config>system>security>ssh# info
----------------------------------------------
                preserve-key
                version 1-2
----------------------------------------------
A:ALU-1>config>system>security>ssh# 

3.9.9. Configuring SSH Cipher Lists

Use the ssh command to configure SSH1 or SSH2 cipher lists. Client cipher lists are used if the 7705 SAR is acting as an SSH client, and server cipher lists are used if the 7705 SAR is acting as an SSH server.

Note:

If a 7705 SAR node is running in FIPS-140-2 mode:

  1. SSH1 is not supported
  2. for SSH2, the following ciphers are not available: blowfish-cbc, cast128-cbc, arcfour, and rijndael-cbc
CLI Syntax:
config>system>security
ssh
client-cipher-list protocol-version version
cipher index name cipher-name
server-cipher-list protocol-version version
cipher index name cipher-name
Example:
config>system>security# ssh
config>system>security>ssh# client-cipher-list protocol-version 1
config>system>security>ssh>client-cipher# cipher 10 name 3des
config>system>security>ssh>client-cipher# cipher 20 name blowfish
config>system>security>ssh>client-cipher# cipher 30 name des
config>system>security>ssh>client-cipher# exit
config>system>security>ssh# client-cipher-list protocol-version 2
config>system>security>ssh>client-cipher# cipher 2 name aes256-ctr
config>system>security>ssh>client-cipher# cipher 4 name aes128-ctr
config>system>security>ssh>client-cipher# cipher 6 name aes256-ctr
config>system>security>ssh>client-cipher# cipher 10 name aes128-cbc
config>system>security>ssh>client-cipher# cipher 20 name 3des-cbc
config>system>security>ssh>client-cipher# cipher 30 name blowfish-cbc
config>system>security>ssh>client-cipher# cipher 40 name cast128-cbc
config>system>security>ssh>client-cipher# cipher 50 name arcfour
config>system>security>ssh>client-cipher# cipher 60 name aes192-cbc
config>system>security>ssh>client-cipher# cipher 70 name aes256-cbc
config>system>security>ssh>client-cipher# cipher 80 name rijndael-cbc
config>system>security>ssh>client-cipher# exit
config>system>security>ssh# server-cipher-list protocol-version 1
config>system>security>ssh>server-cipher# cipher 10 name 3des
config>system>security>ssh>server-cipher# cipher 20 name blowfish
config>system>security>ssh>server-cipher# exit
config>system>security>ssh# server-cipher-list protocol-version 2
config>system>security>ssh>server-cipher# cipher 2 name aes256-ctr
config>system>security>ssh>server-cipher# cipher 4 name aes192-ctr
config>system>security>ssh>server-cipher# cipher 6 name aes128-ctr
config>system>security>ssh>server-cipher# cipher 10 name aes128-cbc
config>system>security>ssh>server-cipher# cipher 20 name 3des-cbc
config>system>security>ssh>server-cipher# cipher 30 name blowfish-cbc
config>system>security>ssh>server-cipher# cipher 40 name cast128-cbc
config>system>security>ssh>server-cipher# cipher 50 name arcfour
config>system>security>ssh>server-cipher# cipher 60 name aes192-cbc
config>system>security>ssh>server-cipher# cipher 70 name aes256-cbc
config>system>security>ssh>server-cipher# cipher 80 name rijndael-cbc
config>system>security>ssh>server-cipher# exit
config>system>security>ssh# exit

The following example displays both SSH1 and SSH2 client and server cipher list configurations:

A:Sar8 Dut-A>config>system>security>ssh# info detail
----------------------------------------------
                client-cipher-list protocol-version 1
                    cipher 10 name 3des
                    cipher 20 name blowfish
                    cipher 30 name des
                exit
                client-cipher-list protocol-version 2
                    cipher 2 name aes256-ctr
                    cipher 4 name aes192-ctr
                    cipher 6 name aes128-ctr
                    cipher 10 name aes128-cbc
                    cipher 20 name 3des-cbc
                    cipher 30 name blowfish-cbc
                    cipher 40 name cast128-cbc
                    cipher 50 name arcfour
                    cipher 60 name aes192-cbc
                    cipher 70 name aes256-cbc
                    cipher 80 name rijndael-cbc
                exit
                server-cipher-list protocol-version 1
                    cipher 10 name 3des
                    cipher 20 name blowfish
                exit
                server-cipher-list protocol-version 2
                    cipher 2 name aes256-ctr
                    cipher 4 name aes192-ctr
                    cipher 6 name aes128-ctr
                    cipher 10 name aes128-cbc
                    cipher 20 name 3des-cbc
                    cipher 30 name blowfish-cbc
                    cipher 40 name cast128-cbc
                    cipher 50 name arcfour
                    cipher 60 name aes192-cbc
                    cipher 70 name aes256-cbc
                    cipher 80 name rijndael-cbc
                exit
----------------------------------------------
*A:Sar8 Dut-A>config>system>security>ssh#

3.9.10. Configuring SSH KEX Algorithm Lists

Use the ssh command to configure SSH2 client and server KEX algorithm lists. Client KEX algorithm lists are used if the 7705 SAR is acting as an SSH client, and server KEX algorithm lists are used if the 7705 SAR is acting as an SSH server.

Note:

If a 7705 SAR node is running in FIPS-140-2 mode:

  1. SSH1 is not supported
  2. for SSH2, the following KEX algorithm is not available: diffie-hellman-group1-sha1
CLI Syntax:
config>system>security
ssh
client-kex-list
kex index name kex-name
server-kex-list
kex index name kex-name
Example:
config>system>security# ssh
config>system>security>ssh# client-kex-list
config>system>security>ssh>client-kex# kex 200 name diffie-hellman-group16-sha512
config>system>security>ssh>client-kex# kex 210 name diffie-hellman-group14-sha256
config>system>security>ssh>client-kex# kex 215 name diffie-hellman-group14-sha1
config>system>security>ssh>client-kex# kex 220 name diffie-hellman-group-exchange-sha1
config>system>security>ssh>client-kex# kex 225 name diffie-hellman-group1-sha1
config>system>security>ssh>client-kex# exit
config>system>security>ssh# server-kex-list
config>system>security>ssh>server-kex# kex 200 name diffie-hellman-group16-sha512
config>system>security>ssh>server-kex# kex 210 name diffie-hellman-group14-sha256
config>system>security>ssh>server-kex# exit
config>system>security>ssh# exit

The following example displays SSH2 client and server KEX list configurations:

A:Sar8 Dut-A>config>system>security>ssh# info detail
----------------------------------------------
                client-kex-list
                    kex 200 name diffie-hellman-group16-sha512
                    kex 210 name diffie-hellman-group14-sha256
                    kex 215 name diffie-hellman-group14-sha1
                    kex 220 name diffie-hellman-group-exchange-sha1
                    kex 225 name diffie-hellman-group1-sha1
                exit
                server-kex-list
                    kex 200 name diffie-hellman-group16-sha512
                    kex 210 name diffie-hellman-group14-sha256
                    kex 215 name diffie-hellman-group14-sha1
                    kex 220 name diffie-hellman-group-exchange-sha1
                    kex 225 name diffie-hellman-group1-sha1
                exit
----------------------------------------------
*A:Sar8 Dut-A>config>system>security>ssh#

3.9.11. Configuring SSH MAC Algorithm Lists

Use the ssh command to configure SSH2 client and server MAC algorithm lists. Client MAC algorithm lists are used if the 7705 SAR is acting as an SSH client, and server MAC algorithm lists are used if the 7705 SAR is acting as an SSH server.

Note:

If a 7705 SAR node is running in FIPS-140-2 mode:

  1. SSH1 is not supported
  2. for SSH2, the following MAC algorithms are not available: hmac-sha1-96, hmac-md5, hmac-ripemd160, hmac-ripemd160-openssh-com, and hmac-mda5-96
CLI Syntax:
config>system>security
ssh
client-mac-list
mac index name mac-name
server-mac-list
mac index name mac-name
Example:
config>system>security# ssh
config>system>security>ssh# client-mac-list
config>system>security>ssh>client-mac# mac 200 name hmac-sha2-512
config>system>security>ssh>client-mac# mac 210 name hmac-sha2-256
config>system>security>ssh>client-mac# mac 215 name hmac-sha1
config>system>security>ssh>client-mac# mac 220 name hmac-sha1-96
config>system>security>ssh>client-mac# mac 225 name hmac-md5
config>system>security>ssh>client-mac# mac 230 name hmac-ripemd160
config>system>security>ssh>client-mac# mac 235 name hmac-ripemd160-openssh-com
config>system>security>ssh>client-mac# mac 240 name hmac-md5-96
config>system>security>ssh>client-mac# exit
config>system>security>ssh# server-mac-list
config>system>security>ssh>server-mac# mac 200 name hmac-sha2-512
config>system>security>ssh>server-mac# mac 210 name hmac-sha2-256
config>system>security>ssh>server-mac# exit
config>system>security>ssh# exit

The following example displays client and server MAC list configurations:

A:Sar8 Dut-A>config>system>security>ssh# info detail
----------------------------------------------
                client-mac-list
                    mac 200 name hmac-sha2-512
                    mac 210 name hmac-sha2-256
                    mac 215 name hmac-sha1
                    mac 220 name hmac-sha1-96
                    mac 225 name hmac-md5
                    mac 230 name hmac-ripemd160
                    mac 235 name hmac-ripemd160-openssh-com
                    mac 240 name hmac-md5-96
                exit
                server-mac-list
                    mac 200 name hmac-sha2-512
                    mac 210 name hmac-sha2-256
                    mac 215 name hmac-sha1
                    mac 220 name hmac-sha1-96
                    mac 225 name hmac-md5
                    mac 230 name hmac-ripemd160
                    mac 235 name hmac-ripemd160-openssh-com
                    mac 240 name hmac-md5-96
                exit
                exit
----------------------------------------------
*A:Sar8 Dut-A>config>system>security>ssh#

3.9.12. Configuring Login Controls

Use the login-control context to configure parameters for console, FTP, SSH, and Telnet sessions.

CLI Syntax:
config>system
login-control
exponential-backoff
ftp
inbound-max-sessions value
ssh
[no] disable-graceful-shutdown
inbound-max-sessions value
outbound-max-sessions value
ttl-security min-ttl-value
telnet
[no] enable-graceful-shutdown
inbound-max-sessions value
outbound-max-sessions value
ttl-security min-ttl-value
idle-timeout {minutes | disable}
pre-login-message login-text-string [name]
login-banner
motd {url url-prefix:source-url | text motd-text-string}

The following example displays the login control configuration:

Example:
config>system>login-control# ftp inbound-max-sessions 5
config>system>login-control# ssh inbound-max-sessions 12
config>system>login-control# ssh outbound-max-sessions 8
config>system>login-control# ssh ttl-security 100
config>system>login-control# telnet enable-graceful-shutdown
config>system>login-control# telnet inbound-max-sessions 7
config>system>login-control# telnet outbound-max-sessions 2
config>system>login-control# idle-timeout 1440
config>system>login-control# pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited."
config>system>login-control# motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"

The following example displays the login control configuration:

ALU-1>config>system# info
----------------------------------------------
...
       login-control
           ftp
               inbound-max-sessions 5
           exit
           ssh
               no disable-graceful-shutdown
               inbound-max-sessions 12
               outbound-max-sessions 8
               ttl-security  100
           telnet
               enable-graceful-shutdown
               inbound-max-sessions 7
               outbound-max-sessions 2
           exit
           idle-timeout 1440
           pre-login-
message "Property of Service Routing Inc. Unauthorized access prohibited."
           motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"
       exit
     no exponential-backoff
...
----------------------------------------------
ALU-1>config>system#

3.9.13. RADIUS Configurations

  1. Configuring RADIUS Authentication
  2. Configuring RADIUS Authorization
  3. Configuring RADIUS Accounting
  4. Configuring 802.1x RADIUS Policies

3.9.13.1. Configuring RADIUS Authentication

RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are radius and server server-index address ip-address secret key. The server command adds a RADIUS server and configures the RADIUS server’s IP address, index, and key values. The index determines the sequence in which the servers are queried for authentication requests.

Also, the system IP address must be configured in order for the RADIUS client to work. See “Configuring a System Interface” in the 7705 SAR Router Configuration Guide.

The other commands are optional.

On the local router, use the following CLI commands to configure RADIUS authentication:

CLI Syntax:
config>system>security
radius
port port
retry count
server server-index address ip-address secret key [hash1 | hash2]
timeout seconds
no shutdown

The following example displays the CLI syntax usage:

Example:
config>system>security>
security# radius
security# no shutdown
security>radius# server 1 address A:A:A:A:A:A:A:1 secret test11
security>radius# server 2 address 10.10.0.1 secret test2
security>radius# server 3 address 10.10.0.2 secret test3
security>radius# server 4 address 10.10.0.3 secret test4
security>radius# retry 5
security>radius# timeout 5
config>system>security>radius# exit

The following example displays the RADIUS authentication configuration:

ALU-1>config>system>security# info
----------------------------------------------
                retry 5
                timeout 5
                server 1 address A:A:A:A:A:A:A:1 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
...
----------------------------------------
ALU-1>config>system>security#

3.9.13.2. Configuring RADIUS Authorization

In order for RADIUS authorization to function, RADIUS authentication must be enabled first. See Configuring RADIUS Authentication.

In addition to the local configuration requirements, VSAs must be configured on the RADIUS server. See Vendor-Specific Attributes (VSAs).

On the local router, use the following CLI commands to configure RADIUS authorization:

CLI Syntax:
config>system>security
radius
authorization

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# radius
config>system>security>radius# authorization

The following example displays the RADIUS authorization configuration:

ALU-1>config>system>security# info
----------------------------------------------
...
            radius
                authorization
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
            exit
...
----------------------------------------------

3.9.13.3. Configuring RADIUS Accounting

On the local router, use the following CLI commands to configure RADIUS accounting:

CLI Syntax:
config>system>security
radius
accounting

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# radius
config>system>security>radius# accounting

The following example displays the RADIUS accounting configuration:

ALU-1>config>system>security# info
----------------------------------------------
...
           radius
               shutdown
               authorization
               accounting
               retry 5
               timeout 5
               server 1 address 10.10.10.103 secret "test1"
               server 2 address 10.10.0.1 secret "test2"
               server 3 address 10.10.0.2 secret "test3"
               server 4 address 10.10.0.3 secret "test4"
           exit
...
----------------------------------------------
ALU-1>config>system>security#

3.9.13.4. Configuring 802.1x RADIUS Policies

Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured on Ethernet ports. Refer to the 7705 SAR Interface Configuration Guide, “Configuration Command Reference”, for more information on configuring 802.1x parameters on Ethernet ports.

To configure generic parameters for 802.1x authentication, enter the following CLI syntax:

CLI Syntax:
config>system>security
dot1x
radius-plcy name [create]
retry count
server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]
no shutdown
source-address ip-address
timeout seconds
no shutdown

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# dot1x
config>system>security>dot1x# radius-plcy dot1x_plcy
create
config>system>security>dot1x>radius-plcy# server 1 address 10.10.10.1 secret abc auth-port 65000
config>system>security>dot1x>radius-plcy# server 2 address 10.10.10.3 secret xyz auth-port 862
config>system>security>dot1x>radius-plcy# source-address 10.10.10.255

The following example displays an 802.1x configuration:

*A:7705_custDoc>config>system>security>dot1x# info
----------------------------------------------
       radius-plcy "dot1x_plcy" create
           server 1 address 10.10.10.1 auth-port 65000 acct-
port 1813 secret "WDoQz6DJf4.0M5dlpwjHbk" hash2 type authorization
           server 2 address 10.10.10.3 auth-port 862 acct-port 1813 secret
 "WDoQz6DJf4.j1WcCeHZwz." hash2 type authorization
           source-address 10.10.10.255
           shutdown
       exit
...
----------------------------------------------
A:ALU-1>config>system#

3.9.14. TACACS+ Configurations

  1. Enabling TACACS+ Authentication
  2. Configuring TACACS+ Authorization
  3. Configuring TACACS+ Accounting

3.9.14.1. Enabling TACACS+ Authentication

To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network.

Use the following CLI commands to configure TACACS+ authentication:

CLI Syntax:
config>system>security
tacplus
server server-index address ip-address secret key [hash1 | hash2]
timeout seconds
no shutdown

The following example is configured in the config>system context:

Example:
security# tacplus
security>tacplus# server 1 address A:A:A:A:A:A:A:1 secret test1
security>tacplus# server 2 address 10.10.0.6 secret test2
security>tacplus# server 3 address 10.10.0.7 secret test3
security>tacplus# server 4 address 10.10.0.8 secret test4
security>tacplus# server 5 address 10.10.0.9 secret test5
config>system>security>tacplus# timeout 5
config>system>security>tacplus# no shutdown

The following example displays the TACACS+ authentication configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                timeout 5
                server 1 address A:A:A:A:A:A:A:1 secret "h6.TeL7YPohbmhlvz0gob."   
          hash2   
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2

3.9.14.2. Configuring TACACS+ Authorization

In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ Authentication.

On the local router, use the following CLI commands to configure TACACS+ authorization:

CLI Syntax:
config>system>security
tacplus
authorization
no shutdown

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# tacplus
config>system>security>tacplus# authorization
config>system>security>tacplus# no shutdown

The following example displays the TACACS+ authorization configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "h6.TeL7YPohbmhlvz0gob." hash2
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2
----------------------------------------------
ALU-1>config>system>security>tacplus# 

3.9.14.3. Configuring TACACS+ Accounting

On the local router, use the following CLI commands to configure TACACS+ accounting:

CLI Syntax:
config>system>security
tacplus
accounting

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# tacplus
config>system>security>tacplus# accounting

The following example displays the TACACS+ accounting configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                accounting
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "h6.TeL7YPohbmhlvz0gob." hash2
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2
----------------------------------------------
ALU-1>config>system>security>tacplus#

3.9.15. Configuring Keychains

The keychain mechanism allows for the creation of keys used to authenticate protocol communications. Each keychain entry defines the authentication attributes to be used in authenticating protocol messages from remote peers or neighbors; the keychain must include at least one key entry to be valid.

Each key within a keychain must include the following attributes for the authentication of protocol messages:

  1. key identifier
  2. authentication algorithm
  3. authentication key
  4. direction
  5. begin time

Optionally, each key can include an end time and tolerance.

Use the following CLI commands to configure a keychain:

CLI Syntax:
config>system>security
keychain name
description description-string
direction
bi
entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
begin-time [date] [hours-minutes] [UTC]
tolerance {seconds | forever}
uni
receive
entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
begin-time [date] [hours-minutes] [UTC]
tolerance {seconds | forever}
send
entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
begin-time [date] [hours-minutes] [UTC]

The following example displays a keychain configuration:

A:ALU-1>config>system>security># info detail
----------------------------------------------
...
            keychain "ospf-md5"
                description "MD5 keychain for OSPF interfaces"
                tcp-option-number
                    send 254
                    receive 254
                exit
                direction
                    bi
                        entry 0 key "VyScMGuUfEQw9vxb9YWEG8oEeyRxTrGC.aFwWKzlO1E
" hash2 algorithm message-digest
                            no shutdown
                            begin-time 2016/06/01 00:00:00 UTC
                            no option
                        exit
                        entry 1 key "VyScMGuUfEQw9vxb9YWEG6rfIEGa/.sGbxt3BaeWYO.
" hash2 algorithm message-digest
                            no shutdown
                            begin-time 2016/06/09 00:00:00 UTC
                            no option
                            tolerance 600
                        exit
                    exit
                exit
                no shutdown
            exit
            keychain "rsvp-md5"
                description "MD5 keychain for RSVP interfaces"
                tcp-option-number
                    send 254
                    receive 254
                exit
                direction
                    uni
                        send
                            entry 0 key "f4L8216viTz8OMIKEcNfF/0BxU12MaZskrUHlTN
YMwY" hash2 algorithm message-digest
                                no shutdown
                                begin-time 2016/06/01 00:00:00 UTC
                            exit
                            entry 1 key "f4L8216viTz8OMIKEcNfF0VmwDJEUYqX1ob50zL
E0HY" hash2 algorithm message-digest
                                no shutdown
                                begin-time 2016/06/09 00:00:00 UTC
                            exit
                        exit
                        receive
                            entry 0 key "dE.xAjca3DLqssbdJ8zc8vblBwYsvFXL57dvJEu
RQHE" hash2 algorithm message-digest
                                no shutdown
                                begin-time 2016/06/01 00:00:00 UTC
                                tolerance 600
                            exit
                            entry 1 key "dE.xAjca3DLqssbdJ8zc4ty4BxUSFV5xl9ejgfr
YHGG" hash2 algorithm message-digest
                                no shutdown
                                begin-time 2016/06/09 00:00:00 UTC
                                tolerance 600
                        exit
                    exit
                exit
----------------------------------------------
A:ALU-1>config>system>security#

In the above example, two separate keychains are created, “ospf-md5” and “rsvp-md5”, each with two possible keys.

For ospf-md5:

  1. entry 0 is valid starting at midnight (UTC) on 2016/06/01
  2. entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0
  3. there is an overlap (tolerance) period of 600 seconds in which packets with either key (entry 0 or entry 1) will be accepted

For rsvp-md5:

  1. for transmitted packets:
    1. send key entry 0 is valid starting at midnight (UTC) on 2016/06/01
    2. send key entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0
  2. for received packets:
    1. receive key entry 0 is valid starting at midnight (UTC) on 2016/06/01
    2. receive key entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0
    3. there is an overlap (tolerance) period of 600 seconds in which receive packets with either key (entry 0 or entry 1) will be accepted