Security Configurations

This section provides information on configuring security and examples of configuration tasks.

To implement security features, configure the following components:

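The following example displays the default values for security parameters, as shown by the info detail command in the config>system>security context. These are defaults rather than a hardened baseline: in this output the management-access-filter default action is permit, the cpm-filter ip-filter is shut down, the minimum password length is 6, and the SNMP access groups use snmpv1 and snmpv2c at security level no-auth-no-privacy, so review each of these settings against the site's management-plane policy before deployment.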

ALU-1>config>system>security# info detail
----------------------------------------------
  management-access-filter
        ip-filter
        default-action permit
            entry 1
                 action permit
                 src-ip 10.10.10.xx/32
            exit
            entry 2
                 action permit
                 src-ip 10.10.0.xx/32
            exit
        exit
  cpm-filter
        ip-filter
            shutdown
            entry 2 create
                 action drop
            exit
        exit
  profile "default"
        default-action none
        entry 10
            no description
            match "exec"
            action permit
        exit
...
        entry 70
            no description
            match "show"
            action permit
        exit
  exit
  profile "administrative"
        default-action permit-all
        entry 10
            no description
            match "configure system security"
            action permit
        exit
...
  password
        authentication-order radius tacplus local
        no aging
        minimum-length 6
        attempts 3 time 5 lockout 10
        complexity
  exit
  user "admin"
        password "$2y$10$TQrZlpBDra86.qoexZUzQeBXDY1FcdDhGWdD9lLxMuFyPVSm0OGy6"
        access console
  no home-directory
  no restricted-to-home
        console
            no login-exec
            no cannot-change-password
            no new-password-at-login
            member "administrative"
        exit
  exit
  snmp
        view iso subtree 1
            mask ff type included
        exit
...    
access group snmp-ro security-model snmpv1 security-level no-auth-no-
privacy read no-security notify no-security
access group snmp-ro security-model snmpv2c security-level no-auth-no-
privacy read no-security notify no-security
access group snmp-rw security-model snmpv1 security-level no-auth-no-
privacy read no-security write no-security notify no-security
access group snmp-rw security-model snmpv2c security-level no-auth-no-
privacy read no-security write no-security notify no-security
access group snmp-rwa security-model snmpv1 security-level no-auth-no-
privacy read iso write iso notify iso
access group snmp-rwa security-model snmpv2c security-level no-auth-no-
privacy read iso write iso notify iso
access group snmp-trap security-model snmpv1 security-level no-auth-no-
privacy notify iso
access group snmp-trap security-model snmpv2c security-level no-auth-no-
privacy notify iso
access group cli-readonly security-model snmpv2c security-level
no-auth-no-privacy read iso notify iso
access group cli-readwrite security-model snmpv2c security-level
no-auth-no-privacy read iso write iso notify iso
       attempts 20 time 5 lockout 10
    exit
    no ssh
    exit