Fs S5900-24s4t2q User manual

Security Configuration

S5900-24S4T2Q Ethernet Switch

Security Configuration

Contents

Chapter 1 AAA Configuration.............................................................................................................................. 1

1.1 AAA Overview................................................................................................................................................. 1

1.1.1 AAA Security Service......................................................................................................................... 1

1.1.2 Benefits of Using AAA........................................................................................................................2

1.1.3 AAA Principles.....................................................................................................................................2

1.1.4 AAA Method List................................................................................................................................. 2

1.1.5 AAA Configuration Process...............................................................................................................3

1.2 Authentication Configuration......................................................................................................................... 4

1.2.1 AAA Authentication Configuration Task List...................................................................................4

1.2.1 AAA Authentication Configuration Task..........................................................................................4

1.2.3 AAA Authentication Configuration Example................................................................................... 8

1.2.3.1 RADIUS Authentication Example.........................................................................................8

1.3 Authorization Configuration.........................................................................................................................10

1.3.1 AAA Authorization Configuration Task List.................................................................................. 10

1.3.2 AAA Authorization Configuration Task..........................................................................................10

1.3.2.1 Configuring EXEC authorization through AAA......................................................................... 10

1.3.3 AAA Authorization Examples..........................................................................................................11

1.3.3.1 Example of Local EXECAuthorization...............................................................................11

1.4 AAA Accounting Configuration................................................................................................................... 12

1.4.1 AAA Accounting Configuration Task List......................................................................................12

1.4.2 AAA Accounting Configuration Task............................................................................................. 12

1.4.2.1 Configuring Connection Accounting using AAA.............................................................. 12

1.4.2.2 Configuring Network Accounting usingAAA..................................................................... 13

1.4.2.3 Configuring Accounting Update Through AAA................................................................ 14

1.4.2.4 Limiting User Accounting WithoutUsername................................................................... 14

1.5 Local Account Policy Configuration........................................................................................................... 15

1.5.1 Local Account Policy Configuration Task List.............................................................................. 15

1.5.2 Local Account Policy Configuration Task..................................................................................... 15

1.5.2.1 Local authentication policy configuration..........................................................................15

1.5.2.2 Local authorization policy configuration............................................................................15

1.5.2.3 Local password policy configuration..................................................................................15

1.5.2.4 Local policy group configuration........................................................................................ 16

1.5.3 Local Account Policy Example....................................................................................................... 16

Chapter 2 Configuring RADIUS........................................................................................................................ 18

2.1 Overview........................................................................................................................................................ 18

2.1.1 RADIUS Overview............................................................................................................................ 18

Security Configuration

2.1.2 RADIUS Operation........................................................................................................................... 19

2.2 RADIUS Configuration Steps......................................................................................................................19

2.3 RADIUS Configuration Task List................................................................................................................20

2.4 RADIUS Configuration Task....................................................................................................................... 20

2.5 RADIUS Configuration Examples.............................................................................................................. 21

2.5.1 RADIUS Authentication Example...................................................................................................21

2.5.2 RADIUS Application in AAA............................................................................................................22

Chapter 3 TACACS+ Configuration..................................................................................................................23

3.1 TACACS+ Overview.....................................................................................................................................23

3.1.1 The Operation of TACACS+ Protocol........................................................................................... 23

3.1.1.1 Authentication in ASCII Form............................................................................................. 23

3.1.1.2 Authentication in PAP and CHAP Ways...........................................................................24

3.2 TACACS+ Configuration Process..............................................................................................................24

3.3 TACACS+ Configuration Task List............................................................................................................ 25

3.4 TACACS+ Configuration Task....................................................................................................................25

3.4.1 Assigning TACACS+ server............................................................................................................25

3.4.2 Setting up TACACS+ encrypted secret key................................................................................. 26

3.4.3 Assigning to use TACACS+ for authentication............................................................................ 26

3.4.4 Assigning to use TACACS+ for authorization.............................................................................. 26

3.4.5 Assigning to use TACACS+ for accounting..................................................................................26

3.5 TACACS+ Configuration Example.............................................................................................................26

3.5.1 TACACS+ authentication example................................................................................................ 26

3.5.2 TACACS+ Authorization Examples............................................................................................... 27

3.5.3 TACACS+ Accounting Example.....................................................................................................27

Security Configuration

Chapter 1 AAA Configuration

1.1 AAA Overview

Access control is the way to control access to the network and services. Authentication, authorization, and

accounting (AAA) network security services provide the primary framework through which you set up access

control on your OLT or access server.

1.1.1 AAA Security Service

AAA is an architectural framework for configuring a set of three independent security functions in a consistent

manner. AAA provides a modular way of performing the following services:

Authentication: It is a method of identifying users, including username/password inquiry and encryption

according to the chosen security protocol.

Authentication is a method to distinguish the user’s identity before users access the network and enjoy

network services. AAA authentication can be configured through the definition of an authentication method

list and then application of this method list on all interfaces. This method list defines the authentication

type and the execution order; any defined authentication method list must be applied on a specific

interface before it is executed. The only exception is the default authentication method list (which is named

default). If there are no other authentication method lists, the default one will be applied on all interfaces

automatically. If any one is defined, it will replace the default one. For how to configure all authentications,

see “Authentication Configuration”.

Authorization: it is a remote access control method to limit user’s permissions.

AAA authorization takes effect through a group of features in which a user is authorized with some

permissions. Firstly, the features in this group will be compared with the information about a specific user

in the database, then the comparison result will be returned to AAA to confirm the actual permissions of

this user. This database can be at the accessed local server or switch, or remote Radius/TACACS+ server.

The Radius or TACACS+ server conducts user authorization through a user-related attribute-value peer.

The attribute value (AV) defines the allowably authorized permissions. All authorization methods are

defined through AAA. Like authentication, an authorization method list will be first defined and then this list

will be applied on all kinds of interfaces. For how to carry on the authorization configuration, see

“Authorization Configuration”.

Accounting: it is a method to collect user’s information and send the information to the security server.

The collected information can be used to open an account sheet, make auditing and form report lists,

such as the user ID, start/end time, execution commands, and the number of packets or bytes.

The accounting function can track the services that users access, and at the same time track the service-

consumed network resource number. When AAA accounting is activated, the access server can report user’s

activities to the TACACS+ or Radius server in way of accounting. Each account contains an AV peer, which is

stored on the security server. The data can be used for network management, client's accounting analysis or

audit. Like authentication and authorization, an accounting method list must be first defined and then applied on

different interfaces. For how to carry on the accounting configuration, see “Accounting Configuration”.

Security Configuration

1.1.2 Benefits of Using AAA

AAA provides the following benefits:

Increased flexibility and control of access configuration

Scalability

Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos

Multiple backup systems

1.1.3 AAA Principles

AAA is designed to enable you to dynamically configure the type of authentication and authorization you want

on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of

authentication and authorization you want by creating method lists, then applying those method lists to specific

services or interfaces.

1.1.4 AAA Method List

To configure AAA, define a named method list first and then apply it to the concrete service or interface. This

method list defines the running AAA type and their running sequence. Any defined method list must be applied

to a concrete interface or service before running. The only exception is the default method list. The default

method list is automatically applied to all interfaces or services. Unless the interface applies other method list

explicitly, the method list will replace the default method list.

A method list is a sequential list that defines the authentication methods used to authenticate a user. In AAA

method list you can specify one or more security protocols. Thus, it provides with a backup authentication

system, in case the initial method is failed. Our software uses the first method listed to authenticate users; if

that method does not respond, the software selects the next authentication method in the method list. This

process continues until there is successful communication with a listed authentication method or the

authentication method list is exhausted, in which case authentication fails.

It is important to notice that the software attempts authentication with the next listed authentication method only

when there is no response from the previous method. If authentication fails at any point in this cycle—meaning

that the security server or local user name database responds by denying the user access—the authentication

process stops and no other authentication methods are attempted.

The following figures shows a typical AAA network configuration that includes four security servers: R1 and R2

are RADIUS servers, and T1 and T2 are TACACS+ servers. Take the authentication as an example to

demonstrate the relation between AAA service and AAA method list.

Security Configuration

Figure 1- 1 Typical AAA Network Configuration

In this example, default is the name of the method list, including the protocol in the method list and the request

sequence of the method list follows the name. The default method list is automatically applied to all interfaces.

When a remote user attempts to dial in to the network, the network access server first queries R1 for

authentication information. If R1 authenticates the user, it issues a PASS response to the network access server

and the user is allowed to access the network. If R1 returns a FAIL response, the user is denied access and the

session is terminated. If R1 does not respond, then the network access server processes that as an ERROR

and queries R2 for authentication information. This pattern continues through the remaining designated

methods until the user is either authenticated or rejected, or until the session is terminated.

A FAIL response is significantly different from an ERROR. A FAIL means that the user has not met the criteria

contained in the applicable authentication database to be successfully authenticated. Authentication ends with

a FAIL response. An ERROR means that the security server has not responded to an authentication query.

Only when an ERROR is detected will AAA select the next authentication method defined in the authentication

method list.

Suppose the system administrator wants to apply the method list to a certain or a specific port. In such case,

the system administrator should create a non-default method list and then apply the list of this name to an

appropriate port.

1.1.5 AAA Configuration Process

You must first decide what kind of security solution you want to implement. You need to assess the security

risks in your particular network and decide on the appropriate means to prevent unauthorized entry and attack.

Before you configure AAA, you need know the basic configuration procedure. To do AAA security configuration

on switches or access servers, perform the following steps:

If you decide to use a security server, configure security protocol parameters first, such as RADIUS,

TACACS+, or Kerberos.

Define the method lists for authentication by using an AAA authentication command.

Apply the method lists to a particular interface or line, if required.

Security Configuration

(Optional) Configure authorization using the aaaauthorization command.

(Optional) Configure accounting using the aaa accountingcommand.

1.2 Authentication Configuration

1.2.1 AAA Authentication ConfigurationTask List

Configuring Login Authentication Using AAA

Enabling Password Protection at the Privileged Level

Configuring Message Banners for AAA Authentication

Modifying the Notification Character String for Username Input

Modifying AAA authentication password-prompt

Creating the Authentication Database with the Local Priviledge

1.2.1 AAA Authentication ConfigurationTask

General configuration process of AAA authentication

To configure AAA authentication, perform the following configuration processes:

(1) If you decide to use a separate security server, configure security protocol parameters, such as RADIUS,

or TACACS+. Refer to the relevant section for the concrete configuration methods.

(2) Configuring Authentication Method List Using aaa authentication

(3) If necessary, apply the accounting method list to a specific interface or line.

1.2.2.1 Configuring Login Authentication Using AAA

The AAA security services facilitate a variety of login authentication methods. Use the aaa authentication login

command to enable AAA authentication no matter which of the supported login authentication methods you

decide to use. With the aaa authentication login command, you create one or more lists of authentication

methods that are tried at login. These lists are applied using the login authentication line configuration command.

After the authentication method lists are configured, you can apply these lists by running login authentication.

You can run the following command in global configuration mode to start the configuration:

Command

Purpose

aaa authentication login {default |

list-name}method1 [method2...]

Enables AAA globally.

line [console |vty ]line-number

[ending-line-number]

Enter the configuration mode of a line.

Applies the authentication list to a line or set

of lines. (In the line configuration mode)

Security Configuration

The list-name is a character string used to name the list you are creating. The key word method specifies the

actual method of the authentication method. The additional methods of authentication are used only if the

previous method returns an error, not if it fails. To specify that the authentication should succeed even if all

methods return an error, specify none as the final method in the command line.

The default parameter can create a default authentication list, which will be automatically applied to all

interfaces. For example, to specify that authentication should succeed even if (in this example) the TACACS+

server returns an error, enter the following command:

aaa authentication login default group radius

Note:

Because the none keyword enables any user logging in to successfully authenticate, it should be used only as a

backup method of authentication.

If you cannot find the authentication method list, you can only login through the console port. Any other way of

The following table lists the supported login authentication methods:

Keyword

Notes

enable

Uses the enable password for authentication.

group name

Uses named server group for authentication.

group radius

Uses RADIUS for authentication.

group tacacs+

Uses group tacacs+ for authentication.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

localgroup

Uses the local strategy group username database for authentication.

local-case

Uses case-sensitive local user name authentication.

none

Passes the authentication unconditionally.

(1) Using the enable password to carry on the login authentication:

To specify the enable password as the user authentication method, run the following command:

aaa authentication login default enable

(2) Using the line password to login

Use the aaa authentication login command with the line method keyword to specify the line password as the

aaa authentication login default line

Before you can use a line password as the login authentication method, you need to define a line password.

Security Configuration

(3) Using the local password to carry on the login authentication:

When you run aaa authentication login, you can use the keyword “local” to designate the local database as the

authentication method and not define any other method, run the following command:

aaa authentication login default local

For information about adding users into the local username database, refer to the section "Establishing

Username Authentication" in this chapter.

(4) Login Authentication Using RADIUS

Use the aaa authentication login command with the group radius method to specify RADIUS as the login

authentication method. For example, to specify RADIUS as the method of user authentication at login when no

other method list has been defined, enter the following command:

aaa authentication login default group radius

Before you can use RADIUS as the login authentication method, you need to enable communication with the

RADIUS security server. For more information about establishing communication with a RADIUS server, refer

to the chapter "Configuring RADIUS."

1.2.2.2 Enabling Password Protection at the Privileged Level

Use the aaa authentication enable default command to create a series of authentication methods that are used

to determine whether a user can access the privileged EXEC command level. You can specify up to four

authentication methods. The additional methods of authentication are used only if the previous method returns

an error, not if it fails. To specify that the authentication should succeed even if all methods return an error,

specify none as the final method in the command line. Use the following command in global configuration mode:

Command

Purpose

aaa authentication enable default method1

[method2...]

Enables user ID and password checking for

users requesting privileged EXEC level.

The method argument refers to the actual list of methods the authentication algorithm tries, in the sequence

entered.

The following table lists the supported enable authentication methods:

Keyword

Notes

enable

Uses the enable password for authentication.

group group-name

Uses named server group for authentication.

group radius

Uses RADIUS authentication.

group tacacs+

Uses tacacs+ for authentication.

line

Uses the line password for authentication.

none

Passes the authentication unconditionally.

When configuring enable authentication method as the remote authentication, use RADIUS for authentication.

Do as follows:

Security Configuration

(1) Uses RADIUS for enable authentication:

The user name for authentication is $ENABLElevel$; level is the privileged level the user enters, that is, the

number of the privileged level after enable command. For instance, if the user wants to enter the privileged

level 7, enter command enable 7; if configuring RADIUS for authentication, the user name presenting to

Radius-server host is $ENABLE7$; the privileged level of enable is 15 by default, that is, the user name

presenting to Radius-server host in using RADIUS for authentication is $ENABLE15$. The user name and the

password need to configured on Radius-server host in advance. The point is that in user database of Radius-

server host, the Service-Type of the user specifying the privileged authentication is 6, that is, Admin-User.

1.2.2.3 Configuring Message Banners for AAA Authentication

The banner of configurable, personal logon or failed logon is supported. When AAA authentication fails during

system login, the configured message banner will be displayed no matter what the reason of the failed

authentication is.

Configuring the registration banner

Run the following command in global configuration mode.

Command

Purpose

aaa authentication

text-string delimiter

banner

delimiter

Configures

banner.

personal

logon

registration

Configuring the banner of failed logon

Run the following command in global configuration mode.

Command

Purpose

aaa authentication fail-message delimiter

text-string delimiter

Configures a personal banner about failed

logon.

Usage Guidelines

When creating a banner, you need to configure a delimiter and then to configure the text string itself. The

delimiter is to notify that the following text string will be displayed as the banner. The delimiter appears

repeatedly at the end of the text character string, indicating that the banner is ended.

1.2.2.4 Modifying the Notification Character String for Username Input

To modify the default text of the username input prompt, run aaa authentication username-prompt. You can run

no aaa authentication username-prompt to resume the password input prompt.

username：

The aaa authentication username-prompt command does not change any prompt information provided by the

remote TACACS+ server or the RADIUS server. Run the following command in global configuration mode:

Other manuals for S5900-24S4T2Q

Table of contents

Other FS Network Router manuals

FS AP-S300 User manual

FS S800-24T4F User manual

FS TA1910-4GVC-W User manual

FS AC-7072 User manual

FS S5900-24S4T2Q Instruction sheet

FS ONU1910-1GF-W User manual

FS TA1910-1GF-W User manual

Popular Network Router manuals by other brands

TRENDnet

TRENDnet TEW-435BRM - 54MBPS 802.11G Adsl Firewall M Quick installation guide

Siemens

Siemens SIMOTICS CONNECT 400 manual

Alfa Network

Alfa Network ADS-R02 Specifications

Barracuda Networks

Barracuda Networks Link Balancer quick start guide

ZyXEL Communications

ZyXEL Communications ES-2024PWR Support notes

HPE

HPE FlexNetwork 5510 HI Series Openflow configuration guide

Allied Telesis

Allied Telesis AT-AR236E quick start guide

ADTRAN

ADTRAN NetVanta 3458-PoE quick start

C&H Technologies

C&H Technologies EM405-8 manual

Huawei

Huawei WiFi Mesh 3 Product description

Addonics Technologies

Addonics Technologies ISC8P2G-S Quick install guide

Atel

Atel W02 Arch+ Faqs

Allnet

Allnet ALL0333AU user guide

Sercomm

Sercomm Genesis OC3505D Quick installation guide

Billion

Billion BIPAC 5102 Series user manual

TP-Link

TP-Link TD-8817 QIG

Motorola

Motorola MR1900 user guide

Cisco

Cisco SOHO Series Regulatory compliance and safety information

FS S5900-24S4T2Q User manual

Popular Network Router manuals by other brands