Cisco SN 5420 Storage Router Software Configuration Guide, Release 2.1
Chapter 8 - Configuring Authentication

Configuring Authentication


This chapter explains how to configure AAA authentication methods on the SN 5420 Storage Router and how to enable iSCSI authentication, which uses the AAA authentication methods.

The following tasks are covered:

Prerequisite Tasks

Using iSCSI Authentication

Configuration Tasks

Configuring Security Services

Building the AAA Authentication List

Testing iSCSI Authentication

Enabling iSCSI Authentication

Verifying and Saving Configuration

iSCSI authentication is available on storage routers configured for SCSI routing or transparent SCSI routing. The AAA authentication function is always enabled for the storage router; it cannot be disabled. Authentication parameters can be configured using CLI commands, as described in this chapter, or via the web-based GUI. To access the web-based GUI, point your browser to the storage router's management interface IP address. After logging on, click the Help link to access online help for the GUI.


Note The web-based GUI is not available for storage routers deployed for transparent SCSI routing.


Prerequisite Tasks

Before performing AAA and iSCSI authentication configuration tasks on the storage router, make sure you have configured system parameters as described in "First-Time Configuration," or "Configuring System Parameters."

You should also configure SCSI routing instances as described in "Configuring SCSI Routing," and/or FC server instances as described in "Configuring iSCSI SAN Interconnect," before proceeding. See the iSCSI driver readme file for details on configuring IP hosts for iSCSI authentication.


Note AAA and iSCSI authentication configuration settings are system-wide parameters and are not shared across a cluster. However, you may prefer to configure all storage routers in a cluster with the same authentication settings.


Using iSCSI Authentication

iSCSI authentication provides a mechanism to authenticate all IP hosts and FC server instances that request access to storage devices via a SCSI routing instance. When enabled, iSCSI drivers and FC server instances provide user name and password information each time an iSCSI TCP connection is established. iSCSI authentication uses the iSCSI CHAP (Challenge Handshake Authentication Protocol) authentication method. Authentication services are provided by the AAA subsystem configured for each storage router.

Authentication, authorization and accounting (AAA) is Cisco's architectural framework for configuring a set of three independent security functions in a consistent, modular manner. The SN 5420 Storage Router implements the authentication function.

Authentication provides a method of identifying users (including login and password dialog, challenge and response, and messaging support) prior to receiving access to the requested object, function, or network service. AAA authentication is configured by defining a list of authentication services. iSCSI authentication, which uses the AAA authentication services list, can be enabled for specific SCSI routing instances.
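The CHAP exchange that the preceding paragraphs describe, written out as an added example for this page (it is not Cisco code and does not reproduce the SN 5420 implementation): the target issues a one-byte identifier and a random challenge, the initiator answers with MD5(CHAP_I || secret || CHAP_C) as specified in RFC 1994 and used by iSCSI, and the target recomputes the digest from its own copy of the shared secret. The user names and passwords are the ones used in this chapter's examples; the connection identifiers are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), with CHAP_I as a single byte
    (RFC 1994 section 4.1, the algorithm iSCSI uses for CHAP)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier must fit in one byte")
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


class ChapTarget:
    """The authenticating side: holds the shared secrets and the challenges it has issued."""

    def __init__(self, user_db: dict[str, str]) -> None:
        # user name -> shared secret; the verifier needs the secret itself to recompute the digest
        self.user_db = {name: pw.encode() for name, pw in user_db.items()}
        self.next_id = 0
        self.outstanding: dict[str, tuple[int, bytes]] = {}  # connection -> (CHAP_I, CHAP_C)

    def challenge(self, conn: str) -> tuple[int, bytes]:
        """Issue a fresh identifier and 16 random challenge bytes for one TCP connection."""
        chap_id = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = secrets.token_bytes(16)
        self.outstanding[conn] = (chap_id, chal)
        return chap_id, chal

    def verify(self, conn: str, username: str, response: bytes) -> bool:
        """Check the initiator's name and response against the challenge outstanding
        on this connection. Each challenge is usable exactly once."""
        pending = self.outstanding.pop(conn, None)
        if pending is None:
            return False
        chap_id, chal = pending
        secret = self.user_db.get(username)
        if secret is None:
            return False
        expected = chap_response(chap_id, secret, chal)
        return hmac.compare_digest(expected, response)


def initiator_login(target: ChapTarget, conn: str, username: str, password: str) -> bool:
    """Initiator side: obtain the challenge, answer it, and return the target's verdict."""
    chap_id, chal = target.challenge(conn)
    return target.verify(conn, username, chap_response(chap_id, password.encode(), chal))


def demo() -> tuple[bool, bool, bool, bool]:
    target = ChapTarget({"labserver": "foo", "labserver2": "foo2", "iscsiclient3": "foo3"})
    good = initiator_login(target, "conn-1", "labserver", "foo")
    wrong_pw = initiator_login(target, "conn-2", "labserver", "Foo")  # passwords are case-sensitive
    # A response captured on one connection is useless once its challenge has been consumed.
    chap_id, chal = target.challenge("conn-3")
    resp = chap_response(chap_id, b"foo2", chal)
    first = target.verify("conn-3", "labserver2", resp)
    replay = target.verify("conn-3", "labserver2", resp)
    return good, wrong_pw, first, replay


if __name__ == "__main__":
    print(demo())  # constructed run: (True, False, True, False)
```

The password itself never crosses the TCP connection; only the digest over the fresh challenge does, which is why a second attempt with the same response fails once the challenge has been used. The verifier, however, must be able to recompute the digest, so it needs the shared secret for every user name it authenticates.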

AAA Security Services

iSCSI authentication uses AAA security services to administer its security functions. If you are using remote security servers, AAA is the means through which you establish communications between the storage router and the remote RADIUS or TACACS+ security server.

This chapter describes how to configure the following AAA security services:

RADIUS—A distributed client/server system implemented through AAA that secures networks against unauthorized access. In this implementation, the storage router sends authentication requests to a central RADIUS server that contains all user authentication and network service access information.

TACACS+—A security application implemented through AAA that provides centralized validation of users attempting to gain access to storage targets through specified SCSI routing instances. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.

Local or local-case—Uses a local username database on the storage router for authentication. Local-case indicates that user name authentication is case-sensitive. Password authentication is always case-sensitive.

Configuration Tasks

To configure iSCSI authentication and the associated AAA authentication services on the storage router, perform the following steps:


Step 1 Configure the desired security services, such as RADIUS, TACACS+, or the local username database.

Step 2 Build the AAA authentication list.

Step 3 Test the iSCSI authentication services.

Step 4 Enable iSCSI authentication for individual SCSI routing instances.

Step 5 Verify and save AAA and iSCSI authentication configuration.


Figure 8-1 illustrates AAA authentication configuration elements and Figure 8-2 illustrates the example configuration of iSCSI authentication and AAA authentication services used in this chapter.

Figure 8-1 iSCSI Authentication Configuration Elements

Figure 8-2 iSCSI Authentication Example Configuration

Configuring Security Services

Configuring security services consists of setting the appropriate parameters for the various service options that can be used by the storage router. A storage router can use any or all of the supported security services.

Use the procedures that follow to configure the storage router to use the appropriate security services:

RADIUS

TACACS+

Local username database


Note See the iSCSI driver readme file for details on configuring user names and passwords for iSCSI authentication. See the section "Configuring User Name and Password" in "Configuring iSCSI SAN Interconnect," for details on configuring an FC server instance with a user name and password for authentication purposes.


RADIUS Servers

Use the commands in the following procedure to configure RADIUS security services.

Step 1  enable
Enter Administrator mode.

Step 2  radius-server host 10.5.0.53
Specify the RADIUS server to be used for AAA authentication services. For example, specify the RADIUS server at 10.5.0.53 for use by the storage router. Because no port is specified, the authentication requests use the default UDP port 1645. Global timeout and retransmit values are also used. See the radius-server host command in "Command Line Interface Reference," for additional details.

Step 3  radius-server host 10.6.0.61
Specify a secondary RADIUS server. RADIUS servers are accessed in the order in which they are defined. For example, specify the RADIUS server at 10.6.0.61 as the second RADIUS server to be used for AAA authentication services.

Step 4  radius-server key rad123SN
Configure the global authentication and encryption key to be used for all RADIUS communications between the storage router and the RADIUS daemon. For example, set the key to rad123SN. This key must match the key used on the RADIUS daemon.

TACACS+ Hosts

Use the commands in the following procedure to configure TACACS+ security services.

Step 1  enable
Enter Administrator mode.

Step 2  tacacs-server host 10.7.0.22
Specify the TACACS+ server to be used for AAA authentication services. For example, specify the TACACS+ server at 10.7.0.22 for use by the storage router. Because no port is specified, the authentication requests use the default port 49. The global timeout value is also used. See the tacacs-server host command in "Command Line Interface Reference," for additional details.

Step 3  tacacs-server key tacacs123SN
Configure the global authentication and encryption key to be used for all TACACS+ communications between the storage router and the TACACS+ server. For example, set the key to tacacs123SN. This key must match the key used by the TACACS+ daemon.

Local Username Database

Use the commands in the following procedure to configure a local username database.


Note Passwords are entered in clear text, but are changed to "XXXXX" in the CLI command history cache, and are stored in the local username database in encrypted format.

Step 1  enable
Enter Administrator mode.

Step 2  username labserver password foo
        username labserver2 password foo2
        username iscsiclient3 password foo3
Enter a user name and password for each device requiring authentication prior to access to storage. For example, add the following user name and password combinations:

labserver and foo

labserver2 and foo2

iscsiclient3 and foo3

These user name and password pairs must match the user name and password pairs configured for iSCSI drivers and FC server instances that require access to storage via the SCSI routing instances that have iSCSI authentication enabled. If other authentication services are also used (such as RADIUS or TACACS+), these user name and password pairs must also be configured within the databases those services use for authentication purposes.

The following rules apply to passwords:

Passwords are entered in clear text. However, they are stored in an encrypted format.

If the password contains embedded spaces, enclose it with single or double quotes.

After initial entry, passwords display in their encrypted format. Use the show aaa command to display the local username database entries. The following is an example display:

username "foo" password "9 ea9bb0c57ca4806d3555f3f78a4204177a"

The initial "9" in the example display indicates that the password is encrypted.

You can re-enter an encrypted password using the normal username password command. Enter the encrypted password in single or double quotes, starting with 9 and a single space. For example, copying and pasting password "9 ea9bb0c57ca4806d3555f3f78a4204177a" from the example above into the username pat command would create an entry for pat in the username database. The user named pat would have the same password as the user named foo. This functionality allows user names and passwords to be restored from saved configuration files.

When entering a password, a zero followed by a single space indicates that the following string is not encrypted; 9 followed by a single space indicates that the following string is encrypted. To enter a password that starts with 9 or zero, followed by one or more spaces, enter a zero and a space and then enter the password string. For example, to enter the password "0 123" for the user named pat, enter this command:

username pat password "0 0 123"

To enter the password "9 73Zjm 5" for user name lab1, use this command:

username lab1 password '0 9 73Zjm 5'
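The prefix and quoting rules above are easy to get wrong when scripting user entries or restoring them from a saved configuration. The following added example (not Cisco code; the encrypted "9 " strings are treated as opaque blobs because the chapter does not describe the encryption) parses the argument of a username command the way the rules describe, and builds the argument needed to store a given clear-text password literally. Quote handling follows the chapter's statement that single or double quotes are accepted.

```python
from __future__ import annotations

import shlex

ENCRYPTED_PREFIX = "9 "  # "9" + single space: the string that follows is already encrypted
CLEAR_PREFIX = "0 "      # "0" + single space: the string that follows is clear text


def parse_password_argument(arg: str) -> tuple[str, str]:
    """Classify the string given to 'username NAME password ARG' once the CLI has
    removed surrounding quotes. Returns ("encrypted", blob) or ("clear", password)."""
    if arg.startswith(ENCRYPTED_PREFIX):
        return "encrypted", arg[len(ENCRYPTED_PREFIX):]
    if arg.startswith(CLEAR_PREFIX):
        return "clear", arg[len(CLEAR_PREFIX):]
    return "clear", arg


def quote_password_argument(password: str) -> str:
    """Build the argument that makes the CLI store PASSWORD literally as clear text."""
    # A password beginning with 0 or 9 followed by a space would itself be read as
    # a prefix, so the chapter's rule is to put an explicit "0 " in front of it.
    if password[:1] in ("0", "9") and password[1:2] == " ":
        password = CLEAR_PREFIX + password
    # Embedded spaces require quoting; double quotes are used here.
    return f'"{password}"' if " " in password else password


def build_username_command(name: str, kind: str, value: str) -> str:
    """Emit the command that re-creates an entry, including the case the chapter
    describes of pasting an already-encrypted password from a saved configuration."""
    if kind == "encrypted":
        return f'username {name} password "{ENCRYPTED_PREFIX}{value}"'
    return f"username {name} password {quote_password_argument(value)}"


def parse_username_command(line: str) -> tuple[str, str, str]:
    """Split a full 'username NAME password ARG' line, honouring single or double
    quotes, and classify its password argument."""
    tokens = shlex.split(line)
    if len(tokens) != 4 or tokens[0] != "username" or tokens[2] != "password":
        raise ValueError(f"not a username/password command: {line!r}")
    kind, value = parse_password_argument(tokens[3])
    return tokens[1], kind, value


if __name__ == "__main__":
    # The two worked cases from the chapter, plus a restore of an encrypted entry.
    print(build_username_command("pat", "clear", "0 123"))
    print(build_username_command("lab1", "clear", "9 73Zjm 5"))
    print(parse_username_command('username pat password "9 ea9bb0c57ca4806d3555f3f78a4204177a"'))
```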

Building the AAA Authentication List

iSCSI authentication uses a list of defined AAA authentication services to administer its security functions. The list that is created must be named default.

Use the commands in the following procedure to build a list of AAA authentication services to be used for iSCSI authentication.

Step 1  enable
Enter Administrator mode.

Step 2  aaa authentication iscsi default local group radius group tacacs+
Create a list (named default) of authentication services. For example, build a list so that AAA first tries to perform authentication using the local username database. If AAA fails to find a user name match, an attempt is made to contact a RADIUS server. If no RADIUS server is found, RADIUS returns an error and AAA tries to use a TACACS+ server. If no TACACS+ server is found, TACACS+ returns an error and AAA authentication fails. If a RADIUS or TACACS+ server does not find a user name and password match, authentication fails and no other methods are attempted.


Note If local or local-case is the first service in the authentication list and a user name match is not found, the next service in the list will be tried. If local or local-case is not the first service, authentication fails if a user name match is not found. Authentication always fails if a RADIUS or TACACS+ server fails to find a user name match.
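The fall-through rules in the step above and in the Note decide whether a login that one service cannot resolve is passed to the next service or rejected outright. The following added model (written for this page; it is not Cisco code and the server databases in it are constructed) walks a method list with exactly those rules: a first-position local or local-case database that finds no user name hands over to the next service, an unreachable RADIUS or TACACS+ server hands over, and any verdict from a server, or a missing user name in a local database that is not first, ends authentication. A user name match with a wrong password is treated as a failure, which is how the chapter's text reads.

```python
from __future__ import annotations

from enum import Enum


class Result(Enum):
    PASS = "pass"            # credentials accepted
    FAIL = "fail"            # the service reached a verdict: reject
    NOT_FOUND = "not found"  # local/local-case only: no user name match
    ERROR = "error"          # remote server could not be reached


class LocalDatabase:
    """The storage router's local username database ('local' or 'local-case')."""

    def __init__(self, users: dict[str, str], case_sensitive: bool = False) -> None:
        self.name = "local-case" if case_sensitive else "local"
        self.case_sensitive = case_sensitive
        self.users = users

    def authenticate(self, username: str, password: str) -> Result:
        for stored_user, stored_pw in self.users.items():
            same_user = (stored_user == username if self.case_sensitive
                         else stored_user.lower() == username.lower())
            if same_user:
                # Password comparison is always case-sensitive.
                return Result.PASS if stored_pw == password else Result.FAIL
        return Result.NOT_FOUND


class RemoteGroup:
    """A 'group radius' or 'group tacacs+' entry; the server's user database is constructed."""

    def __init__(self, kind: str, users: dict[str, str], reachable: bool = True) -> None:
        self.name = f"group {kind}"
        self.users = users
        self.reachable = reachable

    def authenticate(self, username: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR
        # A remote server that finds no user name match rejects; AAA does not fall through.
        return Result.PASS if self.users.get(username) == password else Result.FAIL


def aaa_authenticate(method_list, username, password):
    """Walk the 'default' list with the chapter's fall-through rules.
    Returns the verdict and a trace of (service, result) pairs."""
    trace = []
    for position, method in enumerate(method_list):
        result = method.authenticate(username, password)
        trace.append((method.name, result))
        if result is Result.PASS:
            return Result.PASS, trace
        if result is Result.FAIL:
            return Result.FAIL, trace  # a verdict from any service ends the walk
        if result is Result.NOT_FOUND and position != 0:
            return Result.FAIL, trace  # local not first: no user name match means failure
        # NOT_FOUND from a first-position local database, or ERROR from a server: try the next one
    return Result.FAIL, trace  # list exhausted without a verdict


# The chapter's example list: local, then RADIUS, then TACACS+ (RADIUS unreachable here).
local_db = LocalDatabase({"labserver": "foo", "labserver2": "foo2", "iscsiclient3": "foo3"})
radius_down = RemoteGroup("radius", {}, reachable=False)
tacacs = RemoteGroup("tacacs+", {"backupsrv": "bk1"})  # constructed TACACS+ database
default_list = [local_db, radius_down, tacacs]

if __name__ == "__main__":
    for user, pw in [("labserver", "foo"), ("labserver", "FOO"), ("backupsrv", "bk1"), ("nobody", "x")]:
        verdict, trace = aaa_authenticate(default_list, user, pw)
        print(user, verdict.value, [(name, r.value) for name, r in trace])
```

The trace is what makes the model useful when reading the authentication list: it shows which service actually produced the verdict, so a surprising failure can be traced to, for example, a reachable RADIUS server that does not know the user name rather than to the local database.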


Testing iSCSI Authentication

Before enabling iSCSI authentication for a SCSI routing instance, you can test iSCSI authentication from the storage router. The user name and password are passed to AAA authentication, which performs authentication using the iSCSI default authentication list. The command response indicates a pass or fail status.

Use the commands in the following procedure to test iSCSI authentication.

Step 1  enable
Enter Administrator mode.

Step 2  aaa test authentication iscsi default labserver foo
        aaa test authentication iscsi default labserver2 foo2
        aaa test authentication iscsi default iscsiclient3 foo3
Test the user names and passwords listed in the username database. AAA authentication uses the services in the default list for authentication (Example 8-1).

Example 8-1 Testing Authentication

*[SN5420-MG1]# aaa test authentication iscsi default labserver foo
Sep 02 14:37:00:aaa:AS_NOTICE :Auth test request being queued

Sep 02 14:37:00:aaa:AS_NOTICE :Auth test request complete, status = pass

Enabling iSCSI Authentication

iSCSI authentication is enabled for specific SCSI routing instances. By default, iSCSI authentication is not enabled.

Use the commands in the following procedure to enable iSCSI authentication using the AAA authentication methods configured in the default AAA authentication list.

Step 1  enable
Enter Administrator mode.

Step 2  scsirouter zeus authenticate yes
        scsirouter mars authenticate yes
Enable authentication for the named SCSI routing instance. For example, enable authentication for the SCSI routing instances named zeus and mars.

Note The FC server instance defaultFC, which uses the services of the SCSI routing instance mars to provide FC hosts access to storage devices on a remote Fibre Channel network, must have a user name and password properly configured. See the "Configuring User Name and Password" section in "Configuring iSCSI SAN Interconnect," for details on configuring the FC server instance user name and password for authentication purposes.

Verifying and Saving Configuration

You can save the configuration at any time using either the save aaa bootconfig or save all bootconfig commands. You must save the authentication configuration for it to be retained in the storage router when it is rebooted.

Use the following procedure to verify and save authentication settings.

Step 1  enable
Enter Administrator mode.

Step 2  show aaa
Display AAA authentication configuration (Example 8-2).

Step 3  show scsirouter zeus
        show scsirouter mars
Verify that iSCSI authentication is enabled for SCSI routing instances zeus and mars (Example 8-3).

Step 4  save aaa bootconfig
Save authentication settings.

Step 5  save scsirouter zeus bootconfig
        save scsirouter mars bootconfig
Save the SCSI routing instances.

Step 6  save all bootconfig
(Optional) Save all configuration settings. This command may be used in place of the individual save aaa bootconfig and save scsirouter bootconfig commands described in Steps 4 and 5.

Example 8-2 Verify AAA Authentication Configuration

[SN5420-MG1]# show aaa
aaa new-model
aaa authentication iscsi default local group radius group tacacs+
username "LabServer" password "9 3b7e1560943b2c3df73ae16dd8c21406ad"
username "LabServer2" password "9 5a034dba7085f7628852db4637787b3f9e"
username "iSCSIClient3" password "9 5a034dba7133ab0b9d141cb5ba17503f30"
radius-server key "9 4f5e3deda858731566fa8c7fa23d8a5b4d"
radius-server timeout 100
radius-server retransmit 3
radius-server host 10.5.0.53 auth-port 1645
radius-server host 10.6.0.61 auth-port 1645
tacacs-server key "9 10d2a453d607e75f36ca96dfc5d36b4495"
tacacs-server host 10.7.0.22 auth-port 49

Example 8-3 Verify iSCSI Authentication for SCSI Routing Instances

[SN5420-MG1]# show scsirouter zeus
zeus description "(not set)"
zeus authentication "yes"
zeus primary "none"
zeus target naming authority "none"
zeus serverif ge2 10.1.0.45/24
zeus deviceif fc1
zeus target chimaera_email description "(not set)"
zeus target chimaera_email enabled "TRUE"
zeus target chimaera_email accesslist "aegis"
zeus target chimaera_email lun 23 loopid "15" lun "0"
zeus target chimaera_apps description "(not set)"
zeus target chimaera_apps enabled "TRUE"
zeus target chimaera_apps accesslist "none"
zeus target chimaera_apps lun 24 wwpn "22:00:00:20:37:19:15:05" lun "0"
zeus target chimaera_eng description "(not set)"
zeus target chimaera_eng enabled "TRUE"
zeus target chimaera_eng accesslist "aegis"
zeus target chimaera_eng lun 17 wwnn "22:00:00:20:37:19:12:9d"
zeus target pegasus_dbase description "(not set)"
zeus target pegasus_dbase enabled "TRUE"
zeus target pegasus_dbase accesslist "hris-mgmt"
zeus target pegasus_dbase loopid "8"
zeus target pegasus_email description "(not set)"
zeus target pegasus_email enabled "TRUE"
zeus target pegasus_email accesslist "all"
zeus target pegasus_email wwpn "22:00:00:20:37:19:12:da"

[SN5420-MG1]# show scsirouter mars
mars description "(not set)"
mars authentication "yes"
mars primary "none"
mars target naming authority "none"
mars serverif ge2 10.1.0.47/24
mars deviceif fc1
mars target backup_dbase description "(not set)"
mars target backup_dbase enabled "TRUE"
mars target backup_dbase accesslist "all"
mars target backup_dbase loopid 9
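Reading the verification output by eye works for two instances; for more, the checks in Steps 2 and 3 are easy to automate over captured show output. The following added example (not Cisco code) parses show scsirouter output for each instance's authentication flag and show aaa output for the default iSCSI method list, and reports instances that still have authentication disabled. The sample text is constructed from the shape of Examples 8-2 and 8-3; the instance named apollo is invented so that the check has something to flag.

```python
from __future__ import annotations

import re

AUTH_LINE = re.compile(r'^(\S+) authentication "(\w+)"$')
ISCSI_LIST = re.compile(r"^aaa authentication iscsi default (.+)$")

# Constructed sample modelled on the chapter's Example 8-3; "apollo" is an invented
# instance with authentication left at its default of disabled.
SAMPLE_SHOW_SCSIROUTER = """\
[SN5420-MG1]# show scsirouter zeus
zeus description "(not set)"
zeus authentication "yes"
zeus primary "none"
zeus serverif ge2 10.1.0.45/24
zeus target chimaera_email accesslist "aegis"
[SN5420-MG1]# show scsirouter mars
mars description "(not set)"
mars authentication "yes"
mars target backup_dbase accesslist "all"
[SN5420-MG1]# show scsirouter apollo
apollo description "(not set)"
apollo authentication "no"
"""

# Constructed sample modelled on Example 8-2.
SAMPLE_SHOW_AAA = """\
aaa new-model
aaa authentication iscsi default local group radius group tacacs+
radius-server host 10.5.0.53 auth-port 1645
tacacs-server host 10.7.0.22 auth-port 49
"""


def audit_scsirouter_output(output: str) -> dict[str, bool]:
    """Map each SCSI routing instance in show scsirouter output to whether its
    authentication flag reads "yes". Prompt and target lines do not match and are skipped."""
    flags: dict[str, bool] = {}
    for line in output.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m:
            flags[m.group(1)] = m.group(2).lower() == "yes"
    return flags


def default_method_list(show_aaa: str) -> list[str]:
    """Return the services of the default iSCSI list in order, e.g. ['local', 'group radius']."""
    for line in show_aaa.splitlines():
        m = ISCSI_LIST.match(line.strip())
        if m:
            # "group X" is one service; anything else is a single keyword such as local.
            return re.findall(r"group \S+|\S+", m.group(1))
    return []


def audit(show_scsirouter: str, show_aaa: str) -> list[str]:
    """Findings a reviewer would want before saving: a missing default list, then
    every instance whose authentication flag is not "yes"."""
    findings = []
    if not default_method_list(show_aaa):
        findings.append("no 'aaa authentication iscsi default' list configured")
    flags = audit_scsirouter_output(show_scsirouter)
    findings.extend(f"{name}: iSCSI authentication not enabled"
                    for name in sorted(flags) if not flags[name])
    return findings


if __name__ == "__main__":
    print(default_method_list(SAMPLE_SHOW_AAA))
    for finding in audit(SAMPLE_SHOW_SCSIROUTER, SAMPLE_SHOW_AAA):
        print(finding)
```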