-
Catalyst 6500 Series Software Configuration Guide, 7.6
-
Preface
-
Product Overview
-
Command-Line Interfaces
-
Configuring the Switch IP Address and Default Gateway
-
Configuring Ethernet, Fast Ethernet, Gigabit Ethernet, and 10-Gigabit Ethernet Switching
-
Configuring Ethernet VLAN Trunks
-
Configuring EtherChannel
-
Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling
-
Configuring Spanning Tree
-
Configuring Spanning Tree PortFast, UplinkFast, BackboneFast, and Loop Guard
-
Configuring VTP
-
Configuring VLANs
-
Configuring InterVLAN Routing
-
Configuring CEF for PFC2
-
Configuring MLS
-
Configuring NDE
-
Configuring Access Control
-
Configuring GVRP
-
Configuring Dynamic Port VLAN Membership with VMPS
-
Checking Status and Connectivity
-
Administering the Switch
-
Configuring Switch Access Using AAA
-
Configuring Redundancy
-
Modifying the Switch Boot Configuration
-
Working with the Flash File System
-
Working with System Software Images
-
Working with Configuration Files
-
Configuring System Message Logging
-
Configuring DNS
-
Configuring CDP
-
Configuring UDLD
-
Configuring NTP
-
Configuring Broadcast Suppression
-
Configuring Layer 3 Protocol Filtering
-
Configuring the IP Permit List
-
Configuring Port Security
-
Configuring 802.1x Authentication
-
Configuring Unicast Flood Blocking
-
Configuring SNMP
-
Configuring RMON
-
Configuring SPAN and RSPAN
-
Using Switch TopN Reports
-
Configuring Multicast Services
-
Configuring QoS
-
Configuring Automatic QoS
-
Configuring ASLB
-
Configuring the Switch Fabric Module
-
Configuring a VoIP Network
-
Acronyms
-
Table Of Contents
Configuring the Switch Access Using AAA
Understanding How Authentication Works
Understanding How Login Authentication Works
Understanding How Local Authentication Works
Understanding How Local User Authentication Works
Understanding How TACACS+ Authentication Works
Understanding How RADIUS Authentication Works
Understanding How Kerberos Authentication Works
Using a Kerberized Login Procedure
Using a Non-Kerberized Login Procedure
Configuring Authentication on the Switch
Authentication Default Configuration
Authentication Configuration Guidelines
Configuring Login Authentication
Setting Authentication Login Attempts on the Switch
Setting Authentication Login Attempts for the Privileged Mode
Configuring Local Authentication
Disabling Local Authentication
Configuring Local User Authentication
Enabling Local User Authentication
Disabling Local User Authentication
Configuring TACACS+ Authentication
Enabling TACACS+ Authentication
Specifying the TACACS+ Timeout Interval
Specifying the TACACS+ Login Attempts
Enabling TACACS+ Directed Request
Disabling TACACS+ Directed Request
Disabling TACACS+ Authentication
Configuring RADIUS Authentication
Enabling RADIUS Authentication
Specifying the RADIUS Timeout Interval
Specifying the RADIUS Retransmit Count
Specifying the RADIUS Dead Time
Specifying Optional Attributes for RADIUS Servers
Disabling RADIUS Authentication
Configuring Kerberos Authentication
Defining the Kerberos Local Realm
Mapping a Kerberos Realm to a Host Name or DNS Domain
Enabling Credentials Forwarding
Disabling Credentials Forwarding
Defining and Clearing a Private DES Key
Displaying and Clearing Kerberos Configurations
Understanding How Authorization Works
TACACS+ Primary Options and Fallback Options
Configuring Authorization on the Switch
TACACS+ Authorization Default Configuration
TACACS+ Authorization Configuration Guidelines
Configuring TACACS+ Authorization
Enabling TACACS+ Authorization
Disabling TACACS+ Authorization
Configuring RADIUS Authorization
Disabling RADIUS Authorization
Understanding How Accounting Works
Specifying When to Create Accounting Records
Configuring Accounting on the Switch
Accounting Default Configuration
Accounting Configuration Guidelines
Configuring the Switch Access Using AAA
This chapter describes how to configure authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst 6500 series switches.
Note
For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.
Note
Note
This chapter consists of these sections:
•
•
•
•
•
•
Understanding How Authentication Works
These sections describe how the different authentication methods work:
•
•
•
•
•
•
Authentication Overview
You can configure any combination of these authentication methods to control access to the switch:
•
•
•
•
•
Note
When you enable local authentication with one or more other authentication methods, local authentication is always attempted last. However, you can specify different authentication methods
for console and Telnet connections. For example, you might use local authentication for console connections and RADIUS authentication for Telnet connections.Understanding How Login Authentication Works
Login authentication increases the security of the system by keeping unauthorized users from guessing the password. The user is limited to a specific number of attempts to successfully log in to the switch. If the user fails to authorize the password, the system delays accesses and captures the user ID and the IP address of the station in the syslog and in the SNMP trap.
The maximum number of login attempts is configurable from the CLI and SNMP through the set authentication login attempt count command. Use the set authentication enable attempt count command to set login limits for accessing enable mode. The configurable range is three (default) to ten tries. Setting the login authentication limit to zero (0) disables this function.
All authentication methods are supported (RADIUS, TACACS+, Kerberos, or local).
You can configure the lockout (delay) time from the CLI and SNMP through the set authentication login lockout time command. Use the set authentication enable lockout time command to set a delay time for accessing enable mode. The configurable range is 30-43200 seconds. Setting the lockout time to zero (0) disables this function.
If you are locked out at the console, the console does not allow you to log in during that lockout time. If you are locked out with a Telnet session, the connection closes when the time limit is reached. The switch closes any subsequent access from that station during the lockout time and provides an appropriate notice.
Understanding How Local Authentication Works
Local authentication uses locally configured login and enable passwords to authenticate login attempts. The login and enable passwords are local to each switch and are not mapped to individual usernames.
By default, local authentication is enabled. You can disable local authentication only after enabling one or more of the other authentication methods. However, when local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.
You can enable local authentication and one or more of the other authentication methods at the same time. The switch attempts local authentication only if the other authentication methods fail.
Understanding How Local User Authentication Works
Local user authentication uses local user accounts and passwords that you create to validate the login attempts of local users. Each switch can have a maximum of 25 local user accounts. Before you can enable local user authentication, you must define at least one local user account.
You set up local user accounts by creating a unique username and password combination for each local user. Each username must be fewer than 65 characters and can be any alphanumeric character (at least one character must be alphabetic).
You configure each local user account with a privilege level; the valid privilege levels are 0 or 15. The privilege level assigned to a username and password combination designates whether a user will be logged in to normal or privileged mode after successful authentication. A user with a privilege level of 0 is automatically logged in to normal mode, and a user with a privilege level of 15 is logged in to privileged mode. A user with a privilege level of 0 can still access privileged mode by entering the enable command and password combination.Once a local user is logged in, only the commands that are available for that privilege level can be displayed.
Note
Understanding How TACACS+ Authentication Works
TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or an entity. TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol that is specified by RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+ server and the TACACS+ daemon on a network device.
TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances:
•
•
When you request privileged or restricted services, TACACS+ encrypts your user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.
A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use any or all of the three services.
When the TACACS+ server receives the packet, it does the following:
•
•
You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one that is configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all transmitted TACACS+ packets. If you do not configure a TACACS+ key, packets are not encrypted.
You can configure the following TACACS+ parameters on the switch:
•
•
•
•
•
•
•
TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time.
When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.
Understanding How RADIUS Authentication Works
RADIUS is a client-server authentication and authorization access protocol that is used by the NAS to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses UDP for transport between the RADIUS client and server.
You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all transmitted RADIUS packets. If you do not configure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.
Note
You can configure the following RADIUS parameters on the switch:
•
•
•
•
•
•
•
RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can specify which method to use first using the primary keyword.
When local authentication is disabled, if you disable all other authentication methods, local authentication is reenabled automatically.
Understanding How Kerberos Authentication Works
Kerberos is a client-server based secret-key network authentication method that uses a trusted Kerberos server to verify secure access to both services and users. In Kerberos, this trusted server is called the key distribution center (KDC). The KDC issues tickets to validate users and services. A ticket is a temporary set of electronic credentials that verifies the identity of a client for a particular service.
These tickets have a limited life span and can be used in place of the standard user password pair authentication mechanism if a service trusts the Kerberos server that issued the ticket. If the standard user password method is used, Kerberos encrypts user passwords into the tickets, ensuring that passwords are not sent on the network in clear text. When you use Kerberos, passwords are not stored on any machine, other than the Kerberos server, for more than a few seconds. Kerberos also guards against intruders who might pick up the encrypted tickets from the network.
Table 21-1 defines the Kerberos terms.
In the Catalyst 6500 series switches, Telnet clients and servers through both the console and in-band management port can be Kerberized.
Note
Note
Using a Kerberized Login Procedure
You can use a Kerberized Telnet session if you are logging in through the in-band management port. When the Telnet client and services have been Kerberized, you will follow this process when attempting to access the switch through Telnet:
1.
2.
3.
4.
5.
6.
Figure 21-1 shows the Kerberos Telnet connection process.
Figure 21-1 Kerberized Telnet Connection
Using a Non-Kerberized Login Procedure
If you use a non-Kerberized login procedure to log in to the switch, the switch takes care of authentication to the KDC on behalf of the login client. However, the user password is now
transferred in clear text from the login client to the switch.
Note
If you launch a non-Kerberized login, the following process takes place:
1.
2.
3.
4.
5.
Figure 21-2 shows the non-Kerberized login process.
Figure 21-2 Non-Kerberized Telnet Connection
Configuring Authentication on the Switch
These sections describe how to configure the different authentication methods:
•
•
•
•
•
•
•
•
Authentication Default Configuration
Table 21-2 shows the default authentication configuration.
Authentication Configuration Guidelines
This section describes the guidelines for configuring authentication on the switch:
•
•
•
•
•
•
•
•
Configuring Login Authentication
These sections describe how to configure login authentication on the switch:
•
•
Setting Authentication Login Attempts on the Switch
To set up login authentication on the switch, perform this task in privileged mode:
This example shows how to limit login attempts to 5, set the lockout time for both console and Telnet connections to 50 seconds, and verify the configuration:
Console> (enable) set authentication login attempt 5Login authentication attempts for console and telnet logins set to 5.Console> (enable) set authentication login lockout 50Login lockout time for console and telnet logins set to 50.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session Http Session--------------------- ---------------- ---------------- ----------------tacacs disabled disabled disabledradius disabled disabled disabledkerberos disabled disabled disabledlocal enabled(primary) enabled(primary) enabled(primary)attempt limit 5 5 -lockout timeout (sec) 50 50 -Enable Authentication: Console Session Telnet Session Http Session---------------------- ----------------- ---------------- ----------------tacacs disabled disabled disabledradius disabled disabled disabledkerberos disabled disabled disabledlocal enabled(primary) enabled(primary) enabled(primary)attempt limit 3 3 -lockout timeout (sec) disabled disabled -Console> (enable)Setting Authentication Login Attempts for the Privileged Mode
To set up login authentication for privileged mode, perform this task in privileged mode:
This example shows how to limit enable mode login attempts to5, set the enable mode lockout time for both console and Telnet connections to 50 seconds, and verify the configuration:
Console> (enable) set authentication enable attempt 5Enable mode authentication attempts for console and telnet logins set to 5.Console> (enable) set authentication enable lockout 50Enable mode lockout time for console and telnet logins set to 50.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session Http Session--------------------- ---------------- ---------------- ----------------tacacs disabled disabled disabledradius disabled disabled disabledkerberos disabled disabled disabledlocal enabled(primary) enabled(primary) enabled(primary)attempt limit 5 5 -lockout timeout (sec) 50 50 -Enable Authentication: Console Session Telnet Session Http Session---------------------- ----------------- ---------------- ----------------tacacs disabled disabled disabledradius disabled disabled disabledkerberos disabled disabled disabledlocal enabled(primary) enabled(primary) enabled(primary)attempt limit 5 5 -lockout timeout (sec) 50 50 -Console> (enable)Configuring Local Authentication
These sections describe how to configure local authentication on the switch:
•
•
Enabling Local Authentication
Note
To enable local authentication on the switch, perform this task in privileged mode:
This example shows how to enable local login, how to enable authentication for both console and Telnet connections, and how to verify the configuration:
Console> (enable) set authentication login local enablelocal login authentication set to enable for console and telnet session.Console> (enable) set authentication enable local enablelocal enable authentication set to enable for console and telnet session.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledkerberos disabled disabledlocal enabled(primary) enabled(primary)Enable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledkerberos disabled disabledlocal enabled(primary) enabled(primary)Console> (enable)Setting the Login Password
The login password controls access to the user mode CLI. Passwords are case sensitive, contain up to 19 characters, and use any printable character including a space.
Note
To set the login password for local authentication, perform this task in privileged mode:
Set the login password for access. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password.
set password
This example shows how to set the login password on the switch:
Console> (enable) set passwordEnter old password: <old_password>Enter new password: <new_password>Retype new password: <new_password>Password changed.Console> (enable)Setting the Enable Password
The login password controls access to the user mode CLI. Passwords are case sensitive, contain up to 19 characters, and use any printable character including a space.
Note
To set the enable password for local authentication, perform this task in privileged mode:
This example shows how to set the enable password on the switch:
Console> (enable) set enablepassEnter old password: <old_password>Enter new password: <new_password>Retype new password: <new_password>Password changed.Console> (enable)Disabling Local Authentication
Caution
To disable local authentication on the switch, perform this task in privileged mode:
Note
This example shows how to disable local login authentication, how to enable authentication for both console and Telnet connections, and how to verify the configuration:
Console> (enable) set authentication login local disablelocal login authentication set to disable for console and telnet session.Console> (enable) set authentication enable local disablelocal enable authentication set to disable for console and telnet session.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)kerberos disabled disabledlocal disabled disabledEnable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)kerberos disabled disabledlocal disabled disabledConsole> (enable)Recovering a Lost Password
Use the following procedure to recover a lost local authentication password. You must complete Steps 3 through 7 within 30 seconds of a power cycle or the recovery will fail. If you lost both the login and enable passwords, repeat the process for each password.
To recover a lost password, perform these steps in privileged mode:
Step 1
Step 2
Step 3
Step 4
Step 5
Step 6
Step 7
Step 8
Configuring Local User Authentication
These sections describe how to configure local user authentication on the switch:
•
•
•
•
Creating a Local User Account
Local user accounts and passwords must be fewer than 65 characters in length and can consist of any alphanumeric characters. Local user accounts must also contain at least one alphabetic character.
To create a local user account on the switch, perform this task in privileged mode:
Step 1
Create a new local user account.
set localuser user username password pwd privilege privilege_level
Step 2
Verify the local user account.
show localusers
This example shows how to create a local user account and password, set the privilege level, and verify the configuration:
Console> (enable) set localuser user picard password captain privilege 15Added local user picard.Console> (enable) show localusersLocal User Authentication: disabledUsername Privilege Level--------- -------------picard 15Console> (enable)Enabling Local User Authentication
To enable local user authentication on the switch, perform this task in privileged mode:
Step 1
Enable local user authentication.
set localuser authentication enable
Step 2
Verify the local user authentication configuration.
show authentication
This example shows how to create a local user account, enable local user authentication, and verify the configuration:
Console> (enable) set localuser authentication enableLocal User Authentication enabled.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session Http Session--------------------- ---------------- ---------------- ----------------tacacs disabled disabled disabledradius disabled disabled disabledkerberos disabled disabled disabledlocal * enabled(primary) enabled(primary) enabled(primary)attempt limit 3 3 -lockout timeout (sec) disabled disabled -Enable Authentication: Console Session Telnet Session Http Session---------------------- ----------------- ---------------- ----------------tacacs disabled disabled disabledradius disabled disabled disabledkerberos disabled disabled disabledlocal * enabled(primary) enabled(primary) enabled(primary)attempt limit 3 3 -lockout timeout (sec) disabled disabled -* Local User Authentication enabled.Console> (enable)Disabling Local User Authentication
To disable local user authentication on the switch, perform this task in privileged mode:
Step 1
Disable local user authentication.
set localuser authentication disable
Step 2
Verify the local authentication configuration.
show authentication
This example shows how to disable local user authentication for the switch and how to verify the configuration:
Console> (enable) set localuser authentication disablelocal user authentication set to disable.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session Http Session--------------------- ---------------- ---------------- ----------------tacacs disabled disabled disabledradius disabled disabled disabledkerberos disabled disabled disabledlocal * enabled(primary) enabled(primary) enabled(primary)attempt limit 3 3 -lockout timeout (sec) disabled disabled -Enable Authentication: Console Session Telnet Session Http Session---------------------- ----------------- ---------------- ----------------tacacs disabled disabled disabledradius disabled disabled disabledkerberos disabled disabled disabledlocal * enabled(primary) enabled(primary) enabled(primary)attempt limit 3 3 -lockout timeout (sec) disabled disabled -* Local User Authentication disabled.Console> (enable)Deleting a Local User Account
To delete a local user account on the switch, perform this task in privileged mode:
Step 1
Delete a local user account.
clear localuser picard
Step 2
Verify that the local user account has been deleted.
show localusers
This example shows how to delete local user authentication for the switch and how to verify the configuration:
Console> (enable) clear localuser number1Local user cleared.Console> (enable) show localusersLocal User Authentication: enabledUsername Privilege Level--------- -------------picard 15number1 0worf 15troy 0Console> (enable)Configuring TACACS+ Authentication
These sections describe how to configure TACACS+ authentication on the switch:
•
•
•
•
•
•
Specifying TACACS+ Servers
Specify one or more TACACS+ servers before you enable TACACS+ authentication on the switch. The first server you specify is the primary server, unless you explicitly make one server the primary using the primary keyword.
To specify one or more TACACS+ servers, perform this task in privileged mode:
Step 1
Specify the IP address of one or more TACACS+ servers.
set tacacs server ip_addr [primary]
Step 2
Verify the TACACS+ configuration.
show tacacs
This example shows how to specify TACACS+ servers and verify the configuration:
Console> (enable) set tacacs server 172.20.52.3172.20.52.3 added to TACACS server table as primary server.Console> (enable) set tacacs server 172.20.52.2 primary172.20.52.2 added to TACACS server table as primary server.Console> (enable) set tacacs server 172.20.52.10172.20.52.10 added to TACACS server table as backup server.Console> (enable)Console> (enable) show tacacsLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Enable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Tacacs key:Tacacs login attempts: 3Tacacs timeout: 5 secondsTacacs direct request: disabledTacacs-Server Status---------------------------------------- -------172.20.52.3172.20.52.2 primary172.20.52.10Console> (enable)Enabling TACACS+ Authentication
Note
You can enable TACACS+ authentication for login and enable access to the switch. If desired, you can use the console and telnet keywords to specify that TACACS+ authentication be used only on console or Telnet connections. If you are using both RADIUS and TACACS+, you can use the primary keyword to force the switch to try TACACS+ authentication first.
To enable TACACS+ authentication, perform this task in privileged mode:
This example shows how to enable TACACS+ authentication for console and Telnet connections and how to verify the configuration:
Console> (enable) set authentication login tacacs enabletacacs login authentication set to enable for console and telnet session.Console> (enable) set authentication enable tacacs enabletacacs enable authentication set to enable for console and telnet session.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs enabled(primary) enabled(primary)radius disabled disabledlocal enabled enabledEnable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs enabled(primary) enabled(primary)radius disabled disabledlocal enabled enabledConsole> (enable)Specifying the TACACS+ Key
Note
To specify the TACACS+ key, perform this task in privileged mode:
Step 1
Specify the key that is used to encrypt packets.
set tacacs key key
Step 2
Verify the TACACS+ configuration.
show tacacs
This example shows how to specify the TACACS+ key and verify the configuration:
Console> (enable) set tacacs key Secret_TACACS_keyThe tacacs key has been set to Secret_TACACS_key.Console> (enable) show tacacsTacacs key: Secret_TACACS_keyTacacs login attempts: 3Tacacs timeout: 5 secondsTacacs direct request: disabledTacacs-Server Status---------------------------------------- -------172.20.52.3172.20.52.2 primary172.20.52.10Console> (enable)Specifying the TACACS+ Timeout Interval
You can specify the timeout interval between retransmissions to the TACACS+ server. The default timeout is 5 seconds.
To specify the TACACS+ timeout interval, perform this task in privileged mode:
Step 1
Specify the TACACS+ timeout interval.
set tacacs timeout seconds
Step 2
Verify the TACACS+ configuration.
show tacacs
This example shows how to specify the server timeout interval and verify the configuration:
Console> (enable) set tacacs timeout 30Tacacs timeout set to 30 seconds.Console> (enable) show tacacsTacacs key: Secret_TACACS_keyTacacs login attempts: 3Tacacs timeout: 30 secondsTacacs direct request: disabledTacacs-Server Status---------------------------------------- -------172.20.52.3172.20.52.2 primary172.20.52.10Console> (enable)Specifying the TACACS+ Login Attempts
You can specify the number of failed login attempts allowed.
To specify the number of login attempts allowed, perform this task in privileged mode:
Step 1
Specify the number of allowed login attempts.
set tacacs attempts number
Step 2
Verify the TACACS+ configuration.
show tacacs
This example shows how to specify the number of login attempts and verify the configuration:
Console> (enable) set tacacs attempts 5Tacacs number of attempts set to 5.Console> (enable) show tacacsTacacs key: Secret_TACACS_keyTacacs login attempts: 5Tacacs timeout: 30 secondsTacacs direct request: disabledTacacs-Server Status---------------------------------------- -------172.20.52.3172.20.52.2 primary172.20.52.10Console> (enable)Enabling TACACS+ Directed Request
When TACACS+ directed request is enabled, you can optionally specify the host name of a configured TACACS+ server to direct the TACACS+ authentication request to that particular TACACS+ server. Authentication will fail if the server that the switch contacts does not have an account for the user that is attempting to login.
To enable TACACS+ directed request, perform this task in privileged mode:
Step 1
Enable TACACS+ directed request on the switch.
set tacacs directedrequest enable
Step 2
Verify the TACACS+ configuration.
show tacacs
This example shows how to enable TACACS+ directed request and verify the configuration:
Console> (enable) set tacacs directedrequest enableTacacs direct request has been enabled.Console> (enable) show tacacsTacacs key: Secret_TACACS_keyTacacs login attempts: 5Tacacs timeout: 30 secondsTacacs direct request: enabledTacacs-Server Status---------------------------------------- -------172.20.52.3172.20.52.2 primary172.20.52.10Console> (enable)Disabling TACACS+ Directed Request
To disable TACACS+ directed request, perform this task in privileged mode:
Step 1
Disable TACACS+ directed request on the switch.
set tacacs directedrequest disable
Step 2
Verify the TACACS+ configuration.
show tacacs
This example shows how to disable TACACS+ directed request:
Console> (enable) set tacacs directedrequest disableTacacs direct request has been disabled.Console> (enable)Clearing TACACS+ Servers
To clear one or more TACACS+ servers, perform this task in privileged mode:
This example shows how to clear a specific TACACS+ server from the configuration:
Console> (enable) clear tacacs server 172.20.52.3172.20.52.3 cleared from TACACS tableConsole> (enable)This example shows how to clear all TACACS+ servers from the configuration:
Console> (enable) clear tacacs server allAll TACACS servers clearedConsole> (enable)Clearing the TACACS+ Key
To clear the TACACS+ key, perform this task in privileged mode:
Step 1
Clear the TACACS+ key.
clear tacacs key
Step 2
Verify the TACACS+ configuration.
show tacacs
This example shows how to clear the TACACS+ key:
Console> (enable) clear tacacs keyTACACS server key cleared.Console> (enable)Disabling TACACS+ Authentication
When local authentication is disabled and only TACACS+ authentication is enabled, if you disable TACACS+ authentication, local authentication is reenabled automatically.
To disable TACACS+ authentication, perform this task in privileged mode:
This example shows how to disable TACACS+ authentication for console and Telnet connections and how to verify the configuration:
Console> (enable) set authentication login tacacs disabletacacs login authentication set to disable for console and telnet session.Console> (enable) set authentication enable tacacs disabletacacs enable authentication set to disable for console and telnet session.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Enable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Console> (enable)Configuring RADIUS Authentication
These sections describe how to configure RADIUS authentication on the switch:
•
•
•
•
•
•
Specifying RADIUS Servers
To specify one or more RADIUS servers, perform this task in privileged mode:
This example shows how to specify a RADIUS server and verify the configuration:
Console> (enable) set radius server 172.20.52.3172.20.52.3 with auth-port 1812 added to radius server table as primary server.Console> (enable) show radiusLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Enable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Radius Deadtime: 0 minutesRadius Key:Radius Retransmit: 2Radius Timeout: 5 secondsRadius-Server Status Auth-port----------------------------- ------- ------------172.20.52.3 primary 1812Console> (enable)Specifying the RADIUS Key
Note
The RADIUS key is used to encrypt and authenticate all communication between the RADIUS client and server. You must configure the same key on the client and the RADIUS server.
The length of the key is limited to 65 characters. It can include any printable ASCII characters except tabs.
To specify the RADIUS key, perform this task in privileged mode:
Step 1
Specify the RADIUS key that is used to encrypt packets sent to the RADIUS server.
set radius key key
Step 2
Verify the RADIUS configuration.
show radius
This example shows how to specify the RADIUS key and verify the configuration (in normal mode, the RADIUS key value is hidden):
Console> (enable) set radius key Secret_RADIUS_keyRadius key set to Secret_RADIUS_keyConsole> (enable) show radiusLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledEnable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledRadius Deadtime: 0 minutesRadius Key: Secret_RADIUS_keyRadius Retransmit: 2Radius Timeout: 5 secondsRadius-Server Status Auth-port----------------------------- ------- ------------172.20.52.3 primary 1812Console> (enable)Enabling RADIUS Authentication
Note
You can enable RADIUS authentication for login and enable access to the switch. If desired, you can enter the console or telnet keyword to specify that RADIUS authentication be used only on console or Telnet connections. If you are using both RADIUS and TACACS+, you can use the primary keyword to force the switch to try RADIUS authentication first.
To set up the RADIUS username and enable RADIUS authentication, perform this task in privileged mode:
Note
If your RADIUS server does not support the $enab15$ username, you can set the service-type attribute (attribute 6) to Administrative (value 6) for a RADUIS user to directly launch the user into enable mode without asking for a separate enable password.This example shows how to enable RADIUS authentication and verify the configuration:
Console> (enable) set authentication login radius enableradius login authentication set to enable for console and telnet session.Console> (enable) set authentication enable radius enableradius enable authentication set to enable for console and telnet session.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledEnable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledConsole> (enable)Specifying the RADIUS Timeout Interval
You can specify the timeout interval between retransmissions to the RADIUS server. The default timeout is 5 seconds.
To specify the RADIUS timeout interval, perform this task in privileged mode:
Step 1
Specify the RADIUS timeout interval.
set radius timeout seconds
Step 2
Verify the RADIUS configuration.
show radius
This example shows how to specify the RADIUS timeout interval and verify the configuration:
Console> (enable) set radius timeout 10Radius timeout set to 10 seconds.Console> (enable) show radiusLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledEnable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledRadius Deadtime: 0 minutesRadius Key: Secret_RADIUS_keyRadius Retransmit: 2Radius Timeout: 10 secondsRadius-Server Status Auth-port----------------------------- ------- ------------172.20.52.3 primary 1812Console> (enable)Specifying the RADIUS Retransmit Count
You can specify the number of times the switch will attempt to contact a RADIUS server before the next configured server is tried. By default, each RADIUS server is tried two times.
To specify the RADIUS retransmit count, perform this task in privileged mode:
Step 1
Specify the RADIUS server retransmit count.
set radius retransmit count
Step 2
Verify the RADIUS configuration.
show radius
This example shows how to specify the RADIUS retransmit count and verify the configuration:
Console> (enable) set radius retransmit 4Radius retransmit count set to 4.Console> (enable) show radiusLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledEnable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledRadius Deadtime: 0 minutesRadius Key: Secret_RADIUS_keyRadius Retransmit: 4Radius Timeout: 10 secondsRadius-Server Status Auth-port----------------------------- ------- ------------172.20.52.3 primary 1812Console> (enable)Specifying the RADIUS Dead Time
You can configure the switch so that, when a RADIUS server does not respond to an authentication request, the switch marks that server as dead for the length of time that is specified by the dead time. Any authentication requests that are received during the dead time interval (such as other users attempting to log in to the switch) are not sent to a RADIUS server that is marked dead. Configuring a dead time speeds up the authentication process by eliminating timeouts and retransmissions to the dead RADIUS server.
If you configure only one RADIUS server, or if all of the configured servers are marked dead, the dead time is ignored because no alternate servers are available.
To set the RADIUS dead time, perform this task in privileged mode:
Step 1
Specify the RADIUS server dead time interval.
set radius deadtime minutes
Step 2
Verify the RADIUS configuration.
show radius
This example shows how to specify the RADIUS dead time interval and verify the configuration:
Console> (enable) set radius deadtime 5Radius deadtime set to 5 minute(s)Console> (enable) show radiusLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledEnable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius enabled(primary) enabled(primary)local enabled enabledRadius Deadtime: 5 minutesRadius Key: Secret_RADIUS_keyRadius Retransmit: 4Radius Timeout: 10 secondsRadius-Server Status Auth-port----------------------------- ------- ------------172.20.52.3 primary 1812172.20.52.2 1812Console> (enable)Specifying Optional Attributes for RADIUS Servers
You can specify optional attributes in the RADIUS ACCESS_REQUEST packet. The set radius attribute command allows you to specify the transmission of certain optional attributes such as Framed-IP address, NAS-Port, Called-Station-Id, Calling-Station-Id and so on. You can set attribute transmission by either the attribute number or the attribute name. Transmission of the attributes is disabled by default.
Note
To specify optional attributes for the RADIUS server, perform this task in privileged mode:
This example shows how to specify and enable the Framed-IP address attribute by number:
Console> (enable) set radius attribute 8 include-in-access-req enableTransmission of Framed-ip address in access-request packet is enabled.Console> (enable) show radiusRADIUS Deadtime: 0 minutesRADIUS Key: 123456RADIUS Retransmit: 2RADIUS Timeout: 5 secondsFramed-Ip Address Transmit: EnabledRADIUS-Server Status Auth-port Acct-port----------------------------- ------- ------------ ------------10.6.140.230 primary 1812 1813Console> (enable)This example shows how to specify and disable the Framed-IP address attribute by name:
Console> (enable) set radius attribute framed-ip-address include-in-access-req disableTransmission of Framed-ip address in access-request packet is disabled.Console> (enable)Clearing RADIUS Servers
To clear one or more RADIUS servers, perform this task in privileged mode:
This example shows how to clear a single RADIUS server from the configuration:
Console> (enable) clear radius server 172.20.52.3172.20.52.3 cleared from radius server table.Console> (enable)This example shows how to clear all RADIUS servers from the configuration:
Console> (enable) clear radius server allAll radius servers cleared from radius server table.Console> (enable)Clearing the RADIUS Key
To clear the RADIUS key, perform this task in privileged mode:
Step 1
Clear the RADIUS key.
clear radius key
Step 2
Verify the RADIUS configuration.
show radius
This example shows how to clear the RADIUS key and verify the configuration:
Console> (enable) clear radius keyRadius key cleared.Console> (enable) show radiusLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Enable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Radius Deadtime: 0 minutesRadius Key:Radius Retransmit: 2Radius Timeout: 5 secondsRadius-Server Status Auth-port----------------------------- ------- ------------172.20.52.3 primary 1812Console> (enable)Disabling RADIUS Authentication
When local authentication is disabled and only RADIUS authentication is enabled, if you disable RADIUS authentication, local authentication is reenabled automatically.
To disable RADIUS authentication, perform this task in privileged mode:
This example shows how to disable RADIUS authentication:
Console> (enable) set authentication login radius disableradius login authentication set to disable for console and telnet session.Console> (enable) set authentication enable radius disableradius enable authentication set to disable for console and telnet session.Console> (enable) show authenticationLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Enable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Console> (enable)Configuring Kerberos Authentication
These sections describe how to configure Kerberos authentication on the switch:
•
•
•
•
•
•
•
Configuring a Kerberos Server
Before you can use Kerberos as an authentication method on the switch, you need to configure the Kerberos server. You will need to create a database for the KDC and add the switch to the database.
Note
To configure the Kerberos server, perform these steps:
Step 1
/usr/local/sbin/kdb5_util create -r CISCO.EDU -sStep 2
ank host/Cat6509.cisco.edu@CISCO.EDUStep 3
ank user1@CISCO.EDUStep 4
ank user1/admin@CISCO.EDUStep 5
ktadd host/Cat6509.cisco.edu@CISCO.EDUStep 6
Step 7
/usr/local/sbin/krb5kdc/usr/local/sbin/kadmind
Enabling Kerberos
To enable Kerberos authentication, perform this task in privileged mode:
This example shows how to enable Kerberos as the login authentication method for Telnet and verify the configuration:
kerberos> (enable) set authentication login kerberos enable telnetkerberos login authentication set to enable for telnet session.kerberos> (enable) show authenticationLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledkerberos disabled enabled(primary)local enabled(primary) enabledEnable Authentication:Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledkerberos disabled enabled(primary)local enabled(primary) enabledkerberos> (enable)This example shows how to enable Kerberos as the login authentication method for the console and verify the configuration:
kerberos> (enable) set authentication login kerberos enable consolekerberos login authentication set to enable for console session.kerberos> (enable) show authenticationLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledkerberos enabled(primary) enabled(primary)local enabled enabledEnable Authentication:Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledkerberos enabled(primary) enabled(primary)local enabled enabledkerberos> (enable)Defining the Kerberos Local Realm
The Kerberos realm is a domain consisting of users, hosts, and network services that are registered to a Kerberos server. To authenticate a user defined in the Kerberos database, the switch must know the host name or IP address of the host running the KDC and the name of the Kerberos realm.
To configure the switch to authenticate to the KDC in a specified Kerberos realm, perform this task in privileged mode:
Note
This example shows how to define a local realm and how to verify the configuration:
kerberos> (enable) set kerberos local-realm CISCO.COMKerberos local realm for this switch set to CISCO.COM.kerberos> (enable) show kerberosKerberos Local Realm:CISCO.COMKerberos server entries:Realm:CISCO.COM, Server:187.0.2.1, Port:750Kerberos Domain<->Realm entries:Domain:cisco.com, Realm:CISCO.COMKerberos Clients NOT MandatoryKerberos Credentials Forwarding EnabledKerberos Pre Authentication Method set to NoneKerberos config key:Kerberos SRVTAB EntriesSrvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 01;;8>00>50;0=0=0kerberos> (enable)Specifying a Kerberos Server
You can specify to the switch which KDC to use in a specific Kerberos realm. Optionally, you can also specify the port number that the KDC is monitoring. The Kerberos server information that you enter is maintained in a table with one entry for each Kerberos realm. The maximum number of entries in the table is 100.
To specify the Kerberos server, perform this task in privileged mode:
This example shows how to specify which Kerberos server will serve as the KDC for the specified Kerberos realm and how to clear the entry:
kerberos> (enable) set kerberos server CISCO.COM 187.0.2.1 750Kerberos Realm-Server-Port entry set to:CISCO.COM - 187.0.2.1 - 750kerberos> (enable)Console> (enable) clear kerberos server CISCO.COM 187.0.2.1 750Kerberos Realm-Server-Port entry CISCO.COM-187.0.2.1-750 deletedConsole> (enable)Mapping a Kerberos Realm to a Host Name or DNS Domain
Optionally, you can map a host name or domain name system (DNS) domain to a Kerberos realm.
To map a Kerberos realm to either a host name or DNS domain, perform this task in privileged mode:
This example shows how to map a Kerberos realm to a DNS domain and how to clear the entry:
Console> (enable) set kerberos realm CISCO CISCO.COMKerberos DnsDomain-Realm entry set to CISCO - CISCO.COMConsole> (enable)Console> (enable) clear kerberos realm CISCO CISCO.COMKerberos DnsDomain-Realm entry CISCO - CISCO.COM deletedConsole> (enable)Copying SRVTAB Files
To allow remote users to authenticate to the switch using Kerberos credentials, the switch must share a key with the KDC. You must give the switch a copy of the file stored in the KDC that contains the key. These files are called SRVTAB files on the switch and KEYTAB files on the servers.
The most secure method to copy SRVTAB files to the hosts in your Kerberos realm is to copy them onto physical media and go to each host in turn and manually copy the files onto the system. To copy SRVTAB files to a switch that does not have a physical media drive, you must transfer the files through the network by using the Trivial File Transfer Protocol (TFTP).
When you copy the SRVTAB file from the switch to the KDC, the switch parses the information in this file and stores it in the running configuration in the Kerberos SRVTAB entry format. If you enter the SRVTAB directly into the switch, create an entry for each Kerberos principal (service) on the switch. The entries are maintained in the SRVTAB table. The maximum size of the table is 20 entries.
To retrieve SRVTAB files to the switch from the KDC, perform this task in privileged mode:
This example shows how to retrieve an SRVTAB file from the KDC, enter an SRVTAB directly into the switch, and verify the configuration:
kerberos> (enable) set kerberos srvtab remote 187.20.32.10 /users/jdoe/krb5/ninerskeytab kerberos> (enable)kerberos> (enable) set kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0Kerberos SRVTAB entry set toPrincipal:host/niners.cisco.com@CISCO.COMPrincipal Type:0Timestamp:932423923Key version number:1Key type:1Key length:8Encrypted key tab:03;;5>00>50;0=0=0kerberos> (enable) show kerberosKerberos Local Realm:CISCO.COMKerberos server entries:Realm:CISCO.COM, Server:187.0.2.1, Port:750Realm:CISCO.COM, Server:187.20.2.1, Port:750Kerberos Domain<->Realm entries:Domain:cisco.com, Realm:CISCO.COMKerberos Clients NOT MandatoryKerberos Credentials Forwarding EnabledKerberos Pre Authentication Method set to NoneKerberos config key:Kerberos SRVTAB EntriesSrvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:;9Console> (enable)Deleting an SRVTAB Entry
To delete an SRVTAB entry, perform this task in privileged mode:
Delete the SRVTAB entry for a particular Kerberos principal.
clear kerberos srvtab entry kerberos_principal principal_type
This example shows how to delete an SRVTAB entry:
kerberos> (enable) clear kerberos srvtab entry host/niners.cisco.com@CISCO.COM 0kerberos> (enable)Enabling Credentials Forwarding
A user authenticated to a Kerberized switch has a TGT and can use it to authenticate to a host on the network. However, if forwarding is not enabled and a user tries to list credentials after authenticating to a host, the output will show that no Kerberos credentials are present.
To enable credentials forwarding, configure the switch to forward user TGTs when they authenticate from the switch to Kerberized remote hosts on the network using Kerberized Telnet.
As an additional layer of security, you can configure the switch so that after users authenticate to it, these users can authenticate only to other services on the network with Kerberized clients. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to authenticate users using the default method of authentication for that network service. For example, Telnet prompts for a password.
To configure clients to forward user credentials as they connect to other hosts in the Kerberos realm, perform this task in privileged mode:
This example shows how to configure clients to forward user credentials and verify the configuration:
kerberos> (enable) set kerberos credentials forwardKerberos credentials forwarding enabledkerberos> (enable) show kerberosKerberos Local Realm:CISCO.COMKerberos server entries:Realm:CISCO.COM, Server:187.0.2.1, Port:750Realm:CISCO.COM, Server:187.20.2.1, Port:750Kerberos Domain<->Realm entries:Domain:cisco.com, Realm:CISCO.COMKerberos Clients NOT MandatoryKerberos Credentials Forwarding EnabledKerberos Pre Authentication Method set to NoneKerberos config key:Kerberos SRVTAB EntriesSrvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?91:107:423=:;9kerberos> (enable)This example shows how to configure the switch so that Kerberos clients are mandatory for users to authenticate to other network services:
Console> (enable) set kerberos clients mandatoryKerberos clients set to mandatoryConsole> (enable)Disabling Credentials Forwarding
To disable the credentials forwarding, perform this task in privileged mode:
This example shows how to disable the credentials forwarding and verify the change:
Console> (enable) clear kerberos credentials forwardKerberos credentials forwarding disabledConsole> (enable) show kerberosKerberos Local Realm not configuredKerberos server entries:Kerberos Domain<->Realm entries:Kerberos Clients NOT MandatoryKerberos Credentials Forwarding DisabledKerberos Pre Authentication Method set to NoneKerberos config key:Kerberos SRVTAB EntriesConsole> (enable)To clear the Kerberos clients mandatory configuration, perform this task in privileged mode:
This example shows how to clear the clients mandatory configuration and verify the change:
Console> (enable) clear kerberos clients mandatoryKerberos clients mandatory clearedConsole> (enable) show kerberosKerberos Local Realm not configuredKerberos server entries:Kerberos Domain<->Realm entries:Kerberos Clients NOT MandatoryKerberos Credentials Forwarding DisabledKerberos Pre Authentication Method set to NoneKerberos config key:Kerberos SRVTAB EntriesConsole> (enable)Kerberos server entries:Kerberos Domain<->Realm entries:Kerberos Clients MandatoryKerberos Credentials Forwarding DisabledKerberos Pre Authentication Method set to Encrypted Unix Time StampKerberos config key:Kerberos SRVTAB EntriesConsole> (enable)Defining and Clearing a Private DES Key
You can define a private DES key for the switch. You can use the private DES key to encrypt the secret key that the switch shares with the KDC so that when the show kerberos command is executed, the secret key is not displayed in clear text. The key length should be eight characters or less.
To define a DES key, perform this task in privileged mode:
This example shows how to define a DES key and verify the configuration:
kerberos> (enable) set key config-key abcdKerberos config key set to abcdkerberos> (enable) show kerberosKerberos Local Realm:CISCO.COMKerberos server entries:Realm:CISCO.COM, Server:170.20.2.1, Port:750Realm:CISCO.COM, Server:172.20.2.1, Port:750Kerberos Domain<->Realm entries:Domain:cisco.com, Realm:CISCO.COMKerberos Clients MandatoryKerberos Credentials Forwarding DisabledKerberos Pre Authentication Method set to Encrypted Unix Time StampKerberos config key:abcdKerberos SRVTAB EntriesSrvtab Entry 1:host/aspen-niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 12151><88?=>>3>11kerberos> (enable)To clear the DES key, perform this task in privileged mode:
This example shows how to clear the DES key:
Console> (enable) clear key config-keyKerberos config key clearedConsole> (enable)Encrypting a Telnet Session
After a user authenticates to the switch using Kerberos and wants to Telnet to another switch or host, whether or not this will be a Kerberized Telnet depends on the authentication method that the Telnet server uses. If the Telnet server uses Kerberos for authentication, you can choose to have all the application data packets encrypted for the duration of the Telnet session. To encrypt the Telnet session, select the encrypt kerberos option in the telnet command.
To encrypt a Telnet session, perform this task:
This example shows how to configure a Telnet session for Kerberos authentication and encryption:
Console> (enable) telnet encrypt kerberosDisplaying and Clearing Kerberos Configurations
Use these commands to display and clear Kerberos configurations on the switch:
•
•
•
To display the Kerberos configuration, perform this task in privileged mode:
This example shows how to display the Kerberos configuration:
kerberos> (enable) show kerberosKerberos Local Realm:CISCO.COMKerberos server entries:Realm:CISCO.COM, Server:187.0.2.1, Port:750Realm:CISCO.COM, Server:187.20.2.1, Port:750Kerberos Domain<->Realm entries:Domain:cisco.com, Realm:CISCO.COMKerberos Clients NOT MandatoryKerberos Credentials Forwarding EnabledKerberos Pre Authentication Method set to NoneKerberos config key:Kerberos SRVTAB EntriesSrvtab Entry 1:host/niners.cisco.com@CISCO.COM 0 932423923 1 1 8 03;;5>00>50;0=0=0Srvtab Entry 2:host/niners.cisco.edu@CISCO.EDU 0 933974942 1 1 8 00?58:127:223=:;9kerberos> (enable)To display the Kerberos credentials, perform this task in privileged mode:
This example shows how to display the Kerberos credentials:
Console> (enable) show kerberos credsNo Kerberos credentials.Console> (enable)To clear all Kerberos credentials, perform this task in privileged mode:
This example shows how to clear all Kerberos credentials from the switch:
Console> (enable) clear kerberos credsConsole> (enable)Authentication Example
Figure 21-3 shows a simple network topology using TACACS+.
In this example, TACACS+ authentication is enabled and local authentication is disabled for both login and enable access to the switch for all Telnet connections. When Workstation A attempts to connect to the switch, the user is challenged for a TACACS+ username and password.
However, only local authentication is enabled for both login and enable access on the console port. Any user with access to the directly connected terminal can access the switch using the login and enable passwords.
Figure 21-3 TACACS+ Example Network Topology
This example shows how to configure the switch so that TACACS+ authentication is enabled for Telnet connections, local authentication is enabled for console connections, and a TACACS+ encryption key is specified:
Console> (enable) show tacacsTacacs key:Tacacs login attempts: 3Tacacs timeout: 5 secondsTacacs direct request: disabledTacacs-Server Status---------------------------------------- -------Console> (enable) set tacacs server 172.20.52.10172.20.52.10 added to TACACS server table as primary server.Console> (enable) set tacacs key tintin_et_milouThe tacacs key has been set to tintin_et_milou.Console> (enable) set authentication login tacacs enable telnettacacs login authentication set to enable for telnet session.Console> (enable) set authentication enable tacacs enable telnettacacs enable authentication set to enable for telnet session.Console> (enable) set authentication login local disable telnetlocal login authentication set to disable for telnet session.Console> (enable) set authentication enable local disable telnetlocal enable authentication set to disable for telnet session.Console> (enable) show tacacsTacacs key: tintin_et_milouTacacs login attempts: 3Tacacs timeout: 5 secondsTacacs direct request: disabledTacacs-Server Status---------------------------------------- -------172.20.52.10 primaryConsole> (enable)Understanding How Authorization Works
These sections describe how authorization works:
•
•
Authorization Overview
Catalyst 6500 series switches support TACACS+ and RADIUS authorization. Authorization limits access to specified users using a dynamically applied access list (or user profile) that is based on the username and password pair. The access list resides on the host running the TACACS+ or RADIUS server. The server responds to the user password information with an access list number that causes the specific list to be applied.
Authorization Events
You can enable authorization for the following:
•
•
•
TACACS+ Primary Options and Fallback Options
You can specify the primary options and the fallback options that are used in the authorization process. Available options and fallback options include the following:
•
•
•
•
TACACS+ Command Authorization
You can require authorization for all commands or for configuration (enable mode) commands only. Configuration commands include the following:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following TACACS+ authorization process occurs for every command that you enter:
•
•
•
RADIUS Authorization
RADUIS has limited authorization. There is one attribute, Service-Type, in the authentication protocol that provides authorization information. This attribute is part of the user-profile.
When you log in using RADIUS authentication and you do not have Administrative/Shell (6) Service-Type access, the network access server (NAS) authenticates you and logs you in to the EXEC mode. If you have Administrative/Shell (6) Service-Type access, the NAS authenticates you and logs you in to the privileged mode.
Configuring Authorization on the Switch
These sections describe how to configure authorization:
•
•
•
•
TACACS+ Authorization Default Configuration
Table 21-3 shows the TACACS+ default authorization configuration.
TACACS+ Authorization Configuration Guidelines
This section describes the guidelines for configuring TACACS+ authorization on the switch:
•
•
•
•
•
Configuring TACACS+ Authorization
These sections describe how to configure TACACS+ authorization on the switch:
•
•
Enabling TACACS+ Authorization
To enable TACACS+ authorization on the switch, perform this task in privileged mode:
This example shows how to enable TACACS+ EXEC mode authorization for both console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny.
Console> (enable) set authorization exec enable tacacs+ deny bothSuccessfully enabled enable authorization.Console>This example shows how to enable TACACS+ enable mode authorization for console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny.
Console> (enable) set authorization enable enable tacacs+ deny bothSuccessfully enabled enable authorization.Console>This example shows how to enable TACACS+ command authorization for both console and Telnet connections. Authorization is configured with the tacacs+ option. The fallback option is deny.
Console> (enable) set authorization commands enable config tacacs+ deny bothSuccessfully enabled commands authorization.Console> (enable)This example shows how to verify the configuration:
Console> (enable) show authorizationTelnet:-------Primary Fallback------- --------exec: tacacs+ denyenable: tacacs+ denycommands:config: tacacs+ denyall: - -Console:--------Primary Fallback------- --------exec: tacacs+ denyenable: tacacs+ denycommands:config: tacacs+ denyall: - -Console> (enable)Disabling TACACS+ Authorization
To disable TACACS+ authorization on the switch, perform this task in privileged mode:
This example shows how to disable TACACS+ EXEC mode authorization for both console and Telnet connections and how to verify the configuration:
Console> (enable) set authorization exec disable bothSuccessfully disabled enable authorization.Console> (enable)This example shows how to disable TACACS+ enable mode authorization for both console and Telnet connections and how to verify the configuration:
Console> (enable) set authorization enable disable bothSuccessfully disabled enable authorization.Console> (enable)This example shows how to disable TACACS+ command authorization for both console and Telnet connections and how to verify the configuration:
Console> (enable) set authorization commands disable bothSuccessfully disabled commands authorization.Console> (enable)This example shows how to verify the configuration:
Console> (enable) show authorizationTelnet:-------Primary Fallback------- --------exec: tacacs+ denyenable: tacacs+ denycommands:config: tacacs+ denyall: - -Console:--------Primary Fallback------- --------exec: tacacs+ denyenable: tacacs+ denycommands:config: tacacs+ denyall: - -Console> (enable)Configuring RADIUS Authorization
These sections describe how to configure RADIUS authorization on the switch:
•
•
Enabling RADIUS Authorization
To enable RADIUS authorization and authentication on the switch, perform these steps in privileged mode:
Step 1
Step 2
Disabling RADIUS Authorization
Enter the set authentication login radius disable command in privileged mode to disable RADIUS authorization.Authorization Example
Figure 21-4 shows a simple network topology using TACACS+.
When Workstation A initiates a command on the switch, the switch registers a request with the TACACS+ daemon. The TACACS+ daemon determines if the user is authorized to use the feature and sends a response either executing the command or denying access.
Figure 21-4 TACACS+ Example Network Topology
In this example, TACACS+ authorization is enabled for enable mode access and for configuration commands to be entered on the switch over Telnet and console connections:
Console> (enable) set authorization enable enable tacacs+ deny bothSuccessfully enabled enable authorization.Console> (enable) set authorization commands enable config tacacs+ deny bothSuccessfully enabled commands authorization.Console> (enable) show authorizationTelnet:-------Primary Fallback------- --------exec: tacacs+ denyenable: tacacs+ denycommands:config: tacacs+ denyall: - -Console:--------Primary Fallback------- --------exec: tacacs+ denyenable: tacacs+ denycommands:config: tacacs+ denyall: - -Console> (enable)Understanding How Accounting Works
These sections describe how the different accounting methods work:
•
Accounting Overview
You can configure these accounting methods to monitor access to the switch:
•
•
Accounting allows you to track user activity to a specified host, suspicious connection attempts in the network, and unauthorized changes to the NAS configuration itself. The accounting information is sent to the accounting server where it is saved as a record. Accounting information typically consists of the user's action and the duration for which the action lasted. You can use the accounting feature for security, billing, and resource allocation purposes.
The accounting protocol operates in a client-server model using TCP for transport. The NAS acts as the client and the accounting server acts as the daemon. The NAS sends accounting information to the server. The server, after successfully processing the information, sends a response to the NAS, acknowledging the request. All transactions between the NAS and server are authenticated using a key.
Once accounting has been enabled and an accountable event occurs on the system, the accounting information is gathered dynamically in memory. When the event ends, an accounting record is created and sent to the NAS, and then the system deletes the record from memory. The amount of memory that is used by the NAS for accounting varies depending on the number of concurrent accountable events.
Accounting Events
You can configure accounting for these event types:
•
•
Note
•
•
Specifying When to Create Accounting Records
You configure the switch to gather accounting information to create records. When you configure accounting (using the set accounting commands), the switch can generate two types of records:
•
•
Accounting records are created and sent to the server at two events:
•
•
Note
Specifying RADIUS Servers
To specify one or more RADIUS servers, perform this task in privileged mode:
This example shows how to specify a RADIUS server and verify the configuration:
Console> (enable) set radius server 172.20.52.3172.20.52.3 with auth-port 1812 added to radius server table as primary server.Console> (enable) show radiusLogin Authentication: Console Session Telnet Session--------------------- ---------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Enable Authentication: Console Session Telnet Session---------------------- ----------------- ----------------tacacs disabled disabledradius disabled disabledlocal enabled(primary) enabled(primary)Radius Deadtime: 0 minutesRadius Key:Radius Retransmit: 2Radius Timeout: 5 secondsRadius-Server Status Auth-port----------------------------- ------- ------------172.20.52.3 primary 1812Console> (enable)Updating the Server
You can configure the switch to send accounting information to the TACACS+ server. There are two options:
•
•
Suppressing Accounting
You can configure the system to suppress accounting when an unknown user with no username accesses the switch by using the set accounting suppress null-username enable command.
Note
Configuring Accounting on the Switch
These sections describe how to configure accounting for both TACACS+ and RADIUS:
•
•
Accounting Default Configuration
Table 21-4 shows the accounting default configuration.
Table 21-4 Accounting Default Configuration
Accounting
Disabled
Accounting events (EXEC, system, commands, and connect)
Disabled
Accounting records
Stop-only
Accounting Configuration Guidelines
This section describes the guidelines for configuring accounting on the switch:
•
•
Note
Configuring Accounting
These sections describe how to configure RADIUS and TACACS+ accounting on the switch:
Enabling Accounting
To enable accounting on the switch, perform this task in privileged mode:
This example shows how to enable stop-only TACACS+ accounting events:
Console> (enable) set accounting connect enable stop-only tacacs+Accounting set to enable for connect events in stop-only mode.Console> (enable)Console> (enable) set accounting exec enable stop-only tacacs+Accounting set to enable for exec events in stop-only mode.Console> (enable)Console> (enable) set accounting system enable stop-only tacacs+Accounting set to enable for system events in stop-only mode.Console> (enable)Console> (enable) set accounting commands enable all stop-only tacacs+Accounting set to enable for commands-all events in stop-only mode.Console> (enable)This example shows how to suppress accounting of unknown users:
Console> (enable) set accounting suppress null-username enableAccounting will be suppressed for user with no username.Console> (enable)This example shows how to update the server periodically:
Console> (enable) set accounting update periodic 120Accounting updates will be periodic at 120 minute intervals.Console> (enable)This example shows how to verify the configuration:
Console> (enable) show accountingEvent Method Mode----- ------- ----exec: tacacs+ stop-onlyconnect: tacacs+ stop-onlysystem: tacacs+ stop-onlycommands:config: - -all: tacacs+ stop-onlyTACACS+ Suppress for no username: enabledUpdate Frequency: periodic, Interval = 120Accounting information:-----------------------Active Accounted actions on tty0, User (null) Priv 0Active Accounted actions on tty288091924, User (null) Priv 0Overall Accounting Traffic:Starts Stops Active----- ----- ------Exec 0 0 0Connect 0 0 0Command 0 0 0System 1 0 0Console> (enable)Disabling Accounting
To disable RADIUS accounting on the switch, perform this task in privileged mode:
This example shows how to disable stop-only accounting:
Console> (enable) set accounting connect disableAccounting set to disable for connect events.Console> (enable)Console> (enable) set accounting exec disableAccounting set to disable for exec events.Console> (enable)Console> (enable) set accounting system disableAccounting set to disable for system events.Console> (enable)Console> (enable) set accounting commands disableAccounting set to disable for commands-all events.Console> (enable)This example shows how to disable suppression of unknown users:
Console> (enable) set accounting suppress null-username disableAccounting will be not be suppressed for user with no username.Console> (enable)This example shows how to verify the configuration:
Console> (enable) show accountingEvent Method Mode----- ------- ----exec: - -connect: - -system: - -commands:config: - -all: - -TACACS+ Suppress for no username: disabledUpdate Frequency: new-infoAccounting information:-----------------------Active Accounted actions on tty0, User (null) Priv 0Active Accounted actions on tty288091924, User (null) Priv 0Overall Accounting Traffic:Starts Stops Active----- ----- ------Exec 0 0 0Connect 0 0 0Command 0 0 0System 1 2 0Console> (enable)Accounting Example
Figure 21-5 shows a simple network topology using TACACS+.
When Workstation A initiates an accountable event on the switch, the switch gathers event information and forwards the information to the server at the conclusion of the event. Accounting information is gathered at the conclusion of the event. Accounting is suspended for unknown users, and the system is updated every 120 minutes.
Figure 21-5 TACACS+ Example Network Topology
In this example, TACACS+ accounting is enabled for connection, EXEC, system, and all command accounting:
Console> (enable) set accounting connect enable stop-only tacacs+Accounting set to enable for connect events in stop-only mode.Console> (enable) set accounting exec enable stop-only tacacs+Accounting set to enable for exec events in stop-only mode.Console> (enable) set accounting commands enable all stop-only tacacs+Accounting set to enable for commands-all events in stop-only mode.Console> (enable) set accounting update periodic 120Accounting updates will be periodic at 120 minute intervals.Console> (enable) show accountingEvent Method Mode----- ------- ----exec: tacacs+ stop-onlyconnect: tacacs+ stop-onlysystem: tacacs+ stop-onlycommands:config: - -all: tacacs+ stop-onlyTACACS+ Suppress for no username: enabledUpdate Frequency: periodic, Interval = 120Accounting information:-----------------------Active Accounted actions on tty0, User (null) Priv 0Active Accounted actions on tty288091924, User (null) Priv 0Overall Accounting Traffic:Starts Stops Active----- ----- ------Exec 0 0 0Connect 0 0 0Command 0 0 0System 1 0 0Console> (enable)
