-
Cisco MDS 9000 Family CLI Configuration Guide, Release 3.3(3)
-
Index
-
New and Changed Information
-
Preface
- Getting Started
- Installation and Switch Management
- Switch Configuration
-
Fabric Configuration
-
Configuring and Managing VSANs
-
SAN Device Virtualization
-
Creating Dynamic VSANs
-
Configuring Inter-VSAN Routing
-
Distributing Device Alias Services
-
Configuring Fibre Channel Routing Services and Protocols
-
Managing FLOGI, Name Server, FDMI, and RSCN Databases
-
Discovering SCSI Targets
-
Configuring FICON
-
Advanced Features and Concepts
-
Configuring and Managing Zones
-
-
Security
-
Configuring FIPS
-
Configuring Users and Common Roles
-
Configuring SNMP
-
Configuring RADIUS and TACACS+
-
Configuring IPv4 and IPv6 Access Control Lists
-
Configuring Certificate Authorities and Digital Certificates
-
Configuring IPsec Network Security
-
Configuring FC-SP and DHCHAP
-
Configuring Port Security
-
Configuring Fabric Binding
-
- IP Services
- Intelligent Storage Services
- Network and Switch Monitoring
- Traffic Management
- Troubleshooting
-
Configuration Limits for Cisco MDS SAN-OS Release 3.x
-
Feedback
Table Of Contents
Configuring RADIUS and TACACS+
Remote Authentication Guidelines
AAA Service Configuration Options
Authentication and Authorization Process
Setting the RADIUS Server Address
About the Default RADIUS Server Encryption Type and Preshared Key
Configuring the Default RADIUS Server Encryption Type and Preshared Key
Setting the RADIUS Server Timeout Interval
Setting Transmission Retry Count for the RADIUS Server
Configuring RADIUS Server Monitoring Parameters
Configuring the Test Idle Timer
Sending RADIUS Test Messages for Monitoring
About Users Specifying a RADIUS Server at Login
Allowing Users to Specify a RADIUS Server at Login
About Vendor-Specific Attributes
Specifying SNMPv3 on AAA Servers
Displaying RADIUS Server Details
Displaying RADIUS Server Statistics
About TACACS+ Server Default Configuration
About the Default TACACS+ Server Encryption Type and Preshared Key
Setting the TACACS+ Server Address
Configuring TACACS+ Server Monitoring Parameters
Configuring the TACACS+ Test Idle Timer
Sending TACACS+ Test Messages for Monitoring
Password Aging Notification through TACACS+ Server
About Users Specifying a TACACS+ Server at Login
Allowing Users to Specify a TACACS+ Server at Login
Defining Custom Attributes for Roles
Supported TACACS+ Server Parameters
Displaying TACACS+ Server Details
Enabling AAA Server Distribution
Starting a Distribution Session on a Switch
Displaying the Pending Configuration
Discarding the Distribution Session
.Merge Guidelines for RADIUS and TACACS+ Configurations
Configuring Accounting Services
Displaying Accounting Configuration
Configuring Cisco Access Control Servers
Configuring RADIUS and TACACS+
The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use RADIUS and TACACS+ protocols to provide solutions using remote AAA servers.
Based on the user ID and password combination provided, switches perform local authentication or authorization using the local database or remote authentication or authorization using a AAA server. A preshared secret key provides security for communication between the switch and AAA servers. This secret key can be configured for all AAA servers or for only a specific AAA server. This security feature provides a central management capability for AAA servers.
This chapter includes the following sections:
•
Configuring Accounting Services
•
Switch Management Security
Management security in any switch in the Cisco MDS 9000 Family provides security to all management access methods, including the command-line interface (CLI) or Simple Network Management Protocol (SNMP).
CLI Security Options
You can access the CLI using the console (serial connection), Telnet, or Secure Shell (SSH). For each management path (console, Telnet, and SSH), you can configure one or more of the following security control options: local, remote (RADIUS or TACACS+), or none.
•
–
–
•
These security features can also be configured for the following scenarios:
•
•
SNMP Security Options
The SNMP agent supports security features for SNMPv1, SNMPv2c, and SNMPv3. Normal SNMP security features apply to all applications that use SNMP (for example, Cisco MDS 9000 Fabric Manager).
SNMP security options also apply to Fabric Manager and Device Manager.
See Chapter 33, "Configuring SNMP".
Refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide for information on Fabric Manager and Device Manager.
Switch AAA Functionalities
Using the CLI or an SNMP application, you can configure AAA switch functionalities on any switch in the Cisco MDS 9000 Family.
This section includes the following topics:
•
•
•
Authentication
Authentication is the process of verifying the identity of the person or device accessing the switch. This identity verification is based on the user ID and password combination provided by the entity trying to access the switch. Cisco MDS 9000 Family switches allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
Note
Authorization
The following authorization roles exist in all Cisco MDS switches:
•
•
•
These roles cannot be changed or deleted. You can create additional roles and configure the following options:
•
•
Note
Accounting
The accounting feature tracks and maintains a log of every management configuration used to access the switch. This information can be used to generate reports for troubleshooting and auditing purposes. Accounting logs can be stored locally or sent to remote AAA servers.
Remote AAA Services
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
•
•
•
•
Remote Authentication Guidelines
If you prefer using remote AAA servers, follow these guidelines:
•
•
•
•
Server Groups
You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers implementing the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco MDS switch encounters errors from the servers in the first group, it tries the servers in the next server group.
AAA Service Configuration Options
AAA configuration in Cisco MDS 9000 Family switches is service based. You can have separate AAA configurations for the following services:
•
•
•
•
•
In general, server group, local, and none are the three options that can be specified for any service in an AAA configuration. Each option is tried in the order specified. If all the options fail, local is tried.
Caution
Note
Table 34-1 provides the related CLI command for each AAA service configuration option.
.
Error-Enabled Status
When you log in, the login is processed by rolling over to local user database if the remote AAA servers do not respond. In this situation, the following message is displayed on the your screen—if you have enabled the error-enabled feature:
Remote AAA servers unreachable; local authentication done.To enable this message display, use the aaa authentication login error-enable command.
To disable this message display, use the no aaa authentication login error-enable command.
To view the current display status, use the show aaa authentication login error-enable command (see Example 34-1).
Example 34-1 Displays AAA Authentication Login Information
switch# show aaa authentication login error-enableenabledAAA Server Monitoring
An unresponsive AAA server introduces a delay in the processing of AAA requests. An MDS switch can periodically monitor an AAA server to check whether it is responding (or alive) to save time in processing AAA requests. The MDS switch marks unresponsive AAA servers as dead and does not send AAA requests to any dead AAA servers. An MDS switch periodically monitors dead AAA servers and brings them to the alive state once they are responding. This monitoring process verifies that an AAA server is in a working state before real AAA requests are sent its way. Whenever an AAA server changes to the dead or alive state, an SNMP trap is generated and the MDS switch warns the administrator that a failure is taking place before it can impact performance. See Figure 34-1 for AAA server states.
Figure 34-1 AAA Server States
Note
The user name and password to be used in the test packet can be configured.
See the "Configuring RADIUS Server Monitoring Parameters" section and"Displaying RADIUS Server Details" section.
Authentication and Authorization Process
Authentication is the process of verifying the identity of the person managing the switch. This identity verification is based on the user ID and password combination provided by the person managing the switch. The Cisco MDS 9000 Family switches allow you to perform local authentication (using the lookup database) or remote authentication (using one or more RADIUS servers or TACACS+ servers).
The following steps explain the authorization and authentication process:
Step 1
Step 2
•
•
•
Step 3
•
•
•
Step 4
Figure 34-2 shows a flow chart of the authorization and authentication process.
Figure 34-2 Switch Authorization and Authentication Flow
Note
No more servers left = no response from any server within this server group.
Configuring RADIUS
Cisco MDS 9000 Family switches can use the RADIUS protocol to communicate with remote AAA servers. You can configure multiple RADIUS servers and server groups and set timeout and retry counts.
RADIUS is a distributed client/server protocol that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco MDS 9000 Family switches and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
This section defines the RADIUS operation, identifies its network environments, and describes its configuration possibilities.
Setting the RADIUS Server Address
You can add up to 64 RADIUS servers. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays encrypted keys.
To specify the host RADIUS server IPv4 address and other options, follow these steps:
To specify the host RADIUS server IPv6 address and other options, follow these steps:
To specify the host RADIUS server DNS name and other options, follow these steps:
About the Default RADIUS Server Encryption Type and Preshared Key
You need to configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The length of the key is restricted to 64 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch.
You can override this global key assignment by explicitly using the key option in the radius-server host command.
Configuring the Default RADIUS Server Encryption Type and Preshared Key
To configure the RADIUS preshared key, follow these steps:
Setting the RADIUS Server Timeout Interval
You can configure a global timeout value between transmissions for all RADIUS servers.
Note
To specify the timeout values between retransmissions to the RADIUS servers, follow these steps:
Setting Transmission Retry Count for the RADIUS Server
By default, a switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server.To specify the number of times that RADIUS servers should try to authenticate a user, follow these steps:
Configuring RADIUS Server Monitoring Parameters
You can configure parameters for monitoring RADIUS servers. You can configure this option to test the server periodically, or you can run a one-time only test.
This section includes the following topics:
•
Configuring the Test Idle Timer
The test idle timer specifies the interval during which a RADIUS server receives no requests before the MDS switch sends out a test packet.
Note
To configure the idle timer, follow these steps:
Configuring Test User Name
You can configure a username and password for periodic RADIUS server status testing. You do not need to configure the test username and password to issue test messages to monitor RADIUS servers. You can use the default test username (test) and default password (test).
Note
To configure the optional username and password for periodic RADIUS server status testing, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# radius-server host 10.1.1.1 test username testuser
Configures the test user (testuser) with the default password (test). The default user name is test.
switch(config)# no radius-server host 10.1.1.1 test username testuser
Removes the test user name (testuser).
switch(config)# radius-server host 10.1.1.1 test username testuser password Ur2Gd2BH
Configures the test user (testuser) and assigns a strong password.
For guidelines for creating strong passwords, see the "Characteristics of Strong Passwords" section on page 32-11.
Configuring the Dead Timer
The dead timer specifies the interval that the MDS switch waits, after declaring that a RADIUS server is dead, before sending out a test packet to determine if the server is now alive.
Note
Note
To configure the dead timer, follow these steps:
Sending RADIUS Test Messages for Monitoring
You can manually send test messages to monitor a RADIUS server.
To send the test message to the RADIUS server, follow this step:
Step 1
switch# test aaa server radius 10.10.1.1 test test
Sends a test message to a RADIUS server using the default username (test) and password (test).
switch# test aaa server radius 10.10.1.1 testuser Ur2Gd2BH
Sends a test message to a RADIUS server using a configured test username (testuser) and password (Ur2Gd2BH).
Note
About Users Specifying a RADIUS Server at Login
By default, an MDS switch forwards an authentication request to the first server in the RADIUS server group. You can configure the switch to allow the user to specify which RADIUS server to send the authenticate request by enabling the directed request option. If you enable this option, the user can log in as username@hostname, where the hostname is the name of a configured RADIUS server.
Allowing Users to Specify a RADIUS Server at Login
To allow users logging into an MDS switch to select a RADIUS server for authentication, follow these steps:
You can use the show tacacs-server directed-request command to display the RADIUS directed request configuration.
switch# show radius-server directed-requestdisabledAbout Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-avpair. The value is a string with the following format:
protocol : attribute seperator value *Where protocol is a Cisco attribute for a particular type of authorization, separator is = (equal sign) for mandatory attributes, and * (asterisk) is for optional attributes.
When you use RADIUS servers to authenticate yourself to a Cisco MDS 9000 Family switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.
VSA Format
The following VSA protocol options are supported by the Cisco SAN-OS software:
•
•
The following attributes are supported by the Cisco SAN-OS software:
•
shell:roles="network-admin vsan-admin"
shell:roles*"network-admin vsan-admin"
When an VSA is specified as shell:roles*"network-admin vsan-admin", this VSA is flagged as an optional attribute, and other Cisco devices ignore this attribute.
•
Specifying SNMPv3 on AAA Servers
The vendor/custom attribute cisco-av-pair can be used to specify user's role mapping using the format:
shell:roles="roleA roleB ..."If the roll option in the cisco-av-pair attribute is not set, the default user role is network-operator.
The VSA format optionally specifies your SNMPv3 authentication and privacy protocol attributes also as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.
Displaying RADIUS Server Details
Use the show radius-server command to display configured RADIUS parameters as shown in Example 34-2.
Example 34-2 Displays Configured RADIUS Information
switch# show radius-serverGlobal RADIUS shared secret:*******retransmission count:5timeout value:10following RADIUS servers are configured:myradius.cisco.users.com:available for authentication on port:1812available for accounting on port:1813172.22.91.37:available for authentication on port:1812available for accounting on port:1813RADIUS shared secret:******10.10.0.0:available for authentication on port:1812available for accounting on port:1813RADIUS shared secret:******Example 34-3 Displays Configured RADIUS Server-Group Order
switch# show radius-server groupstotal number of groups:4following RADIUS server groups are configured:group radius:server: all configured radius serversgroup Group1:server: Server3 on auth-port 1812, acct-port 1813server: Server5 on auth-port 1812, acct-port 1813group Group5:Displaying RADIUS Server Statistics
You can display RADIUS server statistics using the show radius-server statistics command.
Example 34-4 Displays RADIUS Server Statistics
switch# show radius-server statistics 10.1.3.2Server is not monitoredAuthentication Statisticsfailed transactions: 0sucessfull transactions: 0requests sent: 0requests timed out: 0responses with no matching requests: 0responses not processed: 0responses containing errors: 0Accounting Statisticsfailed transactions: 0sucessfull transactions: 0requests sent: 0requests timed out: 0responses with no matching requests: 0responses not processed: 0responses containing errors: 0Configuring TACACS+
A Cisco MDS switch uses the Terminal Access Controller Access Control System Plus (TACACS+) protocol to communicate with remote AAA servers. You can configure multiple TACACS+ servers and set timeout values.
This section includes the following topics:
•
•
•
•
•
•
•
•
•
•
About TACACS+
TACACS+ is a client/server protocol that uses TCP (TCP port 49) for transport requirements. All switches in the Cisco MDS 9000 Family provide centralized authentication using the TACACS+ protocol. The TACACS+ has the following advantages over RADIUS authentication:
•
•
•
About TACACS+ Server Default Configuration
Fabric Manager allows you to set up a default configuration that can be used for any TACACS+ server that you configure the switch to communicate with. The default configuration includes:
•
•
•
•
•
About the Default TACACS+ Server Encryption Type and Preshared Key
You need to configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. The length of the key is restricted to 64 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all TACACS+ server configurations on the switch.
You can override this global key assignment by explicitly using the key option when configuring and individual TACACS+ server.
Enabling TACACS+
By default, the TACACS+ feature is disabled in all switches in the Cisco MDS 9000 Family. You must explicitly enable the TACACS+ feature to access the configuration and verification commands for fabric authentication. When you disable this feature, all related configurations are automatically discarded.
To enable TACACS+ for a Cisco MDS switch, follow these steps:
Setting the TACACS+ Server Address
If a secret key is not configured for a configured server, a warning message is issued if a global key is not configured. If a server key is not configured, the global key (if configured) is used for that server (see the "Setting the Timeout Value" section).
Note
To configure the TACACS+ server IPv4 address and other options, follow these steps:
To configure the TACACS+ server IPv6 address and other options, follow these steps:
To configure the TACACS+ server DNS name and other options, follow these steps:
Setting the Global Secret Key
You can configure global values for the secret key for all TACACS+ servers.
Note
Note
To set the secret key for TACACS+ servers, follow these steps:
Setting the Timeout Value
You can configure a global timeout value between transmissions for all TACACS+ servers.
Note
To set the global timeout value for TACACS+ servers, follow these steps:
About TACACS+ Servers
By default, the TACACS+ feature is disabled in all switches in the Cisco MDS 9000 Family. Fabric Manager or Device Manager enables the TACACS+ feature automatically when you configure a TACACS+ server.
If a secret key is not configured for a configured server, a warning message is issued if a global key is not configured. If a server key is not configured, the global key (if configured) is used for that server.
Note
You can configure global values for the secret key for all TACACS+ servers.
Note
Configuring TACACS+ Server Monitoring Parameters
You can configure parameters for monitoring TACACS+ servers.
This section includes the following topics:
•
Configuring the TACACS+ Test Idle Timer
The test idle timer specifies the interval during which a TACACS+ server receives no requests before the MDS switch sends out a test packet.
Note
To configure the idle timer, follow these steps:
Configuring Test Username
You can configure a username and password for periodic TACACS+ server status testing. You do not servers. You can use the default test username (test) and default password (test).
To configure the optional username and password for periodic TACACS+ server status testing, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# tacacs-server host 10.1.1.1 test username testuser
Configures the test user (testuser) with the default password (test). The default username is test.
switch(config)# no tacacs-server host 10.1.1.1 test username testuser
Removes the test user (testuser).
switch(config)# tacacs-server host 10.1.1.1 test username testuser password Ur2Gd2BH
Configures the test user (testuser) and assigns a strong password.
For guidelines for creating strong passwords, see the "Characteristics of Strong Passwords" section on page 32-11.
Configuring the Dead Timer
The dead timer specifies the interval that the MDS switch waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.
Note
Note
To configure the dead timer, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# tacacs-server deadtime 30
Configures the dead-time interval value in minutes. The valid range is 1 to 1440 minutes.
Step 3
switch(config)# no tacacs-server deadtime 30
Reverts to the default value (0 minutes).
Note
Sending TACACS+ Test Messages for Monitoring
You can manually send test messages to monitor a TACACS+ server.
To send the test message to the TACACS+ server, follow these steps:
switch# test aaa server tacacs+ 10.10.1.1 test test
Sends a test message to a TACACS+ server using the default username (test) and password (test).
switch# test aaa server tacacs+ 10.10.1.1 testuser Ur2Gd2BH
Sends a test message to a TACACS+ server using a configured test username and password.
A configured username and password is optional (see the "Configuring Test Username" section).
Password Aging Notification through TACACS+ Server
Password aging notification is initiated when the user authenticates to a Cisco MDS 9000 switch via a TACACS+ account. The user is notified when a password is about to expire or has expired. If the password has expired, user is prompted to change the password.
Note
Password aging notification facilitates the following:
•
•
•
To enable the password aging option in the AAA server, enter the following command:
aaa authentication login password-aging enableTo determine whether or not password aging notification is enabled or disabled in the AAA server, enter the following command:
show aaa authentication login password-agingAbout Users Specifying a TACACS+ Server at Login
By default, an MDS switch forwards an authentication request to the first server in the TACACS+ server group. You can configure the switch to allow the user to specify which TACACS+ server to send the authenticate request. If you enable this feature, the user can log in as username@hostname, where the hostname is the name of a configured TACACS+ server.
Allowing Users to Specify a TACACS+ Server at Login
To allow users logging into an MDS switch to select a TACACS+ server for authentication, follow these steps:
You can use the show tacacs-server directed-request command to display the TACACS+ directed request configuration.
switch# show tacacs-server directed-requestdisabledDefining Custom Attributes for Roles
Cisco MDS 9000 Family switches use the TACACS+ custom attribute for service shells to configure roles to which a user belongs. TACACS+ attributes are specified in name=value format. The attribute name for this custom attribute is cisco-av-pair. The following example illustrates how to specify roles using this attribute:
cisco-av-pair=shell:roles="network-admin vsan-admin"You can also configure optional custom attributes to avoid conflicts with non-MDS Cisco switches using the same AAA servers.
cisco-av-pair*shell:roles="network-admin vsan-admin"Additional custom attribute shell:roles are also supported:
shell:roles="network-admin vsan-admin"or
shell:roles*"network-admin vsan-admin"
Note
Supported TACACS+ Server Parameters
The Cisco SAN-OS software currently supports the following parameters for the listed TACACS+ servers:
•
cisco-av-pair=shell:roles="network-admin"•
shell:roles="network-admin"shell:roles*"network-admin"cisco-av-pair*shell:roles="network-admin"cisco-av-pair*shell:roles*"network-admin"cisco-av-pair=shell:roles*"network-admin"•
cisco-av-pair*shell:roles="network-admin"cisco-av-pair=shell:roles*"network-admin"Displaying TACACS+ Server Details
Use the show aaa and show tacacs-server commands to display information about TACACS+ server configuration in all switches in the Cisco MDS 9000 Family as shown in Examples 34-5 to 34-10.
Example 34-5 Displays Configured TACACS+ Server Information
switch# show tacacs-serverGlobal TACACS+ shared secret:***********timeout value:30total number of servers:3following TACACS+ servers are configured:171.71.58.91:available on port:2cisco.com:available on port:49171.71.22.95:available on port:49TACACS+ shared secret:*****Example 34-6 Displays AAA Authentication Information
switch# show aaa authenticationdefault: group TacServer local noneconsole: localiscsi: localdhchap: localExample 34-7 Displays AAA Authentication Login Information
switch# show aaa authentication login error-enableenabledExample 34-8 Displays Configured TACACS+ Server Groups
switch# show tacacs-server groupstotal number of groups:2following TACACS+ server groups are configured:group TacServer:server 171.71.58.91 on port 2group TacacsServer1:server ServerA on port 49server ServerB on port 49:Example 34-9 Displays All AAA Server Groups
switch# show aaa groupsradiusTacServerExample 34-10 Displays TACACS+ Server Statistics
switch# show tacacs-server statistics 10.1.2.3Server is not monitoredAuthentication Statisticsfailed transactions: 0sucessfull transactions: 0requests sent: 0requests timed out: 0responses with no matching requests: 0responses not processed: 0responses containing errors: 0Authorization Statisticsfailed transactions: 0sucessfull transactions: 0requests sent: 0requests timed out: 0responses with no matching requests: 0responses not processed: 0responses containing errors: 0Accounting Statisticsfailed transactions: 0sucessfull transactions: 0requests sent: 0requests timed out: 0responses with no matching requests: 0responses not processed: 0responses containing errors: 0Configuring Server Groups
You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the same protocol, either RADIUS or TACACS+. The servers are tried in the same order in which you configure them.
The AAA server monitoring feature can mark an AAA server as dead. You can configure a period of time in minutes to elapse before the switch sends requests to a dead AAA server. (See the "AAA Server Monitoring" section.)
You can configure these server groups at any time but they only take effect when you apply them to an AAA service. You configure AAA policies for CLI users or Fabric Manager or Device Manager users.
To configure a RADIUS server group, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# aaa group server radius RadServer
switch(config-radius)#
Creates a server group named RadServer and enters the RADIUS server group configuration submode for that group.
switch(config)# no aaa group server radius RadServer
Deletes the server group called RadServer from the authentication list.
Step 3
switch(config-radius)# server 10.71.58.91
Configures the RADIUS server at IPv4 address 10.71.58.91 to be tried first within the server group RadServer.
TipStep 4
switch(config-radius)# server 2001:0DB8:800:200C::417A
Configures the RADIUS server at IPv6 address 2001:0DB8:800:200C::417A to be tried first within the server group RadServer.
switch(config-radius)# no server 2001:0DB8:800:200C::417A
Removes the RADIUS server at IPv6 address 2001:0DB8:800:200C::417A from the server group RadServer.
Step 5
switch(config-radius)# exit
Returns to configuration mode.
Step 6
switch(config)# aaa group server radius RadiusServer
switch(config-radius)#
Creates a server group named RadiusServer and enters the RADIUS server group configuration submode for that group.
Step 7
switch(config-radius)# server ServerA
Configures ServerA to be tried first within the server group called the RadiusServer1.
TipStep 8
switch(config-radius)# server ServerB
Configures ServerB to be tried second within the server group RadiusServer1.
Step 9
switch(config-radius)# deadtime 30
Configures the monitoring dead time to 30 minutes. The range is 0 through 1440.
Note
switch(config-radius)# no deadtime 30
Reverts to the default value (0 minutes).
Note
To verify the configured server group order, use the show radius-server groups command:
switch# show radius-server groupstotal number of groups:2following RAIDUS server groups are configured:group RadServer:server 10.71.58.91 on port 2group RadiusServer1:server ServerA on port 49server ServerB on port 49:To configure a TACACS+ server group, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# aaa group server tacacs+ TacacsServer1
switch(config-tacacs+)#
Creates a server group named TacacsServer1 and enters the submode for that group.
switch(config)# no aaa group server tacacs+ TacacsServer1
Deletes the server group called TacacsServer1 from the authentication list.
Step 3
switch(config-tacacs+)# server ServerA
Configures ServerA to be tried first within the server group called the TacacsServer1.
TipStep 4
switch(config-tacacs+)# server ServerB
Configures ServerB to be tried second within the server group TacacsServer1.
switch(config-tacacs+)# no server ServerB
Deletes ServerB within the TacacsServer1 list of servers.
Step 5
switch(config-tacacs+)# deadtime 30
Configures the monitoring dead time to 30 minutes. The range is 0 through 1440.
Note
switch(config-tacacs+)# no deadtime 30
Reverts to the default value (0 minutes).
Note
AAA Server Distribution
Configuration for RADIUS and TACACS+ AAA on an MDS switch can be distributed using the Cisco Fabric Services (CFS). The distribution is disabled by default (see Chapter 7, "Using the CFS Infrastructure").
After enabling the distribution, the first server or global configuration starts an implicit session. All server configuration commands entered thereafter are stored in a temporary database and applied to all switches in the fabric (including the originating one) when you explicitly commit the database. The various server and global parameters are distributed, except the server and global keys. These keys are unique secrets to a switch and should not be shared with other switches.
Note
Note
Enabling AAA Server Distribution
Only switches where distribution is enabled can participate in the distribution activity.
To enable RADIUS server distribution, follow these steps:
To enable TACACS+ server distribution, follow these steps:
Starting a Distribution Session on a Switch
A distribution session starts the moment you begin a RADIUS/TACACS+ server or global configuration. For example, the following tasks start an implicit session:
•
•
Note
Displaying the Session Status
Once the implicit distribution session has started, you can check the session status . You see the distribution status on the CFS tabuse the show radius command.
switch# show radius distribution statusdistribution : enabledsession ongoing: yessession owner: adminsession db: existsmerge protocol status: merge activation donelast operation: enablelast operation status: successOnce the implicit distribution session has started, you can check the session status using the show tacacs+ distribution status command.
switch# show tacacs+ distribution statusdistribution : enabledsession ongoing: yessession owner: adminsession db: existsmerge protocol status: merge activation donelast operation: enablelast operation status: successDisplaying the Pending Configuration
To display the RADIUS or TACACS+ global and/or server configuration stored in the temporary buffer use the show radius pending command, follow these steps:
switch(config)# show radius pending-diff+radius-server host testhost1 authentication accounting+radius-server host testhost2 authentication accountingTo display the TACACS+ global and/or server configuration stored in the temporary buffer, use the show tacacs+ pending command.
switch(config)# show tacacs+ pending-diff+tacacs-server host testhost3+tacacs-server host testhost4Committing the Distribution
The RADIUS or TACACS+ global and/or server configuration stored in the temporary buffer can be applied to the running configuration across all switches in the fabric (including the originating switch).
To commit RADIUS configuration changes, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# radius commit
Commits the RADIUS configuration changes to the running configuration.
To commit TACACS+ configuration changes, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# tacacs+ commit
Commits the TACACS+ configuration changes to the running configuration.
Discarding the Distribution Session
Discarding the distribution of a session in progress causes the configuration in the temporary buffer to be dropped. The distribution is not applied.
To discard the RADIUS session-in-progress distribution, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# radius abort
Discards the RADIUS configuration changes to the running configuration.
To discard the TACACS+ session-in-progress distribution, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# tacacs+ abort
Discards the TACACS+ configuration changes to the running configuration.
To clear the ongoing CFS distribution session (if any) and to unlock the fabric for the RADIUS feature, enter the clear radius session command from any switch in the fabric.
switch# clear radius sessionTo clear the ongoing CFS distribution session (if any) and to unlock the fabric for the TACACS+ feature, enterthe clear tacacs+ session command from any switch in the fabric.
switch# clear tacacs+ session.Merge Guidelines for RADIUS and TACACS+ Configurations
The RADIUS and TACACS+ server and global configuration are merged when two fabrics merge. The merged configuration is applied to CFS distribution-enabled switches.
When merging the fabric, be aware of the following conditions:
•
•
•
•
Caution
Use the show radius distribution status command to view the status of the RADIUS fabric merge as shown in Example 34-11.
Example 34-11 Displays the RADIUS Fabric Merge Status
switch# show radius distribution statusdistribution : enabledsession ongoing: nosession db: does not existmerge protocol status: merge response receivedmerge error: conflict: server dmtest2 has auth-port 1812 on this switch and 1999on remotelast operation: enablelast operation status: successUse the show tacacs+ distribution status command to view the status of the TACACS+ fabric merge as shown in Example 34-12.
Example 34-12 Displays the TACACS+ Fabric Merge Status
switch# show tacacs+ distribution statusdistribution : enabledsession ongoing: nosession db: does not existmerge protocol status: merge activation donelast operation: enablelast operation status: successMSCHAP Authentication
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to an MDS switch through a remote authentication server (RADIUS or TACACS+).
About Enabling MSCHAP
By default, the switch uses Password Authentication Protocol (PAP) authentication between the switch and the remote server. If you enable MSCHAP, you need to configure your RADIUS server to recognize the MSCHAP vendor-specific attributes. See the "About Vendor-Specific Attributes" section. Table 34-2 shows the RADIUS vendor-specific attributes required for MSCHAP.
To enable MSCHAP authentication, follow these steps:
Step 1
switch# config t
Enters configuration mode.
Step 2
switch(config)# aaa authentication login mschap enable
Enables MSCHAP login authentication.
You can use the show aaa authentication login mschap command to display the MSCHAP authentication configuration.
switch# show aaa authentication login mschapdisabledLocal AAA Services
The system maintains the username and password locally and stores the password information in encrypted form. You are authenticated based on the locally stored user information. Use the username command to configure local users and their roles (see the "Configuring User Accounts" section on page 32-10).
Use the show accounting log command to view the local accounting log as shown in Example 34-13.
Example 34-13 Displays the Accounting Log Information
switch# show accounting logSat Jan 24 03:22:06 1981:stop:snmp_349154526_171.71.58.69:admin:Sat Jan 24 03:22:06 1981:start:snmp_349154526_171.71.58.69:admin:Sat Jan 24 03:22:06 1981:update:snmp_349154526_171.71.58.69:admin:Added member [WWN: 21:00:00:20:37:a6:be:00 ID: 2] to zone test-27 on VSAN 1...Sat Jan 24 23:59:56 1981:stop:/dev/pts/0_349228792:root:shell terminatedSun Jan 25 00:00:06 1981:start:/dev/pts/1_349228806:admin:Disabling AAA Authentication
You can turn off password verification using the none option. If you configure this option, users can log in without giving a valid password. But the user should at least exist locally on the Cisco MDS 9000 Family switch.
Caution
Use the none option in the aaa authentication login command to disable password verification.
A user created by entering the username command will exist locally on the Cisco MDS 9000 Family switch.
Displaying AAA Authentication
The show aaa authentication command displays the configured authentication methods as shown in Example 34-14.
Example 34-14 Displays Authentication Information
switch# show aaa authenticationNo AAA Authenticationdefault: group TacServer local noneconsole: local noneiscsi: localdhchap: localConfiguring Accounting Services
Accounting refers to the log information that is kept for each management session in a switch. This information may be used to generate reports for troubleshooting and auditing purposes. Accounting can be implemented locally or remotely (using RADIUS). The default maximum size of the accounting log is 250,000 bytes and cannot be changed.
Tip
Note
Displaying Accounting Configuration
To display configured accounting information use show accounting command. See Examples 34-15 to 34-17. To specify the size of the local accounting log to be displayed, use the show accounting log command. By default about 250 KB of accounting log is displayed.
Example 34-15 Displays Two Samples of Configured Accounting Parameters
switch# show accounting configshow aaa accountingdefault: localswitch# show aaa accountingdefault: group rad1Example 34-16 Displays 60,000 Bytes of the Accounting Log
switch# show accounting log 60000Fri Jan 16 15:28:21 1981:stop:snmp_348506901_64.104.131.208:admin:Fri Jan 16 21:17:04 1981:start:/dev/pts/0_348527824:admin:Fri Jan 16 21:35:45 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group1Fri Jan 16 21:35:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group1Fri Jan 16 21:35:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group5Fri Jan 16 21:35:55 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group5Fri Jan 16 21:35:55 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group3Fri Jan 16 21:58:17 1981:start:snmp_348530297_171.71.150.105:admin:...Example 34-17 Displays the Entire Log File
switch# show accounting logFri Jan 16 15:28:21 1981:stop:snmp_348506901_64.104.131.208:admin:Fri Jan 16 21:17:04 1981:start:/dev/pts/0_348527824:admin:Fri Jan 16 21:35:45 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group1Fri Jan 16 21:35:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group1Fri Jan 16 21:35:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group5Fri Jan 16 21:35:55 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group5Fri Jan 16 21:35:55 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group3Fri Jan 16 21:58:17 1981:start:snmp_348530297_171.71.150.105:admin:Fri Jan 16 21:58:17 1981:stop:snmp_348530297_171.71.150.105:admin:Fri Jan 16 21:58:18 1981:start:snmp_348530298_171.71.150.105:admin:Fri Jan 16 21:58:18 1981:stop:snmp_348530298_171.71.150.105:admin:...Fri Jan 16 23:37:02 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group3Fri Jan 16 23:37:26 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for group:TacacsServer1Fri Jan 16 23:45:19 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for group:TacacsServer1Fri Jan 16 23:45:19 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group1...Fri Jan 16 23:53:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for server:Server3Fri Jan 16 23:54:00 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for server:Server5Fri Jan 16 23:54:22 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for server:ServerAFri Jan 16 23:54:25 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for server:ServerBFri Jan 16 23:55:03 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for group:Group1...Sat Jan 17 00:01:41 1981:start:snmp_348537701_171.71.58.100:admin:Sat Jan 17 00:01:41 1981:stop:snmp_348537701_171.71.58.100:admin:Sat Jan 17 00:01:42 1981:start:snmp_348537702_171.71.58.100:admin:Sat Jan 17 00:01:42 1981:stop:snmp_348537702_171.71.58.100:admin:...Clearing Accounting Logs
To clear out the contents of the current log, use the clear accounting log command.
switch# clear accounting logConfiguring Cisco Access Control Servers
The Cisco Access Control Server (ACS) uses TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment.When using the AAA server, user management is normally done using Cisco ACS. Figure 34-3, Figure 34-4, Figure 34-5, and Figure 34-6 display ACS server user setup configurations for network-admin roles and multiple roles using either RADIUS or TACACS+.
Caution
Figure 34-3 Configuring the network-admin Role When Using RADIUS
Figure 34-4 Configuring Multiple Roles with SNMPv3 Attributes When Using RADIUS
Figure 34-5 Configuring the network-admin Role with SNMPv3 Attributes When Using TACACS+
Figure 34-6 Configuring Multiple Roles with SNMPv3 Attributes When Using TACACS+
Default Settings
Table 34-3 lists the default settings for all switch security features in any switch.
