Table Of Contents
Configuring RADIUS and TACACS+
Switch Management Security
CLI Security Options
SNMP Security Options
Switch AAA Functionalities
Authentication
Authorization
Accounting
Remote AAA Services
Remote Authentication Guidelines
Server Groups
AAA Service Configuration Options
Error-Enabled Status
AAA Server Monitoring
Authentication and Authorization Process
Configuring RADIUS
Setting the RADIUS Server Address
About the Default RADIUS Server Encryption Type and Preshared Key
Configuring the Default RADIUS Server Encryption Type and Preshared Key
Setting the RADIUS Server Timeout Interval
Setting Transmission Retry Count for the RADIUS Server
Configuring RADIUS Server Monitoring Parameters
Configuring the Test Idle Timer
Configuring Test User Name
Configuring the Dead Timer
Sending RADIUS Test Messages for Monitoring
About Users Specifying a RADIUS Server at Login
Allowing Users to Specify a RADIUS Server at Login
About Vendor-Specific Attributes
VSA Format
Specifying SNMPv3 on AAA Servers
Displaying RADIUS Server Details
Displaying RADIUS Server Statistics
Configuring TACACS+
About TACACS+
About TACACS+ Server Default Configuration
About the Default TACACS+ Server Encryption Type and Preshared Key
Enabling TACACS+
Setting the TACACS+ Server Address
Setting the Global Secret Key
Setting the Timeout Value
About TACACS+ Servers
Configuring TACACS+ Server Monitoring Parameters
Configuring the TACACS+ Test Idle Timer
Configuring Test Username
Configuring the Dead Timer
Sending TACACS+ Test Messages for Monitoring
Password Aging Notification through TACACS+ Server
About Users Specifying a TACACS+ Server at Login
Allowing Users to Specify a TACACS+ Server at Login
Defining Custom Attributes for Roles
Supported TACACS+ Server Parameters
Displaying TACACS+ Server Details
Configuring Server Groups
AAA Server Distribution
Enabling AAA Server Distribution
Starting a Distribution Session on a Switch
Displaying the Session Status
Displaying the Pending Configuration
Committing the Distribution
Discarding the Distribution Session
.Merge Guidelines for RADIUS and TACACS+ Configurations
MSCHAP Authentication
About Enabling MSCHAP
Local AAA Services
Disabling AAA Authentication
Displaying AAA Authentication
Configuring Accounting Services
Displaying Accounting Configuration
Clearing Accounting Logs
Configuring Cisco Access Control Servers
Default Settings
Configuring RADIUS and TACACS+
The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use RADIUS and TACACS+ protocols to provide solutions using remote AAA servers.
Based on the user ID and password combination provided, switches perform local authentication or authorization using the local database or remote authentication or authorization using a AAA server. A preshared secret key provides security for communication between the switch and AAA servers. This secret key can be configured for all AAA servers or for only a specific AAA server. This security feature provides a central management capability for AAA servers.
This chapter includes the following sections:
•Switch Management Security
•Switch AAA Functionalities
•Configuring RADIUS
•Configuring TACACS+
•Configuring Server Groups
•AAA Server Distribution
•MSCHAP Authentication
•Local AAA Services
•Configuring Accounting Services
•Configuring Cisco Access Control Servers
•Default Settings
Switch Management Security
Management security in any switch in the Cisco MDS 9000 Family provides security to all management access methods, including the command-line interface (CLI) or Simple Network Management Protocol (SNMP).
•CLI Security Options
CLI Security Options
You can access the CLI using the console (serial connection), Telnet, or Secure Shell (SSH). For each management path (console, Telnet, and SSH), you can configure one or more of the following security control options: local, remote (RADIUS or TACACS+), or none.
•Remote security control
–Using RADIUS.See the"Configuring RADIUS" section.
–Using TACACS+. See the"Configuring TACACS+" section.
•Local security control. See the "Local AAA Services" section.
These security features can also be configured for the following scenarios:
•iSCSI authentication (see the ).
•Fibre Channel Security Protocol (FC-SP) authentication (see Chapter 36, "Configuring FC-SP and DHCHAP")
SNMP Security Options
The SNMP agent supports security features for SNMPv1, SNMPv2c, and SNMPv3. Normal SNMP security features apply to all applications that use SNMP (for example, Cisco MDS 9000 Fabric Manager).
SNMP security options also apply to Fabric Manager and Device Manager.
See Chapter 31, "Configuring SNMP".
Refer to the Cisco MDS 9000 Family Fabric Manager Configuration Guide for information on Fabric Manager and Device Manager.
Switch AAA Functionalities
Using the CLI or an SNMP application, you can configure AAA switch functionalities on any switch in the Cisco MDS 9000 Family.
This section includes the following topics:
•Authentication
•Authorization
•Accounting
•Remote AAA Services
•Remote Authentication Guidelines
•Server Groups
•AAA Service Configuration Options
•Authentication and Authorization Process
Authentication
Authentication is the process of verifying the identity of the person or device accessing the switch. This identity verification is based on the user ID and password combination provided by the entity trying to access the switch. Cisco MDS 9000 Family switches allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
Note When you log in to a Cisco MDS switch successfully using the Fabric Manager or Device Manager through Telnet or SSH and if that switch is configured for AAA server-based authentication, a temporary SNMP user entry is automatically created with an expiry time of one day. The switch authenticates the SNMPv3 protocol data units (PDUs) with your Telnet or SSH login name as the SNMPv3 user. The management station can temporarily use the Telnet or SSH login name as the SNMPv3 auth and priv passphrase. This temporary SNMP login is only allowed if you have one or more active MDS shell sessions. If you do not have an active session at any given time, your login is deleted and you will not be allowed to perform SNMPv3 operations.
Authorization
The following authorization roles exist in all Cisco MDS switches:
•Network operator (network-operator)—Has permission to view the configuration only. The operator cannot make any configuration changes.
•Network administrator (network-admin)— Has permission to execute all commands and make configuration changes. The administrator can also create and customize up to 64 additional roles.
•Default-role—Has permission to use the GUI (Fabric Manager and Device Manager). This access is automatically granted to all users for accessing the GUI.
These roles cannot be changed or deleted. You can create additional roles and configure the following options:
•Configure role-based authorization by assigning user roles locally or using remote AAA servers.
•Configure user profiles on a remote AAA server to contain role information. This role information is automatically downloaded and used when the user is authenticated through the remote AAA server.
Note If a user belongs only to one of the newly created roles and that role is subsequently deleted, then the user immediately defaults to the network-operator role.
Accounting
The accounting feature tracks and maintains a log of every management configuration used to access the switch. This information can be used to generate reports for troubleshooting and auditing purposes. Accounting logs can be stored locally or sent to remote AAA servers.
Remote AAA Services
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:
•User password lists for each switch in the fabric can be managed more easily.
•AAA servers are already deployed widely across enterprises and can be easily adopted.
•The accounting log for all switches in the fabric can be centrally managed.
•User role mapping for each switch in the fabric can be managed more easily.
Remote Authentication Guidelines
If you prefer using remote AAA servers, follow these guidelines:
•A minimum of one AAA server should be IP reachable.
•Be sure to configure a desired local AAA policy as this policy is used if all AAA servers are not reachable.
•AAA servers are easily reachable if an overlay Ethernet LAN is attached to the switch (see Chapter 44, "Configuring IP Storage"). We recommend this method.
•SAN networks connected to the switch should have at least one gateway switch connected to the Ethernet LAN reaching the AAA servers.
Server Groups
You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers implementing the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco MDS switch encounters errors from the servers in the first group, it tries the servers in the next server group.
AAA Service Configuration Options
AAA configuration in Cisco MDS 9000 Family switches is service based. You can have separate AAA configurations for the following services:
•Telnet or SSH login (Fabric Manager and Device Manager login)
•Console login
•iSCSI authentication (see )
•FC-SP authentication (see Chapter 36, "Configuring FC-SP and DHCHAP")
•Accounting
In general, server group, local, and none are the three options that can be specified for any service in an AAA configuration. Each option is tried in the order specified. If all the options fail, local is tried.
Caution Cisco MDS SAN-OS does not support all numeric usernames, whether created with TACACS+ or RADIUS, or created locally. Local username with all numerics cannot be created. If an all numeric username exists on an AAA server and is entered during login, the user is not logged in.
Note Even if local is not specified as one of the options, it is tried when all other configured options fail.
Table 32-1 provides the related CLI command for each AAA service configuration option.
.
Table 32-1 AAA Service Configuration Commands
AAA Service Configuration Option
|
Related Command
|
Telnet or SSH login (Cisco Fabric Manager and Device Manager login)
|
aaa authentication login default
|
Console login
|
aaa authentication login console
|
iSCSI authentication
|
aaa authentication iscsi default
|
FC-SP authentication
|
aaa authentication dhchap default
|
Accounting
|
aaa accounting default
|
Error-Enabled Status
When you log in, the login is processed by rolling over to local user database if the remote AAA servers do not respond. In this situation, the following message is displayed on the your screen—if you have enabled the error-enabled feature:
Remote AAA servers unreachable; local authentication done.
To enable this message display, use the aaa authentication login error-enable command.
To disable this message display, use the no aaa authentication login error-enable command.
To view the current display status, use the show aaa authentication login error-enable command (see Example 32-1).
Example 32-1 Displays AAA Authentication Login Information
switch# show aaa authentication login error-enable
AAA Server Monitoring
An unresponsive AAA server introduces a delay in the processing of AAA requests. An MDS switch can periodically monitor an AAA server to check whether it is responding (or alive) to save time in processing AAA requests. The MDS switch marks unresponsive AAA servers as dead and does not send AAA requests to any dead AAA servers. An MDS switch periodically monitors dead AAA servers and brings them to the alive state once they are responding. This monitoring process verifies that an AAA server is in a working state before real AAA requests are sent its way. Whenever an AAA server changes to the dead or alive state, an SNMP trap is generated and the MDS switch warns the administrator that a failure is taking place before it can impact performance. See Figure 32-1 for AAA server states.
Figure 32-1 AAA Server States
Note The monitoring interval for alive servers and dead servers is different and can be configured by the user. The AAA server monitoring is performed by sending a test authentication request to the AAA server.
The user name and password to be used in the test packet can be configured.
See the "Configuring RADIUS Server Monitoring Parameters" section and"Displaying RADIUS Server Details" section.
Authentication and Authorization Process
Authentication is the process of verifying the identity of the person managing the switch. This identity verification is based on the user ID and password combination provided by the person managing the switch. The Cisco MDS 9000 Family switches allow you to perform local authentication (using the lookup database) or remote authentication (using one or more RADIUS servers or TACACS+ servers).
The following steps explain the authorization and authentication process:
Step 1 You can log in to the required switch in the Cisco MDS 9000 Family, using the Telnet, SSH, Fabric Manager/Device Manager, or console login options.
Step 2 When you have configured server groups using the server group authentication method, an authentication request is sent to the first AAA server in the group.
•If the AAA server fails to respond, then the next AAA server is contacted and so on until the remote server responds to the authentication request.
•If all AAA servers in the server group fail to respond, then the servers in the next server group are contacted.
•If all configured methods fail, then the local database is used for authentication.
Step 3 When you are successfully authenticated through a remote AAA server, then the following possible actions are taken:
•If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
•If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
•If user roles are not successfully retrieved from the remote AAA server, then the user is assigned the network-operator role.
Step 4 When your user name and password are successfully authenticated locally, you are allowed to log in, and you are assigned the roles configured in the local database.
Figure 32-2 shows a flow chart of the authorization and authentication process.
Figure 32-2 Switch Authorization and Authentication Flow
Note No more server groups left = no response from any server in all server groups.
No more servers left = no response from any server within this server group.
Configuring RADIUS
Cisco MDS 9000 Family switches can use the RADIUS protocol to communicate with remote AAA servers. You can configure multiple RADIUS servers and server groups and set timeout and retry counts.
RADIUS is a distributed client/server protocol that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco MDS 9000 Family switches and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
This section defines the RADIUS operation, identifies its network environments, and describes its configuration possibilities.
Setting the RADIUS Server Address
You can add up to 64 RADIUS servers. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays encrypted keys.
To specify the host RADIUS server IPv4 address and other options, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server host 10.10.0.0
key HostKey
|
Specifies the preshared key for the selected RADIUS server. This key overrides the key assigned using the radius-server key command. In this example, the host is 10.10.0.0 and the key is HostKey.
|
Step 3
|
switch(config)# radius-server host 10.10.0.0
auth-port 2003
|
Specifies the destination UDP port number to which the RADIUS authentication messages should be sent. In this example, the host is 10.10.0.0 and the authentication port is 2003. The default authentication port is 1812, and the valid range is 0 to 65366.
|
Step 4
|
switch(config)# radius-server host 10.10.0.0
acct-port 2004
|
Specifies the destination UDP port number to which RADIUS accounting messages should be sent. The default accounting port is 1813, and the valid range is 0 to 65366.
|
Step 5
|
switch(config)# radius-server host 10.10.0.0
accounting
|
Specifies this server to be used only for accounting purposes.
Note If neither the authentication nor the accounting options are specified, the server is used for both accounting and authentication purposes.
|
Step 6
|
switch(config)# radius-server host 10.10.0.0
key 0 abcd
|
Specifies a clear text key for the specified server. The key is restricted to 64 characters.
|
switch(config)# radius-server host 10.10.0.0
key 4 da3Asda2ioyuoiuH
|
Specifies an encrypted key for the specified server. The key is restricted to 64 characters.
|
To specify the host RADIUS server IPv6 address and other options, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server host
2001:0DB8:800:200C::417A Key HostKey
|
Specifies the preshared key for the selected RADIUS server. This key overrides the key assigned using the radius-server key command. In this example, the host is 2001:0DB8:800:200C::417A and the key is HostKey.
|
Step 3
|
switch(config)# radius-server host
2001:0DB8:800:200C::417A auth-port 2003
|
Specifies the destination UDP port number to which the RADIUS authentication messages should be sent. In this example, the host is 2001:0DB8:800:200C::417A and the authentication port is 2003. The default authentication port is 1812, and the valid range is 0 to 65366.
|
Step 4
|
switch(config)# radius-server host
2001:0DB8:800:200C::417A acct-port 2004
|
Specifies the destination UDP port number to which RADIUS accounting messages should be sent. The default accounting port is 1813, and the valid range is 0 to 65366.
|
Step 5
|
switch(config)# radius-server host
2001:0DB8:800:200C::417A accounting
|
Specifies this server to be used only for accounting purposes.
Note If neither the authentication nor the accounting options are specified, the server is used for both accounting and authentication purposes.
|
Step 6
|
switch(config)# radius-server host
2001:0DB8:800:200C::417A key 0 abcd
|
Specifies a clear text key for the specified server. The key is restricted to 64 characters.
|
switch(config)# radius-server host
2001:0DB8:800:200C::417A key 4
da3Asda2ioyuoiuH
|
Specifies an encrypted key for the specified server. The key is restricted to 64 characters.
|
To specify the host RADIUS server DNS name and other options, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server host radius2
key HostKey
|
Specifies the preshared key for the selected RADIUS server. This key overrides the key assigned using the radius-server key command. In this example, the host is radius2 and the key is HostKey.
|
Step 3
|
switch(config)# radius-server host radius2
auth-port 2003
|
Specifies the destination UDP port number to which the RADIUS authentication messages should be sent. In this example, the host is radius2 and the authentication port is 2003. The default authentication port is 1812, and the valid range is 0 to 65366.
|
Step 4
|
switch(config)# radius-server host radius2
acct-port 2004
|
Specifies the destination UDP port number to which RADIUS accounting messages should be sent. The default accounting port is 1813, and the valid range is 0 to 65366.
|
Step 5
|
switch(config)# radius-server host radius2
accounting
|
Specifies this server to be used only for accounting purposes.
Note If neither the authentication nor the accounting options are specified, the server is used for both accounting and authentication purposes.
|
Step 6
|
switch(config)# radius-server host radius2
key 0 abcd
|
Specifies a clear text key for the specified server. The key is restricted to 64 characters.
|
switch(config)# radius-server host radius2
key 4 da3Asda2ioyuoiuH
|
Specifies an encrypted key for the specified server. The key is restricted to 64 characters.
|
About the Default RADIUS Server Encryption Type and Preshared Key
You need to configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The length of the key is restricted to 64 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch.
You can override this global key assignment by explicitly using the key option in the radius-server host command.
Configuring the Default RADIUS Server Encryption Type and Preshared Key
To configure the RADIUS preshared key, follow these steps:
|
Command
|
Purpose
|
Step 1
|
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server key AnyWord
|
Configures a preshared key (AnyWord) to authenticate communication between the RADIUS client and server. The default is clear text.
|
switch(config)# radius-server key 0
AnyWord
|
Configures a preshared key (AnyWord) specified in clear text (indicated by 0) to authenticate communication between the RADIUS client and server.
|
switch(config)# radius-server key 7
abe4DFeeweo00o
|
Configures a preshared key (specified in encrypted text) specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.
|
Setting the RADIUS Server Timeout Interval
You can configure a global timeout value between transmissions for all RADIUS servers.
Note If timeout values are configured for individual servers, those values override the globally configured values.
To specify the timeout values between retransmissions to the RADIUS servers, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server
timeout 30
|
Configures the global timeout period in seconds for the switch to wait for a response from all TACACS+ servers before the switch declares a timeout failure. The time ranges from 1 to 1440 seconds.
|
switch(config)# no radius-server
timeout 30
|
Reverts the transmission time to the default value (1 second).
|
Setting Transmission Retry Count for the RADIUS Server
By default, a switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server.To specify the number of times that RADIUS servers should try to authenticate a user, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server retransmit 3
|
Configures the number of times (3) the switch tries to connect to a RADIUS server(s) before reverting to local authentication.
|
switch(config)# no radius-server
retransmit
|
Reverts to the default retry count (1).
|
Configuring RADIUS Server Monitoring Parameters
You can configure parameters for monitoring RADIUS servers. You can configure this option to test the server periodically, or you can run a one-time only test.
This section includes the following topics:
•Configuring the Test Idle Timer
•Configuring Test User Name
•Configuring the Dead Timer
Configuring the Test Idle Timer
The test idle timer specifies the interval during which a RADIUS server receives no requests before the MDS switch sends out a test packet.
Note The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
To configure the idle timer, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server host 10.1.1.1
test idle-time 20
|
Configures the test idle time interval value in minutes. The valid range is 1 to 1440 minutes.
|
Step 3
|
switch(config)# no radius-server host
10.1.1.1 test idle-time 20
|
Reverts to the default value (0 minutes).
|
Configuring Test User Name
You can configure a username and password for periodic RADIUS server status testing. You do not need to configure the test username and password to issue test messages to monitor RADIUS servers. You can use the default test username (test) and default password (test).
Note We recommend that the test username not be the same as an existing username in the RADIUS database for security reasons.
To configure the optional username and password for periodic RADIUS server status testing, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server host
10.1.1.1 test username testuser
|
Configures the test user (testuser) with the default password (test). The default user name is test.
|
switch(config)# no radius-server host
10.1.1.1 test username testuser
|
Removes the test user name (testuser).
|
switch(config)# radius-server host
10.1.1.1 test username testuser password
Ur2Gd2BH
|
Configures the test user (testuser) and assigns a strong password.
For guidelines for creating strong passwords, see the "Characteristics of Strong Passwords" section on page 39-11.
|
Configuring the Dead Timer
The dead timer specifies the interval that the MDS switch waits, after declaring that a RADIUS server is dead, before sending out a test packet to determine if the server is now alive.
Note The default dead timer value is 0 minutes. When the dead timer interval is 0 minutes, RADIUS server monitoring is not performed unless the RADIUS server is part of a server group and the dead-time interval for the group is greater than 0 minutes. (See the "Server Groups" section.)
Note If the dead timer of a dead RADIUS server expires before it is sent a RADIUS test message, that server is marked as alive again even if it is still not responding. To avoid this scenario, configure a test user with a shorter idle time than the dead timer time.
To configure the dead timer, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server deadtime 30
|
Configures the dead timer interval value in minutes. The valid range is 1 to 1440 minutes.
|
Step 3
|
switch(config)# no radius-server deadtime 30
|
Reverts to the default value (0 minutes).
|
Sending RADIUS Test Messages for Monitoring
You can manually send test messages to monitor a RADIUS server.
To send the test message to the RADIUS server, follow this step:
|
Command
|
Purpose
|
Step 1
|
switch# test aaa server radius
10.10.1.1 test test
|
Sends a test message to a RADIUS server using the default username (test) and password (test).
|
switch# test aaa server radius
10.10.1.1 testuser Ur2Gd2BH
|
Sends a test message to a RADIUS server using a configured test username (testuser) and password (Ur2Gd2BH).
Note A configured username and password is optional (see the "Configuring Test User Name" section).
|
About Users Specifying a RADIUS Server at Login
By default, an MDS switch forwards an authentication request to the first server in the RADIUS server group. You can configure the switch to allow the user to specify which RADIUS server to send the authenticate request by enabling the directed request option. If you enable this option, the user can log in as username@hostname, where the hostname is the name of a configured RADIUS server.
Allowing Users to Specify a RADIUS Server at Login
To allow users logging into an MDS switch to select a RADIUS server for authentication, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius-server
directed-request
|
Allows users to specify a RADIUS server to send the authentication request when logging in.
|
switch(config)# no radius-server
directed-request
|
Reverts to sending the authentication request to the first server in the server group (default).
|
You can use the show tacacs-server directed-request command to display the RADIUS directed request configuration.
switch# show radius-server directed-request
About Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-avpair. The value is a string with the following format:
protocol : attribute seperator value *
Where protocol is a Cisco attribute for a particular type of authorization, separator is = (equal sign) for mandatory attributes, and * (asterisk) is for optional attributes.
When you use RADIUS servers to authenticate yourself to a Cisco MDS 9000 Family switch, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.
VSA Format
The following VSA protocol options are supported by the Cisco SAN-OS software:
•Shell protocol—used in Access-Accept packets to provide user profile information.
•Accounting protocol—used in Accounting-Request packets. If a value contains any white spaces, it should be put within double quotation marks.
The following attributes are supported by the Cisco SAN-OS software:
•roles—This attribute lists all the roles to which the user belongs. The value field is a string storing the list of group names delimited by white space. For example, if you belong to roles vsan-admin and storage-admin, the value field would be "vsan-admin storage-admin". This subattribute is sent in the VSA portion of the Access-Accept frames from the RADIUS server, and it can only be used with the shell protocol value. These are two examples using the roles attribute:
shell:roles="network-admin vsan-admin"
shell:roles*"network-admin vsan-admin"
When an VSA is specified as shell:roles*"network-admin vsan-admin", this VSA is flagged as an optional attribute, and other Cisco devices ignore this attribute.
•accountinginfo—This attribute stores additional accounting information besides the attributes covered by a standard RADIUS accounting protocol. This attribute is only sent in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.
Specifying SNMPv3 on AAA Servers
The vendor/custom attribute cisco-av-pair can be used to specify user's role mapping using the format:
shell:roles="roleA roleB ..."
If the roll option in the cisco-av-pair attribute is not set, the default user role is network-operator.
The VSA format optionally specifies your SNMPv3 authentication and privacy protocol attributes also as follows:
shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128
The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If these options are not specified in the cisco-av-pair attribute on the ACS server, MD5 and DES are used by default.
Displaying RADIUS Server Details
Use the show radius-server command to display configured RADIUS parameters as shown in Example 32-2.
Example 32-2 Displays Configured RADIUS Information
switch# show radius-server
Global RADIUS shared secret:*******
following RADIUS servers are configured:
myradius.cisco.users.com:
available for authentication on port:1812
available for accounting on port:1813
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:******
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:******
Example 32-3 Displays Configured RADIUS Server-Group Order
switch# show radius-server groups
following RADIUS server groups are configured:
server: all configured radius servers
server: Server3 on auth-port 1812, acct-port 1813
server: Server5 on auth-port 1812, acct-port 1813
Displaying RADIUS Server Statistics
You can display RADIUS server statistics using the show radius-server statistics command.
Example 32-4 Displays RADIUS Server Statistics
switch# show radius-server statistics 10.1.3.2
Authentication Statistics
sucessfull transactions: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
sucessfull transactions: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
Configuring TACACS+
A Cisco MDS switch uses the Terminal Access Controller Access Control System Plus (TACACS+) protocol to communicate with remote AAA servers. You can configure multiple TACACS+ servers and set timeout values.
This section includes the following topics:
•About TACACS+
•About TACACS+ Server Default Configuration
•About the Default TACACS+ Server Encryption Type and Preshared Key
•Enabling TACACS+
•Setting the TACACS+ Server Address
•Setting the Global Secret Key
•Setting the Timeout Value
•About TACACS+ Servers
•Sending TACACS+ Test Messages for Monitoring
•Password Aging Notification through TACACS+ Server
•About Users Specifying a TACACS+ Server at Login
•Allowing Users to Specify a TACACS+ Server at Login
•Defining Custom Attributes for Roles
•Displaying TACACS+ Server Details
About TACACS+
TACACS+ is a client/server protocol that uses TCP (TCP port 49) for transport requirements. All switches in the Cisco MDS 9000 Family provide centralized authentication using the TACACS+ protocol. The TACACS+ has the following advantages over RADIUS authentication:
•Provides independent, modular AAA facilities. Authorization can be done without authentication.
•Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.
•Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.
About TACACS+ Server Default Configuration
Fabric Manager allows you to set up a default configuration that can be used for any TACACS+ server that you configure the switch to communicate with. The default configuration includes:
•Encryption type
•Preshared key
•Timeout value
•Number of retransmission attempts
•Allowing the user to specify a TACACS+ server at login
About the Default TACACS+ Server Encryption Type and Preshared Key
You need to configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. The length of the key is restricted to 64 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all TACACS+ server configurations on the switch.
You can override this global key assignment by explicitly using the key option when configuring and individual TACACS+ server.
Enabling TACACS+
By default, the TACACS+ feature is disabled in all switches in the Cisco MDS 9000 Family. You must explicitly enable the TACACS+ feature to access the configuration and verification commands for fabric authentication. When you disable this feature, all related configurations are automatically discarded.
To enable TACACS+ for a Cisco MDS switch, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs+ enable
|
Enables the TACACS+ in this switch.
|
switch(config)# no tacacs+ enable
|
Disables (default) the TACACS+ in this switch.
|
Setting the TACACS+ Server Address
If a secret key is not configured for a configured server, a warning message is issued if a global key is not configured. If a server key is not configured, the global key (if configured) is used for that server (see the "Setting the Timeout Value" section).
Note You can use the dollar sign ($) and the percent sign (%) in global secret keys.
To configure the TACACS+ server IPv4 address and other options, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server host
171.71.58.91
|
Configures the TACACS+ server identified by the specified IPv4 address.
|
switch(config)# no tacacs-server host
171.71.58.91
|
Deletes the specified TACACS+ server identified by the IPv4 address. By default, no server is configured.
|
Step 3
|
switch(config)# tacacs-server host
171.71.58.91 port 2
|
Configures the TCP port for all TACACS+ requests.
|
switch(config)# no tacacs-server host
171.71.58.91 port 2
|
Reverts to the factory default of using port 49 for server access.
|
Step 4
|
switch(config)# tacacs-server host
171.71.58.91 key MyKey
|
Configures the TACACS+ server identified by the specified domain name and assigns the secret key.
|
Step 5
|
switch(config)# tacacs-server host
171.71.58.91 timeout 25
|
Configures the timeout period for the switch to wait for a response from the specified server before it declares a timeout failure.
|
To configure the TACACS+ server IPv6 address and other options, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server host
2001:0DB8:800:200C::417A
warning: no key is configured for the
host
|
Configures the TACACS+ server identified by the specified IPv6 address.
|
switch(config)# no tacacs-server host
2001:0DB8:800:200C::417A
|
Deletes the specified TACACS+ server identified by the IPv6 address. By default, no server is configured.
|
Step 3
|
switch(config)# tacacs-server host
2001:0DB8:800:200C::417A port 2
|
Configures the TCP port for all TACACS+ requests.
|
switch(config)# no tacacs-server host
2001:0DB8:800:200C::417A port 2
|
Reverts to the factory default of using port 49 for server access.
|
Step 4
|
switch(config)# tacacs-server host
2001:0DB8:800:200C::417A key MyKey
|
Configures the TACACS+ server identified by the specified domain name and assigns the secret key.
|
Step 5
|
switch(config)# tacacs-server host
2001:0DB8:800:200C::417A timeout 25
|
Configures the timeout period for the switch to wait for a response from the specified server before it declares a timeout failure.
|
To configure the TACACS+ server DNS name and other options, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server host
host1.cisco.com
warning: no key is configured for the
host
|
Configures the TACACS+ server identified by the specified DNS name.
|
switch(config)# no tacacs-server host
host1.cisco.com
|
Deletes the specified TACACS+ server identified by the DNS name. By default, no server is configured.
|
Step 3
|
switch(config)# tacacs-server host
host1.cisco.com port 2
|
Configures the TCP port for all TACACS+ requests.
|
switch(config)# no tacacs-server host
host1.cisco.com port 2
|
Reverts to the factory default of using port 49 for server access.
|
Step 4
|
switch(config)# tacacs-server host
host1.cisco.com key MyKey
|
Configures the TACACS+ server identified by the specified domain name and assigns the secret key.
|
Step 5
|
switch(config)# tacacs-server host
host1.cisco.com timeout 25
|
Configures the timeout period for the switch to wait for a response from the specified server before it declares a timeout failure.
|
Setting the Global Secret Key
You can configure global values for the secret key for all TACACS+ servers.
Note If secret keys are configured for individual servers, those keys override the globally configured key.
Note You can use the dollar sign ($) and the percent sign (%) in global secret keys.
To set the secret key for TACACS+ servers, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server key
7 3sdaA3daKUngd
|
Assigns the global secret key (in encrypted format) to access the TACACS+ server. This example specifies 7 to indicate the encrypted format being used. If this global key and the individual server keys are not configured, clear text messages are sent to the TACACS+ server(s).
|
switch(config)# no tacacs-server
key oldPword
|
Deletes the configured global secret key to access the TACACS+ server and reverts to the factory default of allowing access to all configured servers.
|
Setting the Timeout Value
You can configure a global timeout value between transmissions for all TACACS+ servers.
Note If timeout values are configured for individual servers, those values override the globally configured values.
To set the global timeout value for TACACS+ servers, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server
timeout 30
|
Configures the global timeout period in seconds for the switch to wait for a response from all TACACS+ servers before the switch declares a timeout failure. The time ranges from 1 to 1440 seconds.
|
switch(config)# no tacacs-server
timeout 30
|
Deletes the configured timeout period and reverts to the factory default of 5 seconds.
|
About TACACS+ Servers
By default, the TACACS+ feature is disabled in all switches in the Cisco MDS 9000 Family. Fabric Manager or Device Manager enables the TACACS+ feature automatically when you configure a TACACS+ server.
If a secret key is not configured for a configured server, a warning message is issued if a global key is not configured. If a server key is not configured, the global key (if configured) is used for that server.
Note Prior to Cisco MDS SAN-OS Release 2.1(2), you can use the dollar sign ($) in the key but the key must be enclosed in double quotes, for example "k$". The percent sign (%) is not allowed. In Cisco MDS SAN-OS Release 2.1(2) and later, you can use the dollar sign ($) without double quotes and the percent sign (%) in global secret keys.
You can configure global values for the secret key for all TACACS+ servers.
Note If secret keys are configured for individual servers, those keys override the globally configured key.
Configuring TACACS+ Server Monitoring Parameters
You can configure parameters for monitoring TACACS+ servers.
This section includes the following topics:
•Configuring the TACACS+ Test Idle Timer
•Configuring Test Username
•Configuring the Dead Timer
Configuring the TACACS+ Test Idle Timer
The test idle timer specifies the interval during which a TACACS+ server receives no requests before the MDS switch sends out a test packet.
Note The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
To configure the idle timer, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server host 10.1.1.1
test idle-time 20
|
Configures the test idle time interval value in minutes. The valid range is 1 to 1440 minutes.
|
Step 3
|
switch(config)# no tacacs-server host
10.1.1.1 test idle-time 20
|
Reverts to the default value (0 minutes).
|
Configuring Test Username
You can configure a username and password for periodic TACACS+ server status testing. You do not servers. You can use the default test username (test) and default password (test).
To configure the optional username and password for periodic TACACS+ server status testing, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server host
10.1.1.1 test username testuser
|
Configures the test user (testuser) with the default password (test). The default username is test.
|
switch(config)# no tacacs-server host
10.1.1.1 test username testuser
|
Removes the test user (testuser).
|
switch(config)# tacacs-server host
10.1.1.1 test username testuser password
Ur2Gd2BH
|
Configures the test user (testuser) and assigns a strong password.
For guidelines for creating strong passwords, see the "Characteristics of Strong Passwords" section on page 39-11.
|
Configuring the Dead Timer
The dead timer specifies the interval that the MDS switch waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.
Note The default dead timer value is 0 minutes. TACACS+ server monitoring is not performed if the dead timer interval is 0 minutes, unless the TACACS+ server is a part of a bigger group with the dead-time interval greater than 0 minutes. (See "Configuring RADIUS" section.)
Note If the dead timer of a dead TACACS+ server expires before it is sent a TACACS+ test message, that server is marked as alive again even if it is still not responding. To avoid this scenario, configure a test user with a shorter idle time than the dead timer time.
To configure the dead timer, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server deadtime 30
|
Configures the dead-time interval value in minutes. The valid range is 1 to 1440 minutes.
|
Step 3
|
switch(config)# no tacacs-server deadtime 30
|
Reverts to the default value (0 minutes).
Note When the dead-time interval is 0 minutes, TACACS+ server monitoring is not performed unless the TACACS+ server is part of a server group and the dead-time interval for the group is greater than 0 minutes. (See the "Configuring RADIUS" section.)
|
Sending TACACS+ Test Messages for Monitoring
You can manually send test messages to monitor a TACACS+ server.
To send the test message to the TACACS+ server, follow these steps:
Command
|
Purpose
|
switch# test aaa server tacacs+
10.10.1.1 test test
|
Sends a test message to a TACACS+ server using the default username (test) and password (test).
|
switch# test aaa server tacacs+
10.10.1.1 testuser Ur2Gd2BH
|
Sends a test message to a TACACS+ server using a configured test username and password.
A configured username and password is optional (see the "Configuring Test Username" section).
|
Password Aging Notification through TACACS+ Server
Password aging notification is initiated when the user authenticates to a Cisco MDS 9000 switch via a TACACS+ account. The user is notified when a password is about to expire or has expired. If the password has expired, user is prompted to change the password.
Note As of Cisco MDS SAN-OS Release 3.2(1), only TACACS+ supports password aging notification. If you try to use RADIUS servers by enabling this feature, RADIUSs will generate a SYSLOG message and authentication will fall back to the local database.
Password aging notification facilitates the following:
•Password change — You can change your password by entering a blank password.
•Password aging notification — Notifies password aging. Notification happens only if the AAA server is configured.
•Password change after expiration — Initiates password change after the old password expires. Initiation happens from the AAA server.
To enable the password aging option in the AAA server, enter the following command:
aaa authentication login password-aging enable
To determine whether or not password aging notification is enabled or disabled in the AAA server, enter the following command:
show aaa authentication login password-aging
About Users Specifying a TACACS+ Server at Login
By default, an MDS switch forwards an authentication request to the first server in the TACACS+ server group. You can configure the switch to allow the user to specify which TACACS+ server to send the authenticate request. If you enable this feature, the user can log in as username@hostname, where the hostname is the name of a configured TACACS+ server.
Allowing Users to Specify a TACACS+ Server at Login
To allow users logging into an MDS switch to select a TACACS+ server for authentication, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs-server
directed-request
|
Allows users to specify a TACACS+ server to send the authentication request when logging in.
|
switch(config)# no tacacs-server
directed-request
|
Reverts to sending the authentication request to the first server in the server group (default).
|
You can use the show tacacs-server directed-request command to display the TACACS+ directed request configuration.
switch# show tacacs-server directed-request
Defining Custom Attributes for Roles
Cisco MDS 9000 Family switches use the TACACS+ custom attribute for service shells to configure roles to which a user belongs. TACACS+ attributes are specified in name=value format. The attribute name for this custom attribute is cisco-av-pair. The following example illustrates how to specify roles using this attribute:
cisco-av-pair=shell:roles="network-admin vsan-admin"
You can also configure optional custom attributes to avoid conflicts with non-MDS Cisco switches using the same AAA servers.
cisco-av-pair*shell:roles="network-admin vsan-admin"
Additional custom attribute shell:roles are also supported:
shell:roles="network-admin vsan-admin"
or
shell:roles*"network-admin vsan-admin"
Note TACACS+ custom attributes can be defined on an Access Control Server (ACS) for various services (for example, shell). Cisco MDS 9000 Family switches require the TACACS+ custom attribute for the service shell to be used for defining roles.
Supported TACACS+ Server Parameters
The Cisco SAN-OS software currently supports the following parameters for the listed TACACS+ servers:
•TACACS+
cisco-av-pair=shell:roles="network-admin"
•Cisco ACS TACACS+
shell:roles="network-admin"
shell:roles*"network-admin"
cisco-av-pair*shell:roles="network-admin"
cisco-av-pair*shell:roles*"network-admin"
cisco-av-pair=shell:roles*"network-admin"
•Open TACACS+
cisco-av-pair*shell:roles="network-admin"
cisco-av-pair=shell:roles*"network-admin"
Displaying TACACS+ Server Details
Use the show aaa and show tacacs-server commands to display information about TACACS+ server configuration in all switches in the Cisco MDS 9000 Family as shown in Examples 32-5 to 32-10.
Example 32-5 Displays Configured TACACS+ Server Information
switch# show tacacs-server
Global TACACS+ shared secret:***********
total number of servers:3
following TACACS+ servers are configured:
TACACS+ shared secret:*****
Example 32-6 Displays AAA Authentication Information
switch# show aaa authentication
default: group TacServer local none
Example 32-7 Displays AAA Authentication Login Information
switch# show aaa authentication login error-enable
Example 32-8 Displays Configured TACACS+ Server Groups
switch# show tacacs-server groups
following TACACS+ server groups are configured:
server 171.71.58.91 on port 2
server ServerA on port 49
server ServerB on port 49:
Example 32-9 Displays All AAA Server Groups
Example 32-10 Displays TACACS+ Server Statistics
switch# show tacacs-server statistics 10.1.2.3
Authentication Statistics
sucessfull transactions: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
sucessfull transactions: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
sucessfull transactions: 0
responses with no matching requests: 0
responses not processed: 0
responses containing errors: 0
Configuring Server Groups
You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the same protocol, either RADIUS or TACACS+. The servers are tried in the same order in which you configure them.
The AAA server monitoring feature can mark an AAA server as dead. You can configure a period of time in minutes to elapse before the switch sends requests to a dead AAA server. (See the "AAA Server Monitoring" section.)
You can configure these server groups at any time but they only take effect when you apply them to an AAA service. You configure AAA policies for CLI users or Fabric Manager or Device Manager users.
To configure a RADIUS server group, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# aaa group server radius
RadServer
switch(config-radius)#
|
Creates a server group named RadServer and enters the RADIUS server group configuration submode for that group.
|
switch(config)# no aaa group server
radius RadServer
|
Deletes the server group called RadServer from the authentication list.
|
Step 3
|
switch(config-radius)# server 10.71.58.91
|
Configures the RADIUS server at IPv4 address 10.71.58.91 to be tried first within the server group RadServer.
Tip If the specified RADIUS server is not found, configure it using the radius-server host command and retry this command.
|
Step 4
|
switch(config-radius)# server
2001:0DB8:800:200C::417A
|
Configures the RADIUS server at IPv6 address 2001:0DB8:800:200C::417A to be tried first within the server group RadServer.
|
switch(config-radius)# no server
2001:0DB8:800:200C::417A
|
Removes the RADIUS server at IPv6 address 2001:0DB8:800:200C::417A from the server group RadServer.
|
Step 5
|
switch(config-radius)# exit
|
Returns to configuration mode.
|
Step 6
|
switch(config)# aaa group server radius
RadiusServer
switch(config-radius)#
|
Creates a server group named RadiusServer and enters the RADIUS server group configuration submode for that group.
|
Step 7
|
switch(config-radius)# server ServerA
|
Configures ServerA to be tried first within the server group called the RadiusServer1.
Tip If the specified RADIUS server is not found, configure it using the radius-server host command and retry this command.
|
Step 8
|
switch(config-radius)# server ServerB
|
Configures ServerB to be tried second within the server group RadiusServer1.
|
Step 9
|
switch(config-radius)# deadtime 30
|
Configures the monitoring dead time to 30 minutes. The range is 0 through 1440.
Note If the dead-time interval for an individual RADIUS server is greater than 0, that value takes precedence over the value set for the server group.
|
switch(config-radius)# no deadtime 30
|
Reverts to the default value (0 minutes).
Note If the dead-time interval for both the RADIUS server group and an individual TACACS+ server in the RADIUS server group is set to 0, the switch does not mark the RADIUS server as dead when it is found to be unresponsive by periodic monitoring. Also, the switch does not perform dead server monitoring for that RADIUS server. (See the "Configuring RADIUS Server Monitoring Parameters" section.)
|
To verify the configured server group order, use the show radius-server groups command:
switch# show radius-server groups
following RAIDUS server groups are configured:
server 10.71.58.91 on port 2
server ServerA on port 49
server ServerB on port 49:
To configure a TACACS+ server group, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# aaa group server tacacs+
TacacsServer1
switch(config-tacacs+)#
|
Creates a server group named TacacsServer1 and enters the submode for that group.
|
switch(config)# no aaa group server
tacacs+ TacacsServer1
|
Deletes the server group called TacacsServer1 from the authentication list.
|
Step 3
|
switch(config-tacacs+)# server ServerA
|
Configures ServerA to be tried first within the server group called the TacacsServer1.
Tip If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command.
|
Step 4
|
switch(config-tacacs+)# server ServerB
|
Configures ServerB to be tried second within the server group TacacsServer1.
|
switch(config-tacacs+)# no server ServerB
|
Deletes ServerB within the TacacsServer1 list of servers.
|
Step 5
|
switch(config-tacacs+)# deadtime 30
|
Configures the monitoring dead time to 30 minutes. The range is 0 through 1440.
Note If the dead-time interval for an individual TACACS+ server is greater than 0, that value takes precedence over the value set for the server group.
|
switch(config-tacacs+)# no deadtime 30
|
Reverts to the default value (0 minutes).
Note If the dead-time interval for both the TACACS+ server group and an individual TACACS+ server in the TACACS+ server group is set to 0, the switch does not mark the TACACS+ server as dead when it is found to be unresponsive by periodic monitoring. Also, the switch does not perform dead server monitoring for that TACACS+ server. (See the "Configuring TACACS+ Server Monitoring Parameters" section.)
|
AAA Server Distribution
Configuration for RADIUS and TACACS+ AAA on an MDS switch can be distributed using the Cisco Fabric Services (CFS). The distribution is disabled by default (see Chapter 6, "Using the CFS Infrastructure").
After enabling the distribution, the first server or global configuration starts an implicit session. All server configuration commands entered thereafter are stored in a temporary database and applied to all switches in the fabric (including the originating one) when you explicitly commit the database. The various server and global parameters are distributed, except the server and global keys. These keys are unique secrets to a switch and should not be shared with other switches.
Note Server group configurations are not distributed.
Note For an MDS switch to participate in AAA server configuration distribution, it must be running Cisco MDS SAN-OS Release 2.0(1b) or later.
Enabling AAA Server Distribution
Only switches where distribution is enabled can participate in the distribution activity.
To enable RADIUS server distribution, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius distribute
|
Enables RADIUS configuration distribution in this switch.
|
switch(config)# no radius
distribute
|
Disables RADIUS configuration distribution in this switch (default).
|
To enable TACACS+ server distribution, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs+ distribute
|
Enables TACACS+ configuration distribution in this switch.
|
switch(config)# no tacacs+
distribute
|
Disables TACACS+ configuration distribution in this switch (default).
|
Starting a Distribution Session on a Switch
A distribution session starts the moment you begin a RADIUS/TACACS+ server or global configuration. For example, the following tasks start an implicit session:
•Specifying the global timeout for RADIUS servers.
•Specifying the global timeout for TACACS+ servers.
Note After you issue the first configuration command related to AAA servers, all server and global configurations that are created (including the configuration that caused the distribution session start) are stored in a temporary buffer, not in the running configuration.
Displaying the Session Status
Once the implicit distribution session has started, you can check the session status . You see the distribution status on the CFS tabuse the show radius command.
switch# show radius distribution status
merge protocol status: merge activation done
last operation status: success
Once the implicit distribution session has started, you can check the session status using the show tacacs+ distribution status command.
switch# show tacacs+ distribution status
merge protocol status: merge activation done
last operation status: success
Displaying the Pending Configuration
To display the RADIUS or TACACS+ global and/or server configuration stored in the temporary buffer use the show radius pending command, follow these steps:
switch(config)# show radius pending-diff
+radius-server host testhost1 authentication accounting
+radius-server host testhost2 authentication accounting
To display the TACACS+ global and/or server configuration stored in the temporary buffer, use the show tacacs+ pending command.
switch(config)# show tacacs+ pending-diff
+tacacs-server host testhost3
+tacacs-server host testhost4
Committing the Distribution
The RADIUS or TACACS+ global and/or server configuration stored in the temporary buffer can be applied to the running configuration across all switches in the fabric (including the originating switch).
To commit RADIUS configuration changes, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius commit
|
Commits the RADIUS configuration changes to the running configuration.
|
To commit TACACS+ configuration changes, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs+ commit
|
Commits the TACACS+ configuration changes to the running configuration.
|
Discarding the Distribution Session
Discarding the distribution of a session in progress causes the configuration in the temporary buffer to be dropped. The distribution is not applied.
To discard the RADIUS session-in-progress distribution, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# radius abort
|
Discards the RADIUS configuration changes to the running configuration.
|
To discard the TACACS+ session-in-progress distribution, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# tacacs+ abort
|
Discards the TACACS+ configuration changes to the running configuration.
|
To clear the ongoing CFS distribution session (if any) and to unlock the fabric for the RADIUS feature, enter the clear radius session command from any switch in the fabric.
switch# clear radius session
To clear the ongoing CFS distribution session (if any) and to unlock the fabric for the TACACS+ feature, enterthe clear tacacs+ session command from any switch in the fabric.
switch# clear tacacs+ session
.Merge Guidelines for RADIUS and TACACS+ Configurations
The RADIUS and TACACS+ server and global configuration are merged when two fabrics merge. The merged configuration is applied to CFS distribution-enabled switches.
When merging the fabric, be aware of the following conditions:
•The server groups are not merged.
•The server and global keys are not changed during the merge.
•The merged configuration contains all servers found on all CFS enabled switches.
•The timeout and retransmit parameters of the merged configuration are the largest values found per server and global configuration.
Caution If there is a conflict between two switches in the server ports configured, the merge fails.
Use the show radius distribution status command to view the status of the RADIUS fabric merge as shown in Example 32-11.
Example 32-11 Displays the RADIUS Fabric Merge Status
switch# show radius distribution status
session db: does not exist
merge protocol status: merge response received
merge error: conflict: server dmtest2 has auth-port 1812 on this switch and 1999
last operation status: success
Use the show tacacs+ distribution status command to view the status of the TACACS+ fabric merge as shown in Example 32-12.
Example 32-12 Displays the TACACS+ Fabric Merge Status
switch# show tacacs+ distribution status
session db: does not exist
merge protocol status: merge activation done
last operation status: success
MSCHAP Authentication
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to an MDS switch through a remote authentication server (RADIUS or TACACS+).
About Enabling MSCHAP
By default, the switch uses Password Authentication Protocol (PAP) authentication between the switch and the remote server. If you enable MSCHAP, you need to configure your RADIUS server to recognize the MSCHAP vendor-specific attributes. See the "About Vendor-Specific Attributes" section. Table 32-2 shows the RADIUS vendor-specific attributes required for MSCHAP.
Table 32-2 MSCHAP RADIUS Vendor-Specific Attributes
Vendor-ID Number
|
Vendor-Type Number
|
Vendor-Specific Attribute
|
Description
|
311
|
11
|
MSCHAP-Challenge
|
Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets.
|
211
|
11
|
MSCHAP-Response
|
Contains the response value provided by an user in response to the challenge. It is only used in Access-Request packets.
|
To enable MSCHAP authentication, follow these steps:
|
Command
|
Purpose
|
Step 1
|
switch# config t
|
Enters configuration mode.
|
Step 2
|
switch(config)# aaa authentication login
mschap enable
|
Enables MSCHAP login authentication.
|
You can use the show aaa authentication login mschap command to display the MSCHAP authentication configuration.
switch# show aaa authentication login mschap
Local AAA Services
The system maintains the username and password locally and stores the password information in encrypted form. You are authenticated based on the locally stored user information. Use the username command to configure local users and their roles (see the "Configuring User Accounts" section on page 39-10).
Use the show accounting log command to view the local accounting log as shown in Example 32-13.
Example 32-13 Displays the Accounting Log Information
switch# show accounting log
Sat Jan 24 03:22:06 1981:stop:snmp_349154526_171.71.58.69:admin:
Sat Jan 24 03:22:06 1981:start:snmp_349154526_171.71.58.69:admin:
Sat Jan 24 03:22:06 1981:update:snmp_349154526_171.71.58.69:admin:Added member [
WWN: 21:00:00:20:37:a6:be:00 ID: 2] to zone test-27 on VSAN 1
Sat Jan 24 23:59:56 1981:stop:/dev/pts/0_349228792:root:shell terminated
Sun Jan 25 00:00:06 1981:start:/dev/pts/1_349228806:admin:
Disabling AAA Authentication
You can turn off password verification using the none option. If you configure this option, users can log in without giving a valid password. But the user should at least exist locally on the Cisco MDS 9000 Family switch.
Caution Use this option cautiously. If configured, any user can access the switch at any time.
Use the none option in the aaa authentication login command to disable password verification.
A user created by entering the username command will exist locally on the Cisco MDS 9000 Family switch.
Displaying AAA Authentication
The show aaa authentication command displays the configured authentication methods as shown in Example 32-14.
Example 32-14 Displays Authentication Information
switch# show aaa authentication
default: group TacServer local none
Configuring Accounting Services
Accounting refers to the log information that is kept for each management session in a switch. This information may be used to generate reports for troubleshooting and auditing purposes. Accounting can be implemented locally or remotely (using RADIUS). The default maximum size of the accounting log is 250,000 bytes and cannot be changed.
Tip The Cisco MDS 9000 Family switch uses interim-update RADIUS accounting-request packets to communicate accounting log information to the RADIUS server. The RADIUS server must be appropriately configured to log the information communicated in these packets. Several servers typically have log update/watchdog packets flags in the AAA client configuration. Turn on this flag to ensure proper RADIUS accounting.
Note Configuration operations are automatically recorded in the accounting log if they are performed in configuration mode. Additionally, important system events (for example, configuration save and system switchover) are also recorded in the accounting log.
Displaying Accounting Configuration
To display configured accounting information use show accounting command. See Examples 32-15 to 32-17. To specify the size of the local accounting log to be displayed, use the show accounting log command. By default about 250 KB of accounting log is displayed.
Example 32-15 Displays Two Samples of Configured Accounting Parameters
switch# show accounting config
switch# show aaa accounting
Example 32-16 Displays 60,000 Bytes of the Accounting Log
switch# show accounting log 60000
Fri Jan 16 15:28:21 1981:stop:snmp_348506901_64.104.131.208:admin:
Fri Jan 16 21:17:04 1981:start:/dev/pts/0_348527824:admin:
Fri Jan 16 21:35:45 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group1
Fri Jan 16 21:35:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group1
Fri Jan 16 21:35:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group5
Fri Jan 16 21:35:55 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group5
Fri Jan 16 21:35:55 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group3
Fri Jan 16 21:58:17 1981:start:snmp_348530297_171.71.150.105:admin:
Example 32-17 Displays the Entire Log File
switch# show accounting log
Fri Jan 16 15:28:21 1981:stop:snmp_348506901_64.104.131.208:admin:
Fri Jan 16 21:17:04 1981:start:/dev/pts/0_348527824:admin:
Fri Jan 16 21:35:45 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group1
Fri Jan 16 21:35:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group1
Fri Jan 16 21:35:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group5
Fri Jan 16 21:35:55 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group5
Fri Jan 16 21:35:55 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group3
Fri Jan 16 21:58:17 1981:start:snmp_348530297_171.71.150.105:admin:
Fri Jan 16 21:58:17 1981:stop:snmp_348530297_171.71.150.105:admin:
Fri Jan 16 21:58:18 1981:start:snmp_348530298_171.71.150.105:admin:
Fri Jan 16 21:58:18 1981:stop:snmp_348530298_171.71.150.105:admin:
Fri Jan 16 23:37:02 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group3
Fri Jan 16 23:37:26 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for
group:TacacsServer1
Fri Jan 16 23:45:19 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for
group:TacacsServer1
Fri Jan 16 23:45:19 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group1
Fri Jan 16 23:53:51 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
server:Server3
Fri Jan 16 23:54:00 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
server:Server5
Fri Jan 16 23:54:22 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for
server:ServerA
Fri Jan 16 23:54:25 1981:update:/dev/pts/0_348527824:admin:updated TACACS+ parameters for
server:ServerB
Fri Jan 16 23:55:03 1981:update:/dev/pts/0_348527824:admin:updated RADIUS parameters for
group:Group1
Sat Jan 17 00:01:41 1981:start:snmp_348537701_171.71.58.100:admin:
Sat Jan 17 00:01:41 1981:stop:snmp_348537701_171.71.58.100:admin:
Sat Jan 17 00:01:42 1981:start:snmp_348537702_171.71.58.100:admin:
Sat Jan 17 00:01:42 1981:stop:snmp_348537702_171.71.58.100:admin:
Clearing Accounting Logs
To clear out the contents of the current log, use the clear accounting log command.
switch# clear accounting log
Configuring Cisco Access Control Servers
The Cisco Access Control Server (ACS) uses TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment.When using the AAA server, user management is normally done using Cisco ACS. Figure 32-3, Figure 32-4, Figure 32-5, and Figure 32-6 display ACS server user setup configurations for network-admin roles and multiple roles using either RADIUS or TACACS+.
Caution Cisco MDS SAN-OS does not support all numeric usernames, whether created with RADIUS or TACACS+, or created locally. Local users with all numeric names cannot be created. If an all numeric user name exists on an AAA server and is entered during login, the user is not logged in.
Figure 32-3 Configuring the network-admin Role When Using RADIUS
Figure 32-4 Configuring Multiple Roles with SNMPv3 Attributes When Using RADIUS
Figure 32-5 Configuring the network-admin Role with SNMPv3 Attributes When Using TACACS+
Figure 32-6 Configuring Multiple Roles with SNMPv3 Attributes When Using TACACS+
Default Settings
Table 32-3 lists the default settings for all switch security features in any switch.
Table 32-3 Default Switch Security Settings
Parameters
|
Default
|
Roles in Cisco MDS switches
|
Network operator (network-operator)
|
AAA configuration services
|
Local
|
Authentication port
|
1821
|
Accounting port
|
1813
|
Preshared key communication
|
Clear text
|
RADIUS server timeout
|
1 (one) second
|
RADIUS server retries
|
Once
|
RADIUS server directed requests
|
Disabled
|
TACACS+
|
Disabled
|
TACACS+ servers
|
None configured
|
TACACS+ server timeout
|
5 seconds
|
TACACS+ server directed requests
|
Disabled
|
AAA server distribution
|
Disabled
|
Accounting log size
|
250 KB
|