# Security Configuration Guide
## AAA

### Introduction

AAA is the abbreviation of Authentication, Authorization and Accounting. It is a security management mechanism for access control in network security, providing three kinds of security services: authentication, authorization and accounting.

### Description of Principle

AAA provides the following three security services.

#### Authentication

The user's identity is verified to determine whether he or she is a legitimate user. Authentication is usually performed by checking the username and password entered by the user. The principle of authentication is that each user has a unique credential for obtaining permissions: the AAA server checks the user's credential against the credentials of each user in the database. If it matches, the user is authenticated; if not, the network connection is denied.

The following authentication methods are currently supported:

- RADIUS authentication
- TACACS+ authentication
- Local authentication

#### Authorization

For authenticated users, authorization determines which services they can use. For example, after logging into the system, the user may execute some commands to complete the corresponding operations; at this point, the authorization process checks whether the user has permission to execute these commands. In general, the authorization process is a combination of a number of enforcement policies that determine the type or quality of activity, resources, or services that the user is allowed to use. The authorization process occurs in the context of authentication: once a user is authenticated, they are granted the appropriate permissions as well.

The following authorization methods are currently supported:

- RADIUS authorization
- TACACS+ authorization
- Local authorization

#### Accounting

Accounting records the resources consumed by users using network services during the connection process, such as connection time or the amount of traffic sent and received by users during the connection. The accounting process is performed based on statistical logs of the connection process and user information, and supports authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

The following accounting methods are currently supported:

- TACACS+ accounting
- Local accounting

### AAA Configuration

Table 1 Overview of AAA configuration tasks

| Configuration tasks | Description |
| --- | --- |
| Configure authentication mode | Optional |
| Configure authorization mode | Optional |
| Configure accounting mode | Optional |
| Configure RADIUS server | Optional |
| Configure TACACS+ server | Optional |

### AAA Default Setting

The default setting of AAA is shown in the following table.

Table 2 AAA default setting

| Parameters | Default value |
| --- | --- |
| AAA authentication mode | local |
| AAA accounting mode | local |
| AAA authorization mode | local |
| Failthrough | disable |
| TACACS+ global/server auth type | pap |
| TACACS+ global/server connection timeout time | 5s |
| TACACS+ global passkey | empty |
| TACACS+ server TCP port ID | 49 |
| TACACS+ server priority | 1 |
| TACACS+ server admin VRF | no VRF |

### Configure Authentication Mode

Configure the authentication methods used for user authentication and the order in which each authentication method takes effect. To avoid authentication failures due to no response in single-authentication-method scenarios, local authentication is generally configured as the backup authentication method in the authentication scheme.

Table 3 Configure authentication mode

| Purpose | Command | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Configure AAA authentication mode | `aaa authentication mode login { tacacs+ \| local \| tacacs+,local \| local,tacacs+ \| radius,local \| local,radius \| radius \| default }` | The default mode is local. Comma-separated modes indicate multi-level authentication. |
| Enable failthrough | `aaa authentication mode failthrough { enable \| disable \| default }` | This function is disabled by default. After it is enabled, when performing multi-level authentication, if the first level of authentication fails, authentication continues with the second level; otherwise, it ends directly. |

### Configure Authorization Mode

Configure the authorization methods used for user authorization and the order in which each authorization method takes effect. Using multiple authorization methods in an authorization scheme avoids authorization failures caused by the lack of response from a single authorization method.

The authentication and authorization processes of RADIUS are combined and cannot be separated: the authorization information is included in the authentication acceptance message returned by the server. Therefore, there is no need to configure the authorization mode when using RADIUS authentication.

Table 4 Configure authorization mode

| Purpose | Command | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Configure authorization mode | `aaa authorization mode { tacacs+ \| local \| tacacs+,local \| default }` | The default mode is local. |

### Configure Accounting Mode

Configure the accounting mode to be used for user accounting.

Table 5 Configure accounting mode

| Purpose | Command | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Configure accounting mode | `aaa accounting mode { tacacs+ \| local \| tacacs+,local \| default }` | The default mode is local. |
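The following added example (not code from this guide or from the switch software) models the behaviour that Table 3 describes for a comma-separated method list and the failthrough switch. The server and local databases, user names and passwords are constructed; the outcome labels are assumptions chosen for the model. It shows the point a defender should keep in mind when enabling failthrough: a user that the RADIUS or TACACS+ server has rejected is then tried against the local database, so local accounts and their passwords stay part of the attack surface, while with failthrough disabled an unreachable server ends the attempt with no fallback.

```python
"""Model of the multi-level AAA authentication order and the failthrough switch
(an added illustration; not the switch's implementation)."""
from typing import Callable, Dict, List, Tuple

# Outcomes a single authentication method can return (constructed labels).
ACCEPT = "accept"            # credentials verified
REJECT = "reject"            # method answered and refused the credentials
NO_RESPONSE = "no-response"  # remote server did not answer within the timeout

Method = Callable[[str, str], str]


def make_method(user_db: Dict[str, str], reachable: bool = True) -> Method:
    """Build a simulated method (RADIUS, TACACS+ or local) from a constructed
    user table. reachable=False simulates a server that never answers."""
    def method(user: str, password: str) -> str:
        if not reachable:
            return NO_RESPONSE
        return ACCEPT if user_db.get(user) == password else REJECT
    return method


def authenticate(order: List[Tuple[str, Method]], failthrough: bool,
                 user: str, password: str) -> Tuple[str, List[str]]:
    """Run the methods in the configured order, e.g. radius,local.

    failthrough disabled: the first level decides; whatever it returns is final.
    failthrough enabled:  a level that does not ACCEPT is followed by the next
    level, so a rejection (or no answer) at the first level falls through.
    Returns (final outcome, names of the levels that were consulted)."""
    consulted: List[str] = []
    outcome = REJECT  # an empty method list authenticates nobody
    for name, method in order:
        consulted.append(name)
        outcome = method(user, password)
        if outcome == ACCEPT or not failthrough:
            break
    return outcome, consulted


# Constructed user tables: the RADIUS server knows "user"/"admin" (the account
# used in the RADIUS example later on this page); the local database holds a
# different, local-only account.
RADIUS_USERS = {"user": "admin"}
LOCAL_USERS = {"admin": "local-password"}


def scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """The situations a practitioner usually wants to see side by side."""
    radius_up = make_method(RADIUS_USERS)
    radius_down = make_method(RADIUS_USERS, reachable=False)
    local = make_method(LOCAL_USERS)
    radius_local_up = [("radius", radius_up), ("local", local)]
    radius_local_down = [("radius", radius_down), ("local", local)]
    return {
        # A RADIUS account works at the first level regardless of failthrough.
        "radius user, failthrough off": authenticate(radius_local_up, False, "user", "admin"),
        # A local-only account is rejected by RADIUS; without failthrough that ends it.
        "local user, failthrough off": authenticate(radius_local_up, False, "admin", "local-password"),
        # With failthrough the same rejection falls through to the local database.
        "local user, failthrough on": authenticate(radius_local_up, True, "admin", "local-password"),
        # Unreachable RADIUS server: only failthrough lets local act as the backup.
        "server down, failthrough off": authenticate(radius_local_down, False, "admin", "local-password"),
        "server down, failthrough on": authenticate(radius_local_down, True, "admin", "local-password"),
    }


if __name__ == "__main__":
    for label, (outcome, consulted) in scenarios().items():
        print(f"{label:30s} -> {outcome:12s} via {','.join(consulted)}")
```

Run the file to print the five cases. The order of the tuple matters as much as the failthrough flag: with `local,radius` the local database would be consulted first, so a password guessed against a local account never reaches the central server's logging and lockout policy.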
### Configure RADIUS Server

Table 6 Configure RADIUS server

| Purpose | Command | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Add RADIUS server | `radius server ip-address [ priority priority ] shared secret` | Specify the RADIUS server IP. You can specify the server priority (range 1 to 64). After the command is entered, enter the passkey. |

### Configure TACACS+ Server

Table 6 TACACS+ server configuration

| Purpose | Command | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Add TACACS+ server | `tacacs server ip-address [ timeout interval ] [ auth type { chap \| pap \| mschap \| login } ] [ port tcp-port ] [ pri priority ] [ use mgmt vrf ] [ cipher cipher-secret \| key ]` | ip-address: TACACS+ server IP address. interval: timeout interval in seconds, range 1 to 60, default is 5. key: passkey. auth type: authentication type, default is "pap". tcp-port: TCP port ID, range is 1 to 65535, default is 49. priority: the default value is 1. use mgmt vrf: management VRF, default is "no VRF". If you enter `key`, enter the passkey after the command is finished. |
| Configure TACACS+ global auth type | `tacacs server authtype [ chap \| pap \| mschap \| login ]` | |
| Configure TACACS+ global key | `tacacs server passkey` | Enter the passkey after the command is completed. |
| Configure TACACS+ global timeout | `tacacs server timeout interval` | interval: timeout interval in seconds, range 1 to 60, default is 5. |
| Restore to default configuration | `tacacs server default { authtype \| passkey \| timeout }` | |

### Display and Maintenance

Table 7 Display and maintenance

| Purpose | Command | Description |
| --- | --- | --- |
| Show AAA configuration | `show aaa` | |
| Show TACACS+ configuration | `show tacacs` | |
| Show RADIUS configuration | `show radius` | |
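The passkey entered after `radius server ... shared secret` has to match the `secret` configured on the RADIUS server because every reply the server sends is authenticated with it. The following added example (not code from this guide, the switch or FreeRADIUS) walks through one RFC 2865 Access-Request and its reply with constructed values: the user table, the secrets and the fixed identifier 7 are assumptions. It shows why a mismatched secret does not surface as a clean "wrong key" error: the server cannot recover the PAP password, answers Access-Reject, and the client cannot verify the Response Authenticator on that reply, so it discards it and the attempt looks exactly like a server that never answered.

```python
"""RADIUS Access-Request / reply exchange protected by a shared secret
(RFC 2865), added as an illustration with constructed values."""
import hashlib
import hmac
import os
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18   # attribute type numbers


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV encoding: Type (1 byte), Length (1 byte, includes the header), Value."""
    return bytes([attr_type, 2 + len(value)]) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            break  # malformed attribute: stop rather than loop forever
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code (1), Identifier (1), Length (2), Authenticator (16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): XOR 16-byte blocks with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, pad)), block
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_handle(request: bytes, server_secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Constructed RADIUS server: PAP check against a user table, authenticated reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    user = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), server_secret, request_auth)
    if users.get(user) == password:
        reply_code, reply_attrs = ACCESS_ACCEPT, attribute(REPLY_MESSAGE, b"Hello, " + user)
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, server_secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def client_login(user: bytes, password: bytes, client_secret: bytes,
                 server_secret: bytes, users: Dict[bytes, bytes]) -> str:
    """The switch side: send an Access-Request and verify the reply before trusting it."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, user) + attribute(
        USER_PASSWORD, hide_password(password, client_secret, request_auth))
    request = build_packet(ACCESS_REQUEST, 7, request_auth, attrs)  # identifier 7: constructed
    reply = server_handle(request, server_secret, users)
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], client_secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return "discarded"  # unverifiable reply is dropped silently: looks like no response
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "discarded")


# Constructed data mirroring the page's example: user "user", password "admin", secret "radkey".
USERS = {b"user": b"admin"}

if __name__ == "__main__":
    print(client_login(b"user", b"admin", b"radkey", b"radkey", USERS))    # accept
    print(client_login(b"user", b"wrong", b"radkey", b"radkey", USERS))    # reject
    print(client_login(b"user", b"admin", b"radkey", b"otherkey", USERS))  # discarded
```

The third call is the one to remember when troubleshooting: a secret mismatch is indistinguishable from a dead server on the switch side, and the only definite signal is the server's own log. Verifying the Response Authenticator before acting on a reply is also what stops a spoofed Access-Accept from an attacker who can inject UDP packets but does not hold the secret, which is why the secret should be long and random rather than a word such as the constructed `radkey` used here.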
### Typical Configuration Examples

#### Example for Configuring RADIUS Authentication for SSH Login Users

**Networking requirements**

A RADIUS server is deployed in the network as shown in the figure below, and the enterprise wants the administrator to use RADIUS authentication to log in to the switch via SSH to manage the switch remotely. The specific requirements are as follows:

- The administrator must enter the correct username and password to log in to the switch via SSH.
- After logging in to the switch via SSH, the administrator can execute all commands at level 0 to 15.

**Topology**

(Topology figure not reproduced on this page.)

**Procedure**

RADIUS server:

```
# Install FreeRADIUS.

# Edit /etc/freeradius/clients.conf to configure the client passkey and IP.
client 10.250.0.0/24 {
    secret    = radkey
    shortname = test
}

# Edit /etc/freeradius/users to configure the username and password used by the client to log in.
"user" Cleartext-Password := "admin"
    Reply-Message = "Hello, %{User-Name}",
    Management-Privilege-Level = 15

# Turn on the FreeRADIUS service.
sudo freeradius -X
```

Switch:

```
# Configure the authentication method.
sonic# configure terminal
sonic(config)# aaa authentication mode login radius,local

# If multiple authentication methods or multiple servers are configured, failthrough needs to be enabled.
sonic(config)# aaa authentication mode failthrough enable

# Configure the RADIUS server.
sonic# configure terminal
sonic(config)# radius server 10.250.0.243 shared secret
# Enter the passkey of the RADIUS authentication server after the command is completed;
# it needs to be consistent with the configuration on the RADIUS server.
```

Verify the configuration:

```
# Client login via SSH remotely.
ssh user@10.250.0.206
Connecting to 10.250.0.206:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].

WARNING! The remote SSH server rejected X11 forwarding request.
Linux sonic 4.9.0-14-2-amd64 #1 SMP Debian 4.9.246-2 (2020-12-17) x86_64
(ASCII-art login banner omitted)
Asterfusion Network Operating System
Help: http://www.asterfusion.com/
user@sonic:~$
```

#### Example for Configuring TACACS+ Authentication for SSH Login Users

**Networking requirements**

A TACACS+ server is deployed in the network as shown in the figure below, and the enterprise wants the administrator to use TACACS+ authentication to log in to the switch via SSH to manage the switch remotely. The specific requirements are as follows:

- The administrator must enter the correct username and password to log in to the switch via SSH.
- After logging in to the switch via SSH, the administrator can execute all commands at level 0 to 15.

**Topology**

(Topology figure not reproduced on this page.)

**Procedure**

TACACS+ server:

```
# Install tacacs+.

# Edit /etc/tacacs+/tac_plus.conf to configure the client passkey and the username
# and password used by the client to log in.
key = "testkey123"
user = su1 {
    login = cleartext "su1"
    pap = cleartext "su1"
    member = remote_user_su
}

# Restart the tacacs+ service.
systemctl stop tacacs_plus.service
sudo tac_plus -C /etc/tacacs+/tac_plus.conf -G -g -d 512
```

Switch:

```
# Configure the authentication method (tacacs+, tacacs+,local or local,tacacs+).
sonic# configure terminal
sonic(config)# aaa authentication mode login tacacs+

# If multiple authentication methods or multiple servers are configured, failthrough needs to be enabled.
sonic(config)# aaa authentication mode failthrough enable

# Configure the TACACS+ server.
sonic# configure terminal
sonic(config)# tacacs+ server 10.250.0.243 timeout 30 key auth type pap
# Enter the passkey of the TACACS+ authentication server after the command is completed;
# it needs to be consistent with the configuration on the TACACS+ server.
```

Verify the configuration:

```
# Client login via SSH remotely.
ssh su1@10.250.0.206
Connecting to 10.250.0.206:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].

WARNING! The remote SSH server rejected X11 forwarding request.
Linux sonic 4.9.0-14-2-amd64 #1 SMP Debian 4.9.246-2 (2020-12-17) x86_64
(ASCII-art login banner omitted)
Asterfusion Network Operating System
Help: http://www.asterfusion.com/
su1@sonic:~$
```

## Management VRF

### Introduction

By separating service port traffic from management port traffic, the security of the management network can be improved.

### Configure Management VRF

Table 8 Configure management VRF

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter the management port configuration view | `interface mgmt 0` | |
| Configure the management port VRF | `vrf mgmt` | |

### Display and Maintenance

Table 9 Management VRF display and maintenance

| Purpose | Commands | Description |
| --- | --- | --- |
| Display the management interface IP and gateway | `show interface mgmt` | |
| Display the management VRF | `show interface mgmt vrf` | |

## Storm Control

### Introduction

Storm control, the storm suppression function, should be configured on the traffic ingress. After broadcast/unknown unicast/multicast storm suppression is configured on an interface, when the corresponding traffic on the interface exceeds the threshold set by the user, the system automatically drops the packets that exceed the traffic limit, preventing BUM packets from affecting the forwarding of normal network service traffic.

### Configure Storm Control

Currently storm control only supports configuration on physical interfaces. When the storm control parameters of an interface need to be modified, you do not need to delete the previous configuration; the repeated configuration automatically overwrites the previous one.

You can set the rate limit in bps (bytes per second) or pps (packets per second). The actual rate limit in packets may not be accurate due to different chip implementations. For example, some chips implement rate limits in packets by using a fixed packet length that is translated into a rate limit in bytes, in which case the suppression threshold configured on the port may not be consistent with the actual effective suppression threshold.

Table 10 Configure storm control profile

| Purpose | Commands | Description |
| --- | --- | --- |
| Enter global configuration view | `configure terminal` | |
| Enter interface configuration view | `interface ethernet interface-number` | |
| Configure a storm suppression policy | `storm suppress { unknown unicast \| broadcast \| multicast } { bytes \| packets } limit-value [ cbs cbs-value ]` | limit-value: specify the rate limit value, which ranges from 7812 to 300000000000 bit/sec in bytes mode and 61 to 2343750000 pkts/sec in packets mode. cbs-value: specify the committed burst size, which is the amount of committed burst traffic that can pass instantaneously. The range of values is 1 to 1518500249 bytes in bytes mode and 1 to 11863283 packets in packets mode. |

### Display and Maintenance

Table 11 Display and maintenance

| Purpose | Commands | Description |
| --- | --- | --- |
| Display the configuration for storm suppression | `show storm suppress` | |
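The following added example (not code from this guide or the switch) does two things with the values in Table 10: it validates a storm suppression policy against the documented ranges before the command is typed, and it works through the caveat about packet-mode limits on chips that assume a fixed packet length. The chip's assumed length (64 bytes) and the traffic sizes are constructed assumptions; the command syntax and the ranges are taken from Table 10 as written, including the unit the page gives for bytes mode.

```python
"""Storm control parameter check and effective-threshold estimate, added as an
illustration of Table 10 and of the fixed-packet-length caveat."""
from typing import Dict, Optional, Sequence

# Ranges from Table 10 (the page states bytes-mode limits in bit/sec).
LIMIT_RANGE = {"bytes": (7812, 300_000_000_000), "packets": (61, 2_343_750_000)}
CBS_RANGE = {"bytes": (1, 1_518_500_249), "packets": (1, 11_863_283)}
TRAFFIC_TYPES = ("unknown unicast", "broadcast", "multicast")


def is_valid_limit(mode: str, value: int) -> bool:
    lo, hi = LIMIT_RANGE[mode]
    return lo <= value <= hi


def is_valid_cbs(mode: str, value: int) -> bool:
    lo, hi = CBS_RANGE[mode]
    return lo <= value <= hi


def storm_suppress_command(traffic: str, mode: str, limit: int,
                           cbs: Optional[int] = None) -> str:
    """Validate the parameters against Table 10 and render the CLI line."""
    if traffic not in TRAFFIC_TYPES:
        raise ValueError(f"traffic type must be one of {TRAFFIC_TYPES}")
    if mode not in LIMIT_RANGE:
        raise ValueError("mode must be 'bytes' or 'packets'")
    if not is_valid_limit(mode, limit):
        raise ValueError(f"limit {limit} outside {LIMIT_RANGE[mode]} for {mode} mode")
    command = f"storm suppress {traffic} {mode} {limit}"
    if cbs is not None:
        if not is_valid_cbs(mode, cbs):
            raise ValueError(f"cbs {cbs} outside {CBS_RANGE[mode]} for {mode} mode")
        command += f" cbs {cbs}"
    return command


def effective_pps(configured_pps: int, chip_fixed_len: int, actual_len: int) -> int:
    """Estimate what a packet-mode limit really enforces on a chip that converts
    it to a byte rate using a fixed packet length.

    The chip programs configured_pps * chip_fixed_len bytes per second; for real
    packets of actual_len bytes that byte budget admits only
    byte_rate // actual_len packets per second. chip_fixed_len is a constructed
    assumption; check the datasheet of the chip in use for the real value."""
    byte_rate = configured_pps * chip_fixed_len
    return byte_rate // actual_len


def threshold_table(configured_pps: int, chip_fixed_len: int,
                    sizes: Sequence[int] = (64, 128, 512, 1518)) -> Dict[int, int]:
    """Effective pps for a range of packet sizes, to compare against the configured value."""
    return {size: effective_pps(configured_pps, chip_fixed_len, size) for size in sizes}


if __name__ == "__main__":
    print(storm_suppress_command("broadcast", "packets", 10000, cbs=500))
    # A 10000 pps broadcast limit on a chip that assumes 64-byte packets:
    # small packets hit the configured value, 1518-byte packets are cut to ~421 pps.
    for size, pps in threshold_table(10000, 64).items():
        print(f"{size:5d}-byte packets: effective limit {pps} pps")
```

The estimate runs in both directions: if the chip's assumed length is larger than the real packets, the effective limit is higher than configured and a storm of minimum-size packets is suppressed later than intended, which is the case that matters for protecting the control plane. When the two thresholds disagree, configure in bytes mode or verify the behaviour with a traffic generator rather than trusting the configured pps figure.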
