Avaya VSP 4000, VSP 9000, VSP 8000 Technical Configuration Manual

Virtual Services Platform
4000 / 8000 / 9000
Engineering
Technical Configuration Guide
Avaya Networking
Document Date: April 2015
Document Number: NN48500-650
Document Version: 1.1
avaya.com
March 2015
© 2015 Avaya Inc. All Rights Reserved.
Notices
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.
Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya’s agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.
Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support
Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").
Copyright
Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.
Third Party Components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/Copyright.
Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.
Downloading documents
For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support
Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support
Avaya Inc. – External Distribution
Revision Control
Version | Date | Revised By | Remarks
Draft 1 | 3/16/2015 | John Vant Erve, Jeff Cox | Initial Draft
Draft 2 | 4/3/2015 | Didier Ducarre | Review
Draft 3 | 4/9/2015 | Ludovico Stevens | Review and reworked SSH and SNMP sections
Draft 4 | 4/13/2015 | Rob Tyler | Update SSH section
Draft 5 | 4/13/2015 | John Vant Erve, Jeff Cox | Final version
Draft 6 | 4/16/2015 | Ludovico Stevens, Rob Tyler | Updates to SSH section 6 and 8.3
Abstract
This document provides examples on configuring various items related to accessing the VSP 4000 / 8000 / 9000 securely for management purposes. This document covers accessing the switch using Telnet, HTTP, SSL, SSH, and SNMP.
Table of Contents
Figures .......................................................................................................................................................... 7
Tables ............................................................................................................................................................ 8
1. Overview ............................................................................................................................................. 10
2. Enabling or Disabling Access Services via Boot Configuration Flags ................................................ 10
2.1 Enhanced Secure Mode .............................................................................................................. 11
2.1.1 Enhanced Security Password Requirements ......................................................................................... 12
2.1.2 Enhanced Security Configuration ........................................................................................................... 12
3. Local password protection .................................................................................................................. 17
3.1 CLI Password Protection ............................................................................................................. 17
3.1.1 User Names and Passwords .................................................................................................................. 18
3.1.2 Enabling or Disabling Access Levels ...................................................................................................... 18
3.3 High Secure (hsecure) Mode ...................................................................................................... 20
3.3.1 Access Level Options – hsecure mode .................................................................................................. 20
3.4 CLI Logging ................................................................................................................................. 21
3.5 CLI Prompt .................................................................................................................................. 21
3.6 Login message and password prompt ........................................................................................ 21
3.7 Telnet Access Configuration Examples using Local Users with hsecure disabled ..................... 22
3.7.1 Local Password Configuration - Password Security Disabled ................................................................ 22
3.7.2 Verify Operations .................................................................................................................................... 23
4. Password Protection using RADIUS Authentication ........................................................................... 24
4.1 Enabling RADIUS globally .......................................................................................................... 26
4.2 Adding RADIUS server for authentication ................................................................................... 26
4.3 CLI Profile .................................................................................................................................... 27
4.4 Enabling RADIUS accounting globally ........................................................................................ 27
4.5 Enabling accounting for CLI commands ..................................................................................... 27
4.6 RADIUS Password Configuration Example ................................................................................ 28
4.6.1 Ethernet Routing Switch Configuration ................................................................................................... 28
4.6.2 VSP Switch: Verify Operations ............................................................................................................... 29
4.6.3 IDE RADIUS Configuration .................................................................................................................... 31
4.6.4 Verify Operations .................................................................................................................................... 52
5. Password Protection using TACACS+ Authentication ........................................................................ 56
5.1 Enabling TACACS+ globally ....................................................................................................... 58
5.2 Changing TACACS+ user levels ................................................................................................. 58
5.3 TACACS+ Configuration Example .............................................................................................. 59
5.3.1 VSP Switch Configuration ...................................................................................................................... 59
5.3.2 Verify Operations .................................................................................................................................... 59
5.3.3 IDE TACACS+ Configuration ................................................................................................................. 61
5.4 TACACS+ Configuration Example with Command Restrictions ................................................. 65
5.4.1 VSP Switch Configuration ...................................................................................................................... 66
5.4.2 IDE TACACS+ Configuration ................................................................................................................. 67
5.4.3 Verify Operations .................................................................................................................................... 76
6. Secure Shell (SSH) and SFTP/SCP ................................................................................................... 78
6.1 SSH Configuration Example – Password Authentication ........................................................... 82
6.1.1 Configuration .......................................................................................................................................... 82
6.1.2 Verify Operations .................................................................................................................................... 85
6.2 SSH Configuration Example –Public Key Authentication ........................................................... 86
6.2.1 Configuration .......................................................................................................................................... 86
6.2.2 Verify Operations .................................................................................................................................... 94
7. WEB Access – Enterprise Device Manager ....................................................................................... 95
7.1 EDM configuration Example ........................................................................................................ 96
7.1.1 Configuration .......................................................................................................................................... 96
7.1.2 Verify Operations .................................................................................................................................. 100
8. SNMP ................................................................................................................................................ 101
8.1 SNMPv3 Overview .................................................................................................................... 101
8.2 Blocking SNMP ......................................................................................................................... 102
8.3 Blocking SNMPv1/2 only ........................................................................................................... 102
8.4 Community Strings .................................................................................................................... 103
8.4.1 Displaying the default Community Strings ............................................................................................ 104
8.5 Adding a new Community String ............................................................................................... 105
8.6 Deleting Community Strings ...................................................................................................... 105
8.7 Community Strings – Virtual Routers ........................................................................................ 106
8.8 Community String Configuration Example: Allowing only read-only access using the default community strings ................................................................. 107
8.8.1 Configuration ........................................................................................................................................ 107
8.8.2 Verify Operations .................................................................................................................................. 107
8.9 Configuration Example: Changing the Default SNMP Community Names .............................. 108
8.9.1 Configuration ........................................................................................................................................ 108
8.9.2 Verify Operations .................................................................................................................................. 108
8.10 Configuration Example: Adding additional SNMP community strings ...................................... 109
8.10.1 Configuration.................................................................................................................................... 109
8.10.2 Verify Operations ............................................................................................................................. 109
8.11 Creating a MIB View ................................................................................................................. 110
8.12 Configuration Example – Adding a new SNMP MIB view ......................................................... 111
8.12.1 Configuration.................................................................................................................................... 111
8.12.2 Verify Operations ............................................................................................................................. 111
8.13 SNMPv3 Configuration Steps ................................................................................................... 112
8.13.1 Loading the DES or AES Encryption Module ................................................................................... 112
8.13.2 Adding a New SNMPv3 User ........................................................................................................... 112
8.13.3 Adding USM Group .......................................................................................................................... 113
8.14 SNMPv3 Configuration Example............................................................................................... 115
8.14.1 Configuration.................................................................................................................................... 115
8.14.2 Verify Operations ............................................................................................................................. 116
8.15 SNMP Traps .............................................................................................................................. 119
8.15.1 Trap Receivers................................................................................................................................. 119
8.16 SNMPv1 Trap Configuration Example ...................................................................................... 120
8.16.1 Configuration.................................................................................................................................... 120
8.16.2 Verify Operations ............................................................................................................................. 120
9. Access Policy .................................................................................................................................... 123
9.1 Enable Access Polices Globally ................................................................................................ 123
9.2 Adding an Access Policy ........................................................................................................... 124
9.3 Access Policies and SNMP ....................................................................................................... 126
9.4 Access Policy Configuration Example – Adding SNMPv1/2c, SSH, FTP, and TELNET Services 127
9.4.1 Configuration ........................................................................................................................................ 127
9.4.2 Verify Operations .................................................................................................................................. 129
9.5 Access Policy Configuration Example – limit SNMPv3 to specific host and Telnet Access to a specific network ..................................................................... 132
9.5.1 Configuration ........................................................................................................................................ 132
9.5.2 Verify Operations .................................................................................................................................. 134
10. Reference Documentation ............................................................................................................ 137
Figures
Figure 1: SNMPv3 USM ............................................................................................................................ 101
Figure 2: MIB Structure ............................................................................................................................. 110
Tables
Table 1: Enhanced User Levels .................................................................................................................. 11
Table 2: Default User Names and Password .............................................................................................. 17
Table 3: RADIUS Features ......................................................................................................................... 24
Table 4: RADIUS Attributes ........................................................................................................................ 24
Table 5: Enhanced Security RADIUS Attributes ......................................................................................... 25
Table 6: RADIUS Events Logged ............................................................................................................... 25
Table 7: TACACS+ Access Levels ............................................................................................................. 56
Table 8: Enhanced Security TACACS+ Attributes ...................................................................................... 56
Table 9: SSH clients .................................................................................................................................... 78
Table 10: DSA authentication access level and file name .......................................................................... 79
Table 11: RSA authentication access level and file name .......................................................................... 81
Table 12: Navigation pane buttons ............................................................................................................. 98
Table 13: Navigation tree folders ................................................................................................................ 98
Conventions
This section describes the text, image, and command conventions used in this document.
Symbols
Tip – Highlights a configuration or technical tip.
Note – Highlights important information to the reader.
Warning – Highlights important information about an action that may result in equipment damage, configuration or data loss.
Text
Bold text indicates emphasis.
Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command:
ERS5520-48T# show running-config
Output examples from Avaya devices are displayed in a Lucida Console font:
ERS5520-48T# show sys-info
Operation Mode: Switch
MAC Address: 00-12-83-93-B0-00
PoE Module FW: 6370.4
Reset Count: 83
Last Reset Type: Management Factory Reset
Power Status: Primary Power
Autotopology: Enabled
Pluggable Port 45: None
Pluggable Port 46: None
Pluggable Port 47: None
Pluggable Port 48: None
Base Unit Selection: Non-base unit using rear-panel switch
sysDescr: Ethernet Routing Switch 5520-48T-PWR
HW:02 FW:6.0.0.10 SW:v6.2.0.009
Mfg Date:12042004 HW Dev:H/W rev.02
1. Overview
This document provides a guide on how to configure various items related to access security for management purposes on the Virtual Services Platform switch.
2. Enabling or Disabling Access Services via Boot Configuration Flags
You can enable or disable access services by setting boot configuration flags from the Run-Time CLI. To enable or disable an access service by setting the corresponding boot configuration flag, enter the following commands.
VSPswitch:1(config)#boot config flags block-snmp
VSPswitch:1(config)#no boot config flags block-snmp
VSPswitch:1(config)#boot config flags ftpd
VSPswitch:1(config)#no boot config flags ftpd
VSPswitch:1(config)#boot config flags rlogind
VSPswitch:1(config)#no boot config flags rlogind
VSPswitch:1(config)#boot config flags sshd
VSPswitch:1(config)#no boot config flags sshd
VSPswitch:1(config)#boot config flags telnetd
VSPswitch:1(config)#no boot config flags telnetd
VSPswitch:1(config)#boot config flags tftpd
VSPswitch:1(config)#no boot config flags tftpd
To view the current boot configuration file settings, enter either of the following commands.
VSPswitch:1(config)#show boot config flags
VSPswitch:1#more /intflash/config.cfg
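As an added example (not Avaya's code and not part of this guide), the following Python script reads `boot config flags <flag>` / `no boot config flags <flag>` statements in the syntax shown above, takes the last statement for each flag as its effective state, and reports access services whose state differs from a hardened posture. The posture in RECOMMENDED and the sample configuration text are this example's own constructions, and it assumes the saved configuration carries the statements in the same form as the CLI commands.

```python
"""Audit of VSP access-service boot flags from configuration text.

Constructed example: parses the `boot config flags` statements from this
section, resolves the effective state of each flag and compares it with an
example posture that keeps only encrypted management services enabled.
"""
import re

# Access-service flags listed in this section, plus enhancedsecure-mode (2.1).
ACCESS_FLAGS = {"block-snmp", "ftpd", "rlogind", "sshd", "telnetd", "tftpd",
                "enhancedsecure-mode"}

# Example posture (this script's own, not a statement from the guide):
# cleartext services off, SSH on, enhanced secure mode on. block-snmp is left
# out because SNMP is usually restricted by access policy rather than blocked.
RECOMMENDED = {"telnetd": False, "ftpd": False, "tftpd": False,
               "rlogind": False, "sshd": True, "enhancedsecure-mode": True}

_FLAG_RE = re.compile(r"^\s*(no\s+)?boot config flags\s+(\S+)\s*$")


def parse_flags(config_text: str) -> dict[str, bool]:
    """Map flag name -> enabled from `boot config flags` / `no boot config flags`.

    A later statement overrides an earlier one, as it would when the lines
    are replayed on the CLI. Unknown flags are ignored.
    """
    state: dict[str, bool] = {}
    for line in config_text.splitlines():
        match = _FLAG_RE.match(line)
        if not match:
            continue
        negated, flag = match.group(1), match.group(2)
        if flag in ACCESS_FLAGS:
            state[flag] = negated is None
    return state


def audit(state: dict[str, bool]) -> list[str]:
    """Return findings where the effective state differs from RECOMMENDED.

    A flag that never appears is reported as unverified rather than assumed
    to be at its default, because the default may differ between releases.
    """
    findings = []
    for flag, wanted in sorted(RECOMMENDED.items()):
        if flag not in state:
            findings.append(f"{flag}: not set explicitly "
                            "(verify with 'show boot config flags')")
        elif state[flag] != wanted:
            actual = "enabled" if state[flag] else "disabled"
            expected = "enabled" if wanted else "disabled"
            findings.append(f"{flag}: is {actual}, recommended {expected}")
    return findings


# Constructed sample in the syntax of this section (not a real device's config).
# telnetd is enabled, re-enabled and finally disabled; the last statement wins.
SAMPLE_CONFIG = """\
boot config flags ftpd
boot config flags telnetd
no boot config flags rlogind
boot config flags sshd
no boot config flags tftpd
boot config flags telnetd
no boot config flags telnetd
"""

if __name__ == "__main__":
    for finding in audit(parse_flags(SAMPLE_CONFIG)):
        print(finding)
```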
2.1 Enhanced Secure Mode
The switch supports a configurable flag called enhanced secure. After you enable the boot config flag enhancedsecure-mode, enhanced secure mode allows the system to provide role-based access levels, stronger password requirements, and stronger rules on password length, password complexity, password change intervals, password reuse, and password maximum age.
In enhanced secure mode the VSP switch does not support the default SNMPv1 and SNMPv2 community strings, or the default SNMPv3 user name. The individual in the administrator access level role can configure a non-default value for the community strings, and the VSP switch can continue to support SNMPv1 and SNMPv2. The individual in the administrator access level role can also configure a non-default value for the SNMPv3 user name, and the VSP switch can continue to support SNMPv3. If you disable enhanced secure mode, the SNMPv1 and SNMPv2 support for community strings remains the same, and the default SNMPv3 user name remains the same.
After you enable enhanced secure mode, the switch supports role-based authentication levels. With enhanced secure mode enabled, the switch supports the following authentication access levels for local authentication, Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System Plus (TACACS+) authentication:
- Administrator
- Privilege
- Operator
- Auditor
- Security
Each user name is associated with a certain role in the product, and the authorization rights for viewing and executing commands appropriate to that role are available to it.
Table 1: Enhanced User Levels
Access level | Description | Login location
Administrator | The administrator access level permits all read-write access, and can change security settings. The administrator access level can configure ACLI and web-based management user names, passwords, and the SNMP community strings. The administrator access level can also view audit logs. | SSH/Telnet (in band/mgmt)/console
Privilege | The privilege access level has the same access permission as the administrator; however, the privilege access level cannot use RADIUS or TACACS+ authentication. The system must authenticate the privilege access level within the VSP switch at a console level. The privilege access level is also known as emergency-admin. | Console
Operator | The operator access level can view most switch configurations and status information. The operator access level can change physical port settings at layer 2 and layer 3. The operator access level cannot access audit logs or security settings. | SSH/Telnet (in band/mgmt)/console
Auditor | The auditor access level can view configuration information, status information, and audit logs. | SSH/Telnet (in band/mgmt)/console
Security | The security access level can change security settings only. The security access level also has permission to view configuration and status information. | SSH/Telnet (in band/mgmt)/console
Enable enhanced secure mode and reboot the switch. After the switch reboots, log in using the initial administrator user name and password of admin/admin; you are then required to change the user name and to set a password of 15 characters total that meets the requirements outlined in section 2.1.1.
2.1.1 Enhanced Security Password Requirements
After enabling enhanced security mode on the switch, you will be able to log in for the first time using a user name and password of admin/admin and will then be prompted to change both the user name and the password. The password for the admin user must be 15 characters and must contain at least two characters from each of the following ranges:
- Two uppercase characters, from the range: ABCDEFGHIJKLMNOPQRSTUVWXYZ
- Two lowercase characters, from the range: abcdefghijklmnopqrstuvwxyz
- Two numeric characters, from the range: 1234567890
- Two special characters, from the range: `~!@#$%^&*()_-+={[}]|\:;"'<,>.?/
Please note the above requirement applies only to the administrator user.
2.1.2 Enhanced Security Configuration
VSPswitch:1(config)#boot config flags enhancedsecure-mode
Warning: Enhancedsecure-mode flag is enabled
Warning: Please save configuration and reboot the switch
for this to take effect.
VSPswitch:1(config)#save config
VSPswitch:1(config)#reset -y
Copyright(c) 2010-2015 Avaya, Inc.
All Rights Reserved.
Virtual Services Platform 8200
VSP Operating System Software Build 4.2.0.0_B015 (PRIVATE)
Built: Thu Mar 12 18:18:49 EDT 2015
Unsupported Software, Internal Use Only
AVAYA COMMAND LINE INTERFACE
Login: admin
Password: admin
This is an initial attempt using the default user name and password.
Please change the user name and password to continue.
Enter the new name : rwa
Enter the New password : Admin@!Jvelab123
Re-enter the New password : Admin@!Jvelab123
8202:1>en
8202:1#show cli password
change-interval 24
min-passwd-len 8
password-history 3
password-rule 1 1 1 1
pre-expiry-notification-interval 1 7 30
post-expiry-notification-interval 1 7 30
access-level
ACCESS LOGIN AGING MAX-SESSIONS STATE
admin rwa 90 3 ena
privilege 90 3 dis
operator 90 3 dis
security 90 3 dis
auditor 90 3 dis
Default Lockout Time 60
Lockout-Time:
Please note the min-passwd-len and password-rule shown above apply to all users except the administrator user.
Adding a new temporary user name and password via the administrator access level.
Please note the privilege user can only be changed via the console port.
Password aging – default is 90 days
Password change interval – default is 24 hours. This is the minimum time before you can change to a new password.
Password length – default is 15 total characters
Password maximum sessions – default is 3 per user name
Password history – default is 3 previous passwords remembered
A user in the administrator access role can configure a temporary user name and password. After this user logs in for the first time with the temporary user name and password, the system will force the user to change the temporary user name and password. After you change the temporary user name and password, you cannot use them again in subsequent sessions.
VSPswitch:1(config)#password create-user <auditor|operator|privilege|security> <user name>
VSPswitch:1(config)#password create-user operator user1
## After user1 logs in, the user will be prompted to enter a new user name and password. Note, you cannot use the same user name or password as that temporarily configured.
Login: user1
Password: **********
This is an initial attempt using the default user name and password.
Please change the user name and password to continue.
Enter the new name : userabcd
Enter the New password : ************
Re-enter the New password : ************
VSPswitch:1(config)#password aging-time day <1-365> user <user name>
VSPswitch:1(config)#password change-interval <1-999>
VSPswitch:1(config)#password min-passwd-len <8-32>
VSPswitch:1(config)#password max-sessions <1-8> user-name <user name>
VSPswitch:1(config)#password password-history <3-32>
Password rule – change between 1 and 2 upper-case, lower-case, numeric-case, and special-case characters. By default, 2 is used for each
Change default lockout time – default is 60 seconds. This is the length of time a user is locked out if the incorrect user name and/or password is entered
Password pre-notification and post-notification interval rule
Factory setting – you can default any password setting by adding default prior to the password setting. Once defaulted, you must save the configuration and reboot the switch
VSPswitch:1(config)#password password-rule <upper-case: 1-2> <lower-case: 1-2> <numeric-case: 1-2> <special-characters: 1-2>
Example: 1 upper case, 2 lower case, 2 numbers, and 1 special character minimum
VSPswitch:1(config)#password password-rule 1 2 2 1
VSPswitch:1(config)#password default-lockout-time <61-65000>
In enhanced security mode, the switch enforces password expiry. To ensure a user does not lose access, the switch offers pre-expiry and post-expiry notification messages explaining when the password will expire. The administrator can define the pre and post notification intervals between 1 and 99 days. If you do not change the password before the expiry date, the system locks the account. Once locked, only the administrator can unlock the account: the administrator creates a temporary password that the user must log in with initially and then change.
VSPswitch:1(config)#password pre-expiry-notification-interval <interval 1: 1-99> <interval 2: 1-99> <interval 3: 1-99>
VSPswitch:1(config)#password post-expiry-notification-interval <interval 1: 1-99> <interval 2: 1-99> <interval 3: 1-99>
VSPswitch:1(config)#default password <setting>
VSPswitch:1(config)#save config
VSPswitch:1(config)#reset
Example: Default the password rule
VSPswitch:1(config)#default password password-rule
VSPswitch:1(config)#save config
VSPswitch:1(config)#reset -y
Factory default – reset to factory default plus remove all enhanced user accounts
Only a user with the administrator access role can use this command to return the system to the factory defaults and delete all the configured user accounts.
VSPswitch:1(config)#sys system-default
WARNING: Executing this command returns the system to factory defaults and deletes all local configured user accounts.
This command needs system reset to take into effect
Do you want to continue (y/n) ? y
VSPswitch:1(config)#save config
VSPswitch:1(config)#reset
3. Local password protection
3.1 CLI Password Protection
The following table shows the default values for logon and password for both console and Telnet sessions.
Table 2: Default User Names and Password
Access level: Read-only (default logon: ro, default password: ro)
  Permits view-only configuration and status information. Is equivalent to Simple Network Management Protocol (SNMP) read-only community access.
Access level: Layer 1 read/write (default logon: l1, default password: l1)
  View most switch configuration and status information and change physical port settings.
Access level: Layer 2 read/write (default logon: l2, default password: l2)
  View and change configuration and status information for Layer 2 (bridging and switching) functions.
Access level: Layer 3 read/write (default logon: l3, default password: l3)
  View and change configuration and status information for Layer 2 and Layer 3 (routing) functions.
Access level: Read/write (default logon: rw, default password: rw)
  View and change configuration and status information across the switch. You cannot change security and password settings. This access level is equivalent to SNMP read/write community access.
Access level: Read/write/all (default logon: rwa, default password: rwa)
  Permits all the rights of Read/Write access and the ability to change security settings, including the CLI and Web-based management user names and passwords and the SNMP community strings.
3.1.1 User Names and Passwords
The default user name and password can be changed by issuing the following command.
VSPswitch:1(config)#cli password <login user name> ?
layer1 Change layer1 read write login/password
layer2 Change layer2 read write login/password
layer3 Change layer3 read write login/password
read-only Change read only login/password
read-write Change read write login/password
read-write-all Change read write all login/password
For example, to change the read-write-all password while keeping the default user name rwa, enter the command shown below. After entering this command, you will be prompted for the old password, then asked to enter and confirm the new password.
VSPswitch:1(config)#cli password rwa read-write-all
Enter the old password : rwa
Enter the New password : ******
Re-enter the New password : ******
3.1.2 Enabling or Disabling Access Levels
To enable or disable a user level, enter the following command.
VSPswitch:1(config)#password access-level <access level>
VSPswitch:1(config)#no password access-level <access level>
For example, to disable the read-only access level, enter the following command
VSPswitch:1(config)#no password access-level ro
To change aging time, lockout time, minimum password length, or password history:
VSPswitch:1(config)#password access-level <word> ?
aging-time Set age-out time for passwords
default-lockout-time Change the default lockout time after three invalid attempts
min-passwd-len Set the minimum length of passwords in hsecure mode
password-history Number of previous passwords to remember
<cr>
The following command confirms the change.
VSPswitch:1#show cli password
access-level
aging 90
min-passwd-len 8
password-history 3
ACCESS LOGIN STATE
rwa rwa NA
rw rw ena
l3 l3 ena
l2 l2 ena
l1 l1 ena
ro ro dis
Default Lockout Time 60
Lockout-Time:
IP Time
3.3 High Secure (hsecure) Mode
The switch supports a configurable flag called high secure (hsecure). High secure mode introduces a protection mechanism to filter invalid source network broadcast IP addresses communicating with the CPU, limitation of failed logon attempts, and two restrictions on passwords: 10-character enforcement and aging time. An example of an invalid source would be an interface in subnet 192.168.168.0/24 where source IP addresses of 192.168.168.0 and 192.168.168.255 are discarded.
After you enable the hsecure flag, the software enforces the 10-character rule for all passwords. This password must contain a minimum of two uppercase characters, two lowercase characters, two numbers, and two special characters.
After you enable hsecure, the system requires you to save the configuration file and reboot the system for hsecure to take effect. If the existing password does not meet the minimum requirements for hsecure, the system prompts you to change the password during the first login.
The default username is rwa and the default password is rwa. In hsecure, the system prompts you to change these during first login because they do not meet the minimum requirements for hsecure.
When you enable hsecure, the system disables Simple Network Management Protocol (SNMP) v1, SNMPv2 and SNMPv3. If you want to use SNMP, you must re-enable SNMP, using the command no boot config flag block-snmp.
After you enable the hsecure flag, you can configure a duration after which you must change your password. You configure the duration by using the aging parameter.
For SNMP and File Transfer Protocol (FTP), after a password expires, access is denied. Before you access the system, you must change a community string to a new string consisting of more than eight characters.
Consider the following after you enable the hsecure flag:
  o You cannot enable the Web server for Enterprise Device Manager (EDM) access.
  o You cannot enable Secure Shell (SSH) password authentication.
To enable hsecure mode, enter the following commands. You will be prompted with an error message if telnet or rlogin is enabled.
VSPSwitch:1(config)#boot config flags hsecure
Warning: If your CLI session is running over Telnet or Rlogin -
you will be disconnected and will not be able to reconnect.
Are you sure you want to continue (y/n) ? y
3.3.1 Access Level Options – hsecure mode
If High Security (hsecure) is enabled, you can set the aging time, lockout time, minimum password length, and password history using the following command. By default, the aging time is set for 90 seconds, minimum password length is set for 10 characters, and the password history is set for 3 previous passwords.
VSPSwitch:1(config)#password ?
aging-time Set age-out time for passwords
default-lockout-time Change the default lockout time after three invalid attempts
min-passwd-len Set the minimum length of passwords in hsecure mode
password-history Number of previous passwords to remember
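Added illustration, not Avaya code: a checker that applies the password settings this guide describes (min-passwd-len, password-rule, password-history and the create-user temporary password rule from the earlier section, plus the fixed hsecure rule of 10 characters with two of each class) so an administrator can test a candidate password against the policy parsed from show cli password output before handing it out. The set of characters counted as "special" is an assumption; the guide does not list them.

```python
import re

# Added illustration, not Avaya code. The character set counted as "special" is an
# assumption; the guide only says "special characters".
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")

# Constructed from the 'show cli password' output printed earlier in this guide.
SHOW_CLI_PASSWORD_SAMPLE = """change-interval 24
min-passwd-len 8
password-history 3
password-rule 1 1 1 1
"""


class PasswordPolicy:
    """The CLI password settings that decide whether a new password is accepted."""

    def __init__(self, min_len, upper, lower, numeric, special, history=3):
        self.min_len = min_len
        self.rule = {"upper": upper, "lower": lower, "numeric": numeric, "special": special}
        self.history = history  # number of previous passwords remembered

    @classmethod
    def from_show_cli_password(cls, output):
        """Read min-passwd-len, password-rule and password-history from CLI output."""
        min_len = int(re.search(r"min-passwd-len\s+(\d+)", output).group(1))
        history = int(re.search(r"password-history\s+(\d+)", output).group(1))
        rule = re.search(r"password-rule\s+(\d)\s+(\d)\s+(\d)\s+(\d)", output)
        upper, lower, numeric, special = (int(x) for x in rule.groups())
        return cls(min_len, upper, lower, numeric, special, history)


# hsecure rule from section 3.3: 10 characters, two of each class.
HSECURE_POLICY = PasswordPolicy(min_len=10, upper=2, lower=2, numeric=2, special=2)


def count_classes(password):
    return {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL_CHARS for c in password),
    }


def check_password(password, policy, previous=(), temp_password=None):
    """Return the list of rule violations; an empty list means the password is acceptable.
    previous: earlier passwords, newest first; only the last policy.history of them count.
    temp_password: the one-time password from 'password create-user', which the guide
    says cannot be reused at the forced first-login change."""
    problems = []
    if len(password) < policy.min_len:
        problems.append(f"shorter than min-passwd-len {policy.min_len}")
    counts = count_classes(password)
    for name, needed in policy.rule.items():
        if counts[name] < needed:
            problems.append(f"needs at least {needed} {name} character(s), has {counts[name]}")
    if password in tuple(previous)[:policy.history]:
        problems.append(f"reuses one of the last {policy.history} passwords")
    if temp_password is not None and password == temp_password:
        problems.append("reuses the temporary password")
    return problems


if __name__ == "__main__":
    policy = PasswordPolicy.from_show_cli_password(SHOW_CLI_PASSWORD_SAMPLE)
    for candidate in ("rwa", "Admin@!Jvelab123"):
        print(candidate, check_password(candidate, policy), check_password(candidate, HSECURE_POLICY))
```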
3.4 CLI Logging
If you wish, you can enable CLI logging of ACLI commands executed. The ACLI commands are logged to the system log file using the CLILOG module.
VSPswitch:1(config)#clilog enable
VSPswitch:1(config)#show logging file module clilog
To disable CLI logging:
VSPswitch:1(config)#no clilog enable
3.5 CLI Prompt
To change the CLI prompt, enter the following command.
VSPswitch:1(config)#prompt <word, 0-255>
To change to the default CLI prompt:
VSPswitch:1(config)#default prompt
3.6 Login message and password prompt
To change the default CLI login prompt, first you must disable the default login prompt (no login-message) and then enter the new prompt.
VSPswitch:1(config)#no login-message
VSPswitch:1(config)#login-message {string length 1..1513}
To change the default CLI password prompt, first you must disable the default password prompt and then enter the new prompt.
VSPswitch:1(config)#no passwordprompt
VSPswitch:1(config)#passwordprompt {string length 1..1510}
To change the login-message and password prompt back to the default settings:
VSPswitch:1(config)#default login-message
VSPswitch:1(config)#default passwordprompt
3.7 Telnet Access Configuration Examples using Local Users with hsecure disabled
3.7.1 Local Password Configuration - Password Security Disabled
For this configuration example, we will configure the following.
Change the default read-write-all user name from rwa to user1
  o For user1, use the password rwaccess
Change the default read-only user name from rw to user2
  o For user2, use the password readwrite
Change the default login and password prompt from Login: and Password: to Enter username: and Enter your password:
Step 1 – Add new user names and passwords
VSPswitch:1(config)#cli password user1 read-write-all
Enter the old password : *** (rwa)
Enter the New password : ******** (rwaccess)
Re-enter the New password : ********
Step 2 – Change default login user and password prompt
VSPswitch:1(config)#no login-message
VSPswitch:1(config)#login-message "Enter username: "
VSPswitch:1(config)#no passwordprompt
VSPswitch:1(config)#passwordprompt "Enter your password: "
3.7.2 Verify Operations
Step 1 – Verify user names
VSPswitch:1(config)#show cli password
access-level
aging 90
min-passwd-len 10
password-history 3
ACCESS LOGIN STATE
rwa user1 NA
rw user2 ena
l3 l3 ena
l2 l2 ena
l1 l1 ena
ro ro ena
Default Lockout Time 60
Lockout-Time:
IP Time
Step 2 – Verify the login prompt
VSPswitch:1(config)#show cli info
cli configuration
more : true
screen-lines : 23
telnet-sessions : 8
rlogin-sessions : 8
timeout : 900 seconds
monitor duration: 300 seconds
monitor interval: 5 seconds
use default login prompt : false
default login prompt : Login:
custom login prompt : Enter username:
use default password prompt : false
default password prompt : Password:
custom password prompt : Enter your password:
prompt : 9001
4. Password Protection using RADIUS Authentication
Users who access the Avaya switch through Telnet, local console, rlogin, or SSHv2 (password authentication), can be authenticated against a RADIUS server.
RADIUS supports both IPv4 and IPv6 with no differences in functionality or configuration in all but the following case. When you add or update a RADIUS server in Enterprise Device Manager (EDM) you must specify if the address type is an IPv4 or an IPv6 address.
The following table displays the various RADIUS features supported on the VSP switch.
Table 3: RADIUS Features
Feature: Additional user names
  You can use additional user names to access the device, in addition to the six existing user names of ro, L1, L2, L3, rw, and rwa. The RADIUS server authenticates the user name and assigns one of the existing access priorities to that name. Unauthenticated user names are denied access to the device. User names ro, L1, L2, L3, rw, and rwa must be added to the RADIUS server if authentication is enabled. Users not added to the server are denied access.
Feature: User configurable
  o Up to 10 RADIUS servers in each device for fault tolerance (each server is assigned a priority and is contacted in that order).
  o A secret key for each server to authenticate the RADIUS client
  o The server UDP port
  o Maximum retries allowed
  o Time-out period for each attempt
The following chart displays the outbound attribute values required by the VSP switch for each access level for RADIUS vendor identifier 1584 (Bay Networks) attribute type 192.
Table 4: RADIUS Attributes
Access Level             VSA Attribute 26 – Vendor Identifier 1584 Type 192 value
None-Access              0
Read-Only-Access         1
L1-Read-Write-Access     2
L2-Read-Write-Access     3
L3-Read-Write-Access     4
Read-Write-Access        5
Read-Write-All-Access    6
If enhanced security is enabled, the following chart displays the outbound attribute values required by the VSP switch for each access level for RADIUS vendor identifier 1584 (Bay Networks) attribute type 192.
Table 5: Enhanced Security RADIUS Attributes
Access Level    VSA Attribute 26 – Vendor Identifier 1584 Type 192 value
None-Access     0
Auditor         1
Security        2
Operator        3
Privilege       N/A – Not allowed by RADIUS
Admin           6
If you plan to use RADIUS with enhanced secure mode, please enable RADIUS after the enhanced mode is enabled. If RADIUS is enabled prior to enabling the enhanced secure mode, the RADIUS shared key must be re-entered: delete the shared key and enter it again.
In addition, you can deny CLI commands for a user. This is done using RADIUS vendor identifier 1584 attribute types 194 and 195. Attribute type 194 needs to be set to a value of 0 while attribute 195 lists the command you wish to deny to a user.
The following table displays the various events and the information logged for each.
Table 6: RADIUS Events Logged
Event: Accounting is turned on at router
  Accounting information logged at server: Accounting on request: NAS IP address
Event: Accounting is turned off at router
  Accounting information logged at server: Accounting off request: NAS IP address
Event: User logs in
  Accounting information logged at server: Accounting start request: NAS IP address, Session Id, User Name
Event: More than 40 CLI commands are executed
  Accounting information logged at server: Accounting Interim request: NAS IP address, Session Id, CLI commands, User Name
Event: User logs off
  Accounting information logged at server: Accounting Stop request: NAS IP Address, Session Id, Session duration, User Name, number of input octets for session, number of octets output for session, number of packets input for session, number of packets output for session, CLI commands
4.1 Enabling RADIUS globally
To use RADIUS, it must be enabled globally using the following command.
VSPswitch:1(config)#radius enable
If you wish to specify and use a source IP address in the RADIUS server configuration, you must also enable the global parameter using the following command.
VSPswitch:1(config)#radius sourceip-flag
4.2 Adding RADIUS server for authentication
To add a RADIUS server, enter the following command with the option of enabling accounting and specifying the source IP address. If you do not specify the source IP, the VSP switch will use the source IP address of the out-going interface. Depending on the number of out-going interfaces, you may have to add two or more RADIUS authenticators on your RADIUS server unless you specify the source IP address. The source IP address should be a circuitless/loopback IP address which is not tied down to a physical interface.
VSPswitch:1(config)#radius server host <ip address> key <secret key> ?
acct-enable Server acct enabled
acct-port Server acct udp port
enable Server enabled
port Server udp port
priority Server priority
retry Max number of retries
source-ip Source ip address
timeout No answer timeout value
used-by Use for cli,eapol,snmp or web
<cr>
4.3 CLI Profile
If you wish to restrict CLI commands for a user, simply enable the RADIUS cli-profile setting as shown below. On the RADIUS server, via vendor identifier code 1584 using attributes types 194 and 195, set attribute type 194 to a value of 0 and add the CLI command using attribute 195.
VSPswitch:1(config)#radius cli-profile
If you wish to change the default CLI access attribute value to another value other than 194, enter the following command.
VSPswitch:1(config)#radius command-access-attribute <192-240>
If you wish to change the default CLI command attribute value to another value other than 195, enter the following command.
VSPswitch:1(config)#radius cli-commands-attribute <192-240>
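Added example, not Avaya or RADIUS-server code, of the vendor-specific attribute layout that Tables 4 and 5 and the cli-profile settings above refer to: vendor identifier 1584 with sub-attribute 192 carrying the access level, 194 set to 0 and one 195 per denied command (the default attribute numbers shown by show radius). It encodes an Access-Accept attribute list and parses it back the way a switch-side validator would need to, skipping foreign vendors and rejecting bad lengths. The 4-byte integer encoding of 192/194, UTF-8 for 195, and the Python names are assumptions.

```python
import struct

# Added illustration, not Avaya or RADIUS-server code. RFC 2865 Vendor-Specific attribute:
#   Type(26) | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | Value
VENDOR_BAY_NETWORKS = 1584     # vendor identifier the VSP expects (Tables 4 and 5)
VSA_TYPE = 26
ACCESS_PRIORITY_ATTR = 192     # default access-priority attribute (show radius)
COMMAND_ACCESS_ATTR = 194      # default command-access attribute; 0 = deny list follows
CLI_COMMANDS_ATTR = 195        # default cli-commands attribute; one denied command each

# Enhanced-security access-level values from Table 5; other values are not defined there.
ENHANCED_ACCESS_LEVELS = {0: "None-Access", 1: "Auditor", 2: "Security", 3: "Operator", 6: "Admin"}


def encode_vsa(vendor_type, value):
    """Build one Bay Networks VSA. Integer values are packed as 4-byte big-endian and
    strings as UTF-8 (assumptions about the server's encoding, not from the guide)."""
    payload = struct.pack(">I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack(">I", VENDOR_BAY_NETWORKS) + sub
    return struct.pack("BB", VSA_TYPE, 2 + len(body)) + body


def build_access_accept_attrs(access_level, denied_commands=()):
    """Attribute list a RADIUS server would return: access level plus an optional
    deny list, which the switch honours only when 'radius cli-profile' is enabled."""
    attrs = encode_vsa(ACCESS_PRIORITY_ATTR, access_level)
    if denied_commands:
        attrs += encode_vsa(COMMAND_ACCESS_ATTR, 0)
        for cmd in denied_commands:
            attrs += encode_vsa(CLI_COMMANDS_ATTR, cmd)
    return attrs


def parse_attrs(data):
    """Walk a RADIUS attribute list and extract what the VSP acts on. Foreign vendors
    and unknown sub-attributes are skipped; bad lengths are rejected, not trusted."""
    result = {"access_level": None, "access_name": None, "command_access": None, "denied_commands": []}
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute length")
        if atype == VSA_TYPE and alen >= 8 and struct.unpack(">I", data[i + 2:i + 6])[0] == VENDOR_BAY_NETWORKS:
            vtype, vlen = data[i + 6], data[i + 7]
            if vlen < 2 or 6 + vlen > alen:
                raise ValueError("malformed vendor sub-attribute length")
            value = data[i + 8:i + 6 + vlen]
            if vtype == ACCESS_PRIORITY_ATTR and len(value) == 4:
                result["access_level"] = struct.unpack(">I", value)[0]
                result["access_name"] = ENHANCED_ACCESS_LEVELS.get(result["access_level"], "undefined")
            elif vtype == COMMAND_ACCESS_ATTR and len(value) == 4:
                result["command_access"] = struct.unpack(">I", value)[0]
            elif vtype == CLI_COMMANDS_ATTR:
                result["denied_commands"].append(value.decode("utf-8", errors="replace"))
        i += alen
    # The guide requires attribute 194 to be 0 for the 195 list to apply.
    if result["command_access"] != 0:
        result["denied_commands"] = []
    return result


if __name__ == "__main__":
    sample = build_access_accept_attrs(3, ["reset", "boot config flags hsecure"])
    print(sample.hex())
    print(parse_attrs(sample))
```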
4.4 Enabling RADIUS accounting globally
To use RADIUS accounting, it must also be enabled globally using the following command.
VSPswitch:1(config)#radius accounting enable
4.5 Enabling accounting for CLI commands
You can specify whether you want CLI commands included in RADIUS accounting requests by issuing the following command.
VSPswitch:1(config)#radius accounting include-cli-commands
You can also specify the number of CLI commands entered prior to the VSP switch sending a CLI accounting record. The default setting is 40. If you wish to change the default value, enter the following command.
VSPswitch:1(config)#radius cli-cmd-count <1-40>
4.6 RADIUS Password Configuration Example
For this configuration example, we will configure the VSP switch for RADIUS authentication using IPv4 addressing and using the loopback address as the source IP for CLI and EDM authentication. We will also show the configuration steps required using Avaya’s Identity Engines Ignition Server.
4.6.1 Ethernet Routing Switch Configuration
Up to ten RADIUS servers are supported on the VSP switch, where each server is assigned a priority and is contacted in priority order. For this configuration example we will simply configure one RADIUS server using IPv4 addressing and use the IP loopback address as the source IP address. Please note that CLI RADIUS authentication is selected by default when adding a RADIUS server; no additional configuration steps are required to enable CLI RADIUS authentication.
Step 1 – Add RADIUS server, enable RADIUS, enable RADIUS accounting, and enable RADIUS accounting to include CLI commands with a command count of 5
VSPswitch:1(config)#radius server host 10.12.120.120 key avaya priority 1 source-ip 10.1.1.81
VSPswitch:1(config)#radius enable
VSPswitch:1(config)#radius accounting enable
VSPswitch:1(config)#radius accounting include-cli-commands
VSPswitch:1(config)#radius sourceip-flag
VSPswitch:1(config)#radius cli-cmd-count 5
Step 2 – Add IP loopback address
VSPswitch:1(config)#interface loopback 1
VSPswitch:1(config-if)#ip address 1 10.1.1.81/255.255.255.255
VSPswitch:1(config-if)#exit
4.6.2 VSP Switch: Verify Operations
Step 1 – Verify the RADIUS configuration
VSPswitch:1#show running-config module radius
#
# RADIUS CONFIGURATION
#
radius server host 10.12.120.120 key ****** priority 1 source-ip 10.1.1.81
radius enable
radius accounting enable
radius accounting include-cli-commands
radius cli-cmd-count 5
radius sourceip-flag
Step 2 – Verify that RADIUS has been enabled globally
VSPswitch:1#show radius
Sub-Context: clear config dump monitor mplsping mplstrace peer show switchover test trace
Current Context:
acct-attribute-value : 193
acct-enable : true
acct-include-cli-commands : true
access-priority-attribute : 192
auth-info-attr-value : 91
command-access-attribute : 194
cli-commands-attribute : 195
cli-cmd-count : 5
cli-profile-enable : false
enable : true
igap-passwd-attr : standard
igap-timeout-log-fsize : 512
maxserver : 10
mcast-addr-attr-value : 90
sourceip-flag : true
Step 3 – Verify the RADIUS server configuration
VSPswitch:1#show radius-server
================================================================================================
Radius Server Entries
================================================================================================
NAME           USEDBY  SECRET  PORT  PRIO  RETRY  TIMEOUT  ENABLED  ACCT PORT  ACCT ENABLED  SOURCE IP
------------------------------------------------------------------------------------------------
10.12.120.120  cli     ******  1812  1     1      3        true     1813       true          10.1.1.81