Brocade FastIron Ethernet Switch Security Configuration Guide

53-1003088-03 30 July 2014

FastIron Ethernet Switch

Security Configuration Guide

Supporting FastIron Software Release 08.0.10d

Brocade, the B-wing symbol, Brocade Assurance, ADX, AnyIO, DCX, Fabric OS, FastIron, HyperEdge, ICX, MLX, MyBrocade, NetIron, OpenScript, VCS, VDX, and Vyatta are registered trademarks, and The Effortless Network and the On-Demand Data Center are trademarks of Brocade Communications Systems, Inc., in the United States and in other countries. Other brands and product names mentioned may be trademarks of others.

Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.

The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.

Preface...................................................................................................................................13

Document conventions....................................................................................13

Text formatting conventions................................................................ 13

Command syntax conventions............................................................ 13

Notes, cautions, and warnings............................................................ 14

Brocade resources.......................................................................................... 15

Getting technical help......................................................................................15

Document feedback........................................................................................ 16

About This Document.............................................................................................................. 17

What’s new in this document ......................................................................... 17

How command information is presented in this guide.....................................17

Security Access ......................................................................................................................19

Supported security access features................................................................ 19

Securing access methods............................................................................... 20

Remote access to management function restrictions..................................... 23

ACL usage to restrict remote access ................................................. 23

Defining the console idle time............................................................. 25

Remote access restrictions................................................................. 25

Restricting access to the device based on IP orMAC address........... 26

Defining the Telnet idle time................................................................27

Specifying the maximum number of login attemptsfor Telnet

access........................................................................................... 27

Changing the login timeout period for Telnet sessions....................... 28

Restricting remote access to the device tospecific VLAN IDs.............28

Designated VLAN for Telnet management sessionsto a Layer 2

Switch............................................................................................ 29

Device management security..............................................................30

Disabling specific access methods..................................................... 30

Passwords used to secure access..................................................................31

Setting a Telnet password ..................................................................32

Setting passwords for management privilege levels........................... 32

Recovering from a lost password........................................................34

Displaying the SNMP community string.............................................. 35

Specifying a minimum password length..............................................35

Local user accounts........................................................................................ 35

Enhancements to username and password........................................36

Local user account configuration........................................................ 40

Changing a local user password......................................................... 41

TACACS and TACACS+ security....................................................................42

How TACACS+ differs from TACACS.................................................42

TACACS/TACACS+ authentication, authorization,and accounting.....42

TACACS authentication...................................................................... 44

TACACS/TACACS+ configuration considerations.............................. 47

Enabling TACACS...............................................................................48

Identifying the TACACS/TACACS+ servers........................................48

Specifying different servers for individual AAA functions.................... 49

FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

Setting optional TACACS and TACACS+ parameters......................49

Configuring authentication-method lists forTACACS and

TACACS+....................................................................................50

Configuring TACACS+ authorization................................................ 53

TACACS+ accounting configuration................................................. 55

Configuring an interface as the source for allTACACS and

TACACS+ packets...................................................................... 56

Displaying TACACS/TACACS+ statistics andconfiguration

information...................................................................................57

RADIUS security........................................................................................... 58

RADIUS authentication, authorization, and accounting.................... 58

RADIUS configuration considerations...............................................61

Configuring RADIUS......................................................................... 61

Brocade-specific attributes on the RADIUS server........................... 62

Enabling SNMP to configure RADIUS.............................................. 63

Identifying the RADIUS server to the Brocade device...................... 64

Specifying different servers for individual AAA functions..................64

RADIUS server per port.................................................................... 64

RADIUS server to individual ports mapping......................................65

RADIUS parameters......................................................................... 66

Setting authentication-method lists for RADIUS............................... 67

RADIUS authorization.......................................................................69

RADIUS accounting.......................................................................... 71

Configuring an interface as the source for allRADIUS packets........ 72

Displaying RADIUS configuration information...................................72

SSL security..................................................................................................73

Specifying a port for SSL communication......................................... 73

Changing the SSL server certificate key size....................................74

Support for SSL digital certificates larger than 2048 bits.................. 74

Importing digital certificates and RSA private key files..................... 74

Generating an SSL certificate........................................................... 75

Deleting the SSL certificate...............................................................75

Authentication-method lists...........................................................................75

Configuration considerations for authentication-method lists........... 76

Examples of authentication-method lists...........................................76

TCP Flags - edge port security..................................................................... 78

Using TCP Flags in combination with other ACL features................ 79

SSH2 and SCP......................................................................................................................81

Supported SSH2 and Secure Copy features................................................ 81

SSH version 2 overview................................................................................81

Tested SSH2 clients..........................................................................82

SSH2 supported features..................................................................82

SSH2 unsupported features..............................................................83

SSH2 authentication types............................................................................83

Configuring SSH2............................................................................. 83

Enabling and disabling SSH by generating and deleting host

keys............................................................................................. 84

Configuring DSA or RSA challenge-response authentication...........86

Optional SSH parameters............................................................................. 88

Setting the number of SSH authentication retries.............................88

Deactivating user authentication.......................................................88

Enabling empty password logins.......................................................89

Setting the SSH port number............................................................ 89

Setting the SSH login timeout value................................................. 89

Designating an interface as the source for all SSH packets............. 90

Configuring the maximum idle time for SSH sessions...................... 90

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Filtering SSH access using ACLs................................................................... 90

Terminating an active SSH connection........................................................... 90

Displaying SSH information............................................................................ 90

Displaying SSH connection information.............................................. 91

Displaying SSH configuration information...........................................91

Displaying additional SSH connection information..............................93

Secure copy with SSH2.................................................................................. 93

Enabling and disabling SCP................................................................93

Secure copy configuration notes.........................................................93

Example file transfers using SCP........................................................94

SSH2 client..................................................................................................... 96

Enabling SSH2 client.......................................................................... 97

Configuring SSH2 client public key authentication..............................97

Using SSH2 client............................................................................... 98

Displaying SSH2 client information..................................................... 99

Rule-Based IP ACLs ..............................................................................................................101

Supported Rule-Based IP ACL Features...................................................... 101

ACL overview................................................................................................ 103

Types of IP ACLs.............................................................................. 104

ACL IDs and entries.......................................................................... 104

Numbered and named ACLs.............................................................105

Default ACL action............................................................................ 105

How hardware-based ACLs work..................................................................106

How fragmented packets are processed...........................................106

Hardware aging of Layer 4 CAM entries........................................... 106

ACL configuration considerations................................................................. 106

Configuring standard numbered ACLs..........................................................107

Standard numbered ACL syntax....................................................... 108

Configuration example for standard numbered ACLs....................... 109

Standard named ACL configuration.............................................................. 109

Standard named ACL syntax............................................................ 109

Configuration example for standard named ACLs............................ 111

Extended numbered ACL configuration........................................................ 112

Extended numbered ACL syntax...................................................... 112

Extended named ACL configuration............................................................. 118

Applying egress ACLs to Control (CPU) traffic............................................. 122

Preserving user input for ACL TCP/UDP port numbers................................ 122

ACL comment text management...................................................................123

Adding a comment to an entry in a numbered ACL.......................... 123

Adding a comment to an entry in a named ACL............................... 124

Deleting a comment from an ACL entry............................................ 124

Viewing comments in an ACL........................................................... 124

Applying an ACL to a virtual interface in a protocol-or subnet-based VLAN.125

ACL logging...................................................................................................126

Configuration notes for ACL logging................................................. 126

Configuration tasks for ACL logging..................................................127

Example ACL logging configuration.................................................. 127

Displaying ACL Log Entries.............................................................. 128

Enabling strict control of ACL filtering of fragmented packets.......................128

Enabling ACL support for switched traffic in the router image...................... 129

Enabling ACL filtering based on VLAN membership or VE port

membership.............................................................................................130

Configuration notes for ACL filtering................................................. 130

Applying an IPv4 ACL to specific VLAN members on a port

(Layer 2 devices only)................................................................. 131

FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

Applying an IPv4 ACL to a subset of ports on a virtual interface

(Layer 3 devices only)............................................................... 132

ACLs to filter ARP packets..........................................................................132

Configuration considerations for filtering ARP packets...................133

Configuring ACLs for ARP filtering..................................................133

Displaying ACL filters for ARP........................................................ 134

Clearing the filter count................................................................... 134

Filtering on IP precedence and ToS values................................................ 134

TCP flags - edge port security.........................................................135

QoS options for IP ACLs.............................................................................135

Configuration notes for QoS options on FCX and ICX devices...... 136

Using an ACL to map the DSCP value (DSCP CoS mapping)....... 136

Using an IP ACL to mark DSCP values (DSCP marking)...............137

DSCP matching...............................................................................140

ACL-based rate limiting...............................................................................140

ACL statistics.............................................................................................. 140

ACL accounting...........................................................................................141

Configuring IPv4 ACL accounting................................................... 141

ACLs to control multicast features.............................................................. 142

Enabling and viewing hardware usage statistics for an ACL...................... 142

Displaying ACL information.........................................................................143

Troubleshooting ACLs.................................................................................144

Policy-based routing (PBR).........................................................................144

Configuration considerations for policy-based routing.................... 144

Configuring a PBR policy................................................................ 145

Configuring the ACLs......................................................................145

Configuring the route map...............................................................147

Enabling PBR..................................................................................148

Configuration examples for policy based routing............................ 149

Basic example of policy based routing............................................149

Setting the next hop........................................................................ 149

Setting the output interface to the null interface..............................150

Trunk formation with PBR policy.....................................................151

IPv6 ACLs .......................................................................................................................... 153

Supported IPv6 ACL features..................................................................... 153

IPv6 ACL overview......................................................................................153

IPv6 ACL traffic filtering criteria.......................................................154

IPv6 protocol names and numbers................................................. 154

IPv6 ACL configuration notes..................................................................... 155

Configuring an IPv6 ACL.............................................................................156

Example IPv6 configurations...........................................................156

Default and implicit IPv6 ACL action...............................................157

Creating an IPv6 ACL................................................................................. 158

Syntax for creating an IPv6 ACL.....................................................159

Enabling IPv6 on an interface to which an ACL will be applied.................. 164

Syntax for enabling IPv6 on an interface........................................ 164

Applying an IPv6 ACL to an interface......................................................... 164

Syntax for applying an IPv6 ACL.................................................... 165

Applying an IPv6 ACL to a trunk group...........................................165

Applying an IPv6 ACL to a virtual interface in a protocol-based

or subnet-based VLAN.............................................................. 165

Adding a comment to an IPv6 ACL entry....................................................165

Deleting a comment from an IPv6 ACL entry..............................................166

Support for ACL logging..............................................................................166

Configuring IPv6 ACL accounting............................................................... 167

Displaying IPv6 ACLs .................................................................................168

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

802.1X Port Security.............................................................................................................169

Supported 802.1X port security features.......................................................169

IETF RFC support ........................................................................................ 170

How 802.1X port security works....................................................................170

Device roles in an 802.1X configuration............................................170

Communication between the devices............................................... 172

Controlled and uncontrolled ports..................................................... 172

Message exchange during authentication.........................................173

Authenticating multiple hosts connected to the same port................176

802.1X port security and sFlow.........................................................180

802.1X accounting............................................................................ 180

802.1X port security configuration.................................................................180

Configuring an authentication method list for 802.1X....................... 181

Setting RADIUS parameters............................................................. 181

Dynamic VLAN assignment for 802.1X port configuration................ 184

Dynamically applying IP ACLs and MAC address filtersto 802.1X

ports.............................................................................................187

Enabling 802.1X port security .......................................................... 191

Setting the port control...................................................................... 191

Configuring periodic re-authentication.............................................. 192

Re-authenticating a port manually.................................................... 192

Setting the quiet period..................................................................... 193

Specifying the wait interval and number of EAP-request/identity

frame retransmissions from the Brocade device......................... 193

Wait interval and number of EAP-request/identity frame

retransmissions from the RADIUS server....................................194

Specifying a timeout for retransmission of messages to the

authentication server................................................................... 195

Initializing 802.1X on a port...............................................................195

Allowing access to multiple hosts......................................................195

MAC address filters for EAP frames................................................. 198

Configuring VLAN access for non-EAP-capable clients....................198

802.1X accounting configuration...................................................................199

802.1X Accounting attributes for RADIUS........................................ 199

Enabling 802.1X accounting............................................................. 200

Displaying 802.1X information...................................................................... 200

Displaying 802.1X configuration information.....................................201

Displaying 802.1X statistics.............................................................. 205

Clearing 802.1X statistics..................................................................206

Displaying dynamically-assigned VLAN information......................... 206

Displaying information about dynamically appliedMAC address

filters and IP ACLs.......................................................................207

Displaying 802.1X multiple-host authentication information..............209

Sample 802.1X configurations...................................................................... 210

Point-to-point configuration............................................................... 211

Hub configuration.............................................................................. 212

802.1X Authentication with dynamic VLAN assignment................... 214

Multi-device port authentication and 802.1Xsecurity on the same port ........215

MAC Port Security.................................................................................................................217

FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

Supported MAC port security features.......................................................... 217

MAC port security overview.......................................................................... 217

Local and global resources used for MAC port security....................218

Configuration notes and feature limitations for MAC port security.... 218

Secure MAC movement.................................................................... 219

MAC port security configuration..................................................................219

Enabling the MAC port security feature.......................................... 219

Setting the maximum number of secure MAC addresses for an

interface.....................................................................................219

Setting the port security age timer.................................................. 220

Specifying secure MAC addresses................................................. 221

Autosaving secure MAC addresses to the startup configuration.... 221

Specifying the action taken when a security violation occurs......... 222

Clearing port security statistics................................................................... 223

Clearing restricted MAC addresses................................................ 223

Clearing violation statistics..............................................................223

Displaying port security information ........................................................... 224

Displaying port security settings......................................................224

Displaying the secure MAC addresses........................................... 224

Displaying port security statistics.................................................... 225

Displaying restricted MAC addresses on a port..............................226

MAC-based VLANs..............................................................................................................227

Supported MAC-based VLAN features....................................................... 227

MAC-based VLAN overview........................................................................227

Static and dynamic hosts................................................................ 228

MAC-based VLAN feature structure................................................228

Dynamic MAC-based VLAN........................................................................229

Configuration notes and feature limitations for dynamic MAC-

based VLAN.............................................................................. 229

Dynamic MAC-based VLAN CLI commands...................................229

Dynamic MAC-based VLAN configuration example....................... 230

MAC-based VLAN configuration................................................................. 231

Using MAC-based VLANs and 802.1X securityon the same port ..232 Configuring generic and Brocade vendor-specificattributes on

the RADIUS server....................................................................232

Aging for MAC-based VLAN........................................................... 233

Disabling aging for MAC-based VLAN sessions.............................234

Configuring the maximum MAC addresses per port....................... 235

Configuring a MAC-based VLAN for a static host...........................235

Configuring MAC-based VLAN for a dynamic host.........................236

Configuring dynamic MAC-based VLAN.........................................236

Configuring MAC-based VLANs using SNMP............................................ 237

Displaying Information about MAC-based VLANs...................................... 237

Displaying the MAC-VLAN table..................................................... 237

Displaying the MAC-VLAN table for a specific MAC address......... 238

Displaying allowed MAC addresses................................................238

Displaying denied MAC addresses................................................. 239

Displaying detailed MAC-VLAN data.............................................. 240

Displaying MAC-VLAN information for a specific interface............. 241

Displaying MAC addresses in a MAC-based VLAN .......................242

Displaying MAC-based VLAN logging.............................................242

Clearing MAC-VLAN information................................................................ 243

Sample MAC-based VLAN application....................................................... 243

Defining MAC Address Filters.............................................................................................. 247

Supported MAC address filter features.......................................................247

MAC address filters configuration notes and limitations............................. 247

MAC address filters command syntax.........................................................248

Enabling logging of management traffic permitted by MAC address

filters......................................................................................................249

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

MAC address filter logging command syntax....................................250

Configuring MAC filter accounting.................................................................250

MAC address filter override for 802.1X-enabled ports.................................. 251

MAC address filter override configuration notes............................... 251

MAC address filter override configuration syntax..............................251

Multi-Device Port Authentication...........................................................................................253

Supported Multi-device port authentication (MDPA) features....................... 253

How multi-device port authentication works..................................................254

RADIUS authentication..................................................................... 255

Authentication-failure actions............................................................ 255

Unauthenticated port behavior.......................................................... 255

Supported RADIUS attributes........................................................... 255

Support for dynamic VLAN assignment............................................ 256

Support for dynamic ACLs................................................................ 256

Support for authenticating multiple MAC addresseson an interface. 256

Support for dynamic ARP inspection with dynamic ACLs.................256

Support for DHCP snooping with dynamic ACLs.............................. 257

Support for source guard protection..................................................257

Multi-device port authentication and 802.1Xsecurity on the same port.........257

Configuring Brocade-specific attributes on theRADIUS server.........258

Multi-device port authentication configuration...............................................259

Enabling multi-device port authentication......................................... 259

Specifying the format of the MAC addresses sent to theRADIUS

server...........................................................................................260

Specifying the authentication-failure action.......................................260

Generating traps for multi-device port authentication....................... 261

Defining MAC address filters.............................................................261

Configuring dynamic VLAN assignment............................................261

Dynamically applying IP ACLs to authenticated MAC addresses..... 265

Enabling denial of service attack protection......................................267

Enabling source guard protection..................................................... 268

Clearing authenticated MAC addresses............................................269

Disabling aging for authenticated MAC addresses........................... 270

Changing the hardware aging period for blockedMAC addresses....270

Specifying the aging time for blocked MAC addresses.....................271

Specifying the RADIUS timeout action..............................................271

Multi-device port authentication password override.......................... 272

Limiting the number of authenticated MAC addresses..................... 273

Displaying multi-device port authentication information................................ 273

Displaying authenticated MAC address information......................... 273

Displaying multi-device port authenticationconfiguration

information...................................................................................274

Displaying multi-device port authentication informationfor a

specific MAC address or port...................................................... 275

Displaying the authenticated MAC addresses.................................. 276

Displaying the non-authenticated MAC addresses........................... 276

Displaying multi-device port authentication information for a port.....276

Displaying multi-device port authentication settingsand

authenticated MAC addresses.................................................... 277

Displaying the MAC authentication table for FCX and ICX devices..280

Example port authentication configurations.................................................. 281

Multi-device port authentication with dynamicVLAN assignment .....281

Examples of multi-device port authentication and 802.1X

authentication configuration on the same port.............................285

FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

Web Authentication............................................................................................................ 291

Supported Web Authentication features..................................................... 291

Web authentication overview...................................................................... 291

Web authentication configuration considerations....................................... 292

Web authentication configuration tasks...................................................... 294

Enabling and disabling web authentication.................................................295

Web authentication mode configuration......................................................295

Using local user databases.............................................................296

Passcodes for user authentication..................................................299

Automatic authentication.................................................................304

Web authentication options configuration................................................... 304

Enabling RADIUS accounting for web authentication.....................304

Changing the login mode (HTTPS or HTTP).................................. 305

Specifying trusted ports...................................................................305

Specifying hosts that are permanently authenticated .................... 305

Configuring the re-authentication period.........................................306

Defining the web authentication cycle.............................................306

Limiting the number of web authentication attempts.......................306

Clearing authenticated hosts from the webauthentication table..... 307

Setting and clearing the block duration for webauthentication

attempts.....................................................................................307

Manually blocking and unblocking a specific host.......................... 307

Limiting the number of authenticated hosts.................................... 308

Filtering DNS queries......................................................................308

Forcing re-authentication when ports are down..............................308

Forcing re-authentication after an inactive period...........................309

Defining the web authorization redirect address.............................309

Deleting a web authentication VLAN.............................................. 310

Web authentication pages.............................................................. 310

Displaying web authentication information..................................................317

Displaying the web authentication configuration.............................317

Displaying a list of authenticated hosts...........................................319

Displaying a list of hosts attempting to authenticate....................... 320

Displaying a list of blocked hosts.................................................... 320

Displaying a list of local user databases......................................... 321

Displaying a list of users in a local user database.......................... 321

Displaying passcodes..................................................................... 321

DoS Attack Protection.........................................................................................................323

Supported DoS protection features.............................................................323

Smurf attacks.............................................................................................. 323

Avoiding being an intermediary in a Smurf attack...........................324

Avoiding being a victim in a Smurf attack....................................... 324

TCP SYN attacks........................................................................................ 326

TCP security enhancement ............................................................327

Displaying statistics about packets dropped because of DoS

attacks....................................................................................... 328

DHCP................................................................................................................................. 331

Supported DHCP packet inspection and tracking features.........................331

Dynamic ARP inspection ............................................................................331

ARP poisoning................................................................................ 331

About Dynamic ARP Inspection......................................................332

Configuration notes and feature limitations for DAI........................ 333

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Dynamic ARP inspection configuration............................................. 334

Displaying ARP inspection status and ports..................................... 335

Displaying the ARP table ................................................................. 335

Multi-VRF support............................................................................. 336

DHCP snooping............................................................................................ 336

How DHCP snooping works..............................................................337

System reboot and the binding database..........................................338

Configuration notes and feature limitations for DHCP snooping.......338

Configuring DHCP snooping............................................................. 339

Clearing the DHCP binding database............................................... 340

Displaying DHCP snooping status and ports.................................... 340

Displaying the DHCP snooping binding database............................ 340

Displaying DHCP binding entry and status....................................... 340

DHCP snooping configuration example ........................................... 341

Multi-VRF support............................................................................. 341

DHCP relay agent information ..................................................................... 342

Configuration notes for DHCP option 82...........................................343

DHCP Option 82 sub-options............................................................344

DHCP option 82 configuration...........................................................345

Viewing information about DHCP option 82 processing................... 347

Configuring the source IP address of a DHCP-client packet on

the DHCP relay agent..................................................................349

IP source guard.............................................................................................349

Configuration notes and feature limitations for IP source guard....... 349

Enabling IP source guard on a port...................................................351

Defining static IP source bindings..................................................... 351

Enabling IP source guard per-port-per-VLAN................................... 351

Enabling IP source guard on a VE.................................................... 351

Enabling IP Source Guard to support a Multi-VRF instance............. 352

Displaying learned IP addresses.......................................................352

DHCPv6................................................................................................................................355

Supported DHCPv6 packet inspection and tracking features....................... 355

Securing IPv6 address configuration............................................................ 355

DHCPv6 snooping.........................................................................................355

How DHCPv6 snooping works.......................................................... 356

Configuration notes and feature limitations for DHCPv6 snooping... 357

Configuring DHCPv6 snooping......................................................... 357

Clearing the DHCPv6 binding database........................................... 358

Displaying DHCPv6 snooping status and ports ............................... 358

Displaying the DHCPv6 snooping binding database ........................359

DHCPv6 snooping configuration example ....................................... 359

Multi-VRF support for DHCPv6 snooping......................................... 359

IPv6 RA Guard.......................................................................................................................361

Supported platforms for the IPv6 RA guard feature...................................... 361

Securing IPv6 address configuration............................................................ 361

IPv6 RA guard overview................................................................................361

RA guard policy.................................................................................362

Whitelist.............................................................................................362

Prefix list............................................................................................362

Maximum preference........................................................................ 362

Trusted, untrusted, and host ports.................................................... 362

Configuration notes and feature limitations for IPv6 RA guard..................... 363

Configuring IPv6 RA guard........................................................................... 363

Example of configuring IPv6 RA guard......................................................... 364

FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

Example: Configuring IPv6 RA guard on a device..........................364

Example: Configuring IPv6 RA guard in a network.........................364

Example: Verifying the RA guard configuration.............................. 366

Security Commands............................................................................................................367

access-list enable accounting..................................................................... 368

clear access-list accounting........................................................................ 369

clear ipv6 raguard ...................................................................................... 369

enable-accounting.......................................................................................371

logging ........................................................................................................371

ipv6 raguard policy .....................................................................................372

ipv6 raguard vlan ........................................................................................372

ipv6 raguard whitelist ................................................................................. 373

mac filter enable-accounting....................................................................... 374

preference-maximum ................................................................................. 374

prefix-list .....................................................................................................375

raguard .......................................................................................................375

show access-list accounting........................................................................377

show ipv6 raguard ......................................................................................380

show ipv6 raguard counts .......................................................................... 380

ip bootp-use-intf-ip...................................................................................... 382

whitelist ...................................................................................................... 382

Index..................................................................................................................................385

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Preface

● Document conventions....................................................................................................13

● Brocade resources.......................................................................................................... 15

● Getting technical help......................................................................................................15

● Document feedback........................................................................................................ 16

Document conventions

The document conventions describe text formatting conventions, command syntax conventions, and important notice formats used in Brocade technical documentation.

Text formatting conventions

Text formatting conventions such as boldface, italic, or Courier font may be used in the flow of the text to highlight specific words or phrases.

Format

bold text

italic text

Courier font

Description

Identifies command names

Identifies keywords and operands

Identifies the names of user-manipulated GUI elements

Identifies text to enter at the GUI

Identifies emphasis

Identifies variables and modifiers

Identifies paths and Internet addresses

Identifies document titles

Identifies CLI output

Identifies command syntax examples

Command syntax conventions

Bold and italic text identify command syntax components. Delimiters and operators define groupings of parameters and their logical relationships.

Convention

bold text Identifies command names, keywords, and command options.

italic text Identifies a variable.

Description

FastIron Ethernet Switch Security Configuration Guide 13 53-1003088-03

Notes, cautions, and warnings

Convention Description

value In Fibre Channel products, a fixed value provided as input to a command

[ ] Syntax components displayed within square brackets are optional.

option is printed in plain text, for example, --show WWN.

Default responses to system prompts are enclosed in square brackets.

{ x | y | z } A choice of required parameters is enclosed in curly brackets separated by

x | y A vertical bar separates mutually exclusive elements.

< > Nonprinting characters, for example, passwords, are enclosed in angle

...

vertical bars. You must select one of the options.

In Fibre Channel products, square brackets may be used instead for this purpose.

brackets.

Repeat the previous element, for example, member[member...].

Indicates a “soft” line break in command examples. If a backslash separates two lines of a command input, enter the entire command at the prompt without the backslash.

Notes, cautions, and warnings

Notes, cautions, and warning statements may be used in this document. They are listed in the order of increasing severity of potential hazards.

NOTE

A note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.

ATTENTION

An Attention statement indicates potential damage to hardware or data.

CAUTION

A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.

DANGER

A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

14 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Brocade resources

Visit the Brocade website to locate related documentation for your product and additional Brocade resources.

You can download additional publications supporting your product at www.brocade.com.

• Adapter documentation is available on the Downloads and Documentation for Brocade Adapters page. Select your platform and scroll down to the Documentation section.

• For all other products, select the Brocade Products tab to locate your product, then click the Brocade product name or image to open the individual product page. The user manuals are available in the resources module at the bottom of the page under the Documentation category.

To get up-to-the-minute information on Brocade products and resources, go to MyBrocade. You can register at no cost to obtain a user ID and password.

Release notes are available on MyBrocade under Product Downloads.

White papers, online demonstrations, and data sheets are available through the Brocade website.

Brocade resources

Getting technical help

You can contact Brocade Support 24x7 online, by telephone, or by e-mail.

For product support information and the latest information on contacting the Technical Assistance Center, go to http://www.brocade.com/services-support/index.html.

Use one of the following methods to contact the Brocade Technical Assistance Center.

Online Telephone E-mail

Preferred method of contact for nonurgent issues:

• My Cases through MyBrocade

• Software downloads and licensing tools

• Knowledge Base

Required for Sev 1-Critical and Sev 2-High issues:

• Continental US: 1-800-752-8061

• Europe, Middle East, Africa, and Asia Pacific: +800-AT FIBREE (+800 28 34 27 33)

• For areas unable to access toll free number: +1-408-333-6061

• Toll-free numbers are available in many countries.

support@brocade.com

Please include:

• Problem summary

• Serial number

• Installation details

• Environment description

FastIron Ethernet Switch Security Configuration Guide 15 53-1003088-03

Document feedback

To send feedback and report errors in the documentation you can use the feedback form posted with the document or you can e-mail the documentation team.

Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. You can provide feedback in two ways:

• Through the online feedback form in the HTML documents posted on www.brocade.com.

• By sending your feedback to documentation@brocade.com.

Provide the publication title, part number, and as much detail as possible, including the topic heading and page number if applicable, as well as your suggestions for improvement.

16 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

About This Document

● What’s new in this document ......................................................................................... 17

● How command information is presented in this guide.....................................................17

What’s new in this document

This document includes the information from IronWare software release 08.0.10d. The following table lists the enhancements for FastIron release 08.0.10d.

Summary of enhancements in FastIron release 08.0.10dTABLE 1

Feature Description Described in

TTL enhancement The no-ttl-decrement option

disables the TTL decrement and the packets will be forwarded without decrementing TTL for the traffic matched by the policy.

See Configuring the route map on page

147.

How command information is presented in this guide

For all new content, command syntax and parameters are documented in a separate command reference section at the end of the publication.

In an effort to provide consistent command line interface (CLI) documentation for all products, Brocade is in the process of preparing standalone Command References for the IP platforms. This process involves separating command syntax and parameter descriptions from configuration tasks. Until this process is completed, command information is presented in two ways:

• For all new content included in this guide, the CLI is documented in separate command pages. The new command pages follow a standard format to present syntax, parameters, usage guidelines, examples, and command history. Command pages are compiled in alphabetical order in a separate command reference chapter at the end of the publication.

• Legacy content continues to include command syntax and parameter descriptions in the chapters where the features are documented.

If you do not find command syntax information embedded in a configuration task, refer to the command reference section at the end of this publication for information on CLI syntax and usage.

FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

How command information is presented in this guide

18 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Security Access

● Supported security access features................................................................................ 19

● Securing access methods............................................................................................... 20

● Remote access to management function restrictions..................................................... 23

● Passwords used to secure access..................................................................................31

● Local user accounts........................................................................................................ 35

● TACACS and TACACS+ security....................................................................................42

● RADIUS security............................................................................................................. 58

● SSL security.................................................................................................................... 73

● Authentication-method lists............................................................................................. 75

● TCP Flags - edge port security....................................................................................... 78

Supported security access features

Lists security access features supported on FastIron devices.

The following table lists the individual Brocade FastIron switches and the security access features they support. These features are supported in the Layer 2 and Layer 3 software images, except where explicitly noted.

Feature ICX 6430 ICX 6450 FCX ICX 6610 ICX 6650 FSX 800

FSX 1600

Authentication, Authorization and Accounting (AAA): RADIUS, TACACS ACACS+

AAA support for console commands 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Restricting remote access to management functions

Disabling TFTP access 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Using ACLs to restrict remote access 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Local user accounts 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Local user passwords 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

SSL security 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

AAA authentication-method lists 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Packet filtering on TCP flags 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 No 08.0.10

This chapter explains how to secure access to management functions on a Brocade device.

08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

ICX 7750

FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

Securing access methods

NOTE

Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.

NOTE

For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.

Securing access methods

The following table lists the management access methods available on a Brocade device, how they are secured by default, and the ways in which they can be secured.

Ways to secure management access to Brocade devices TABLE 2

Access method How the access method is

Serial access to the CLI

Access to the Privileged EXEC and CONFIG levels of the CLI

Telnet access Not secured Regulate Telnet

secured by default

Not secured Establish passwords

Not secured Establish a password

Ways to secure the access method

for management privilege levels

for Telnet access to the CLI

Establish passwords for management privilege levels

Set up local user accounts

Configure TACACS/ TACACS+ security

Configure RADIUS security

access using ACLs

See page

Setting passwords for management privilege levels on page 32

Setting a Telnet password on page 32

Setting passwords for management privilege levels on page 32

Local user accounts on

page 35

TACACS and TACACS+ security on page 42

RADIUS security on page

Using an ACL to restrict Telnet access on page

Allow Telnet access only from specific IP addresses

Restrict Telnet access based on a client MAC address

20 FastIron Ethernet Switch Security Configuration Guide

Restricting Telnet access to a specific IP address on page 26

Restricting access to the device based on IP orMAC address on

page 26

53-1003088-03

Security Access

Ways to secure management access to Brocade devices (Continued)TABLE 2

Access method How the access method is

Allow Telnet access only from specific MAC addresses

Define the Telnet idle time

Change the Telnet login timeout period

Specify the maximum number of login attempts for Telnet access

Disable Telnet access Disabling Telnet access on page

Establish a password for Telnet access

Establish passwords for privilege levels of the CLI

secured by default

Restricting Telnet access to a specific VLAN on page 28

Defining the Telnet idle time on

page 27

Changing the login timeout period for Telnet sessions on page 28

Specifying the maximum number of login attemptsfor Telnet access on

page 27

Setting a Telnet password on page

Setting passwords for management privilege levels on page 32

Ways to secure the access method

See page

Set up local user accounts

Configure TACACS/ TACACS+ security

Configure RADIUS security

Secure Shell (SSH) access

Local user accounts on page 35

TACACS and TACACS+ security

on page 42

RADIUS security on page 58

Not configured Configure SSH Refer to the Configuring

Regulate SSH access using ACLs

Allow SSH access only from specific IP addresses

Allow SSH access only from specific MAC addresses

Establish passwords for privilege levels of the CLI

SSH2 section

Using an ACL to restrict SSH access on page

Restricting SSH access to a specific IP address

on page 26

Restricting access to the device based on IP orMAC address on page

Setting passwords for management privilege levels on page 32

FastIron Ethernet Switch Security Configuration Guide 21 53-1003088-03

Security Access

Ways to secure management access to Brocade devices (Continued)TABLE 2

Access method How the access method is

secured by default

SNMP access SNMP read or read-write

community strings and the password to the Super User privilege level

NOTE

SNMP read or read-write community strings are always required for SNMP access to the device.

Ways to secure the access method

Set up local user accounts

Configure TACACS/ TACACS+ security

Configure RADIUS security

Regulate SNMP access using ACLs

Allow SNMP access only from specific IP addresses

Disable SNMP access Disabling SNMP access

Allow SNMP access only to clients connected to a specific VLAN

See page

Local user accounts on

page 35

TACACS and TACACS+ security on page 42

RADIUS security on page

Using ACLs to restrict SNMP access on page

Restricting SNMP access to a specific IP address

on page 26

on page 31

Restricting SNMP access to a specific VLAN on

page 28

Establish passwords to management levels of the CLI

Set up local user accounts

Establish SNMP read or read-write community strings

TFTP access Not secured Allow TFTP access

Access for Stacked Devices

Access to multiple consoles must be secured after AAA is enabled

only to clients connected to a specific VLAN

Disable TFTP access Disabling TFTP access

Extra steps must be taken to secure multiple consoles in a traditional stack.

Setting passwords for management privilege levels on page 32

Local user accounts on

page 35

TACACS and TACACS+ security on page 42

Restricting TFTP access to a specific VLAN on

page 29

on page 31

Configuring TACACS/ TACACS+ for devices in a Brocade traditional stack on page 43

22 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Remote access to management function restrictions

You can restrict access to management functions from remote sources, including Telnet and SNMP. The following methods for restricting remote access are supported:

• Using ACLs to restrict Telnet or SNMP access

• Allowing remote access only from specific IP addresses

• Allowing Telnet and SSH access only from specific MAC addresses

• Allowing remote access only to clients connected to a specific VLAN

• Specifically disabling Telnet or SNMP access to the device

NOTE

Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.

The following sections describe how to restrict remote access to a Brocade device using these methods.

ACL usage to restrict remote access

You can use standard ACLs to control the following access methods to management functions on a Brocade device:

• Telnet

• SSH

• SNMP

Consider the following to configure access control for these management access methods.

1. Configure an ACL with the IP addresses you want to allow to access the device.

2. Configure a Telnet access group, SSH access group, and SNMP community strings. Each of these configuration items accepts an ACL as a parameter. The ACL contains entries that identify the IP addresses that can use the access method.

The following sections present examples of how to secure management access using ACLs. Refer to the Rule-Based IP ACLs chapter for more information on configuring ACLs.

Using an ACL to restrict Telnet access

To configure an ACL that restricts Telnet access to the device, enter commands such as the following.

device(config)#access-list 10 deny host 10.157.22.32 log device(config)#access-list 10 deny 10.157.23.0 0.0.0.255 log device(config)#access-list 10 deny 10.157.24.0 0.0.0.255 log device(config)#access-list 10 deny 10.157.25.0/24 log device(config)#access-list 10 permit any device(config)#telnet access-group 10 device(config)#write memory

Syntax: telnet access-group num

The num parameter specifies the number of a standard ACL and must be from 1 - 99.

The commands above configure ACL 10, then apply the ACL as the access list for Telnet access. The device allows Telnet access to all IP addresses except those listed in ACL 10.

FastIron Ethernet Switch Security Configuration Guide 23 53-1003088-03

Using an ACL to restrict SSH access

To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL.

device(config)#access-list 10 permit host 10.157.22.32 device(config)#access-list 10 permit 10.157.23.0 0.0.0.255 device(config)#access-list 10 permit 10.157.24.0 0.0.0.255 device(config)#access-list 10 permit 10.157.25.0/24 device(config)#telnet access-group 10 device(config)#write memory

The ACL in this example permits Telnet access only to the IP addresses in the permit entries and denies Telnet access from all other IP addresses.

Using an ACL to restrict SSH access

To configure an ACL that restricts SSH access to the device, enter commands such as the following.

device(config)#access-list 12 deny host 10.157.22.98 log device(config)#access-list 12 deny 10.157.23.0 0.0.0.255 log device(config)#access-list 12 deny 10.157.24.0/24 log device(config)#access-list 12 permit any device(config)#ssh access-group 12 device(config)#write memory

Syntax: ssh access-group num

The num parameter specifies the number of a standard ACL and must be from 1 - 99.

These commands configure ACL 12, then apply the ACL as the access list for SSH access. The device denies SSH access from the IP addresses listed in ACL 12 and permits SSH access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny SSH access from all IP addresses.

NOTE

In this example, the command ssh access-group 10 could have been used to apply the ACL configured in the example for Telnet access. You can use the same ACL multiple times.

Using ACLs to restrict SNMP access

To restrict SNMP access to the device using ACLs, enter commands such as the following.

NOTE

The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and SSH using ACLs.

device(config)#access-list 25 deny host 10.157.22.98 log device(config)#access-list 25 deny 10.157.23.0 0.0.0.255 log device(config)#access-list 25 deny 10.157.24.0 0.0.0.255 log device(config)#access-list 25 permit any device(config)#access-list 30 deny 10.157.25.0 0.0.0.255 log device(config)#access-list 30 deny 10.157.26.0/24 log device(config)#access-list 30 permit any device(config)#snmp-server community public ro 25 device(config)#snmp-server community private rw 30 device(config)#write memory

Syntax: snmp-server community string [ ro | rw ] num

The string parameter specifies the SNMP community string the user must enter to gain SNMP access.

24 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Defining the console idle time

The ro parameter indicates that the community string is for read-only ("get") access. The rw parameter indicates the community string is for read-write ("set") access.

The num parameter specifies the number of a standard ACL and must be from 1 - 99.

These commands configure ACLs 25 and 30, then apply the ACLs to community strings.

ACL 25 is used to control read-only access using the "public" community string. ACL 30 is used to control read-write access using the "private" community string.

NOTE

When snmp-server community is configured, all incoming SNMP packets are validated first by their community strings and then by their bound ACLs.

Defining the console idle time

By default, a Brocade device does not time out serial console sessions. A serial session remains open indefinitely until you close it. You can however define how many minutes a serial management session can remain idle before it is timed out.

NOTE

You must enable AAA support for console commands, AAA authentication, and Exec authorization in order to set the console idle time.

To configure the idle time for a serial console session, use the following command.

device(config)#console timeout 120

Syntax: [no] console timeout [ 0-240 ]

Possible values: 0 - 240 minutes

Default value: 0 minutes (no timeout)

NOTE

In RADIUS, the standard attribute Idle-Timeout is used to define the console session timeout value. The attribute Idle-Timeout value is specified in seconds. Within the switch, it is truncated to the nearest minute, because the switch configuration is defined in minutes.

Remote access restrictions

By default, a Brocade device does not control remote management access based on the IP address of the managing device. You can restrict remote management access to a single IP address for the following access methods:

• Telnet access

• SSH access

• SNMP access

In addition, you can restrict all access methods to the same IP address using a single command.

The following examples show the CLI commands for restricting remote access. You can specify only one IP address with each command. However, you can enter each command ten times to specify up to ten IP addresses.

FastIron Ethernet Switch Security Configuration Guide 25 53-1003088-03

Restricting Telnet access to a specific IP address

To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.

device(config)#telnet client 10.157.22.39

Syntax: [no] telnet client { ip-addr | ipv6-addr }

Restricting SSH access to a specific IP address

To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.

device(config)#ip ssh client 10.157.22.39

Syntax: [no] ip ssh client { ip-addr | ipv6-addr }

Restricting SNMP access to a specific IP address

To allow SNMP access only to the host with IP address 10.157.22.14, enter the following command.

device(config)#snmp-client 10.157.22.14

Syntax: [no] snmp-client { ip-addr | ipv6-addr }

Restricting all remote management access to a specific IP address

To allow Telnet and SNMP management access to the Brocade device only to the host with IP address 10.157.22.69, enter three separate commands (one for each access type) or enter the following command.

device(config)#all-client 10.157.22.69

Syntax: [no] all-client { ip-addr | ipv6-addr }

Restricting access to the device based on IP orMAC address

You can restrict remote management access to the Brocade device, using Telnet, SSH, HTTP, and HTTPS, based on the connecting client IP or MAC address.

Restricting Telnet connection

You can restrict Telnet connection to a device based on the client IP address or MAC address.

To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.

device(config)#telnet client 10.157.22.39 0000.000f.e9a0

Syntax: [no] telnet client { ip-addr | ipv6-addrmac-addr }

26 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Restricting SSH connection

The following command allows Telnet access to the Brocade device to a host with any IP address and MAC address 0000.000f.e9a0.

device(config)#telnet client any 0000.000f.e9a0

Syntax: [no] telnet client any mac-addr

Restricting SSH connection

You can restrict SSH connection to a device based on the client IP address or MAC address.

To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.

device(config)#ip ssh client 10.157.22.39 0000.000f.e9a0

Syntax: [no] ip ssh client { ip-addr | ipv6-addrmac-addr }

To allow SSH access to the Brocade device to a host with any IP address and MAC address

0000.000f.e9a0, enter the following command.

device(config)#ip ssh client any 0000.000f.e9a0

Syntax: [no] ip ssh client any mac-addr

Defining the Telnet idle time

You can define how many minutes a Telnet session can remain idle before it is timed out. An idle Telnet session is a session that is still sending TCP ACKs in response to keepalive messages from the device, but is not being used to send data.

To configure the idle time for a Telnet session, use the following command.

device(config)#telnet timeout 120

Syntax: [no] telnet timeout minutes

For minutes enter a value from 0 - 240. The default value is 0 minutes (no timeout).

Specifying the maximum number of login attemptsfor Telnet access

If you are connecting to the Brocade device using Telnet, the device prompts you for a username and password. By default, you have up to 4 chances to enter a correct username and password. If you do not enter a correct username or password after 4 attempts, the Brocade device disconnects the Telnet session.

You can specify the number of attempts a Telnet user has to enter a correct username and password before the device disconnects the Telnet session. For example, to allow a Telnet user up to 5 chances to enter a correct username and password, enter the following command.

device(config)#telnet login-retries 5

Syntax: [no] telnet login-retries number

You can specify from 0 - 5 attempts. The default is 4 attempts.

FastIron Ethernet Switch Security Configuration Guide 27 53-1003088-03

Changing the login timeout period for Telnet sessions

NOTE

You need to configure telnet with the enable telnet authentication local command to enable only a certain number of telnet login attempts.

Changing the login timeout period for Telnet sessions

By default, the login timeout period for a Telnet session is 2 minutes. To change the login timeout period, use the following command.

device(config)#telnet login-timeout 5

Syntax: [no] telnet login-timeout minutes

For minutes , enter a value from 1 to 10. The default timeout period is 2 minutes.

Restricting remote access to the device tospecific VLAN IDs

You can restrict management access to a Brocade device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:

• Telnet access

• SNMP access

• TFTP access

By default, access is allowed for all the methods listed above on all ports. Once you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.

VLAN-based access control works in conjunction with other access control methods. For example, suppose you configure an ACL to permit Telnet access only to specific client IP addresses, and you also configure VLAN-based access control for Telnet access. In this case, the only Telnet clients that can access the device are clients that have one of the IP addresses permitted by the ACL and are connected to a port that is in a permitted VLAN. Clients who have a permitted IP address but are connected to a port in a VLAN that is not permitted still cannot access the device through Telnet.

Restricting Telnet access to a specific VLAN

To allow Telnet access only to clients in a specific VLAN, enter a command such as the following.

device(config)#telnet server enable vlan 10

The command in this example configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.

Syntax: [no] telnet server enable vlan vlan-id

Restricting SNMP access to a specific VLAN

To allow SNMP access only to clients in a specific VLAN, enter a command such as the following.

device(config)#snmp-server enable vlan 40

28 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Restricting TFTP access to a specific VLAN

The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] snmp-server enable vlan vlan-id

Restricting TFTP access to a specific VLAN

To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.

device(config)#tftp client enable vlan 40

The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

Syntax: [no] tftp client enable vlan vlan-id

Designated VLAN for Telnet management sessionsto a Layer 2 Switch

All Brocade FastIron devices support the creation of management VLANs. By default, the management IP address you configure on a Layer 2 Switch applies globally to all the ports on the device. This is true even if you divide the device ports into multiple port-based VLANs.

If you want to restrict the IP management address to a specific port-based VLAN, you can make that VLAN the designated management VLAN for the device. When you configure a VLAN to be the designated management VLAN, the management IP address you configure on the device is associated only with the ports in the designated VLAN. To establish a Telnet management session with the device, a user must access the device through one of the ports in the designated VLAN.

You also can configure up to five default gateways for the designated VLAN, and associate a metric with each one. The software uses the gateway with the lowest metric. The other gateways reside in the configuration but are not used. To use one of the other gateways, modify the configuration so that the gateway you want to use has the lowest metric.

If more than one gateway has the lowest metric, the gateway that appears first in the running-config is used.

NOTE

If you have already configured a default gateway globally and you do not configure a gateway in the VLAN, the software uses the globally configured gateway and gives the gateway a metric value of 1.

To configure a designated management VLAN, enter commands such as the following.

device(config)#vlan 10 by port device(config-vlan-10)#untag ethernet 1/1 to 1/4 device(config-vlan-10)#management-vlan device(config-vlan-10)#default-gateway 10.10.10.1 1 device(config-vlan-10)#default-gateway 10.20.20.1 2

These commands configure port-based VLAN 10 to consist of ports 1/1 - 1/4 and to be the designated management VLAN. The last two commands configure default gateways for the VLAN. Since the

10.10.10.1 gateway has a lower metric, the software uses this gateway. The other gateway remains in

the configuration but is not used. You can use the other one by changing the metrics so that the

10.20.20.1 gateway has the lower metric.

Syntax: [no] default-gateway ip-addr metric

The ip-addr parameters specify the IP address of the gateway router.

FastIron Ethernet Switch Security Configuration Guide 29 53-1003088-03

Device management security

The metric parameter specifies the metric (cost) of the gateway. You can specify a value from 1 - 5. There is no default. The software uses the gateway with the lowest metric.

Device management security

By default, all management access is disabled. Each of the following management access methods must be specifically enabled as required in your installation:

• SSHv2

• SNMP

The commands for granting access to each of these management interfaces is described in the following.

Allowing SSHv2 access to the Brocade device

To allow SSHv2 access to the Brocade device, you must generate a Crypto Key as shown in the following command.

device(config)#crypto key generate

Syntax: crypto key [ generate | zeroize ]

The generate parameter generates a dsa key pair.

The zeroize parameter deletes the currently operative dsa key pair.

In addition, you must use AAA authentication to create a password to allow SSHv2 access. For example the following command configures AAA authentication to use TACACS+ for authentication as the default or local if TACACS+ is not available.

device(config)#aaa authentication login default tacacs+ local

Allowing SNMP access to the Brocade device

To allow SNMP access to the Brocade device, enter the following command.

device(config)#snmp-server

Syntax: [no] snmp server

Disabling specific access methods

You can specifically disable the following access methods:

• Telnet access

• SNMP access

• TFTP

NOTE

If you disable Telnet access, you will not be able to access the CLI except through a serial connection to the management module. If you disable SNMP access, you will not be able to use an SNMP-based management applications.

30 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Disabling Telnet access

You can use a Telnet client to access the CLI on the device over the network. If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from establishing CLI sessions with the device, enter the following command.

device(config)#no telnet server

To re-enable Telnet operation, enter the following command.

device(config)#telnet server

Syntax: [no] telnet server

Disabling SNMP access

To disable SNMP management of the device.

device(config)#no snmp-server

To later re-enable SNMP management of the device.

device(config)#snmp-server

Syntax: [no] snmp-server

Disabling TFTP access

You can globally disable TFTP to block TFTP client access. By default, TFTP client access is enabled.

To disable TFTP client access, enter the following command at the Global CONFIG level of the CLI.

device(config)#tftp disable

When TFTP is disabled, users are prohibited from using the copy tftp command to copy files to the system flash. If users enter this command while TFTP is disabled, the system will reject the command and display an error message.

To re-enable TFTP client access once it is disabled, enter the following command.

device(config)#no tftp disable

Syntax: [no] tftp disable

Passwords used to secure access

Passwords can be used to secure the following access methods:

• Telnet access can be secured by setting a Telnet password. Refer to Setting a Telnet password on page 32.

• Access to the Privileged EXEC and CONFIG levels of the CLI can be secured by setting passwords for management privilege levels. Refer to Setting passwords for management privilege levels on page 32.

This section also provides procedures for enhancing management privilege levels, recovering from a lost password, and disabling password encryption.

FastIron Ethernet Switch Security Configuration Guide 31 53-1003088-03

Setting a Telnet password

NOTE

You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account a management privilege level. Refer to Local user accounts on page 35.

Setting a Telnet password

By default, the device does not require a user name or password when you log in to the CLI using Telnet. You can assign a password for Telnet access using one of the following methods.

Set the password "letmein" for Telnet access to the CLI using the following command at the global CONFIG level.

device(config)#enable telnet password letmein

Syntax: [no] enable telnet password string

Suppressing Telnet connection rejection messages

By default, if a Brocade device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message. When you enable the option, a denied Telnet client does not receive a message from the Brocade device. Instead, the denied client simply does not gain access.

To suppress the connection rejection message, use the following CLI method.

To suppress the connection rejection message sent by the device to a denied Telnet client, enter the following command at the global CONFIG level of the CLI.

device(config)#telnet server suppress-reject-message

Syntax: [no] telnet server suppress-reject-message

Setting passwords for management privilege levels

You can set one password for each of the following management privilege levels:

• Super User level - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.

• Port Configuration level - Allows read-and-write access for specific ports but not for global (systemwide) parameters.

• Read Only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.

You can assign a password to each management privilege level. You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account to one of the three privilege levels. Refer to Local user accounts on page 35.

NOTE

You must use the CLI to assign a password for management privilege levels.

If you configure user accounts in addition to privilege level passwords, the device will validate a user access attempt using one or both methods (local user account or privilege level password), depending

32 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Augmenting management privilege levels

on the order you specify in the authentication-method lists. Refer to Authentication-method lists on page

75.

Follow the steps given below to set passwords for management privilege levels.

1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode.

device> enable device#

2. Access the CONFIG level of the CLI by entering the following command.

device#configure terminal device(config)#

3. Enter the following command to set the Super User level password.

device(config)#enable super-user-password text

NOTE

You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number.

4. Enter the following commands to set the Port Configuration level and Read Only level passwords.

device(config)#enable port-config-password text device(config)#enable read-only-password text

Syntax: enable super-user-password text

Syntax: enable port-config-password text

Syntax: enable read-only-password text

NOTE

If you forget your Super User level password, refer to Recovering from a lost password on page 34.

Augmenting management privilege levels

Each management privilege level provides access to specific areas of the CLI by default:

• Super User level provides access to all commands and displays.

• Port Configuration level gives access to:

‐ The User EXEC and Privileged EXEC levels ‐ The port-specific parts of the CONFIG level ‐ All interface configuration levels

• Read Only level gives access to:

‐ The User EXEC and Privileged EXEC levels

You can grant additional access to a privilege level on an individual command basis. To grant the additional access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the individual command.

NOTE

This feature applies only to management privilege levels on the CLI.

FastIron Ethernet Switch Security Configuration Guide 33 53-1003088-03

Recovering from a lost password

Enhance the Port Configuration privilege level so users also can enter IP commands at the global CONFIG level.

device(config)#privilege configure level 4 ip

In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands. Users who log in with valid Port Configuration level user names and passwords can enter commands that begin with "ip" at the global CONFIG level.

Syntax: [no] privilege cli-level level privilege-level command-string

The cli-level parameter specifies the CLI level and can be one of the following values:

• exec - EXEC level; for example, device> or device#

• configure - CONFIG level; for example, device(config)#

• interface - Interface level; for example, device(config-if-6)#

• loopback-interface - loopback interface level

• virtual-interface - Virtual-interface level; for example, device(config-vif-6)#

• dot1x - 802.1X configuration level

• ipv6-access-list - IPv6 access list configuration level

• rip-router - RIP router level; for example, device(config-rip-router)#

• ospf-router - OSPF router level; for example, device(config-ospf-router)#

• dvmrp-router - DVMRP router level; for example, device(config-dvmrp-router)#

• pim-router - PIM router level; for example, device(config-pim-router)#

• bgp-router - BGP4 router level; for example, device(config-bgp-router)#

• vrrp-router - VRRP configuration level

• gvrp - GVRP configuration level

• trunk - trunk configuration level

• port-vlan - Port-based VLAN level; for example, device(config-vlan)#

• protocol-vlan - Protocol-based VLAN level

The privilege-level indicates the number of the management privilege level you are augmenting. You can specify one of the following:

• 0 - Super User level (full read-write access)

• 4 - Port Configuration level

• 5 - Read Only level

The command -string parameter specifies the command you are allowing users with the specified privilege level to enter. To display a list of the commands at a CLI level, enter "?" at that level's command prompt.

Recovering from a lost password

Recovery from a lost password requires direct access to the serial port and a system reset.

NOTE

You can perform this procedure only from the CLI.

Follow the steps given below to recover from a lost password.

34 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Displaying the SNMP community string

1. Start a CLI session over the serial interface to the device.

2. Reboot the device.

3. At the initial boot prompt at system startup, enter b to enter the boot monitor mode.

4. Enter no password at the prompt. (You cannot abbreviate this command.) This command will cause the device to bypass the system password check.

5. Enter boot system flash primary at the prompt. On ICX 6430 and ICX 6450 devices, enter boot_primary.

6. After the console prompt reappears, assign a new password.

Displaying the SNMP community string

If you want to display the SNMP community string, enter the following commands.

device(config)#enable password-display device#show snmp server

The enable password-display command enables display of the community string in the output of the show snmp server command. Display of the string is still encrypted in the startup-config file and

running-config. When the enable password-display command is configured, the user password and snmp community string are encrypted in the show run command output. Enter the command at the global CONFIG level of the CLI.

Specifying a minimum password length

By default, the Brocade device imposes no minimum length on the Line (Telnet), Enable, or Local passwords. You can configure the device to require that Line, Enable, and Local passwords be at least a specified length.

For example, to specify that the Line, Enable, and Local passwords be at least 8 characters, enter the following command.

device(config)#enable password-min-length 8

Syntax: enable password-min-length number-of-characters

The number-of-characters can be from 1 - 48.

Local user accounts

You can define up to 32 local user accounts on a Brocade device. User accounts regulate who can access the management functions in the CLI using the following methods:

• Telnet access

• SNMP access

• SSH access

Local user accounts provide greater flexibility for controlling management access to Brocade devices than do management privilege level passwords and SNMP community strings of SNMP versions 1 and

2. You can continue to use the privilege level passwords and the SNMP community strings as additional

means of access authentication. Alternatively, you can choose not to use local user accounts and instead continue to use only the privilege level passwords and SNMP community strings. Local user accounts are backward-compatible with configuration files that contain privilege level passwords. Refer to Setting passwords for management privilege levels on page 32.

FastIron Ethernet Switch Security Configuration Guide 35 53-1003088-03

Enhancements to username and password

If you configure local user accounts, you also need to configure an authentication-method list for Telnet access and SNMP access. Refer to Authentication-method lists on page 75.

For each local user account, you specify a user name. You also can specify the following parameters:

• A password

NOTE

If you use AAA authentication for SNMP access and set the password same as the username, providing the password during authentication is optional. You can provide just the correct username for successful authentication.

• A management privilege level, which can be one of the following:

‐ Super User level (default) - Allows complete read-and-write access to the system. This is

generally for system administrators and is the only privilege level that allows you to configure passwords.

‐ Port Configuration level - Allows read-and-write access for specific ports but not for global

parameters.

‐ Read Only level - Allows access to the Privileged EXEC mode and User EXEC mode with

read access only.

• You can set additional username and password rules. Refer to Enhancements to username and

password on page 36.

Enhancements to username and password

This section describes the enhancements to the username and password features introduced in earlier releases.

The following rules are enabled by default:

• Users are required to accept the message of the day.

• Users are locked out (disabled) if they fail to login after three attempts. This feature is automatically enabled. Use the disable-on-login-failure command to change the number of login attempts (up to

10) before users are locked out.

The following rules are disabled by default:

• Enhanced user password combination requirements

• User password masking

• Quarterly updates of user passwords

• You can configure the system to store up to 15 previously configured passwords for each user.

• You can use the disable-on-login-failure command to change the number of login attempts (up to

10) before users are locked out.

• A password can now be set to expire.

Enabling enhanced user password combination requirements

When strict password enforcement is enabled on the Brocade device, you must enter a minimum of eight characters containing the following combinations when you create an enable and a user password:

• At least two upper case characters

• At least two lower case characters

• At least two numeric characters

• At least two special characters

36 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Enabling user password masking

NOTE

Password minimum and combination requirements are strictly enforced.

Use the enable strict-password-enforcement command to enable the password security feature.

device(config)#enable strict-password-enforcement

Syntax: [no] enable strict-password-enforcement

This feature is disabled by default.

The following security upgrades apply to the enable strict-password-enforcement command:

• Passwords must not share four or more concurrent characters with any other password configured on the router. If the user tries to create a password with four or more concurrent characters, the following error message will be returned.

Error - The substring str within the password has been used earlier, please choose a different password.

For example, the previous password was Ma!i4aYa&, the user cannot use any of the following as his or her new password:

• ‐ Ma!imai$D because "Mail" were used consecutively in the previous password

‐ &3B9aYa& because "aYa&" were used consecutively in the previous password ‐ i4aYEv#8 because "i4aY" were used consecutively in the previous password

• If the user tries to configure a password that was previously used, the Local User Account configuration will not be allowed and the following message will be displayed.

This password was used earlier for same or different user, please choose a different password.

Enabling user password masking

By default, when you use the CLI to create a user password, the password displays on the console as you type it. For enhanced security, you can configure the Brocade device to mask the password characters entered at the CLI. When password masking is enabled, the CLI displays asterisks (*) on the console instead of the actual password characters entered.

The following shows the default CLI behavior when configuring a username and password.

device(config)#username kelly password summertime

The following shows the CLI behavior when configuring a username and password when passwordmasking is enabled.

device(config)#username kelly password Enter Password: ********

NOTE

When password masking is enabled, press the [Enter] key before entering the password.

Syntax: username name password [Enter]

For [Enter], press the Enter key. Enter the password when prompted.

If strict-password-enforcement is enabled, enter a password which contains the required character combination. Refer to Enabling enhanced user password combination requirements on page 36.

FastIron Ethernet Switch Security Configuration Guide 37 53-1003088-03

Enabling user password aging

To enable password masking, enter the following command.

device(config)#enable user password-masking

Syntax: [no] enable user password-masking

Enabling user password aging

For enhanced security, password aging enforces quarterly updates of all user passwords. After 180 days, the CLI will automatically prompt users to change their passwords when they attempt to sign on.

When password aging is enabled, the software records the system time that each user password was configured or last changed. The time displays in the output of the show running configuration command, indicated by set-time time .

device#show run Current configuration:

....

username waldo password .....

username raveen set-time 2086038248

....

The password aging feature uses the NTP server clock to record the set-time. If the network does not have an NTP server, then set-time will appear as set-time 0 in the output of the show running configuration command.

A username set-time configuration is removed when:

• The username and password is deleted from the configuration

• The username password expires

When a username set-time configuration is removed, it no longer appears in the show running configuration output.

Note that if a username does not have an assigned password, the username will not have a set-time configuration.

Password aging is disabled by default. To enable it, enter the following command at the global CONFIG level of the CLI.

device(config)#enable user password-aging

Syntax: [no] enable user password-aging

Configuring password history

By default, the Brocade device stores the last five user passwords for each user. When changing a user password, the user cannot use any of the five previously configured passwords.

For security purposes, you can configure the Brocade device to store up to 15 passwords for each user, so that users do not use the same password multiple times. If a user attempts to use a password that is stored, the system will prompt the user to choose a different password.

To configure enhanced password history, enter a command such as the following at the global CONFIG level of the CLI.

device(config)#enable user password-history 15

Syntax: [no] enable user password-history 1-15

38 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Enhanced login lockout

The CLI provides up to three login attempts. If a user fails to login after three attempts, that user is locked out (disabled). If desired, you can increase or decrease the number of login attempts before the user is disabled. To do so, enter a command such as the following at the global CONFIG level of the CLI.

device(config)#enable user disable-on-login-failure 7

Syntax: enable user disable-on-login-failure 1-10

To re-enable a user that has been locked out, do one of the following:

• Reboot the Brocade device to re-enable all disabled users.

• Enable the user by entering the following command.

device(config)#username sandy enable

device(config)#user sandy enable device#show user Username Password Encrypt Priv Status Expire Time ============================================================================== sandy $1$Gz...uX/$wQ44fVGtsqbKWkQknzAZ6. enabled 0 enabled 90 days

Syntax: username name enable

Setting passwords to expire

You can set a user password to expire. Once a password expires, the administrator must assign a new password to the user. To configure a user password to expire, enter the following.

device(config)#username sandy expires 20

Syntax: username name expires days

Enter 1 - 365 for number of days. The default is 90 days.

device(config)#username sandy expires 20 device#show user Username Password Encrypt Priv Status Expire Time ================================================================================ sandy $1$Gz...uX/$wQ44fVGtsqbKWkQknzAZ6. enabled 0 enabled 20 days

Requirement to accept the message of the day

If a message of the day (MOTD) is configured, a user will be required to press the Enter key before he or she can login. MOTD is configured using the banner motd command.

There are no new CLI commands for this feature.

NOTE

This requirement is disabled by default, unless configured. Users are not required to press Enter after the MOTD banner is displayed. Refer to "Requiring users to press the Enter key after the message of the day banner" section in the FastIron Ethernet Switch Administration Guide .

FastIron Ethernet Switch Security Configuration Guide 39 53-1003088-03

Local user account configuration

You can create accounts for local users with or without passwords. Accounts with passwords can have encrypted or unencrypted passwords.

You can assign privilege levels to local user accounts, but on a new device, you must create a local user account that has a Super User privilege before you can create accounts with other privilege levels.

NOTE

You must grant Super User level privilege to at least one account before you add accounts with other privilege levels. You need the Super User account to make further administrative changes.

Local user accounts with no passwords

To create a user account without a password, enter the following command at the global CONFIG level of the CLI.

device(config)#username wonka nopassword

Syntax: [no] username user-string privilege privilege-level nopassword

Local user accounts with unencrypted passwords

If you want to use unencrypted passwords for local user accounts, enter a command such as the following at the global CONFIG level of the CLI.

device(config)#username wonka password willy

If password masking is enabled, press the [Enter] key before entering the password.

device(config)#username wonka password Enter Password: *******

The above commands add a local user account with the user name "wonka" and the password. This account has the Super User privilege level; this user has full access to all configuration and display features.

device(config)#username waldo privilege 5 password whereis

This command adds a user account for user name "waldo", password "whereis", with the Read Only privilege level. Waldo can look for information but cannot make configuration changes.

Syntax: [no] usernameuser-string privilege privilege-level [ password | nopassword ] passwordstring

You can enter up to 48 characters for user-string .

The privilege privilege-level parameter specifies the privilege level for the account. You can specify one of the following:

• 0 - Super User level (full read-write access)

• 4 - Port Configuration level

• 5 - Read Only level

The default privilege level is 0 . If you want to assign Super User level access to the account, you can enter the command without privilege 0 , as shown in the command example above.

40 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Changing a local user password

The password | nopassword parameter indicates whether the user must enter a password. If you specify password , enter the string for the user's password. You can enter up to 48 characters for password-string . If strict password enforcement is enabled on the device, you must enter a minimum of eight characters containing the following combinations:

• At least two upper case characters

• At least two lower case characters

• At least two numeric characters

• At least two special characters

NOTE

You must be logged on with Super User access (privilege level 0) to add user accounts or configure other access parameters.

To display user account information, enter the following command.

device#show users

Syntax: show users

To know the different methods to secure access to the device using the configured username and password, see Authentication-method lists on page 75.

Changing a local user password

To change a local user password for an existing local user account, enter a command such as the following at the global CONFIG level of the CLI.

NOTE

You must be logged on with Super User access (privilege level 0) to change user passwords.

device(config)#username wonka password willy

If password masking is enabled, enter the username, press the [Enter] key, then enter the password.

device(config)#username wonka password Enter Password:

The above commands change wonka's user name and password.

Syntax: [no] username user-string password password-string

Enter up to 48 characters for user-string.

The password-string parameter is the user password. The password can be up to 48 characters and must differ from the current password and two previously configured passwords.

When a password is changed, a message such as the following is sent to the Syslog.

SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 Security: Password has been changed for user tester from console session.

The message includes the name of the user whose password was changed and during which session type, such as Console, Telnet, SSH, Web, SNMP, or others, the password was changed.

FastIron Ethernet Switch Security Configuration Guide 41 53-1003088-03

TACACS and TACACS+ security

You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to authenticate the following kinds of access to the Brocade device:

• Telnet access

• SSH access

• Console access

• Access to the Privileged EXEC level and CONFIG levels of the CLI

The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a Brocade device and an authentication database on a TACACS/TACACS + server. TACACS/TACACS+ services are maintained in a database, typically on a UNIX workstation or PC with a TACACS/TACACS+ server running.

How TACACS+ differs from TACACS

TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery.

TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the Brocade device and the TACACS+ server. TACACS+ allows for arbitrary length and content authentication exchanges, which allow any authentication mechanism to be utilized with the Brocade device. TACACS+ is extensible to provide for site customization and future development features. The protocol allows the Brocade device to request very precise access control and allows the TACACS+ server to respond to each component of that request.

NOTE

TACACS+ provides for authentication, authorization, and accounting, but an implementation or configuration is not required to employ all three.

TACACS/TACACS+ authentication, authorization,and accounting

When you configure a Brocade device to use a TACACS/TACACS+ server for authentication , the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS/TACACS+ server.

If you are using TACACS+, Brocade recommends that you also configure authorization , in which the Brocade device consults a TACACS+ server to determine which management privilege level (and which associated set of commands) an authenticated user is allowed to use. You can also optionally configure accounting , which causes the Brocade device to log information on the TACACS+ server when specified events occur on the device.

NOTE

By default, a user logging into the device from Telnet or SSH would first enter the User EXEC level. The user can enter the enable command to get to the Privileged EXEC level. A user that is successfully authenticated can be automatically placed at the Privileged EXEC level after login. Refer to Entering privileged EXEC mode after a Telnet or SSH login on page 52.

42 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Configuring TACACS/TACACS+ for devices in a Brocade traditional stack

Becausedevices operating in a Brocade traditional stack topology present multiple console ports, you must take additional steps to secure these ports when configuring TACACS/TACACS+.

The following is a sample AAA console configuration using TACACS+.

aaa authentication login default tacacs+ enable aaa authentication login privilege-mode aaa authorization commands 0 default tacacs+ aaa authorization exec default tacacs+ aaa accounting commands 0 default start-stop tacacs+ aaa accounting exec default start-stop tacacs+ aaa accounting system default start-stop tacacs+ enable aaa console hostname Fred ip address 10.10.6.56/255 tacacs-server host 255.253.255 tacacs-server key 2 $d3NpZ0BVXFpJ

kill console

Syntax: kill console [ all | unit ]

• all - logs out all console port on stack units that are not the Active Controller

• unit - logs out the console port on a specified unit

Once AAA console is enabled, you should log out any open console ports on your traditional stack using the kill console command:

device(config)#kill console all

In case a user forgets to log out or a console is left unattended, you can also configure the console timeout (in minutes) on all stack units (including the Active Controller).

device(config)#stack unit 3 device(config-unit-3)#console timeout 5 device(config-unit-3)#exit device(config)#stack unit 4 device(config-unit-4)#console timeout 5

Use the show who and the show telnet commands to confirm the status of console sessions.

stack9#show who Console connections (by unit number): 1 established you are connecting to this session 4 seconds in idle 2 established 1 hours 3 minutes 12 seconds in idle 3 established 1 hours 3 minutes 9 seconds in idle 4 established 1 hours 3 minutes 3 seconds in idle Telnet connections (inbound): 1 closed 2 closed 3 closed 4 closed 5 closed Telnet connection (outbound): 6 closed SSH connections: 1 closed 2 closed 3 closed 4 closed 5 closed stack9# stack9#show telnet Console connections (by unit number): 1 established

FastIron Ethernet Switch Security Configuration Guide 43 53-1003088-03

TACACS authentication

you are connecting to this session 1 minutes 5 seconds in idle 2 established 1 hours 4 minutes 18 seconds in idle 3 established 1 hours 4 minutes 15 seconds in idle 4 established 1 hours 4 minutes 9 seconds in idle Telnet connections (inbound): 1 closed 2 closed 3 closed 4 closed 5 closed Telnet connection (outbound): 6 closed SSH connections: 1 closed 2 closed 3 closed 4 closed 5 closed stack9#

TACACS authentication

NOTE

Also, multiple challenges are supported for TACACS+ login authentication.

When TACACS authentication takes place, the following events occur.

1. A user attempts to gain access to the Brocade device by doing one of the following:

• ‐ Logging into the device using Telnet or SSH ‐ Entering the Privileged EXEC level or CONFIG level of the CLI

2. The user is prompted for a username and password.

3. The user enters a username and password.

4. The Brocade device sends a request containing the username and password to the TACACS server.

5. The username and password are validated in the TACACS server database.

6. If the password is valid, the user is authenticated.

TACACS+ authentication

When TACACS+ authentication takes place, the following events occur.

1. A user attempts to gain access to the Brocade device by doing one of the following:

• ‐ Logging into the device using Telnet or SSH

‐ Entering the Privileged EXEC level or CONFIG level of the CLI

2. The user is prompted for a username.

3. The user enters a username.

4. The Brocade device obtains a password prompt from a TACACS+ server.

5. The user is prompted for a password.

6. The user enters a password.

7. The Brocade device sends the password to the TACACS+ server.

8. The password is validated in the TACACS+ server database.

9. If the password is valid, the user is authenticated.

44 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

TACACS+ authorization

Brocade devices support two kinds of TACACS+ authorization:

• Exec authorization determines a user privilege level when they are authenticated

• Command authorization consults a TACACS+ server to get authorization for commands entered by the user

When TACACS+ exec authorization takes place, the following events occur.

1. A user logs into the Brocade device using Telnet or SSH

2. The user is authenticated.

3. The Brocade device consults the TACACS+ server to determine the privilege level of the user.

4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level of the user.

5. The user is granted the specified privilege level.

When TACACS+ command authorization takes place, the following events occur.

TACACS+ accounting

TACACS+ accounting works as follows.

1. One of the following events occur on the Brocade device:

• ‐ A user logs into the management interface using Telnet or SSH

‐ A user enters a command for which accounting has been configured ‐ A system event occurs, such as a reboot or reloading of the configuration file

2. The Brocade device checks the configuration to see if the event is one for which TACACS+ accounting is required.

3. If the event requires TACACS+ accounting, the Brocade device sends a TACACS+ Accounting Start packet to the TACACS+ accounting server, containing information about the event.

4. The TACACS+ accounting server acknowledges the Accounting Start packet.

5. The TACACS+ accounting server records information about the event.

6. When the event is concluded, the Brocade device sends an Accounting Stop packet to the TACACS+ accounting server.

7. The TACACS+ accounting server acknowledges the Accounting Stop packet.

AAA operations for TACACS/TACACS+

The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a Brocade device that has TACACS/TACACS+ security configured.

User action

Applicable AAA operations

User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI

FastIron Ethernet Switch Security Configuration Guide 45 53-1003088-03

Enable authentication:

aaa authentication enable default method-list

Exec authorization (TACACS+):

aaa authorization exec default tacacs+

Security Access

User action Applicable AAA operations

System accounting start (TACACS+):

aaa accounting system default start-stop method-list

User logs in using Telnet/SSH Login authentication:

aaa authentication login default method-list

Exec authorization (TACACS+):

aaa authorization exec default tacacs+

Exec accounting start (TACACS+):

aaa accounting exec default method-list

System accounting start (TACACS+):

aaa accounting system default start-stop method-list

User logs out of Telnet/SSH session Command accounting (TACACS+):

aaa accounting commands privilege-level default start-stop methodlist

EXEC accounting stop (TACACS+):

aaa accounting exec default start-stop method-list

User enters system commands

(for example, reload , boot system )

User enters the command:

[no] aaa accounting system defaultstart-stop method-list

User enters other commands Command authorization (TACACS+):

Command authorization (TACACS+):

aaa authorization commands privilege-level default method-list

Command accounting (TACACS+):

aaa accounting commands privilege-level default start-stop methodlist

System accounting stop (TACACS+):

aaa accounting system default start-stop method-list

Command authorization (TACACS+):

aaa authorization commands privilege-level default method-list

Command accounting (TACACS+):

aaa accounting commands privilege-level default start-stop methodlist

System accounting start (TACACS+):

aaa accounting system default start-stop method-list

aaa authorization commands privilege-level default method-list

Command accounting (TACACS+):

aaa accounting commands privilege-level default start-stop methodlist

46 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

AAA security for commands pasted into the running-config

If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were entered manually.

When you paste commands into the running-config, and AAA command authorization or accounting, or both, are configured on the device, AAA operations are performed on the pasted commands. The AAA operations are performed before the commands are actually added to the running-config. The server performing the AAA operations should be reachable when you paste the commands into the runningconfig file. If the device determines that a pasted command is invalid, AAA operations are halted on the remaining commands. The remaining commands may not be executed if command authorization is configured.

TACACS/TACACS+ configuration considerations

• You must deploy at least one TACACS/TACACS+ server in your network.

• Brocade devices support authentication using up to eight TACACS/TACACS+ servers. The device tries to use the servers in the order you add them to the device configuration.

• You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select TACACS+ as the primary authentication method for Telnet CLI access, but you cannot also select RADIUS authentication as a primary method for the same type of access. However, you can configure backup authentication methods for each access type.

• You can configure the Brocade device to authenticate using a TACACS or TACACS+ server, not both.

Configuring TACACS

Follow the procedure given below for TACACS configurations.

1. Identify TACACS servers. Refer to Identifying the TACACS/TACACS+ servers on page 48.

2. Set optional parameters. Refer to Setting optional TACACS and TACACS+ parameters on page

49.

3. Configure authentication-method lists. Refer to Configuring authentication-method lists forTACACS

and TACACS+ on page 50.

Configuring TACACS+

Follow the procedure given below for TACACS+ configurations.

1. Identify TACACS+ servers. Refer to Identifying the TACACS/TACACS+ servers on page 48.

2. Set optional parameters. Refer to Setting optional TACACS and TACACS+ parameters on page

49.

3. Configure authentication-method lists. Refer to Configuring authentication-method lists forTACACS

and TACACS+ on page 50.

4. Optionally configure TACACS+ authorization. Refer to Configuring TACACS+ authorization on page

53.

5. Optionally configure TACACS+ accounting. Refer to TACACS+ accounting configuration on page

55.

FastIron Ethernet Switch Security Configuration Guide 47 53-1003088-03

Enabling TACACS

TACACS is disabled by default. To configure TACACS/TACACS+ authentication parameters, you must enable TACACS by entering the following command.

device(config)#enable snmp config-tacacs

Syntax: [no] enable snmp [ config-radius | config-tacacs ]

The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by default.

The config-tacacs parameter specifies the TACACS configuration mode. TACACS is disabled by default.

Identifying the TACACS/TACACS+ servers

To use TACACS/TACACS+ servers to authenticate access to a Brocade device, you must identify the servers to the Brocade device.

For example, to identify three TACACS/TACACS+ servers, enter commands such as the following.

device(config)#tacacs-server host 10.94.6.161 device(config)#tacacs-server host 10.94.6.191 device(config)#tacacs-server host 10.94.6.122

Syntax: tacacs-server host { ip-addr |ipv6-addr | server-name } [ auth-port number ] [ acctportnumber]

The ip-addr | ipv6-addr | hostname parameter specifies the IP address or host name of the server. You can enter up to eight tacacs-server host commands to specify up to eight different servers.

NOTE

To specify the server's host name instead of its IP address, you must first identify a DNS server using the ip dns server-address ip-addr command at the global CONFIG level.

If you add multiple TACACS/TACACS+ authentication servers to the Brocade device, the device tries to reach them in the order you add them. For example, if you add three servers in the following order, the software tries the servers in the same order.

1. 10.94.6.161

2. 10.94.6.191

3. 10.94.6.122

You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command. For example, to remove 10.94.6.161, enter the following command.

device(config)#no tacacs-server host 10.94.6.161

NOTE

If you erase a tacacs-server command (by entering "no" followed by the command), make sure you also erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (Refer to Configuring authentication-method lists forTACACS and TACACS+ on page 50.) Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not be able to access the system.

48 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Specifying different servers for individual AAA functions

The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example, you can designate one TACACS+ server to handle authorization and another TACACS+ server to handle accounting. You can set the TACACS+ key for each server.

To specify different TACACS+ servers for authentication, authorization, and accounting, enter the command such as following.

device(config)#tacacs-server host 10.2.3.4 auth-port 49 authentication-only key abc device(config)#tacacs-server host 10.2.3.5 auth-port 49 authorization-only key def device(config)#tacacs-server host 10.2.3.6 auth-port 49 accounting-only key ghi

Syntax: tacacs-server host { ip-addr | ipv6-addr | server-name } [ auth-port num ] [ authenticationonly | authorization-only | accounting-only | default ] [ key [ 0 | 1 ] string ]

The default parameter causes the server to be used for all AAA functions.

After authentication takes place, the server that performed the authentication is used for authorization and accounting. If the authenticating server cannot perform the requested function, then the next server in the configured list of servers is tried; this process repeats until a server that can perform the requested function is found, or every server in the configured list has been tried.

Setting optional TACACS and TACACS+ parameters

You can set the following optional parameters in a TACACS and TACACS+ configuration:

• TACACS+ key - This parameter specifies the value that the Brocade device sends to the TACACS+ server when trying to authenticate user access.

• Retransmit interval - This parameter specifies how many times the Brocade device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 - 5 times. The default is 3 times.

• Dead time - This parameter specifies how long the Brocade device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 - 5 seconds. The default is 3 seconds.

• Timeout - This parameter specifies how many seconds the Brocade device waits for a response from a TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 - 15 seconds. The default is 3 seconds.

Setting the TACACS+ key

The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent over the network. The value for the key parameter on the Brocade device should match the one configured on the TACACS+ server. The key can be from 1 - 32 characters in length and cannot include any space characters.

NOTE

The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the Brocade device.

FastIron Ethernet Switch Security Configuration Guide 49 53-1003088-03

Setting the retransmission limit

To specify a TACACS+ server key, enter a command such as following.

device(config)#tacacs-server key rkwong

Syntax: tacacs-server key [ 0 ] string

When you display the configuration of the Brocade device, the TACACS+ keys are encrypted. For example.

device(config)# tacacs-server key abc device(config)#write terminal ... tacacs-server host 10.2.3.5 auth-port 49 tacacs key 2$!2d

NOTE

Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit

The retransmit parameter specifies how many times the Brocade device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit limit can be from 1 - 5 times. The default is 3 times.

To set the TACACS and TACACS+ retransmit limit, enter a command such as the following.

device(config)#tacacs-server retransmit 5

Syntax: tacacs-server retransmit number

Setting the timeout parameter

The timeout parameter specifies how many seconds the Brocade device waits for a response from the TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 - 15 seconds. The default is 3 seconds.

device(config)#tacacs-server timeout 5

Syntax: tacacs-server timeout number

Configuring authentication-method lists forTACACS and TACACS+

You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create authentication-method lists specifically for these access methods, specifying TACACS/TACACS+ as the primary authentication method.

Within the authentication-method list, TACACS/TACACS+ is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If TACACS/TACACS + authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.

50 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Security Access

When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and CONFIG levels of the CLI.

To create an authentication method list that specifies TACACS/TACACS+ as the primary authentication method for securing Telnet/SSH access to the CLI.

device(config)#enable telnet authentication device(config)#aaa authentication login default tacacs local

The commands above cause TACACS/TACACS+ to be the primary authentication method for securing Telnet/SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, authentication is performed using local user accounts instead.

To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI.

device(config)#aaa authentication enable default tacacs local none

The command above causes TACACS/TACACS+ to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.

Syntax: [no] aaa authentication { enable | login default } method 1 [ method 2-7 ]

The web-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.

The method1 parameter specifies the primary authentication method. The remaining optional method parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.

Authentication method values TABLE 3

Method parameter Description

line Authenticate using the password you configured for Telnet access. The Telnet password is

configured using the enable telnet password... command. Refer to Setting a Telnet

password on page 32.

enable Authenticate using the password you configured for the Super User privilege level. This

password is configured using the enable super-user-password... command. Refer to Setting

passwords for management privilege levels on page 32.

local Authenticate using a local user name and password you configured on the device. Local user

names and passwords are configured using the username... command. Refer to Local user

account configuration on page 40.

tacacs Authenticate using the database on a TACACS server. You also must identify the server to

the device using the tacacs-server command.

tacacs+ Authenticate using the database on a TACACS+ server. You also must identify the server to

the device using the tacacs-server command.

radius Authenticate using the database on a RADIUS server. You also must identify the server to the

device using the radius-server command.

FastIron Ethernet Switch Security Configuration Guide 51 53-1003088-03

Entering privileged EXEC mode after a Telnet or SSH login

Authentication method values (Continued)TABLE 3

Method parameter Description

none Do not use any authentication method. The device automatically permits access.

NOTE

For examples of how to define authentication-method lists for types of authentication other than TACACS/TACACS+, refer to Authentication-method lists on page 75.

Entering privileged EXEC mode after a Telnet or SSH login

By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login. To do this, use the following command.

device(config)#aaa authentication login privilege-mode

Syntax: aaa authentication login privilege-mode

The user privilege level is based on the privilege level granted during login.

Configuring enable authentication to prompt for password only

If Enable authentication is configured on the device, when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password. You can configure the Brocade device to prompt only for a password. The device uses the username entered at login, if one is available. If no username was entered at login, the device prompts for both username and password.

To configure the Brocade device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI.

device(config)#aaa authentication enable implicit-user

Syntax: [no] aaa authentication enable implicit-user

Telnet and SSH prompts when the TACACS+ Server is unavailable

When TACACS+ is the first method in the authentication method list, the device displays the login prompt received from the TACACS+ server. If a user attempts to login through Telnet or SSH, but none of the configured TACACS+ servers are available, the following takes place:

• If the next method in the authentication method list is "enable", the login prompt is skipped, and the user is prompted for the Enable password (that is, the password configured with the enable super- user-password command).

• If the next method in the authentication method list is "line", the login prompt is skipped, and the user is prompted for the Line password (that is, the password configured with the enable telnet password command).

52 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Configuring TACACS+ authorization

Brocade devices support TACACS+ authorization for controlling access to management functions in the CLI. Two kinds of TACACS+ authorization are supported:

• Exec authorization determines a user privilege level when they are authenticated

• Command authorization consults a TACACS+ server to get authorization for commands entered by the user

Configuring exec authorization

When TACACS+ exec authorization is performed, the Brocade device consults a TACACS+ server to determine the privilege level of the authenticated user. To configure TACACS+ exec authorization on the Brocade device, enter the following command.

device(config)#aaa authorization exec default tacacs+

Syntax: aaa authorization exec default tacacs+[none]

If you specify none , or omit the aaa authorization exec command from the device configuration, no exec authorization is performed.

A user privilege level is obtained from the TACACS+ server in the "foundry-privlvl" A-V pair. If the aaa authorization exec default tacacs+ command exists in the configuration, the device assigns the user the privilege level specified by this A-V pair. If the command does not exist in the configuration, then the value in the "foundry-privlvl" A-V pair is ignored, and the user is granted Super User access.

NOTE

If the aaa authorization exec default tacacs+ command exists in the configuration, following successful authentication the device assigns the user the privilege level specified by the "foundryprivlvl" A-V pair received from the TACACS+ server. If the aaa authorization exec default tacacs+ command does not exist in the configuration, then the value in the "foundry-privlvl" A-V pair is ignored, and the user is granted Super User access.Also note that in order for the aaa authorization exec default tacacs+ command to work, either theaaa authentication enable default tacacs+ command, or the aaa authentication login privilege-mode command must also exist in the configuration.

Configuring an Attribute-Value pair on the TACACS+ server

During TACACS+ exec authorization, the Brocade device expects the TACACS+ server to send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the Brocade device receives the response, it extracts an A-V pair configured for the Exec service and uses it to determine the user privilege level.

To set a user privilege level, you can configure the "foundry-privlvl" A-V pair for the Exec service on the TACACS+ server.

user=bob { default service = permit member admin #Global password global = cleartext "cat" service = exec { foundry-privlvl = 0 } }

In this example, the A-V pair foundry-privlvl = 0 grants the user full read-write access. The value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values

FastIron Ethernet Switch Security Configuration Guide 53 53-1003088-03

Security Access

are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the foundry-privlvl A-V pair, the default privilege level of 5 (read-only) is used. The foundry-privlvl A-V pair can also be embedded in the group configuration for the user. See your TACACS+ documentation for the configuration syntax relevant to your server.

If the foundry-privlvl A-V pair is not present, the Brocade device extracts the last A-V pair configured for the Exec service that has a numeric value. The Brocade device uses this A-V pair to determine the user privilege level.

user=bob { default service = permit member admin #Global password global = cleartext "cat" service = exec { privlvl = 15 } }

The attribute name in the A-V pair is not significant; the Brocade device uses the last one that has a numeric value. However, the Brocade device interprets the value for a non-"foundry-privlvl" A-V pair differently than it does for a "foundry-privlvl" A-V pair. The following table lists how the Brocade device associates a value from a non-"foundry-privlvl" A-V pair with a Brocade privilege level.

Brocade equivalents for non-"foundry-privlvl" A-V pair values TABLE 4

Value for non-"foundry-privlvl" A-V pair Brocade privilege level

15 0 (super-user)

From 14 - 1 4 (port-config)

Any other number or 0 5 (read-only)

In the example above, the A-V pair configured for the Exec service is privlvl = 15 . The Brocade device uses the value in this A-V pair to set the user privilege level to 0 (super-user), granting the user full read-write access.

In a configuration that has both a "foundry-privlvl" A-V pair and a non-"foundry-privlvl" A-V pair for the Exec service, the non-"foundry-privlvl" A-V pair is ignored.

user=bob { default service = permit member admin #Global password global = cleartext "cat" service = exec { foundry-privlvl = 4 privlvl = 15 } }

In this example, the user would be granted a privilege level of 4 (port-config level). The privlvl = 15 A-V pair is ignored by the Brocade device.

If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5 (read-only) is used.

54 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Configuring command authorization

When TACACS+ command authorization is enabled, the Brocade device consults a TACACS+ server to get authorization for commands entered by the user.

You enable TACACS+ command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Brocade device to perform authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.

device(config)#aaa authorization commands 0 default tacacs+

Syntax: aaa authorization commands privilege-level default [ tacacs+ | radius | none ]

The privilege-level parameter can be one of the following:

• 0 - Authorization is performed for commands available at the Super User level (all commands)

• 4 - Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)

• 5 - Authorization is performed for commands available at the Read Only level (read-only commands)

NOTE

TACACS+ command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console.

TACACS+ command authorization is not performed for the following commands:

• At all levels: exit , logout , end , and quit .

• At the Privileged EXEC level: enable or enable text , where text is the password configured for the Super User privilege level.

If configured, command accounting is performed for these commands.

AAA support for console commands

AAA support for commands entered at the console includes the following:

• Login prompt that uses AAA authentication, using authentication-method Lists

• Exec Authorization

• Exec Accounting

• Command authorization

• Command accounting

• System Accounting

To enable AAA support for commands entered at the console, enter the following command.

device(config)#enable aaa console

Syntax: [no] enable aaa console

TACACS+ accounting configuration

Brocade devices support TACACS+ accounting for recording information about user activity and system events. When you configure TACACS+ accounting on a Brocade device, information is sent to a TACACS+ accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.

FastIron Ethernet Switch Security Configuration Guide 55 53-1003088-03

Configuring TACACS+ accounting for Telnet/SSH (Shell) access

To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Brocade device, and an Accounting Stop packet when the user logs out.

device(config)#aaa accounting exec default start-stop tacacs+

Syntax: aaa accounting exec default start-stop [ tacacs+ | radius | none ]

Configuring TACACS+ accounting for CLI commands

You can configure TACACS+ accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Brocade device to perform TACACS+ accounting for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command.

device(config)#aaa accounting commands 0 default start-stop tacacs+

An Accounting Start packet is sent to the TACACS+ accounting server when a user enters a command, and an Accounting Stop packet is sent when the service provided by the command is completed.

NOTE

If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorization fails for the command, no accounting takes place.

Syntax: aaa accounting commands privilege-level default start-stop [ radius | tacacs+ | none ]

The privilege-level parameter can be one of the following:

• 0 - Records commands available at the Super User level (all commands)

• 4 - Records commands available at the Port Configuration level (port-config and read-only commands)

• 5 - Records commands available at the Read Only level (read-only commands)

Configuring TACACS+ accounting for system events

You can configure TACACS+ accounting to record when system events occur on the Brocade device. System events include rebooting and when changes to the active configuration are made.

The following command causes an Accounting Start packet to be sent to the TACACS+ accounting server when a system event occurs, and a Accounting Stop packet to be sent when the system event is completed.

device(config)#aaa accounting system default start-stop tacacs+

Syntax: aaa accounting system default start-stop [ radius | tacacs+ | none ]

Configuring an interface as the source for allTACACS and TACACS+ packets

You can designate the lowest-numbered IP address configured an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS/TACACS+ packets from the Layer 3

56 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Displaying TACACS/TACACS+ statistics andconfiguration information

Switch. For configuration details, see "Specifying a single source interface for specified packet types" section in the FastIron Ethernet Switch Layer 3 Routing Configuration Guide .

Displaying TACACS/TACACS+ statistics andconfiguration information

The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device.

device#show aaa Tacacs+ key: foundry Tacacs+ retries: 1 Tacacs+ timeout: 15 seconds Tacacs+ dead-time: 3 minutes Tacacs+ Server: 10.95.6.90 Port:49: opens=6 closes=3 timeouts=3 errors=0 packets in=4 packets out=4 no connection Radius key: networks Radius retries: 3 Radius timeout: 3 seconds Radius dead-time: 3 minutes Radius Server: 10.95.6.90 Auth Port=1645 Acct Port=1646: opens=2 closes=1 timeouts=1 errors=0 packets in=1 packets out=4 no connection

The following table describes the TACACS/TACACS+ information displayed by the show aaa command.

Output of the show aaa command for TACACS/TACACS+TABLE 5

Field Description

Tacacs+ key The setting configured with the tacacs-server key command. At the Super User privilege

Tacacs+ retries The setting configured with the tacacs-server retransmit command.

Tacacs+ timeout The setting configured with the tacacs-server timeout command.

Tacacs+ dead-time The setting configured with the tacacs-server dead-time command.

Tacacs+ Server For each TACACS/TACACS+ server, the IP address, port, and the following statistics are

connection The current connection status. This can be "no connection" or "connection active".

level, the actual text of the key is displayed. At the other privilege levels, a string of periods

(....) is displayed instead of the text.

displayed:

• opens - Number of times the port was opened for communication with the server

• closes - Number of times the port was closed normally

• timeouts - Number of times port was closed due to a timeout

• errors - Number of times an error occurred while opening the port

• packets in - Number of packets received from the server

• packets out - Number of packets sent to the server

FastIron Ethernet Switch Security Configuration Guide 57 53-1003088-03

RADIUS security

You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the Brocade Layer 2 Switch or Layer 3 Switch:

• Telnet access

• SSH access

• Access to the Privileged EXEC level and CONFIG levels of the CLI

RADIUS authentication, authorization, and accounting

When RADIUS authentication is implemented, the Brocade device consults a RADIUS server to verify user names and passwords. You can optionally configure RADIUS authorization , in which the Brocade device consults a list of commands supplied by the RADIUS server to determine whether a user can issue a command he or she has entered, as well as accounting , which causes the Brocade device to log information on a RADIUS accounting server when specified events occur on the device.

RADIUS authentication

When RADIUS authentication takes place, the following events occur.

1. A user attempts to gain access to the Brocade device by doing one of the following:

• ‐ Logging into the device using Telnet or SSH

‐ Entering the Privileged EXEC level or CONFIG level of the CLI

2. The user is prompted for a username and password.

3. The user enters a username and password.

4. The Brocade device sends a RADIUS Access-Request packet containing the username and password to the RADIUS server.

5. The RADIUS server validates the Brocade device using a shared secret (the RADIUS key).

6. The RADIUS server looks up the username in its database.

7. If the username is found in the database, the RADIUS server validates the password.

8. If the password is valid, the RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user. Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:

• ‐ The privilege level of the user

‐ A list of commands ‐ Whether the user is allowed or denied usage of the commands in the list

The last two attributes are used with RADIUS authorization, if configured.

9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the Brocade device. The user is granted the specified privilege level. If you configure RADIUS authorization, the user is allowed or denied usage of the commands in the list.

RADIUS authorization

When RADIUS authorization takes place, the following events occur.

1. A user previously authenticated by a RADIUS server enters a command on the Brocade device.

2. The Brocade device looks at its configuration to see if the command is at a privilege level that requires RADIUS command authorization.

58 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

RADIUS accounting

3. If the command belongs to a privilege level that requires authorization, the Brocade device looks at the list of commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of the commands in the list.)

NOTE

After RADIUS authentication takes place, the command list resides on the Brocade device. The RADIUS server is not consulted again once the user has been authenticated. This means that any changes made to the user command list on the RADIUS server are not reflected until the next time the user is authenticated by the RADIUS server, and the new command list is sent to the Brocade device.

4. If the command list indicates that the user is authorized to use the command, the command is executed.

RADIUS accounting

RADIUS accounting works as follows.

1. One of the following events occur on the Brocade device:

• ‐ A user logs into the management interface using Telnet or SSH

‐ A user enters a command for which accounting has been configured ‐ A system event occurs, such as a reboot or reloading of the configuration file

2. The Brocade device checks its configuration to see if the event is one for which RADIUS accounting is required.

3. If the event requires RADIUS accounting, the Brocade device sends a RADIUS Accounting Start packet to the RADIUS accounting server, containing information about the event.

4. The RADIUS accounting server acknowledges the Accounting Start packet.

5. The RADIUS accounting server records information about the event.

6. When the event is concluded, the Brocade device sends an Accounting Stop packet to the RADIUS accounting server.

7. The RADIUS accounting server acknowledges the Accounting Stop packet.

AAA operations for RADIUS

The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a Brocade device that has RADIUS security configured.

User action

User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI

User logs in using Telnet/SSH Login authentication:

FastIron Ethernet Switch Security Configuration Guide 59 53-1003088-03

Applicable AAA operations

Enable authentication:

aaa authentication enable default method-list

System accounting start:

aaa accounting system default start-stop method-list

aaa authentication login default method-list

AAA security for commands pasted Into the running-config

User action Applicable AAA operations

User logs out of Telnet/SSH session Command authorization for logout command:

EXEC accounting Start:

aaa accounting exec default start-stop method-list

System accounting Start:

aaa accounting system default start-stop method-list

aaa authorization commands privilege-level default method-list

Command accounting:

aaa accounting commands privilege-level default start-stop methodlist

EXEC accounting stop:

aaa accounting exec default start-stop method-list

User enters system commands

(for example, reload , boot system )

User enters the command:

[no] aaa accounting system defaultstart-stop method-list

User enters other commands Command authorization:

Command authorization:

aaa authorization commands privilege -level default method-list

Command accounting:

aaa accounting commands privilege-level default start-stop methodlist

System accounting stop:

aaa accounting system default start-stop method-list

Command authorization:

aaa authorization commands privilege-level default method-list

Command accounting:

aaa accounting commands privilege-level default start-stop methodlist

System accounting start:

aaa accounting system default start-stop method-list

aaa authorization commands privilege-level default method-list

Command accounting:

aaa accounting commands privilege-level default start-stop methodlist

AAA security for commands pasted Into the running-config

If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were entered manually.

When you paste commands into the running-config, and AAA command authorization or accounting, or both, are configured on the device, AAA operations are performed on the pasted commands. The

60 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

RADIUS configuration considerations

AAA operations are performed before the commands are actually added to the running-config. The server performing the AAA operations should be reachable when you paste the commands into the running-config file. If the device determines that a pasted command is invalid, AAA operations are halted on the remaining commands. The remaining commands may not be issued if command authorization is configured.

NOTE

Since RADIUS command authorization relies on a list of commands received from the RADIUS server when authentication is performed, it is important that you use RADIUS authentication when you also use RADIUS command authorization.

RADIUS configuration considerations

• You must deploy at least one RADIUS server in your network.

• Brocade devices support authentication using up to eight RADIUS servers, including those used for

802.1X authentication and for management. The device tries to use the servers in the order you add them to the device configuration. If one RADIUS server times out (does not respond), the Brocade device tries the next one in the list. Servers are tried in the same sequence each time there is a request.

• You can optionally configure a RADIUS server as a port server , indicating that the server will be used only to authenticate users on ports to which it is mapped, as opposed to globally authenticating users on all ports of the device. In earlier releases, all configured RADIUS servers are "global" servers and apply to users on all ports of the device. Refer to RADIUS server per port on page 64.

• You can map up to eight RADIUS servers to each port on the Brocade device. The port will authenticate users using only the RADIUS servers to which it is mapped. If there are no RADIUS servers mapped to a port, it will use the "global" servers for authentication. In earlier releases, all RADIUS servers are "global" servers and cannot be bound to individual ports. Refer to RADIUS

server to individual ports mapping on page 65.

• You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.

Configuring RADIUS

Follow the procedure given below to configure a Brocade device for RADIUS.

1. Configure Brocade vendor-specific attributes on the RADIUS server. Refer to Brocade-specific

attributes on the RADIUS server on page 62.

2. Identify the RADIUS server to the Brocade device. Refer to Identifying the RADIUS server to the

Brocade device on page 64.

3. Optionally specify different servers for individual AAA functions. Refer to Specifying different servers

for individual AAA functions on page 64.

4. Optionally configure the RADIUS server as a "port only" server. Refer to RADIUS server per port on page 64.

5. Optionally bind the RADIUS servers to ports on the Brocade device. Refer to RADIUS server to

individual ports mapping on page 65.

6. Set RADIUS parameters. Refer to RADIUS parameters on page 66.

7. Configure authentication-method lists. Refer to Setting authentication-method lists for RADIUS on page 67.

FastIron Ethernet Switch Security Configuration Guide 61 53-1003088-03

Brocade-specific attributes on the RADIUS server

8. Optionally configure RADIUS authorization. Refer to RADIUS authorization on page 69.

9. Optionally configure RADIUS accounting. Refer to RADIUS accounting on page 71.

Brocade-specific attributes on the RADIUS server

NOTE

For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication.

During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user. Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:

• The privilege level of the user

• A list of commands

• Whether the user is allowed or denied usage of the commands in the list

You must add these three Brocade vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the Brocade device.

Brocade Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Brocade vendorspecific attributes.

Brocade vendor-specific attributes for RADIUS TABLE 6

Attribute name Attribute ID Data type Description

foundry-privilegelevel

foundry-commandstring

1 integer Specifies the privilege level for the user. This attribute can be set

to one of the following:

• 0 - Super User level - Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.

• 4 - Port Configuration level - Allows read-and-write access for specific ports but not for global (system-wide) parameters.

• 5 - Read Only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.

2 string Specifies a list of CLI commands that are permitted or denied to

the user when RADIUS authorization is configured.

The commands are delimited by semi-colons (;). You can specify an asterisk (*) as a wildcard at the end of a command string.

For example, the following command list specifies all show and debug ip commands, as well as the write terminal command:

show *; debug ip *; write term*

62 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Brocade vendor-specific attributes for RADIUS (Continued)TABLE 6

Attribute name Attribute ID Data type Description

Enabling SNMP to configure RADIUS

foundry-commandexception-flag

foundry-access-list 5 string Specifies the access control list to be used for RADIUS

foundry-MACauthent-needs-802x

foundry-802.1x-validlookup

3 integer Specifies whether the commands indicated by the foundry-

command-string attribute are permitted or denied to the user. This attribute can be set to one of the following:

• 0 - Permit execution of the commands indicated by foundrycommand-string, deny all other commands.

• 1 - Deny execution of the commands indicated by foundrycommand-string, permit all other commands.

authorization. Enter the access control list in the following format.

type=string, value="ipacl.[e|s].[in|out] = [ acl-name | acl-number ] separator macfilter.in = [ acl-name | acl-number ]

Where:

• separator can be a space, newline, semicolon, comma, or null characater

• ipacl.e is an extended ACL; ipacl.s is a standard ACL.

6 integer Specifies whether or not 802.1x authentication is required and

enabled.

0 - Disabled

1 - Enabled

7 integer Specifies if 802.1x lookup is enabled:

0 - Disabled

1 - Enabled

foundry-MAC-basedVLAN-QOS

8 integer Specifies the priority for MAC-based VLAN QOS:

0 - qos_priority_0

1 - qos_priority_1

2 - qos_priority_2

3 - qos_priority_3

4 - qos_priority_4

5 - qos_priority_5

6 - qos_priority_6

7 - qos_priority_7

Enabling SNMP to configure RADIUS

To enable SNMP access to RADIUS MIB objects on the device, enter a command such as the following.

device(config)#enable snmp config-radius

Syntax: [no] enable snmp [ config-radius |config-tacacs ]

FastIron Ethernet Switch Security Configuration Guide 63 53-1003088-03

Identifying the RADIUS server to the Brocade device

The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by default.

The config-tacacs parameter specifies the TACACS configuration mode. TACACS is disabled by default.

Identifying the RADIUS server to the Brocade device

To use a RADIUS server to authenticate access to a Brocade device, you must identify the server to the Brocade device.

device(config)#radius-server host 10.157.22.99

Syntax: radius-server host { ip-addr |ipv6-addr | hostname } [ auth-port number ]

The host ip-addr | ipv6-addr | server-name parameter is either an IP address or an ASCII text string.

The auth-port parameter is the Authentication port number. The default is 1645.

The acct-port parameter is the Accounting port number. The default is 1646.

Specifying different servers for individual AAA functions

In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting. You can specify individual servers for authentication and accounting, but not for authorization. You can set the RADIUS key for each server.

To specify different RADIUS servers for authentication, authorization, and accounting, enter commands such as the following.

device(config)# radius-server host 10.2.3.4 authentication-only key abc device(config)# radius-server host 10.2.3.5 authorization-only key def device(config)# radius-server host 10.2.3.6 accounting-only key ghi

Syntax: radius-server host { ip-addr | ipv6-addr | server-name } [ auth-port number ] [ acct-port number ] [ authentication-only | authorization-only | accounting-only | default ] [ key { [ 0 | 2 ] string } ]

The default parameter causes the server to be used for all AAA functions.

RADIUS server per port

You can optionally configure a RADIUS server per port, indicating that it will be used only to authenticate users on ports to which it is mapped. A RADIUS server that is not explicitly configured as a RADIUS server per port is a global server , and can be used to authenticate users on ports to which no RADIUS servers are mapped.

64 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

RADIUS server per port configuration notes

• This feature works with 802.1X and multi-device port authentication only.

• You can define up to eight RADIUS servers per Brocade device.

RADIUS configuration example and command syntax

The following shows an example configuration.

device(config)#radius-server host 10.10.10.103 auth-port 1812 acct-port 1813 default key mykeyword dot1x port-only device(config)#radius-server host 10.10.10.104 auth-port 1812 acct-port 1813 default key mykeyword dot1x port-only device(config)#radius-server host 10.10.10.105 auth-port 1812 acct-port 1813 default key mykeyword dot1x device(config)#radius-server host 10.10.10.106 auth-port 1812 acct-port 1813 default key mykeyword dot1x

The above configuration has the following affect:

• RADIUS servers 10.10.10.103 and 10.10.10.104 will be used only to authenticate users on ports to which the servers are mapped. To map a RADIUS server to a port, refer to RADIUS server to

individual ports mapping on page 65.

• RADIUS servers 10.10.10.105 and 10.10.10.106 will be used to authenticate users on ports to which no RADIUS servers are mapped. For example, port e 9, to which no RADIUS servers are mapped, will send a RADIUS request to the first configured RADIUS server, 10.10.10.105. If the request fails, it will go to the second configured RADIUS server, 10.10.10.106. It will not send requests to

10.10.10.103 or 10.10.10.104, since these servers are configured as port servers.

Syntax: radius-server host { ip-addr | server-name } [ auth-port number ] [ acct-portnumber] [default key string dot1x] [port-only]

The host ip-addr is the IPv4 address.

The auth-port number parameter is the Authentication port number; it is an optional parameter. The default is 1645.

The acct-port number parameter is the Accounting port number; it is an optional parameter. The default is 1646.

The default key string dot1x parameter indicates that this RADIUS server supports the 802.1X standard. A RADIUS server that supports the 802.1X standard can also be used to authenticate non-802.1X authentication requests.

The port-only parameter is optional and specifies that the server will be used only to authenticate users on ports to which it is mapped.

RADIUS server to individual ports mapping

You can map up to eight RADIUS servers to each port on the Brocade device. The port will authenticate users using only the RADIUS servers to which the port is mapped. If there are no RADIUS servers mapped to a port, it will use the "global" servers for authentication.

As in previous releases, a port goes through the list of servers in the order in which it was mapped or configured, until a server that can perform the requested function is found, or until every server in the list has been tried.

FastIron Ethernet Switch Security Configuration Guide 65 53-1003088-03

RADIUS server-to-ports configuration notes

• This feature works with 802.1X and multi-device port authentication only.

• You can map a RADIUS server to a physical port only. You cannot map a RADIUS server to a VE.

RADIUS server-to-ports configuration example and command syntax

To map a RADIUS server to a port, enter commands such as the following.

device(config)#int e 3 device(config-if-e1000-3)#dot1x port-control auto device(config-if-e1000-3)#use-radius-server 10.10.10.103 device(config-if-e1000-3)#use-radius-server 10.10.10.110

With the above configuration, port e 3 would send a RADIUS request to 10.10.10.103 first, since it is the first server mapped to the port. If it fails, it will go to 10.10.10.110.

Syntax: use-radius-server ip-addr

The host ip-addr is an IPv4 address.

RADIUS parameters

You can set the following parameters in a RADIUS configuration:

• RADIUS key - This parameter specifies the value that the Brocade device sends to the RADIUS server when trying to authenticate user access.

• Retransmit interval - This parameter specifies how many times the Brocade device will resend an authentication request when the RADIUS server does not respond. The retransmit value can be from 1 - 5 times. The default is 3 times.

• Timeout - This parameter specifies how many seconds the Brocade device waits for a response from a RADIUS server before either retrying the authentication request, or determining that the RADIUS servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 - 15 seconds. The default is 3 seconds.

Setting the RADIUS key

The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over the network. The value for the key parameter on the Brocade device should match the one configured on the RADIUS server. The key can be from 1 - 32 characters in length and cannot include any space characters.

To specify a RADIUS server key, enter a command such as the following.

device(config)#radius-server key mirabeau

Syntax: radius-server key [ 0 ] string

When you display the configuration of the Brocade device, the RADIUS key is encrypted.

Brocade(config)#radius-server key abc Brocade(config)#write terminal ... Brocade(config)#sh run | in radius radius-server key abc

66 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Setting the retransmission limit

NOTE

Encryption of the RADIUS keys is done by default and the default value is 2 ( SIMPLE_ENCRYPTION_BASE64). The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit

The retransmit parameter specifies the maximum number of retransmission attempts. When an authentication request times out, the Brocade software will retransmit the request up to the maximum number of retransmissions configured. The default retransmit value is 3 retries. The range of retransmit values is from 1 - 5.

To set the RADIUS retransmit limit, enter a command such as the following.

device(config)#radius-server retransmit 5

Syntax: tacacs-server retransmit number

Setting the timeout parameter

The timeout parameter specifies how many seconds the Brocade device waits for a response from the RADIUS server before either retrying the authentication request, or determining that the RADIUS server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 - 15 seconds. The default is 3 seconds.

device(config)#radius-server timeout 5

Syntax: radius-server timeout number

Setting RADIUS over IPv6

Brocade devices support the ability to send RADIUS packets over an IPv6 network.

To enable the Brocade device to send RADIUS packets over IPv6, enter a command such as the following at the Global CONFIG level of the CLI.

device(config)#radius-server host ipv6 2001:DB8::300

Syntax: radius-server host ipv6 ipv6-host-address

The ipv6-host address is the IPv6 address of the RADIUS server. When you enter the IPv6 host address, you do not need to specify the prefix length. A prefix length of 128 is implied.

Setting authentication-method lists for RADIUS

You can use RADIUS to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels of the CLI. When configuring RADIUS authentication, you create authentication-method lists specifically for these access methods, specifying RADIUS as the primary authentication method.

Within the authentication-method list, RADIUS is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If RADIUS authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.

FastIron Ethernet Switch Security Configuration Guide 67 53-1003088-03

Security Access

When you configure authentication-method lists for RADIUS, you must create a separate authentication-method list for Telnet or SSH CLI access and for CLI access to the Privileged EXEC level and CONFIG levels of the CLI.

To create an authentication-method list that specifies RADIUS as the primary authentication method for securing Telnet access to the CLI.

device(config)#enable telnet authentication device(config)#aaa authentication login default radius local

The commands above cause RADIUS to be the primary authentication method for securing Telnet access to the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead.

To create an authentication-method list that specifies RADIUS as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI.

device(config)#aaa authentication enable default radius local none

The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.

Syntax: [no] aaa authentication { enable | login default } method 1 [ method 2-7 ]

The aaa authentication | enable | login parameter specifies the type of access this authenticationmethod list controls. You can configure one authentication-method list for each type of access.

Authentication method values TABLE 7

Method parameter Description

line Authenticate using the password you configured for Telnet access. The Telnet password is

configured using the enable telnet password... command. Refer to Setting a Telnet

password on page 32.

enable Authenticate using the password you configured for the Super User privilege level. This

password is configured using the enable super-user-password... command. Refer to

Setting passwords for management privilege levels on page 32.

local Authenticate using a local user name and password you configured on the device. Local

user names and passwords are configured using the username... command. Refer to Local

user account configuration on page 40.

tacacs Authenticate using the database on a TACACS server. You also must identify the server to

the device using the tacacs-server command.

tacacs+ Authenticate using the database on a TACACS+ server. You also must identify the server to

the device using the tacacs-server command.

radius Authenticate using the database on a RADIUS server. You also must identify the server to

the device using the radius-server command.

68 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Entering privileged EXEC mode after a Telnet or SSH login

Authentication method values (Continued)TABLE 7

Method parameter Description

none Do not use any authentication method. The device automatically permits access.

NOTE

For examples of how to define authentication-method lists for types of authentication other than RADIUS, refer to Authentication-method lists on page 75.

Entering privileged EXEC mode after a Telnet or SSH login

device(config)#aaa authentication login privilege-mode

Syntax: aaa authentication login privilege-mode

The user privilege level is based on the privilege level granted during login.

Configuring enable authentication to prompt for password only

To configure the Brocade device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI.

device(config)#aaa authentication enable implicit-user

Syntax: [no] aaa authentication enable implicit-user

RADIUS authorization

Brocade devices support RADIUS authorization for controlling access to management functions in the CLI. Two kinds of RADIUS authorization are supported:

• Exec authorization determines a user privilege level when they are authenticated

• Command authorization consults a RADIUS server to get authorization for commands entered by the user

Configuring exec authorization

When RADIUS exec authorization is performed, the Brocade device consults a RADIUS server to determine the privilege level of the authenticated user. To configure RADIUS exec authorization on the Brocade device, enter the following command.

device(config)#aaa authorization exec default radius

FastIron Ethernet Switch Security Configuration Guide 69 53-1003088-03

Configuring command authorization

Syntax: aaa authorization exec default [ radius | none ]

If you specify none , or omit the aaa authorization exec command from the device configuration, no exec authorization is performed.

NOTE

If the aaa authorization exec default radius command exists in the configuration, following successful authentication the device assigns the user the privilege level specified by the foundryprivilege-level attribute received from the RADIUS server. If the aaa authorization exec default radius command does not exist in the configuration, then the value in the foundry-privilege-level attribute is ignored, and the user is granted Super User access.Also note that in order for the aaa

authorization exec default radius command to work, either theaaa authentication enable default radius command, or the aaa authentication login privilege-mode command must also exist in the

configuration.

Configuring command authorization

When RADIUS command authorization is enabled, the Brocade device consults the list of commands supplied by the RADIUS server during authentication to determine whether a user can issue a command he or she has entered.

You enable RADIUS command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Brocade device to perform authorization for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command.

device(config)#aaa authorization commands 0 default radius

Syntax: aaa authorization commands privilege-level default [ tacacs+ | radius | none ]

The privilege-level parameter can be one of the following:

• 0 - Authorization is performed (that is, the Brocade device looks at the command list) for commands available at the Super User level (all commands)

• 4 - Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)

• 5 - Authorization is performed for commands available at the Read Only level (read-only commands)

NOTE

RADIUS command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console.

NOTE

Since RADIUS command authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.

70 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Command authorization and accounting for console commands

The Brocade device supports command authorization and command accounting for CLI commands entered at the console. To configure the device to perform command authorization and command accounting for console commands, enter the following.

device(config)#enable aaa console

Syntax: [no] enable aaa console

CAUTION

If you have previously configured the device to perform command authorization using a RADIUS server, entering the enable aaa console command may prevent the execution of any subsequent commands entered on the console. This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS server. This list is obtained during RADIUS authentication. For console sessions, RADIUS authentication is performed only if you have configured Enable authentication and specified RADIUS as the authentication method (for example, with the aaa authentication enable default radius command). If RADIUS authentication is never performed, the list of allowable commands is never obtained from the RADIUS server. Consequently, there would be no allowable commands on the console.

RADIUS accounting

Brocade devices support RADIUS accounting for recording information about user activity and system events. When you configure RADIUS accounting on a Brocade device, information is sent to a RADIUS accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.

Configuring RADIUS accounting for Telnet/SSH (Shell) access

To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a Telnet or SSH session on the Brocade device, and an Accounting Stop packet when the user logs out.

device(config)#aaa accounting exec default start-stop radius

Syntax: aaa accounting exec default start-stop [ radius | tacacs+ | none ]

Configuring RADIUS accounting for CLI commands

You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Brocade device to perform RADIUS accounting for the commands available at the Super User privilege level (that is; all commands on the device), enter the following command.

device(config)#aaa accounting commands 0 default start-stop radius

An Accounting Start packet is sent to the RADIUS accounting server when a user enters a command, and an Accounting Stop packet is sent when the service provided by the command is completed.

FastIron Ethernet Switch Security Configuration Guide 71 53-1003088-03

Configuring RADIUS accounting for system events

NOTE

If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorization fails for the command, no accounting takes place.

Syntax: aaa accounting commands privilege-level default start-stop [ radius | tacacs | none ]

The privilege-level parameter can be one of the following:

• 0 - Records commands available at the Super User level (all commands)

• 4 - Records commands available at the Port Configuration level (port-config and read-only commands)

• 5 - Records commands available at the Read Only level (read-only commands)

Configuring RADIUS accounting for system events

You can configure RADIUS accounting to record when system events occur on the Brocade device. System events include rebooting and when changes to the active configuration are made.

The following command causes an Accounting Start packet to be sent to the RADIUS accounting server when a system event occurs, and a Accounting Stop packet to be sent when the system event is completed.

device(config)#aaa accounting system default start-stop radius

Syntax: aaa accounting system default start-stop [ radius | tacacs+ | none ]

Configuring an interface as the source for allRADIUS packets

You can designate the lowest-numbered IP address configured an Ethernet port, loopback interface, or virtual interface as the source IP address for all RADIUS packets from the Layer 3 Switch. For configuration details, see "Specifying a single source interface for specified packet types" section in the FastIron Ethernet Switch Layer 3 Routing Configuration Guide .

Displaying RADIUS configuration information

The show aaa command displays information about all TACACS/TACACS+ and RADIUS servers identified on the device.

device#show aaa Tacacs+ key: foundry Tacacs+ retries: 1 Tacacs+ timeout: 15 seconds Tacacs+ Server: 10.95.6.90 Port:49: opens=6 closes=3 timeouts=3 errors=0 packets in=4 packets out=4 no connection Radius key: networks Radius retries: 3 Radius timeout: 3 seconds Radius Server: 10.95.6.90 Auth Port=1645 Acct Port=1646: opens=2 closes=1 timeouts=1 errors=0 packets in=1 packets out=4 no connection

The following table describes the RADIUS information displayed by the show aaa command.

72 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Output of the show aaa command for RADIUS TABLE 8

Field Description

SSL security

Radius key The setting configured with the radius-server key command. At the Super User privilege level,

the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is

displayed instead of the text.

Radius retries The setting configured with the radius-server retransmit command.

Radius timeout The setting configured with the radius-server timeout command.

Radius Server For each RADIUS server, the IP address, and the following statistics are displayed:

Auth Port RADIUS authentication port number (default 1645)

Acct Port RADIUS accounting port number (default 1646)

• opens - Number of times the port was opened for communication with the server

• closes - Number of times the port was closed normally

• timeouts - Number of times port was closed due to a timeout

• errors - Number of times an error occurred while opening the port

• packets in - Number of packets received from the server

• packets out - Number of packets sent to the server

connection The current connection status. This can be "no connection" or "connection active".

SSL security

The Brocade device supports Secure Sockets Layer / Transport Level Security (SSL 3.0 / TLS 1.0).

When enabled, the SSL protocol uses digital certificates and public-private key pairs to establish a secure connection to the Brocade device. Digital certificates serve to prove the identity of a connecting client, and public-private key pairs provide a means to encrypt data sent between the device and the client.

Configuring SSL consists of the following tasks:

1. Importing an RSA certificate and private key file from a client (optional)

2. Generating a certificate

Specifying a port for SSL communication

By default, SSL protocol exchanges occur on TCP port 443. You can optionally change the port number used for SSL communication.

For example, the following command causes the device to use TCP port 334 for SSL communication.

Brocade(config)#ip ssl port 334

Syntax: [no] ip ssl port port-number

The default port for SSL communication is 443.

FastIron Ethernet Switch Security Configuration Guide 73 53-1003088-03

Changing the SSL server certificate key size

The default key size for Brocade-issued and imported digital certificates is 1024 bits. If desired, you can change the default key size to a value of 512, 2048, or 4096 bits. To do so, enter a command such as the following at the Global CONFIG level of the CLI.

Brocade(config)#ip ssl cert-key-size 512

Syntax: ip ssl cert-key-size <512/ 1024/ 2048/ 4096>

NOTE

The SSL server certificate key size applies only to digital certificates issued by Brocade and does not apply to imported certificates.

Support for SSL digital certificates larger than 2048 bits

Brocade devices have the ability to store and retrieve SSL digital certificates that are up to 4000 bits in size.

Support for SSL certificates larger than 2048 bits is automatically enabled. You do not need to perform any configuration procedures to enable it.

Importing digital certificates and RSA private key files

To allow a client to communicate with other Brocade device using an SSL connection, you configure a set of digital certificates and RSA public-private key pairs on the device. A digital certificate is used for identifying the connecting client to the server. It contains information about the issuing Certificate Authority, as well as a public key. You can either import digital certificates and private keys from a server, or you can allow the Brocade device to create them.

If you want to allow the Brocade device to create the digital certificates, refer to the next section,

Generating an SSL certificate on page 75. If you choose to import an RSA certificate and private key

file from a client, you can use TFTP to transfer the files.

For example, to import a digital certificate using TFTP, enter a command such as the following:

Brocade(config)#ip ssl certificate-data-file tftp 192.168.9.210 certfile

Syntax: [no] ip ssl certificate-data-file tftpip-address certificate-filename

To import an RSA private key from a client using TFTP, enter a command such as the following:

Brocade(config)#ip ssl private-key-file tftp 192.168.9.210 keyfile

Syntax: [no] ip ssl private-key-file tftp ip-address key-filename

The ip-address is the IP address of a TFTP server that contains the digital certificate or private key.

NOTE

The RSA key can be up to 4096 bits.

74 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Generating an SSL certificate

If the certificate does not automatically generate, enter the following command to generate it.

Brocade(config)#crypto-ssl certificate generate

Syntax: [no] crypto-ssl certificate generate

If you did not already import a digital certificate from a client, the device can create a default certificate. To do this, enter the following command.

Brocade(config)#crypto-ssl certificate generate default_cert

Syntax: [no] crypto-ssl certificate generate default_cert

Deleting the SSL certificate

To delete the SSL certificate, enter the following command.

Brocade(config)#crypto-ssl certificate zeroize

Syntax: [no] crypto-ssl certificate zeroize

Authentication-method lists

To implement one or more authentication methods for securing access to the device, you configure authentication-method lists that set the order in which the authentication methods are consulted.

In an authentication-method list, you specify the access method (Telnet, SNMP, and so on) and the order in which the device tries one or more of the following authentication methods:

• Local Telnet login password

• Local password for the Super User privilege level

• Local user accounts configured on the device

• Database on a TACACS or TACACS+ server

• Database on a RADIUS server

• No authentication

NOTE

The TACACS/TACACS+, RADIUS, and Telnet login password authentication methods are not supported for SNMP access.

NOTE

To authenticate Telnet access to the CLI, you also must enable the authentication by entering the

enable telnet authentication command at the global CONFIG level of the CLI.

NOTE

You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses. Refer to ACL usage to restrict remote access on page 23 or Remote access restrictions on page 25.

FastIron Ethernet Switch Security Configuration Guide 75 53-1003088-03

Configuration considerations for authentication-method lists

In an authentication-method list for a particular access method, you can specify up to seven authentication methods. If the first authentication method is successful, the software grants access and stops the authentication process. If the access is rejected by the first authentication method, the software denies access and stops checking.

However, if an error occurs with an authentication method, the software tries the next method on the list, and so on. For example, if the first authentication method is the RADIUS server, but the link to the server is down, the software will try the next authentication method in the list.

NOTE

If an authentication method is working properly and the password (and user name, if applicable) is not known to that method, this is not an error. The authentication attempt stops, and the user is denied access.

The software will continue this process until either the authentication method is passed or the software reaches the end of the method list. If the Super User level password is not rejected after all the access methods in the list have been tried, access is granted.

Configuration considerations for authentication-method lists

• For CLI access, you must configure authentication-method lists if you want the device to authenticate access using local user accounts or a RADIUS server. Otherwise, the device will authenticate using only the locally based password for the Super User privilege level.

Examples of authentication-method lists

The following examples show how to configure authentication-method lists. In these examples, the primary authentication method for each is "local". The device will authenticate access attempts using the locally configured usernames and passwords.

The command syntax for each of the following examples is provided in the Command Syntax section.

Example 1

To configure an authentication-method list for SNMP, enter a command such as the following.

device(config)#aaa authentication snmp-server default local

This command allows certain incoming SNMP SET operations to be authenticated using the locally configured usernames and passwords. When this command is enabled, community string validation is not performed for incoming SNMP V1 and V2c packets. This command takes effect as long as the first varbind for SNMP packets is set to one of the following:

• snAgGblPassword=" username password " (for AAA method local)

• snAgGblPassword=" password " (for AAA method line, enable)

NOTE

Certain SNMP objects need additional validation. These objects include but are not limited to:

snAgReload , snAgWriteNVRAM , snAgConfigFromNVRAM , snAgImgLoad , snAgCfgLoad and snAgGblTelnetPassword . For more information, see snAgGblPassword in the IronWare MIB

Reference Guide>.

If AAA is set up to check both the username and password, the string contains the username, followed by a space then the password. If AAA is set up to authenticate with the current Enable or Line password, the string contains the password only.

76 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Security Access

Note that the above configuration can be overridden by the command no snmp-server pw-check , which disables password checking for SNMP SET requests.

Example 2

To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the following command.

device(config)#aaa authentication enable default local

This command configures the device to use the local user accounts to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI.

Example 3

To configure the device to consult a RADIUS server first to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI, then consult the local user accounts if the RADIUS server is unavailable, enter the following command.

device(config)#aaa authentication enable default radius local

Command Syntax

The following is the command syntax for the preceding examples.

Syntax: [no] aaa authentication { snmp-server | web-server | enable | login default } method 1 [ method 2-7 ]

The snmp-server | web-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.

NOTE

Web management is not supported in Release 8.0.00a and later releases. If web management is enabled, you must configure the no web-management command to disable it.

NOTE

TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters.

Authentication method values TABLE 9

Method parameter Description

line Authenticate using the password you configured for Telnet access. The Telnet password is

configured using the enable telnet password... command. Refer to Setting a Telnet

password on page 32.

enable Authenticate using the password you configured for the Super User privilege level. This

password is configured using the enable super-user-password... command. Refer to Setting

passwords for management privilege levels on page 32.

FastIron Ethernet Switch Security Configuration Guide 77 53-1003088-03

TCP Flags - edge port security

Method parameter Description

local Authenticate using a local user name and password you configured on the device. Local user

tacacs Authenticate using the database on a TACACS server. You also must identify the server to

tacacs+ Authenticate using the database on a TACACS+ server. You also must identify the server to

radius Authenticate using the database on a RADIUS server. You also must identify the server to the

none Do not use any authentication method. The device automatically permits access.

Authentication method values (Continued)TABLE 9

names and passwords are configured using the username... command. Refer to Local user

account configuration on page 40.

the device using the tacacs-server command.

device using the radius-server command. Refer to RADIUS security on page 58.

TCP Flags - edge port security

NOTE

This feature is not supported on FastIron X Series devices.

The edge port security feature works in combination with IP ACL rules, and supports all 6 TCP flags present in the offset 13 of the TCP header:

• +|- urg = Urgent

• +|- ack = Acknowledge

• +|- psh = Push

• +|- rst = Reset

• +|- syn = Synchronize

• +|- fin = Finish

TCP flags can be combined with other ACL functions (such as dscp-marking and traffic policies), giving you greater flexibility when designing ACLs.

The TCP flags feature offers two options, match-all and match-any:

• Match-any - Indicates that incoming TCP traffic must be matched against any of the TCP flags configured as part of the match-any ACL rule. In CAM hardware, the number of ACL rules will match the number of configured flags.

• Match-all - Indicates that incoming TCP traffic must be matched against all of the TCP flags configured as part of the match-all ACL rule. In CAM hardware, there will be only one ACL rule for all configured flags.

device(config-ext-nACL)#permit tcp 10.1.1.1 0.0.0.255 eq 100 10.2.2.2 0.0.0.255 eq 300 match-all +urg +ack +syn -rst

This command configures a single rule in CAM hardware. This rule will contain all of the configured TCP flags (urg, ack, syn, and rst).

78 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Using TCP Flags in combination with other ACL features

The TCP Flags feature has the added capability of being combined with other ACL features.

device(config-ext-nACL)#permit tcp any any match-all +urg +ack +syn -rst trafficpolicy test

This command configures the ACL to match incoming traffic with the TCP Flags urg, ack, and syn and also to apply the traffic policy (rate, limit, etc.) to the matched traffic.

device(config-ext-nACL)#permit tcp any any match-all +urg +ack +syn -rst tos normal

This command configures the ACL to match incoming traffic with the flags urg, ack, and syn, and also sets the tos bit to normal when the traffic exits the device.

NOTE

TCP Flags combines the functionality of older features such as TCP Syn Attack and TCP Establish. Avoid configuring these older features on a port where you have configured TCP Flags. TCP Flags can perform all of the functions of TCP Syn Attack and TCP Establish, and more. However, if TCP Syn Attack is configured on a port along with TCP Flags, TCP Syn Attack will take precedence.

NOTE

If an ACL clause with match-any exists, and the system runs out of CAM, if the total number of TCP rules to TCP Flags will not fit within 1021 entries (the maximum rules allowed per device), then none of the TCP Flag rules will be programmed into the CAM hardware.

NOTE

If a range option and match-any TCP-flags are combined in the same ACL, the total number of rules will be calculated as: Total number of rules in CAM hardware = (number of rules for range)* (number of rules for match-any TCP-flags).

FastIron Ethernet Switch Security Configuration Guide 79 53-1003088-03

Using TCP Flags in combination with other ACL features

80 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

SSH2 and SCP

● Supported SSH2 and Secure Copy features.................................................................. 81

● SSH version 2 overview.................................................................................................. 81

● SSH2 authentication types..............................................................................................83

● Optional SSH parameters............................................................................................... 88

● Filtering SSH access using ACLs................................................................................... 90

● Terminating an active SSH connection........................................................................... 90

● Displaying SSH information............................................................................................ 90

● Secure copy with SSH2.................................................................................................. 93

● SSH2 client..................................................................................................................... 96

Supported SSH2 and Secure Copy features

Lists SSH2 and Secure Copy features supported in FastIron devices.

The following table lists individual Brocade switches and the SSH2 and Secure Copy features they support.

Feature ICX 6430 ICX 6450 FCX ICX 6610 ICX 6650 FSX 800

FSX 1600

Secure Shell (SSH) version 2 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

AES encryption for SSHv2 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Optional parameters for SSHv2 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Using secure copy (SCP) with SSHv2 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Filtering SSHv2 access using ACLs 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Terminating an active SSHv2 connection 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

SSH client 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

Boot image download over SCP 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.01 08.0.10

ICX 7750

SSH version 2 overview

Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on a Brocade device. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet. However, unlike Telnet, which provides no security, SSH provides a secure, encrypted connection to the device.

The Brocade SSH2 implementation is compatible with all versions of the SSH2 protocol (2.1, 2.2, and so on). At the beginning of an SSH session, the Brocade device negotiates the version of SSH2 to be

FastIron Ethernet Switch Security Configuration Guide 53-1003088-03

Tested SSH2 clients

used. The highest version of SSH2 supported by both the Brocade device and the client is the version that is used for the session. Once the SSH2 version is negotiated, the encryption algorithm with the highest security ranking is selected to be used for the session.

Brocade devices also support Secure Copy (SCP) for securely transferring files between a Brocade device and SCP-enabled remote hosts.

NOTE

The SSH feature includes software that is copyright Allegro Software Development Corporation.

SSH2 is supported in the Layer 2 and Layer 3 codes.

SSH2 is a substantial revision of Secure Shell, comprising the following hybrid protocols and definitions:

• SSH Transport Layer Protocol

• SSH Authentication Protocol

• SSH Connection Protocol

• SECSH Public Key File Format

• SSH Fingerprint Format

• SSH Protocol Assigned Numbers

• SSH Transport Layer Encryption Modes

• SCP/SSH URI Format

Tested SSH2 clients

The following SSH clients have been tested with SSH2:

• SSH Secure Shell 3.2.3

• Van Dyke SecureCRT 5.2.2

• F-Secure SSH Client 5.3 and 6.0

• PuTTY 0.62

NOTE

SSH session may drop when using PuTTY on Windows system and left idle for more than 45 minutes.

• OpenSSH 4.3p2

• Brocade FastIron SSH Client

NOTE

Supported SSH client public key sizes are 1024 or 2048 bits for DSA keys and RSA keys.

SSH2 supported features

SSH2 (Secure Shell version 2 protocol) provides an SSH server and an SSH client. The SSH server allows secure remote access management functions on a Brocade device. SSH provides a function that is similar to Telnet, but unlike Telnet, SSH provides a secure, encrypted connection.

Brocade SSH2 support includes the following:

• Key exchange methods are diffie-hellman-group1-sha1.

• The supported public key algorithms are ssh-dss and ssh-rsa .

82 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

• Encryption is provided with 3des-cbc , aes128-cbc , aes192-cbc or aes256-cbc . AES encryption has been adopted by the U.S. Government as an encryption standard.

• Data integrity is ensured with hmac-sha1.

• Supported authentication methods are Password , interactive, and Key authentication.

• Five inbound SSH connection at one time are supported.

• Five outbound SSH is supported.

SSH2 unsupported features

The following are not supported with SSH2:

• Compression

• TCP/IP port forwarding, X11 forwarding, and secure file transfer

• SSH version 1

SSH2 authentication types

SSH2 unsupported features

The Brocade implementation of SSH2 supports the following types of user authentication:

• DSA challenge-response authentication , where a collection of public keys are stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.

• RSA challenge-response authentication , where a collection of public keys are stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.

• Password authentication , where users attempting to gain access to the device using an SSH client are authenticated with passwords stored on the device or on a TACACS or TACACS+ server or a RADIUS server.

• Interactive-authentication

• Keyboard-interactive authentication

Configuring SSH2

You can configure the device to use any combination of these authentication types. The SSH server and client negotiate which type to use.

To configure SSH2, follow these steps:

1. Generate a host Digital Signature Algorithm (DSA) or Ron Rivest, Adi Shamir and Leonard Adleman Algorithm (RSA), and private key pair for the device.

See the section Enabling and disabling SSH by generating and deleting host keys on page 84.

2. Configure DSA or RSA challenge-response authentication.

See the section Configuring DSA or RSA challenge-response authentication on page 86.

3. Set optional parameters.

See the section Optional SSH parameters on page 88.

FastIron Ethernet Switch Security Configuration Guide 83 53-1003088-03

Enabling and disabling SSH by generating and deleting host keys

To enable SSH, you generate a DSA or RSA host key on the device. The SSH server on the Brocade device uses this host DSA or RSA key, along with a dynamically generated server DSA or RSA key pair, to negotiate a session key and encryption method with the client trying to connect to it.

While the SSH listener exists at all times, sessions can not be started from clients until a host key is generated. After a host key is generated, clients can start sessions.

To disable SSH, you delete all of the host keys from the device.

When a host key is generated, it is saved to the flash memory of all management modules. When a host key is is deleted, it is deleted from the flash memory of all management modules.

The time to initially generate SSH keys varies depending on the configuration, and can be from a under a minute to several minutes.

SSHv2 RSA host key format is different between FastIron 07.x.xx, 08.0.00 and 08.0.00a software versions .

• When you upgrade from FastIron 07.x.xx, 08.0.00 to 08.0.00a software version , if RSA key is present in FastIron 07.x.xx or 08.0.00 software version, same size will be regenerated in FastIron

08.0.00a software version. Old SSHv2 host key is retained unless they are cleared by the crypto key zeroize command.

• When you downgrade the FastIron software from version 08.0.00a to 08.0.00 or 07.x.xx, consider the following scenarios:

‐ SSHv2 RSA host key created in FastIron 07.x.xx or 08.0.00 software version and retained

in FastIron 08.0.00a-- In this case, booting up with FastIron 07.x.xx or 08.0.00 software versions reads the old format SSHv2 RSA host keys and enables the SSHv2 RSA server on the switch.

‐ SSHv2 RSA host key created in FastIron 08.0.00a--In this case, booting up with FastIron

07.x.xx or 08.0.00 software versions does not read the new format SSHv2 RSA host keys and SSHv2 server is not enabled on the switch.

SSH host keys created with DSA method is interoperable between FastIron 07.x.xx, 08.0.00 and

08.0.00a software versions.

Generating and deleting a DSA key pair

To generate a DSA key pair, enter the following command.

device(config)#crypto key generate dsa

To delete the DSA host key pair, enter the following command.

device(config)#crypto key zeroize dsa

Syntax: crypto key { generate | zeroize } dsa

The generate keyword places a host key pair in the flash memory and enables SSH on the device, if it is not already enabled.

The zeroize keyword deletes the host key pair from the flash memory. This disables SSH if no other server host keys exist on the device.

The dsa keyword specifies a DSA host key pair. This keyword is optional. If you do not enter it, the command crypto key generate generates a DSA key pair by default, and the command crypto key zeroize works as described in Deleting DSA and RSA key pairs on page 85.

84 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Generating and deleting an RSA key pair

To generate an RSA key pair, enter a command such as the following:

device(config)#crypto key generate rsa modulus 2048

To delete the RSA host key pair, enter the following command.

device(config)#crypto key zeroize rsa

Syntax: crypto key { generate | zeroize } rsa [ modulus modulus-size ]

The generate keyword places an RSA host key pair in the flash memory and enables SSH on the device, if it is not already enabled.

The optional [modulus modulus-size ] parameter specifies the modulus size of the RSA key pair, in bits. The valid values for modulus-size are 1024 or 2048. The default value is 1024.

The zeroize keyword deletes the RSA host key pair from the flash memory. This disables SSH if no other authentication keys exist on the device.

The rsa keyword specifies an RSA host key pair.

NOTE

OnICX 6430 and ICX 6450 devices, the crypto key generate command can take up to 16 minutes to complete.

Deleting DSA and RSA key pairs

To delete DSA and RSA key pairs from the flash memory, enter the following command:

device(config)#crypto key zeroize

Syntax: crypto key zeroize

The zeroize keyword deletes the host key pair from the flash memory. This disables SSH.

Providing the public key to clients

The host DSA or RSA key pair is stored in the system-config file of the Brocade device. Only the public key is readable. Some SSH client programs add the public key to the known hosts file automatically. In other cases, you must manually create a known hosts file and place the public key of the Brocade device in it.

If you are using SSH to connect to a Brocade device from a UNIX system, you may need to add the public key on the Brocade device to a “known hosts” file on the client UNIX system; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a known hosts file.

AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/ z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om 1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV

FastIron Ethernet Switch Security Configuration Guide 85 53-1003088-03

Configuring DSA or RSA challenge-response authentication

With DSA or RSA challenge-response authentication, a collection of clients’ public keys are stored on the Brocade device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH.

When DSA or RSA challenge-response authentication is enabled, the following events occur when a client attempts to gain access to the device using SSH:

1. The client sends its public key to the Brocade device.

2. The Brocade device compares the client public key to those stored in memory.

3. If there is a match, the Brocade device uses the public key to encrypt a random sequence of bytes.

4. The Brocade device sends these encrypted bytes to the client.

5. The client uses its private key to decrypt the bytes.

6. The client sends the decrypted bytes back to the Brocade device.

7. The Brocade device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes match, it means that the client private key corresponds to an authorized public key, and the client is authenticated.

Setting up DSA or RSA challenge-response authentication consists of the following steps.

Importing authorized public keys into the Brocade device

SSH clients that support DSA or RSA authentication normally provide a utility to generate a DSA or RSA key pair. The private key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not protected. You must import the client public key for each client into the Brocade device.

Collect one public key of each key type (DSA and/or RSA) from each client to be granted access to the Brocade device and place all of these keys into one file. This public key file may contain up to 16 keys. The following is an example of a public key file containing one public key:

---- BEGIN SSH2 PUBLIC KEY ----

Comment: DSA Public Key AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/ z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om 1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV

---- END SSH2 PUBLIC KEY ----

NOTE

Each key in the public key file must begin and end with the first and last lines in this example. If your client does not include these lines in the public key, you must manually add them.

Import the authorized public keys into the Brocade device active configuration by loading this public key file from a TFTP server.

To load a public key file called pkeys.txt from a TFTP server, enter a command such as the following:

device(config)#ip ssh pub-key-file tftp 10.168.1.234 pkeys.txt

Syntax: ip ssh pub-key-file { tftp tftp-server-ip-addr filename | remove }

86 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Enabling DSA or RSA challenge-response authentication

The tftp-server-ip-addr variable is the IP address of the tftp server that contains the public key file that you want to import into the Brocade device.

The filename variable is the name of the public key file that you want to import into the Brocade device.

The remove parameter deletes the public keys from the device.

To display the currently loaded public keys, enter the following command.

device#show ip client-pub-key

---- BEGIN SSH2 PUBLIC KEY ---Comment: DSA Public Key AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/ z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om 1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV

---- END SSH2 PUBLIC KEY ----

Syntax: show ip client-pub-key [ begin expression | exclude expression | include expression ]

To clear the public keys from the buffers, enter the following command.

device#clear public-key

Syntax: clear public-key

Enabling DSA or RSA challenge-response authentication

DSA and RSA challenge-response authentication is enabled by default. You can disable or re-enable it manually.

To enable DSA and RSA challenge-response authentication.

device(config)#ip ssh password-authentication yes

To disable DSA and RSA challenge-response authentication.

device(config)#ip ssh password-authentication no

Syntax: ip ssh password-authentication{ yes | no }

To enable keyboard-interactive authentication:

device(config)#ip ssh interactive-authentication yes

To disable keyboard interactive authentication:

device(config)#ip ssh interactive-authentication no

Syntax: ip ssh interactive--authentication{ yes | no }

To enable public key authentication:

device(config)#ip ssh key-authentication yes

To disable public key authentication:

device(config)#ip ssh key-authentication no

Syntax: ip ssh interactive--authentication { yes | no }

FastIron Ethernet Switch Security Configuration Guide 87 53-1003088-03

Optional SSH parameters

You can adjust the following SSH settings on the Brocade device:

• The number of SSH authentication retries

• The user authentication method the Brocade device uses for SSH connections

• Whether the Brocade device allows users to log in without supplying a password

• The port number for SSH connections

• The SSH login timeout value

• A specific interface to be used as the source for all SSH traffic from the device

• The maximum idle time for SSH sessions

Setting the number of SSH authentication retries

By default, the Brocade device attempts to negotiate a connection with the connecting host three times. The number of authentication retries can be changed to between 1 - 5.

NOTE

The ip ssh authentication-retries command is not applicable on Brocade devices which acts as an SSH client. When the Brocade device acts as an SSH client and when you try to establish an SSH connection with wrong credentials, the session is not be established. The connection is terminated. The device does not check the SSH authentication retry configuration set using the ip ssh authentication-retries command. The command is applicable only to SSH clients like PUTTY, Secure CRT, and so on.

For example, the following command changes the number of authentication retries to 5.

device(config)#ip ssh authentication-retries 5

Syntax: ip ssh interactive--authentication-retries number

Deactivating user authentication

After the SSH server on the Brocade device negotiates a session key and encryption method with the connecting client, user authentication takes place. The Brocade implementation of SSH supports DSA or RSA challenge-response authentication and password authentication.

With password authentication, users are prompted for a password when they attempt to log into the device (provided empty password logins are not allowed). If there is no user account that matches the user name and password supplied by the user, the user is not granted access.

You can deactivate one or both user authentication methods for SSH. Note that deactivating both authentication methods essentially disables the SSH server entirely.

To disable DSA or RSA challenge-response authentication, enter the following command.

device(config)#ip ssh key-authentication no

Syntax: ip ssh key--authentication { yes | no }

88 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Enabling empty password logins

The default is yes .

To deactivate password authentication, enter the following command.

device(config)#ip ssh password-authentication no

Syntax: ip ssh password--authentication { no | yes }

The default is yes .

Enabling empty password logins

By default, empty password logins are not allowed. This means that users with an SSH client are always prompted for a password when they log into the device. To gain access to the device, each user must have a user name and password. Without a user name and password, a user is not granted access.

If you enable empty password logins, users are not prompted for a password when they log in. Any user with an SSH client can log in without being prompted for a password.

To enable empty password logins, enter the following command.

device(config)#ip ssh permit-empty-passwd yes

Syntax: ip ssh permit-empty-passwd { no | yes }

Setting the SSH port number

By default, SSH traffic occurs on TCP port 22. You can change this port number. For example, the following command changes the SSH port number to 2200.

device(config)#ip ssh port 2200

Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH port number, Brocade recommends that you change it to a port number greater than

1024.

Syntax: ip ssh port number

Setting the SSH login timeout value

When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects. You can change this timeout value to between 1 - 120 seconds. For example, to change the timeout value to 60 seconds, enter the following command.

device(config)#ip ssh timeout 60

Syntax: ip ssh timeout seconds

FastIron Ethernet Switch Security Configuration Guide 89 53-1003088-03

Designating an interface as the source for all SSH packets

You can designate a loopback interface, virtual interface, or Ethernet port as the source for all SSH packets from the device. For details, see "Specifying a single source interface for specified packet types" section in the FastIron Ethernet Switch Layer 3 Routing Configuration Guide .

Configuring the maximum idle time for SSH sessions

By default, SSH sessions do not time out. Optionally, you can set the amount of time an SSH session can be inactive before the Brocade device closes it. For example, to set the maximum idle time for SSH sessions to 30 minutes, enter the following command.

device(config)#ip ssh idle-time 30

Syntax: ip ssh idle-time minutes

If an established SSH session has no activity for the specified number of minutes, the Brocade device closes it. An idle time of 0 minutes (the default value) means that SSH sessions never time out. The maximum idle time for SSH sessions is 240 minutes.

Filtering SSH access using ACLs

You can permit or deny SSH access to the Brocade device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL, a named standard IPv4 ACL

Enter commands such as the following.

device(config)#access-list 10 permit host 10.168.144.241 device(config)#access-list 10 deny host 10.168.144.242 log device(config)#access-list 10 permit host 10.168.144.243 device(config)#access-list 10 deny any device(config)#ssh access-group 10

Syntax: ssh access-group { standard-named-acl | standard-numbered-acl }

Terminating an active SSH connection

To terminate one of the active SSH connections, enter the following command

device#kill ssh 1

Syntax: kill ssh connection-id

Displaying SSH information

Up to five SSH connections can be active on the Brocade device.

90 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Displaying SSH connection information

To display information about SSH connections, enter the show ip ssh command.

device#show ip ssh Connection Version Encryption Username HMAC Server Hostkey IP Address Inbound: 1 SSH-2 3des-cbc Raymond hmac-sha1 ssh-dss 10.120.54.2 Outbound: 6 SSH-2 aes256-cbc Steve hmac-sha1 ssh-dss 10.37.77.15 SSH-v2.0 enabled; hostkey: DSA(1024), RSA(2048)

Syntax: show ip ssh [ begin expression | exclude expression | include expression ]

This display shows the following information about the active SSH connections.

SSH connection information TABLE 10

Field Description

Inbound Connections listed under this heading are inbound.

Outbound Connections listed under this heading are outbound.

Connection The SSH connection ID.

Version The SSH version number.

Encryption The encryption method used for the connection.

Username The user name for the connection.

HMAC The HMAC version

Server Hostkey The type of server hostkey. This can be DSA or RSA.

IP Address The IP address of the SSH client

SSH-v2.0 enabled Indicates that SSHv2 is enabled.

hostkey Indicates that at least one host key is on the device. It is followed by a list of the the host key

types and modulus sizes.

Displaying SSH configuration information

To display SSH configuration information, use the show ip ssh config command:

Brocade# show ip ssh config SSH server : Disabled SSH port : tcp\22 Host Key : Encryption : AES-256, AES-192, AES-128, 3-DES Permit empty password : No Authentication methods : Password, Public-key, Interactive Authentication retries : 3 Login timeout (seconds) : 120 Idle timeout (minutes) : 0

FastIron Ethernet Switch Security Configuration Guide 91 53-1003088-03

SSH2 and SCP

SCP : Enabled SSH IPv4 clients : All SSH IPv6 clients : All SSH IPv4 access-group : SSH IPv6 access-group : SSH Client Keys : Brocade#

Syntax: show ip ssh config

This display shows the following information.

Field Description

SSH server SSH server is enabled or disabled

SSH port SSH port number

Encryption The encryption used for the SSH connection. The following values are displayed when

AES only is enabled:

• AES-256, AES-192, and AES-128 indicate the different AES methods used for encryption.

• 3-DES indicates 3-DES algorithm is used for encryption.

Permit empty password Empty password login is allowed or not allowed.

Authentication methods The authentication methods used for SSH. The authentication can have one or more of

the following values:

• Password - indicates that you are prompted for a password when attempting to log into the device.

• Public-key - indicates that DSA or RSA challenge-response authentication is enabled.

• Interactive - indicates the interactive authentication si enabled.

Authentication retries The number of authentication retries. This number can be from 1 to 5.

Idle timeout (minutes) SSH idle timeout value in minutes. This can be from 0 to 240.

Strict management VRF Strict management VRF is enabled or disabled.

SCP SCP is enabled or disabled.

SSH IPv4 clients The list of IPv4 addresses to which SSH access is allowed. The default is "All".

SSH IPv6 clients The list of IPv4 addresses to which SSh access is allowed. Default "All".

SSH IPv4 access-list The IPv4 ACL used to permit or deny access using SSH.

SSH IPv6 access-list The IPv6 ACL used to permit or deny access to device using SSH.

92 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Displaying additional SSH connection information

The show who command also displays information about SSH connections:

device#show who Console connections: Established you are connecting to this session 2 minutes 56 seconds in idle SSH server status: Enabled SSH connections (inbound):

1. established, client ip address 10.2.2.1, server hostkey DSA 1 minutes 15 seconds in idle

2. established, client ip address 10.2.2.2, server hostkey RSA 2 minutes 25 seconds in idle SSH connection (outbound):

3. established, server ip address 10.37.77.15, server hostkey RSA 7 seconds in idle

Syntax: show who { begin expression | exclude expression | include expression }

Secure copy with SSH2

Displaying additional SSH connection information

Secure Copy (SCP) uses security built into SSH to transfer image and configuration files to and from the device. SCP automatically uses the authentication methods, encryption algorithm, and data compression level configured for SSH. For example, if password authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to be transferred. No additional configuration is required for SCP on top of SSH.

You can use SCP to copy files on the Brocade device, including the startup configuration and running configuration files, to or from an SCP-enabled remote host.

Enabling and disabling SCP

SCP is enabled by default and can be disabled. To disable SCP, enter the following command.

device(config)#ip ssh scp disable

Syntax: ip ssh [ scp ] { disable | enable }

NOTE

If you disable SSH, SCP is also disabled.

Secure copy configuration notes

• When using SCP, enter the scp commands on the SCP-enabled client, rather than the console on the Brocade device.

• Certain SCP client options, including -p and -r, are ignored by the SCP server on the Brocade device. If an option is ignored, the client is notified.

• An SCP AES copy of the running or start configuration file from the Brocade device to Linux WS 4 or 5 may fail if the configuration size is less than 700 bytes. To work around this issue, use PuTTY to copy the file.

• SCP does not support running config overwite except acl configuration.

FastIron Ethernet Switch Security Configuration Guide 93 53-1003088-03

Example file transfers using SCP

The following are examples of using SCP to transfer files to and from a Brocade device.

Copying a file to the running config

To copy a configuration file (c:\cfg\brocade.cfg) to the running configuration file on a Brocade device at

10.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client.

C:\> scp c:\cfg\brocade.cfg terry@10.168.1.50:runConfig

If password authentication is enabled for SSH, the user is prompted for user terry password before the file transfer takes place.

Copying a file to the startup config

To copy the configuration file to the startup configuration file, enter the following command.

C:\> scp c:\cfg\brocade.cfg terry@10.168.1.50:startConfig

Copying the running config file to an SCP-enabled client

To copy the running configuration file on the Brocade device to a file called c:\cfg\fdryrun.cfg on the SCP-enabled client, enter the following command.

C:\> scp terry@10.168.1.50:runConfig c:\cfg\brcdrun.cfg

Copying the startup config file to an SCP-enabled client

To copy the startup configuration file on the Brocade device to a file called c:\cfg\brcdestart.cfg on the SCP-enabled client, enter the following command.

C:\> scp terry@10.168.1.50:startConfig c:\cfg\brcdstart.cfg

To overwrite the running configuration file

C:\> scp c:\cfg\brocade.cfg terry@10.168.1.50:runConfig-overwrite

Copying a software image file to flash memory

The scp command syntax differs between device series. Use the command syntax in the appropriate section.

Brocade FCX Series, ICX 6610, and FastIron X Series Devices

To copy a software image file from an SCP-enabled client to the primary flash on these devices, enter one of the following commands.

C:\> scp FCXR08000.bin terry@10.168.1.50:flash:primary

C:\>scp FCXR08000.bin terry@10.168.1.50:flash:pri:FCXR08000.bin

94 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Copying a Software Image file from flash memory

To copy a software image file from an SCP-enabled client to the secondary flash on these devices, enter one of the following commands.

C:\> scp FCXR08000.bin terry@10.168.1.50:flash:secondary

c:\> scp FCXR08000.bin terry@10.168.1.50:flash:sec:FCXR08000.bin

NOTE

After the copy operation is completed at the host, you do not get the command prompt back because the switch is synchronizing the image to flash. To ensure that you have successfully copied the file, issue the show flash command. If the copy operation is not complete, the show flash command output will show the partition (primary or secondary) as EMPTY.

NOTE

The Brocade device supports only one SCP copy session at a time.

Copying a Software Image file from flash memory

The scp command syntax differs between device series. Use the command syntax in the appropriate section.

To copy a software image file from the primary flash on these devices to an SCP-enabled client, enter a command such as the following.

C:\> scp terry@10.168.1.50:flash:primary FCXR08000.bin

To copy a software image file from the secondary flash on these devices to an SCP-enabled client, enter a command such as the following.

C:\> scp terry@10.168.1.50:flash:secondary FCXR08000.bin

Importing a digital certificate using SCP

To import a digital certificate using SCP, enter a command such as the following one:

C:\> scp certfile user@10.168.89.210:sslCert

Syntax: scp certificate-filenameuser@ip-address :sslCert

The ip-address variable is the IP address of the server from which the digital certificate file is downloaded.

The certificate-filename variable is the file name of the digital certificate that you are importing to the device.

The scp command can be used when TFTP access is unavailable or not permitted and the command has an equivalent functionality to the ip ssl certificate-data-file tftp .

FastIron Ethernet Switch Security Configuration Guide 95 53-1003088-03

Importing an RSA private key

To import an RSA private key from a client using SCP, enter a command such as the following one:

C:\> scp keyfile user@10.168.9.210:sslPrivKey

Syntax: scp key-filenameuser@ip-address sslPrivKey

The ip-address variable is the IP address of the server that contains the private key file.

The key-filename variable is the file name of the private key that you want to import into the device.

The scp command can be used when TFTP access is unavailable or not permitted and the command has an equivalent functionality to the ip ssl private-key-file tftp command.

Importing a DSA or RSA public key

To import a DSA or RSA public key from a client using SCP, enter a command such as the following one:

C:\> scp pkeys.txt user@10.168.1.234:sshPubKey

Syntax: scp key-filenameuser@ip-address :sshPubKey

The ip-address variable is the IP address of the server that contains the public key file.

The key-filename variable is the name of the DSA or RSA public key file that you want to import into the device.

The scp command can be used when TFTP access is unavailable or not permitted and the command has an equivalent function to the ip ssh pub-key- file tftp command. For more information on the ip ssh pub-key-file tftp command, refer to Importing authorized public keys into the Brocade device on page 86.

Copying license files

To copy the license files from a client using SCP, enter commands such as the following:

For FSX:

C:\> scp license.xml user@10.168.1.234:license

For stacking products:

C:\> scp license.xml user@10.168.1.234:license:3 (unit3)

Syntax: scp license-filenameuser@ip-address :license

SSH2 client

SSH2 client allows you to connect from a Brocade device to an SSH2 server, including another Brocade device that is configured as an SSH2 server. You can start an outbound SSH2 client session

96 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Enabling SSH2 client

while you are connected to the device by any connection method (SSH2, Telnet, console). Brocade devices support one outbound SSH2 client session at a time.

The supported SSH2 client features are as follows:

• Encryption algorithms, in the order of preference:

‐ aes256-cbc ‐ aes192-cbc ‐ aes128-cbc ‐ 3des-cbc

• SSH2 client session authentication algorithms:

‐ Password authentication ‐ Public Key authentication

• Message Authentication Code (MAC) algorithm: hmac-sha1

• Key exchange algorithm: diffie-hellman-group1-sha1

• No compression algorithms are supported.

• The client session can be established through either in-band or out-of-band management ports.

• The client session can be established through IPv4 or IPv6 protocol access.

• The client session can be established to a server listening on a non-default SSH port.

Enabling SSH2 client

To use SSH2 client, you must first enable SSH2 server on the device. See SSH2 authentication types on page 83.

When SSH2 server is enabled, you can use SSH client to connect to an SSH server using password authentication.

Configuring SSH2 client public key authentication

To use SSH client for public key authentication, you must generate SSH client authentication keys and export the public key to the SSH servers to which you want to connect.

The following sections describe how to configure SSH client public key authentication:

• Generating and deleting a client DSA key pair on page 97

• Generating and deleting a client RSA key pair on page 98

• Exporting client public keys on page 98

Generating and deleting a client DSA key pair

To generate a client DSA key pair, enter the following command.

device(config)#crypto key client generate dsa

To delete the DSA host key pair, enter the following command.

device(config)#crypto key client zeroize dsa

Syntax: crypto key client { generate | zeroize } dsa

The generate keyword places a host key pair in the flash memory.

The zeroize keyword deletes the host key pair from the flash memory.

The dsa keyword specifies a DSA host key pair.

FastIron Ethernet Switch Security Configuration Guide 97 53-1003088-03

Generating and deleting a client RSA key pair

To generate a client RSA key pair, enter a command such as the following:

device(config)#crypto key client generate rsa modulus 2048

To delete the RSA host key pair, enter the following command.

device(config)#crypto key client zeroize rsa

Syntax: crypto key client { generate | zeroize } rsa [ modulus modulus-size ]

The generate keyword places an RSA host key pair in the flash memory.

The zeroize keyword deletes the RSA host key pair from the flash memory.

The optional [modulus modulus-size ] parameter specifies the modulus size of the RSA key pair, in bits. The valid values for modulus-size are 1024 or 2048. It is used only with the generate parameter. The default value is 1024.

The rsa keyword specifies an RSA host key pair.

Exporting client public keys

Client public keys are stored in the following files in flash memory:

• A DSA key is stored in the file $$sshdsapub.key .

• An RSA key is stored in the file $$sshrsapub.key .

To copy key files to a TFTP server, you can use the copy flash tftp command.

You must copy the public key to the SSH server. If the SSH server is a brocade device, see the section Importing authorized public keys into the Brocade device on page 86.

Using SSH2 client

To start an SSH2 client connection to an SSH2 server using password authentication, enter a command such as the following:

device# ssh 10.10.10.2

To start an SSH2 client connection to an SSH2 server using public key authentication, enter a command such as the following:

device# ssh 10.10.10.2 public-key dsa

Syntax: ssh ipv4Addr | ipv6Addr | host-name [ public-key [ dsa | rsa ] ] [ port portnum ]

The ipv4Addr , ipv6Addr , and host-name variables identify an SSH2 server. You identify the server to connect to by entering its IPv4 or IPv6 address or its hostname.

The optional [public-key [dsa | rsa]] parameter specifies the type of public key authentication to use for the connection, either DSA or RSA. If you do not enter this parameter, the default authentication type is password.

The optional port portnum parameter specifies that the SSH2 connection will use a non-default SSH2 port, where portnum is the port number. The default port number is 22.

98 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Displaying SSH2 client information

For information about displaying SSH2 client information, see the following sections:

• Displaying SSH connection information on page 91

• Displaying additional SSH connection information on page 93

FastIron Ethernet Switch Security Configuration Guide 99 53-1003088-03

Displaying SSH2 client information

100 FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

Brocade FastIron Ethernet Switch Security Configuration Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

Preface

Document conventions

Text formatting conventions

Command syntax conventions

Notes, cautions, and warnings

Brocade resources

Getting technical help

Document feedback

About This Document

What’s new in this document

How command information is presented in this guide

Security Access

Supported security access features

Securing access methods

Remote access to management function restrictions

ACL usage to restrict remote access

Using an ACL to restrict Telnet access

Using an ACL to restrict SSH access

Using ACLs to restrict SNMP access

Defining the console idle time

Remote access restrictions

Restricting Telnet access to a specific IP address

Restricting SSH access to a specific IP address

Restricting SNMP access to a specific IP address

Restricting all remote management access to a specific IP address

Restricting access to the device based on IP orMAC address

Restricting Telnet connection

Restricting SSH connection

Defining the Telnet idle time

Specifying the maximum number of login attemptsfor Telnet access

Changing the login timeout period for Telnet sessions

Restricting remote access to the device tospecific VLAN IDs

Restricting Telnet access to a specific VLAN

Restricting SNMP access to a specific VLAN

Restricting TFTP access to a specific VLAN

Designated VLAN for Telnet management sessionsto a Layer 2 Switch

Device management security

Allowing SSHv2 access to the Brocade device

Allowing SNMP access to the Brocade device

Disabling specific access methods

Disabling Telnet access

Disabling SNMP access

Disabling TFTP access

Passwords used to secure access

Setting a Telnet password

Suppressing Telnet connection rejection messages

Setting passwords for management privilege levels

Augmenting management privilege levels

Recovering from a lost password

Displaying the SNMP community string

Specifying a minimum password length

Local user accounts

Enhancements to username and password

Enabling enhanced user password combination requirements

Enabling user password masking

Enabling user password aging

Configuring password history

Enhanced login lockout

Setting passwords to expire

Requirement to accept the message of the day

Local user account configuration

Local user accounts with no passwords

Local user accounts with unencrypted passwords

Changing a local user password

TACACS and TACACS+ security

How TACACS+ differs from TACACS

TACACS/TACACS+ authentication, authorization,and accounting

Configuring TACACS/TACACS+ for devices in a Brocade traditional stack

TACACS authentication

TACACS+ authentication

TACACS+ authorization

TACACS+ accounting

AAA operations for TACACS/TACACS+

AAA security for commands pasted into the running-config

TACACS/TACACS+ configuration considerations