53-1002601-01
28 September 2012

Brocade ICX 6650
Security Configuration Guide
Supporting FastIron Software Release 07.5.00
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved.
Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.
The authors and Brocade Communications Systems, Inc. shall have no liability or responsibility to any person or entity with respect to any loss, cost, liability, or damages arising from the information contained in this book or the computer programs that accompany it.
The product described by this document may contain “open source” software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.
Brocade Communications Systems, Incorporated
Corporate and Latin American Headquarters Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Tel: 1-408-333-8000 Fax: 1-408-333-8101 E-mail: info@brocade.com
European Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour B - 4ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 5640 Fax: +41 22 799 5641 E-mail: emea-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems China HK, Ltd. No. 1 Guanghua Road Chao Yang District Units 2718 and 2818 Beijing 100020, China Tel: +8610 6588 8888 Fax: +8610 6588 9999 E-mail: china-info@brocade.com
Asia-Pacific Headquarters Brocade Communications Systems Co., Ltd. (Shenzhen WFOE) Citic Plaza No. 233 Tian He Road North Unit 1308 – 13th Floor Guangzhou, China Tel: +8620 3891 2000 Fax: +8620 3891 2111 E-mail: china-info@brocade.com
Document History

Title: Brocade ICX 6650 Security Configuration Guide
Publication number: 53-1002601-01
Summary of changes: Release 07.4.00 document updated with enhancements in Release 07.5.00
Date: September 2012

Contents

About This Document
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Supported hardware and software . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Brocade ICX 6650 slot and port numbering . . . . . . . . . . . . . . . . . . . .xi
How this document is organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii
Document conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Text formatting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Command syntax conventions . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Notes, cautions, and warnings . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Notice to the reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Brocade resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Other industry resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Getting technical help. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Document feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Chapter 1 Security Access
Securing access methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Remote access to management function restrictions . . . . . . . . . . . . 3
ACL usage to restrict remote access . . . . . . . . . . . . . . . . . . . . . . 3
Defining the console idle time . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Remote access restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Restricting access to the device based on IP or
MAC address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Defining the Telnet idle time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Changing the login timeout period for Telnet sessions . . . . . . . . 8
Specifying the maximum number of login attempts
for Telnet access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Changing the login timeout period for Telnet sessions . . . . . . . . 9
Restricting remote access to the device to
specific VLAN IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Designated VLAN for Telnet management sessions
to a Layer 2 switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10
Device management security . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Disabling specific access methods. . . . . . . . . . . . . . . . . . . . . . . 12
Brocade ICX 6650 Security Configuration Guide iii 53-1002601-01
Passwords used to secure access . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Setting a Telnet password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Setting passwords for management privilege levels . . . . . . . . . 14
Recovering from a lost password . . . . . . . . . . . . . . . . . . . . . . . . 16
Displaying the SNMP community string . . . . . . . . . . . . . . . . . . . 16
Specifying a minimum password length. . . . . . . . . . . . . . . . . . . 16
Local user accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Enhancements to username and password . . . . . . . . . . . . . . . 17
Local user account configuration . . . . . . . . . . . . . . . . . . . . . . . .21
Creating a password option. . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Changing a local user password . . . . . . . . . . . . . . . . . . . . . . . . .24
TACACS and TACACS+ security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
How TACACS+ differs from TACACS. . . . . . . . . . . . . . . . . . . . . . .24
TACACS/TACACS+ authentication, authorization,
and accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
TACACS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
TACACS/TACACS+ configuration considerations . . . . . . . . . . . .30
Enabling TACACS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Identifying the TACACS/TACACS+ servers. . . . . . . . . . . . . . . . . . 31
Specifying different servers for individual AAA functions . . . . . 32
Setting optional TACACS and TACACS+ parameters . . . . . . . . . 32
Configuring authentication-method lists for
TACACS and TACACS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Configuring TACACS+ authorization . . . . . . . . . . . . . . . . . . . . . .36
TACACS+ accounting configuration. . . . . . . . . . . . . . . . . . . . . . . 39
Configuring an interface as the source for all
TACACS and TACACS+ packets . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Displaying TACACS/TACACS+ statistics and
configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
RADIUS security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
RADIUS authentication, authorization, and accounting . . . . . . 41
RADIUS configuration considerations. . . . . . . . . . . . . . . . . . . . .44
Configuring RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Brocade-specific attributes on the RADIUS server . . . . . . . . . .45
Enabling SNMP to configure RADIUS . . . . . . . . . . . . . . . . . . . . . 47
Identifying the RADIUS server to the Brocade device . . . . . . . . 47
Specifying different servers for individual AAA functions . . . . . 48
RADIUS server per port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
RADIUS server to individual ports mapping . . . . . . . . . . . . . . . .49
RADIUS parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Setting authentication-method lists for RADIUS . . . . . . . . . . . . 51
RADIUS authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
RADIUS accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring an interface as the source for all
RADIUS packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Displaying RADIUS configuration information . . . . . . . . . . . . . .56
Authentication-method lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Examples of authentication-method lists. . . . . . . . . . . . . . . . . .58
TCP Flags - edge port security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Using TCP Flags in combination with other ACL features . . . . . 61
Chapter 2 SSH2 and SCP
SSH version 2 overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Tested SSH2 clients. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
SSH2 supported features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
SSH2 unsupported features . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
SSH2 authentication types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Configuring SSH2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Enabling and disabling SSH by generating and
deleting host keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Configuring DSA or RSA challenge-response authentication . .67
Optional SSH parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Setting the number of SSH authentication retries . . . . . . . . . .70
Deactivating user authentication . . . . . . . . . . . . . . . . . . . . . . . . 70
Enabling empty password logins. . . . . . . . . . . . . . . . . . . . . . . . . 71
Setting the SSH port number . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Setting the SSH login timeout value. . . . . . . . . . . . . . . . . . . . . . 71
Designating an interface as the source for all SSH packets. . . 71
Configuring the maximum idle time for SSH sessions . . . . . . . 71
Filtering SSH access using ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Terminating an active SSH connection . . . . . . . . . . . . . . . . . . . . . . . 72
Displaying SSH information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Displaying SSH connection information . . . . . . . . . . . . . . . . . . .72
Displaying SSH configuration information . . . . . . . . . . . . . . . . . 73
Displaying additional SSH connection information . . . . . . . . . . 74
Secure copy with SSH2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Enabling and disabling SCP . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Secure copy configuration notes . . . . . . . . . . . . . . . . . . . . . . . .75
Example file transfers using SCP . . . . . . . . . . . . . . . . . . . . . . . . 75
SSH2 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Enabling SSH2 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Configuring SSH2 client public key authentication . . . . . . . . . . 78
Using SSH2 client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Displaying SSH2 client information . . . . . . . . . . . . . . . . . . . . . . 80
Chapter 3 Rule-Based IP ACLs
ACL overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Types of IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
ACL IDs and entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Numbered and named ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Default ACL action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
How hardware-based ACLs work . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
How fragmented packets are processed . . . . . . . . . . . . . . . . . .84
Hardware aging of Layer 4 CAM entries . . . . . . . . . . . . . . . . . . .84
ACL configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Configuring standard numbered ACLs. . . . . . . . . . . . . . . . . . . . . . . . 86
Standard numbered ACL syntax . . . . . . . . . . . . . . . . . . . . . . . . .86
Configuration example for standard numbered ACLs . . . . . . . . 87
Standard named ACL configuration. . . . . . . . . . . . . . . . . . . . . . . . . . 87
Standard named ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Configuration example for standard named ACLs . . . . . . . . . . . 90
Extended numbered ACL configuration . . . . . . . . . . . . . . . . . . . . . . . 90
Extended numbered ACL syntax . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuration examples for extended numbered ACLs . . . . . . . 95
Extended named ACL configuration. . . . . . . . . . . . . . . . . . . . . . . . . .96
Extended named ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Applying egress ACLs to Control (CPU) traffic . . . . . . . . . . . . . . . . .101
Preserving user input for ACL TCP/UDP port numbers. . . . . . . . . .101
ACL comment text management . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Adding a comment to an entry in a numbered ACL. . . . . . . . .102
Adding a comment to an entry in a named ACL. . . . . . . . . . . .103
Deleting a comment from an ACL entry . . . . . . . . . . . . . . . . . .103
Viewing comments in an ACL . . . . . . . . . . . . . . . . . . . . . . . . . .103
Applying an ACL to a virtual interface in a protocol-
or subnet-based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
ACL logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Configuration notes for ACL logging . . . . . . . . . . . . . . . . . . . . .105
Configuration tasks for ACL logging . . . . . . . . . . . . . . . . . . . . .106
Example ACL logging configuration. . . . . . . . . . . . . . . . . . . . . .106
Displaying ACL Log Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Enabling strict control of ACL filtering of fragmented packets. . . .108
Enabling ACL support for switched traffic in the router image . . .109
Enabling ACL filtering based on VLAN membership or VE port
membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Configuration notes for ACL filtering. . . . . . . . . . . . . . . . . . . . .109
Applying an IPv4 ACL to specific VLAN members on
a port (Layer 2 devices only) . . . . . . . . . . . . . . . . . . . . . . . . . . .110
Applying an IPv4 ACL to a subset of ports on a virtual
interface (Layer 3 devices only) . . . . . . . . . . . . . . . . . . . . . . . .110
ACLs to filter ARP packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Configuration considerations for filtering ARP packets. . . . . .112
Configuring ACLs for ARP filtering . . . . . . . . . . . . . . . . . . . . . . .112
Displaying ACL filters for ARP . . . . . . . . . . . . . . . . . . . . . . . . . .113
Clearing the filter count. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Filtering on IP precedence and ToS values . . . . . . . . . . . . . . . . . . .113
TCP flags - edge port security . . . . . . . . . . . . . . . . . . . . . . . . . .114
QoS options for IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Configuration notes for QoS options on Brocade ICX 6650 . .115
Using an IP ACL to mark DSCP values (DSCP marking). . . . . .115
DSCP matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
ACL-based rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
ACL statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
ACLs to control multicast features . . . . . . . . . . . . . . . . . . . . . . . . . .118
Enabling and viewing hardware usage statistics for an ACL . . . . .118
Displaying ACL information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Troubleshooting ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Policy Based Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Configuration considerations for policy-based routing . . . . . .120
Configuring a PBR policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Configuring the ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Configuring the route map. . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Enabling PBR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Configuration examples for PBR. . . . . . . . . . . . . . . . . . . . . . . .124
Setting the next hop. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Setting the output interface to the null interface . . . . . . . . . .125
Trunk formation with PBR policy . . . . . . . . . . . . . . . . . . . . . . . .126
Chapter 4 IPv6 ACLs
IPv6 ACL overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
IPv6 ACL traffic filtering criteria . . . . . . . . . . . . . . . . . . . . . . . .128
IPv6 protocol names and numbers. . . . . . . . . . . . . . . . . . . . . .128
IPv6 ACL configuration notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Configuring an IPv6 ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Example IPv6 configurations. . . . . . . . . . . . . . . . . . . . . . . . . . .129
Default and implicit IPv6 ACL action. . . . . . . . . . . . . . . . . . . . .131
Creating an IPv6 ACL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Syntax for creating an IPv6 ACL . . . . . . . . . . . . . . . . . . . . . . . .132
Enabling IPv6 on an interface to which an ACL will be applied . . .137
Applying an IPv6 ACL to an interface . . . . . . . . . . . . . . . . . . . . . . . .137
Syntax for applying an IPv6 ACL . . . . . . . . . . . . . . . . . . . . . . . .138
Applying an IPv6 ACL to a trunk group . . . . . . . . . . . . . . . . . . .138
Applying an IPv6 ACL to a virtual interface in a
protocol-based or subnet-based VLAN . . . . . . . . . . . . . . . . . . .138
Adding a comment to an IPv6 ACL entry . . . . . . . . . . . . . . . . . . . . .138
Deleting a comment from an IPv6 ACL entry . . . . . . . . . . . . . . . . .139
Support for ACL logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Displaying IPv6 ACLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Chapter 5 ACL-based Rate Limiting
ACL-based rate limiting overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Types of ACL-based rate limiting . . . . . . . . . . . . . . . . . . . . . . . .141
Traffic policies overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Traffic policy structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Configuration notes for traffic policies . . . . . . . . . . . . . . . . . . .143
Configuring fixed rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Configuring adaptive rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . .144
Marking Class of Service parameters in adaptive rate limiting . . 145
Handling packets that exceed the rate limit . . . . . . . . . . . . . . . . . .147
Dropping packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Permitting packets at low priority . . . . . . . . . . . . . . . . . . . . . . .148
Enabling and using ACL statistics . . . . . . . . . . . . . . . . . . . . . . . . . .148
Enabling ACL statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Enabling ACL statistics with rate limiting traffic policies. . . . .150
Viewing ACL and rate limit counters . . . . . . . . . . . . . . . . . . . . .150
Clearing ACL and rate limit counters . . . . . . . . . . . . . . . . . . . .151
Viewing traffic policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Chapter 6 802.1X Port Security
IETF RFC support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
How 802.1X port security works . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Device roles in an 802.1X configuration . . . . . . . . . . . . . . . . .154
Communication between the devices . . . . . . . . . . . . . . . . . . .155
Controlled and uncontrolled ports . . . . . . . . . . . . . . . . . . . . . .155
Message exchange during authentication. . . . . . . . . . . . . . . .157
Authenticating multiple hosts connected to the same port . .159
802.1X port security and sFlow . . . . . . . . . . . . . . . . . . . . . . . .162
802.1X accounting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
802.1X port security configuration . . . . . . . . . . . . . . . . . . . . . . . . .163
Configuring an authentication method list for 802.1X . . . . . .164
Setting RADIUS parameters . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Dynamic VLAN assignment for 802.1X port configuration . . .166
Dynamically applying IP ACLs and MAC address filters
to 802.1X ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170
Enabling 802.1X port security. . . . . . . . . . . . . . . . . . . . . . . . . . 174
Setting the port control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Configuring periodic re-authentication . . . . . . . . . . . . . . . . . . . 175
Re-authenticating a port manually . . . . . . . . . . . . . . . . . . . . . . 176
Setting the quiet period. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Specifying the wait interval and number of EAP-request/
identity frame retransmissions from the Brocade device. . . . 176
Wait interval and number of EAP-request/
identity frame retransmissions from the RADIUS server . . . .177
Specifying a timeout for retransmission of messages
to the authentication server . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Initializing 802.1X on a port . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Allowing access to multiple hosts. . . . . . . . . . . . . . . . . . . . . . . 179
MAC address filters for EAP frames . . . . . . . . . . . . . . . . . . . . .182
Configuring VLAN access for non-EAP-capable clients . . . . . .182
802.1X accounting configuration. . . . . . . . . . . . . . . . . . . . . . . . . . .182
802.1X accounting attributes for RADIUS . . . . . . . . . . . . . . . .183
Enabling 802.1X accounting. . . . . . . . . . . . . . . . . . . . . . . . . . .183
Displaying 802.1X information. . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Displaying 802.1X configuration information . . . . . . . . . . . . .184
Displaying 802.1X statistics . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Clearing 802.1X statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Displaying dynamically assigned VLAN information . . . . . . . .188
Displaying information about dynamically applied
MAC address filters and IP ACLs . . . . . . . . . . . . . . . . . . . . . . . .189
Displaying 802.1X multiple-host
authentication information . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Sample 802.1X configurations. . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Point-to-point configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Hub configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197
802.1X authentication with dynamic VLAN assignment . . . . .198
Multi-device port authentication and 802.1X
security on the same port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Chapter 7 MAC Port Security
MAC port security overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Local and global resources used for MAC port security . . . . .202
Configuration notes and feature limitations
for MAC port security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
MAC port security configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . .203
Enabling the MAC port security feature . . . . . . . . . . . . . . . . . .203
Setting the maximum number of secure
MAC addresses for an interface . . . . . . . . . . . . . . . . . . . . . . . .204
Setting the port security age timer . . . . . . . . . . . . . . . . . . . . . .204
Specifying secure MAC addresses . . . . . . . . . . . . . . . . . . . . . .205
Autosaving secure MAC addresses to the
startup configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Specifying the action taken when a security
violation occurs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
Clearing port security statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Clearing restricted MAC addresses. . . . . . . . . . . . . . . . . . . . . .207
Clearing violation statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Displaying port security information . . . . . . . . . . . . . . . . . . . . . . . .208
Displaying port security settings . . . . . . . . . . . . . . . . . . . . . . . .208
Displaying the secure MAC addresses . . . . . . . . . . . . . . . . . . .208
Displaying port security statistics . . . . . . . . . . . . . . . . . . . . . . .209
Displaying restricted MAC addresses on a port . . . . . . . . . . . .210
Chapter 8 MAC-based VLANs
MAC-based VLAN overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
Static and dynamic hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
MAC-based VLAN feature structure . . . . . . . . . . . . . . . . . . . . .212
Dynamic MAC-based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
Configuration notes and feature limitations
for dynamic MAC-based VLAN. . . . . . . . . . . . . . . . . . . . . . . . . .213
Dynamic MAC-based VLAN CLI commands . . . . . . . . . . . . . . .213
Dynamic MAC-based VLAN configuration example . . . . . . . . .214
MAC-based VLAN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
Using MAC-based VLANs and 802.1X security
on the same port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Configuring generic and Brocade vendor-specific
attributes on the RADIUS server. . . . . . . . . . . . . . . . . . . . . . . .216
Aging for MAC-based VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Disabling aging for MAC-based VLAN sessions . . . . . . . . . . . .218
Configuring the maximum MAC addresses per port . . . . . . . .219
Configuring a MAC-based VLAN for a static host . . . . . . . . . . .219
Configuring MAC-based VLAN for a dynamic host . . . . . . . . . .220
Configuring dynamic MAC-based VLAN . . . . . . . . . . . . . . . . . .220
Configuring MAC-based VLANs using SNMP . . . . . . . . . . . . . . . . . .221
Displaying information about MAC-based VLANs . . . . . . . . . . . . . .221
Displaying the MAC-VLAN table. . . . . . . . . . . . . . . . . . . . . . . . .221
Displaying the MAC-VLAN table for a specific MAC address . .222
Displaying allowed MAC addresses . . . . . . . . . . . . . . . . . . . . .222
Displaying denied MAC addresses . . . . . . . . . . . . . . . . . . . . . .223
Displaying detailed MAC-VLAN data . . . . . . . . . . . . . . . . . . . . .224
Displaying MAC-VLAN information for a specific interface . . .225
Displaying MAC addresses in a MAC-based VLAN . . . . . . . . . .226
Displaying MAC-based VLAN logging . . . . . . . . . . . . . . . . . . . .227
Clearing MAC-VLAN information. . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Sample MAC-based VLAN application . . . . . . . . . . . . . . . . . . . . . . .227
Chapter 9 Multi-Device Port Authentication
How multi-device port authentication works. . . . . . . . . . . . . . . . . .231
RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .232
Authentication-failure actions . . . . . . . . . . . . . . . . . . . . . . . . . .232
Supported RADIUS attributes . . . . . . . . . . . . . . . . . . . . . . . . . .232
Support for dynamic VLAN assignment . . . . . . . . . . . . . . . . . .233
Support for dynamic ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Support for authenticating multiple MAC addresses
on an interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .233
Support for dynamic ARP inspection with dynamic ACLs . . . .233
Support for DHCP snooping with dynamic ACLs . . . . . . . . . . .234
Support for source guard protection. . . . . . . . . . . . . . . . . . . . .234
Multi-device port authentication and 802.1X
security on the same port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
Configuring Brocade-specific attributes on the
RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Multi-device port authentication configuration. . . . . . . . . . . . . . . .236
Enabling multi-device port authentication . . . . . . . . . . . . . . . .237
Specifying the format of the MAC addresses sent to the
RADIUS server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Specifying the authentication-failure action . . . . . . . . . . . . . .238
Generating traps for multi-device port authentication . . . . . .239
Defining MAC address filters. . . . . . . . . . . . . . . . . . . . . . . . . . .239
Configuring dynamic VLAN assignment . . . . . . . . . . . . . . . . . .239
Dynamically applying IP ACLs to authenticated
MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Enabling denial of service attack protection . . . . . . . . . . . . . .245
Enabling source guard protection . . . . . . . . . . . . . . . . . . . . . . .246
Clearing authenticated MAC addresses. . . . . . . . . . . . . . . . . .247
Disabling aging for authenticated MAC addresses . . . . . . . . .248
Changing the hardware aging period for blocked
MAC addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .249
Specifying the aging time for blocked MAC addresses . . . . . .250
Specifying the RADIUS timeout action . . . . . . . . . . . . . . . . . . .250
Multi-device port authentication password override . . . . . . . .251
Limiting the number of authenticated MAC addresses. . . . . .252
Displaying multi-device port authentication information . . . . . . . .252
Displaying authenticated MAC address information . . . . . . . .252
Displaying multi-device port authentication
configuration information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Displaying multi-device port authentication information
for a specific MAC address or port . . . . . . . . . . . . . . . . . . . . . .254
Displaying the authenticated MAC addresses . . . . . . . . . . . . .255
Displaying the non-authenticated MAC addresses . . . . . . . . .256
Displaying multi-device port authentication information
for a port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Displaying multi-device port authentication settings
and authenticated MAC addresses . . . . . . . . . . . . . . . . . . . . .257
Example port authentication configurations . . . . . . . . . . . . . . . . . .260
Multi-device port authentication with dynamic
VLAN assignment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260
Examples of multi-device port authentication and 802.1X
authentication configuration on the same port . . . . . . . . . . . .263
Chapter 10 DoS Attack Protection
Smurf attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
Avoiding being an intermediary in a Smurf attack. . . . . . . . . .268
Avoiding being a victim in a Smurf attack . . . . . . . . . . . . . . . .268
TCP SYN attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
TCP security enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Displaying statistics about packets dropped
because of DoS attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271
Chapter 11 Rate Limiting and Rate Shaping
Port-based rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
How port-based fixed rate limiting works. . . . . . . . . . . . . . . . . 274
Rate limiting in hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuration notes for port-based fixed rate limiting. . . . . . .275
Configuring a port-based fixed rate limiting policy . . . . . . . . .275
Displaying the port-based fixed rate limiting configuration . .275
Rate shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Configuration notes for rate shaping . . . . . . . . . . . . . . . . . . . . 276
Configuring outbound rate shaping for a port . . . . . . . . . . . . . 276
Configuring outbound rate shaping for a specific priority. . . . 277
Configuring outbound rate shaping for a trunk port . . . . . . . .277
Displaying rate shaping configurations . . . . . . . . . . . . . . . . . .277
CPU rate-limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Chapter 12 DHCP
Dynamic ARP inspection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
ARP poisoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Dynamic ARP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Configuration notes and feature limitations for DAI . . . . . . . .281
Dynamic ARP inspection configuration . . . . . . . . . . . . . . . . . .282
Displaying ARP inspection status and ports . . . . . . . . . . . . . .283
Displaying the ARP table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
DHCP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
How DHCP snooping works . . . . . . . . . . . . . . . . . . . . . . . . . . . .284
System reboot and the binding database . . . . . . . . . . . . . . . .285
Configuration notes and feature limitations
for DHCP snooping. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Configuring DHCP snooping . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Clearing the DHCP binding database . . . . . . . . . . . . . . . . . . . .287
Displaying DHCP snooping status and ports . . . . . . . . . . . . . .287
Displaying the DHCP snooping binding database . . . . . . . . . .287
Displaying DHCP binding entry and status. . . . . . . . . . . . . . . .287
DHCP snooping configuration example . . . . . . . . . . . . . . . . . .288
DHCP relay agent information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Configuration notes for DHCP option 82 . . . . . . . . . . . . . . . . .289
DHCP option 82 sub-options. . . . . . . . . . . . . . . . . . . . . . . . . . .289
DHCP option 82 configuration . . . . . . . . . . . . . . . . . . . . . . . . .291
Viewing information about DHCP option 82 processing . . . . .293
IP source guard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Configuration notes and feature limitations
for IP source guard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Enabling IP source guard on a port . . . . . . . . . . . . . . . . . . . . .296
Defining static IP source bindings . . . . . . . . . . . . . . . . . . . . . .296
Enabling IP source guard per-port-per-VLAN . . . . . . . . . . . . . .297
Enabling IP source guard on a VE. . . . . . . . . . . . . . . . . . . . . . .297
Displaying learned IP addresses. . . . . . . . . . . . . . . . . . . . . . . .297
Chapter 13 Limiting Broadcast, Multicast, and Unknown
Unicast Traffic
Broadcast, unknown Unicast, and Multicast rate limiting . . . . . . .299
Configuration notes and feature limitations . . . . . . . . . . . . . .299
Configuring rate limiting for BUM traffic. . . . . . . . . . . . . . . . . .299
Viewing rate limits set on BUM traffic . . . . . . . . . . . . . . . . . . .300
Index

About This Document

The Brocade ICX 6650 is a ToR (Top of Rack) Ethernet switch for campus LAN and classic Ethernet data center environments.

Audience

This document is designed for system administrators with a working knowledge of Layer 2 and Layer 3 switching and routing.
If you are using a Brocade Layer 3 Switch, you should be familiar with the following protocols if applicable to your network: IP, RIP, OSPF, BGP, ISIS, PIM, and VRRP.

Supported hardware and software

This document is specific to the Brocade ICX 6650 running FastIron 7.5.00.

Brocade ICX 6650 slot and port numbering

Many CLI commands require users to enter port numbers as part of the command syntax, and many show command outputs display port numbers. The port numbers are entered and displayed in stack-unit/slot number/port number format. In all Brocade ICX 6650 inputs and outputs, the stack-unit number is always 1.
The Brocade ICX 6650 contains the following slots and Ethernet ports:
Slot 1 is located on the front of the Brocade ICX 6650 device and contains ports 1 through 56.
Ports 1 through 32 are 10 GbE. Ports 33 through 56 are 1/10 GbE SFP+ ports. Refer to the following figure.
(Figure: Slot 1 port numbering)
Slot 2 is located on the back of the Brocade ICX 6650 device and contains ports 1 through 3 on the top row and port 4 on the bottom row. These ports are 2x40 GbE QSFP+. Refer to the following figure.
(Figure: Slot 2 and Slot 3 port numbering)
Slot 3 is located on the back of the Brocade ICX 6650 device and contains ports 1 through 8. These ports are 4 x 10 GbE breakout ports and require the use of a breakout cable. Refer to the previous figure.

How this document is organized

This document is organized to help you find the information that you want as quickly and easily as possible.
The document contains the following components:
“Security Access” on page 1
“SSH2 and SCP” on page 63
“Rule-Based IP ACLs” on page 81
“IPv6 ACLs” on page 127
“ACL-based Rate Limiting” on page 141
“802.1X Port Security” on page 153
“MAC Port Security” on page 201
“MAC-based VLANs” on page 211
“Multi-Device Port Authentication” on page 231
“DoS Attack Protection” on page 267
“Rate Limiting and Rate Shaping” on page 273
“DHCP” on page 279
“Limiting Broadcast, Multicast, and Unknown Unicast Traffic” on page 299

Document conventions

This section describes text formatting conventions and important notice formats used in this document.

Text formatting

The narrative-text formatting conventions that are used are as follows:
bold text Identifies command names
          Identifies the names of user-manipulated GUI elements
          Identifies keywords and operands
          Identifies text to enter at the GUI or CLI
italic text Provides emphasis
          Identifies variables
          Identifies paths and Internet addresses
          Identifies document titles
code text Identifies CLI output
          Identifies command syntax examples
NOTE
For readability, command names in the narrative portions of this guide are presented in mixed lettercase: for example, switchShow. In actual examples, command lettercase is all lowercase.

Command syntax conventions

Command syntax in this manual follows these conventions:
command Commands are printed in bold.
--option, option Command options are printed in bold.
-argument, arg Arguments.
[ ] Optional elements appear in brackets.
variable Variables are printed in italics. In the help pages, values are underlined or enclosed in angled brackets < >.
... Repeat the previous element, for example “member[;member...]”
value Fixed values following arguments are printed in plain font. For example, --show WWN
| Boolean. Elements are exclusive. Example: --show -mode egress | ingress

Notes, cautions, and warnings

The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
NOTE
A note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.
ATTENTION
An Attention statement indicates potential damage to hardware or data.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
DANGER
A Danger statement indicates conditions or situations that can be potentially lethal or extremely hazardous to you. Safety labels are also attached directly to products to warn of these conditions or situations.

Notice to the reader

This document might contain references to the trademarks of the following corporations. These trademarks are the properties of their respective companies and corporations.
These references are made for informational purposes only.
Corporation Referenced Trademarks and Products
Microsoft Corporation Windows, Windows NT, Internet Explorer
Oracle Corporation Oracle, Java
Netscape Communications Corporation Netscape
Mozilla Corporation Mozilla Firefox
Sun Microsystems, Inc. Sun, Solaris
Red Hat, Inc. Red Hat, Red Hat Network, Maximum RPM, Linux Undercover

Related publications

The following Brocade documents supplement the information in this guide:
Brocade ICX 6650 Release Notes
Brocade ICX 6650 Hardware Installation Guide New
Brocade ICX 6650 Administration Guide
Brocade ICX 6650 Platform and Layer 2 Configuration Guide
Brocade ICX 6650 Layer 3 Routing Configuration Guide
Brocade ICX 6650 Security Configuration Guide
Brocade ICX 6650 IP Multicast Configuration Guide
Brocade ICX 6650 Diagnostic Reference
Unified IP MIB Reference
Ports-on-Demand Licensing for the Brocade ICX 6650
The latest versions of these guides are posted at http://www.brocade.com/ethernetproducts.

Additional information

This section lists additional Brocade and industry-specific documentation that you might find helpful.

Brocade resources

To get up-to-the-minute information, go to http://my.brocade.com to register at no cost for a user ID and password.
White papers, online demonstrations, and data sheets are available through the Brocade website at:
http://www.brocade.com/products-solutions/products/index.page
For additional Brocade documentation, visit the Brocade website:
http://www.brocade.com
Release notes are available on the MyBrocade website.

Other industry resources

For additional resource information, visit the Technical Committee T11 website. This website provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications:
http://www.t11.org
For information about the Fibre Channel industry, visit the Fibre Channel Industry Association website:
http://www.fibrechannel.org

Getting technical help

To contact Technical Support, go to http://www.brocade.com/services-support/index.page for the latest e-mail and telephone contact information.

Document feedback

Quality is our first concern at Brocade and we have made every effort to ensure the accuracy and completeness of this document. However, if you find an error or an omission, or you think that a topic needs further development, we want to hear from you. Forward your feedback to:
documentation@brocade.com
Provide the title and version number of the document and as much detail as possible about your comment, including the topic heading and page number and your suggestions for improvement.

Chapter 1 Security Access

Table 1 lists the security access features supported on Brocade ICX 6650. These features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
TABLE 1 Supported security access features
Feature Brocade ICX 6650
Authentication, Authorization and Accounting (AAA):
  RADIUS Yes
  TACACS/TACACS+ Yes
  AAA support for console commands Yes
Restricting remote access to management functions:
  Disabling TFTP access Yes
  Using ACLs to restrict remote access Yes
Local user accounts Yes
Local user passwords Yes
AAA authentication-method lists Yes
Packet filtering on TCP flags Yes
This chapter explains how to secure access to management functions on a Brocade device.
NOTE
For the Brocade ICX 6650, RADIUS Challenge is supported for 802.1x authentication but not for login authentication. Also, multiple challenges are supported for TACACS+ login authentication.

Securing access methods

The following table lists the management access methods available on a Brocade device, how they are secured by default, and the ways in which they can be secured.
TABLE 2 Ways to secure management access to Brocade devices

Access method: Serial access to the CLI
How the access method is secured by default: Not secured
Ways to secure the access method:
  Establish passwords for management privilege levels

Access method: Access to the Privileged EXEC and CONFIG levels of the CLI
How the access method is secured by default: Not secured
Ways to secure the access method:
  Establish a password for Telnet access to the CLI
  Establish passwords for management privilege levels
  Set up local user accounts
  Configure TACACS/TACACS+ security
  Configure RADIUS security

Access method: Telnet access
How the access method is secured by default: Not secured
Ways to secure the access method:
  Regulate Telnet access using ACLs
  Allow Telnet access only from specific IP addresses
  Restrict Telnet access based on a client MAC address
  Allow Telnet access only from specific MAC addresses
  Define the Telnet idle time
  Change the Telnet login timeout period
  Specify the maximum number of login attempts for Telnet access
  Disable Telnet access
  Establish a password for Telnet access
  Establish passwords for privilege levels of the CLI
  Set up local user accounts
  Configure TACACS/TACACS+ security
  Configure RADIUS security

Access method: Secure Shell (SSH) access
How the access method is secured by default: Not configured
Ways to secure the access method:
  Configure SSH
  Regulate SSH access using ACLs
  Allow SSH access only from specific IP addresses
  Allow SSH access only from specific MAC addresses
  Establish passwords for privilege levels of the CLI
  Set up local user accounts
  Configure TACACS/TACACS+ security
  Configure RADIUS security

Access method: SNMP access
How the access method is secured by default: SNMP read or read-write community strings and the password to the Super User privilege level. NOTE: SNMP read or read-write community strings are always required for SNMP access to the device.
Ways to secure the access method:
  Regulate SNMP access using ACLs
  Allow SNMP access only from specific IP addresses
  Disable SNMP access
  Allow SNMP access only to clients connected to a specific VLAN
  Establish passwords to management levels of the CLI
  Set up local user accounts
  Establish SNMP read or read-write community strings

Access method: TFTP access
How the access method is secured by default: Not secured
Ways to secure the access method:
  Allow TFTP access only to clients connected to a specific VLAN
  Disable TFTP access

Access method: Access for Stacked Devices
How the access method is secured by default: Access to multiple consoles must be secured after AAA is enabled
Ways to secure the access method:
  Extra steps must be taken to secure multiple consoles in an IronStack.

Remote access to management function restrictions

You can restrict access to management functions from remote sources, including Telnet and SNMP. The following methods for restricting remote access are supported:
Using ACLs to restrict Telnet or SNMP access
Allowing remote access only from specific IP addresses
Allowing Telnet and SSH access only from specific MAC addresses
Allowing remote access only to clients connected to a specific VLAN
Specifically disabling Telnet or SNMP access to the device
The following sections describe how to restrict remote access to a Brocade device using these methods.

ACL usage to restrict remote access

You can use standard ACLs to control the following access methods to management functions on a Brocade device:
Telnet
SSH
SNMP
Consider the following to configure access control for these management access methods.
1. Configure an ACL with the IP addresses you want to allow to access the device.
2. Configure a Telnet access group, SSH access group, and SNMP community strings. Each of these configuration items accepts an ACL as a parameter. The ACL contains entries that identify the IP addresses that can use the access method.
The following sections present examples of how to secure management access using ACLs. Refer to Chapter 3, “Rule-Based IP ACLs” for more information on configuring ACLs.
Using an ACL to restrict Telnet access
To configure an ACL that restricts Telnet access to the device, enter commands such as the following.
Brocade(config)# access-list 10 deny host 10.157.22.32 log
Brocade(config)# access-list 10 deny 10.157.23.0 0.0.0.255 log
Brocade(config)# access-list 10 deny 10.157.24.0 0.0.0.255 log
Brocade(config)# access-list 10 deny 10.157.25.0/24 log
Brocade(config)# access-list 10 permit any
Brocade(config)# telnet access-group 10
Brocade(config)# write memory
Syntax: telnet access-group num
The num parameter specifies the number of a standard ACL and must be from 1–99.
The commands above configure ACL 10, then apply the ACL as the access list for Telnet access. The device allows Telnet access to all IP addresses except those listed in ACL 10.
To configure a more restrictive ACL, create permit entries and omit the permit any entry at the end of the ACL.
Example
Brocade(config)# access-list 10 permit host 10.157.22.32
Brocade(config)# access-list 10 permit 10.157.23.0 0.0.0.255
Brocade(config)# access-list 10 permit 10.157.24.0 0.0.0.255
Brocade(config)# access-list 10 permit 10.157.25.0/24
Brocade(config)# telnet access-group 10
Brocade(config)# write memory
The ACL in this example permits Telnet access only to the IP addresses in the permit entries and denies Telnet access from all other IP addresses.
Using an ACL to restrict SSH access
To configure an ACL that restricts SSH access to the device, enter commands such as the following.
Brocade(config)# access-list 12 deny host 10.157.22.98 log
Brocade(config)# access-list 12 deny 10.157.23.0 0.0.0.255 log
Brocade(config)# access-list 12 deny 10.157.24.0/24 log
Brocade(config)# access-list 12 permit any
Brocade(config)# ssh access-group 12
Brocade(config)# write memory
Syntax: ssh access-group num
The num parameter specifies the number of a standard ACL and must be from 1–99.
These commands configure ACL 12, then apply the ACL as the access list for SSH access. The device denies SSH access from the IP addresses listed in ACL 12 and permits SSH access from all other IP addresses. Without the last ACL entry for permitting all packets, this ACL would deny SSH access from all IP addresses.
NOTE
In this example, the command ssh access-group 10 could have been used to apply the ACL configured in the example for Telnet access. You can use the same ACL multiple times.
Using ACLs to restrict SNMP access
To restrict SNMP access to the device using ACLs, enter commands such as the following.
NOTE
The syntax for using ACLs for SNMP access is different from the syntax for controlling Telnet and SSH access using ACLs.
Brocade(config)# access-list 25 deny host 10.157.22.98 log
Brocade(config)# access-list 25 deny 10.157.23.0 0.0.0.255 log
Brocade(config)# access-list 25 deny 10.157.24.0 0.0.0.255 log
Brocade(config)# access-list 25 permit any
Brocade(config)# access-list 30 deny 10.157.25.0 0.0.0.255 log
Brocade(config)# access-list 30 deny 10.157.26.0/24 log
Brocade(config)# access-list 30 permit any
Brocade(config)# snmp-server community public ro 25
Brocade(config)# snmp-server community private rw 30
Brocade(config)# write memory
Syntax: snmp-server community string ro | rw num
The string parameter specifies the SNMP community string you must enter to gain SNMP access.
The ro parameter indicates that the community string is for read-only (“get”) access. The rw parameter indicates the community string is for read-write (“set”) access.
The num parameter specifies the number of a standard ACL and must be from 1–99.
These commands configure ACLs 25 and 30, then apply the ACLs to community strings.
ACL 25 is used to control read-only access using the “public” community string. ACL 30 is used to control read-write access using the “private” community string.
NOTE
When snmp-server community is configured, all incoming SNMP packets are validated first by their community strings and then by their bound ACLs.

Defining the console idle time

By default, a Brocade device does not time out serial console sessions. A serial session remains open indefinitely until you close it. You can, however, define how many minutes a serial management session can remain idle before it is timed out.
NOTE
You must enable AAA support for console commands, AAA authentication, and Exec authorization in order to set the console idle time.
To configure the idle time for a serial console session, use the following command.
Brocade(config)# console timeout 120
Syntax: [no] console timeout minutes
Possible values for the minutes variable: 0–240 minutes
Default value: 0 minutes (no timeout)
NOTE
In RADIUS, the standard attribute Idle-Timeout is used to define the console session timeout value. The attribute Idle-Timeout value is specified in seconds. Within the switch, it is truncated to the nearest minute, because the switch configuration is defined in minutes.

Remote access restrictions

By default, a Brocade device does not control remote management access based on the IP address of the managing device. You can restrict remote management access to a single IP address for the following access methods:
Telnet access
SSH access
SNMP access
In addition, you can restrict all access methods to the same IP address using a single command.
The following examples show the CLI commands for restricting remote access. You can specify only one IP address with each command. However, you can enter each command ten times to specify up to ten IP addresses.
Restricting Telnet access to a specific IP address
To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.
Brocade(config)# telnet-client 10.157.22.39
Syntax: [no] telnet-client ip-addr | ipv6-addr
Restricting SSH access to a specific IP address
To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39, enter the following command.
Brocade(config)# ip ssh client 10.157.22.39
Syntax: [no] ip ssh client ip-addr | ipv6-addr
Restricting SNMP access to a specific IP address
To allow SNMP access only to the host with IP address 10.157.22.14, enter the following command.
Brocade(config)# snmp-client 10.157.22.14
Syntax: [no] snmp-client ip-addr | ipv6-addr
Restricting all remote management access to a specific IP address
To allow Telnet and SNMP management access to the Brocade device only to the host with IP address 10.157.22.69, enter three separate commands (one for each access type) or enter the following command.
Brocade(config)# all-client 10.157.22.69
Syntax: [no] all-client ip-addr | ipv6-addr

Restricting access to the device based on IP or MAC address

You can restrict remote management access to the Brocade device, using Telnet, SSH, HTTP, and HTTPS, based on the connecting client IP or MAC address.
Restricting Telnet connection
You can restrict Telnet connection to a device based on the client IP address or MAC address.
To allow Telnet access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.
Brocade(config)# telnet client 10.157.22.39 0000.000f.e9a0
Syntax: [no] telnet client ip-addr | ipv6-addr mac-addr
The following command allows Telnet access to the Brocade device to a host with any IP address and MAC address 0000.000f.e9a0.
Brocade(config)# telnet client any 0000.000f.e9a0
Syntax: [no] telnet client any mac-addr
Restricting SSH connection
You can restrict SSH connection to a device based on the client IP address or MAC address.
To allow SSH access to the Brocade device only to the host with IP address 10.157.22.39 and MAC address 0000.000f.e9a0, enter the following command.
Brocade(config)# ip ssh client 10.157.22.39 0000.000f.e9a0
Syntax: [no] ip ssh client ip-addr | ipv6-addr mac-addr
To allow SSH access to the Brocade device to a host with any IP address and MAC address 0000.000f.e9a0, enter the following command.
Brocade(config)# ip ssh client any 0000.000f.e9a0
Syntax: [no] ip ssh client any mac-addr
Restricting HTTP and HTTPS connection
You can restrict an HTTP or HTTPS connection to a device based on the client IP address or MAC address.
To allow HTTP and HTTPS access to the Brocade device only to the host with IP address 10.157.22.40 and MAC address 0000.000f.ab1c, enter the following command.
Brocade(config)# web client 10.157.22.40 0000.000f.ab1c
Syntax: [no] web client ip-addr | ipv6-addr mac-addr
The following command allows HTTP and HTTPS access to the Brocade device to a host with any IP address and MAC address 0000.000f.10ba.
Brocade(config)# web client any 0000.000f.10ba
Syntax: [no] web client any mac-addr

Defining the Telnet idle time

You can define how many minutes a Telnet session can remain idle before it is timed out. An idle Telnet session is a session that is still sending TCP ACKs in response to keepalive messages from the device, but is not being used to send data.
To configure the idle time for a Telnet session, use the following command.
Brocade(config)# telnet timeout 120
Syntax: [no] telnet timeout minutes
For minutes enter a value from 0–240. The default value is 0 minutes (no timeout).

Changing the login timeout period for Telnet sessions

By default, the login timeout period for a Telnet session is 1 minute. To change the login timeout period, use the following command.
Brocade(config)# telnet login-timeout 5
Syntax: [no] telnet login-timeout minutes
For minutes, enter a value from 1 to 10. The default timeout period is 1 minute.

Specifying the maximum number of login attempts for Telnet access

If you are connecting to the Brocade device using Telnet, the device prompts you for a username and password. By default, you have up to 4 chances to enter a correct username and password. If you do not enter a correct username or password after 4 attempts, the Brocade device disconnects the Telnet session.
You can specify the number of attempts a Telnet user has to enter a correct username and password before the device disconnects the Telnet session. For example, to allow a Telnet user up to 5 chances to enter a correct username and password, enter the following command.
Brocade(config)# telnet login-retries 5
Syntax: [no] telnet login-retries number
You can specify from 0–5 attempts. The default is 4 attempts.

Changing the login timeout period for Telnet sessions

To change the login timeout period for Telnet sessions to 5 minutes, enter the following command:
Brocade(config)# telnet login-timeout 5
Syntax: [no] telnet login-timeout minutes
For minutes, specify a value from 1–10. The default is 2 minutes.

Restricting remote access to the device to specific VLAN IDs

You can restrict management access to a Brocade device to ports within a specific port-based VLAN. VLAN-based access control applies to the following access methods:
Telnet access
SNMP access
TFTP access
By default, access is allowed for all the methods listed above on all ports. After you configure security for a given access method based on VLAN ID, access to the device using that method is restricted to only the ports within the specified VLAN.
VLAN-based access control works in conjunction with other access control methods. For example, suppose you configure an ACL to permit Telnet access only to specific client IP addresses, and you also configure VLAN-based access control for Telnet access. In this case, the only Telnet clients that can access the device are clients that have one of the IP addresses permitted by the ACL and are connected to a port that is in a permitted VLAN. Clients who have a permitted IP address but are connected to a port in a VLAN that is not permitted still cannot access the device through Telnet.
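As an added example (not from the Brocade guide, and not FastIron code), the following Python model shows how the standard-ACL rules described under "ACL usage to restrict remote access" (entries evaluated top-down, first match wins, implicit deny when no entry matches, wildcard masks being the inverse of subnet masks) and the telnet-client and VLAN-based restrictions described in this section combine when a Telnet client connects. The class and function names (Entry, parse_acl_lines, acl_decision, TelnetPolicy, telnet_allowed) and the assumption that an access-group naming an undefined ACL behaves like an empty ACL are this example's own; the configuration lines are constructed from the guide's examples, with ACL 12 deliberately left without its trailing permit any to show the implicit deny the SSH section warns about.

```python
# Added example, not code from the Brocade guide: a model of how a standard
# ACL bound to a management access method, a telnet-client allow list and
# VLAN-based access control combine to admit or refuse a management client.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network    # source addresses the entry covers
    log: bool                         # trailing "log" keyword present


def wildcard_to_prefixlen(wildcard: str) -> int:
    """A wildcard mask such as 0.0.0.255 has 1-bits where the address need
    not match, i.e. it is the inverse of a subnet mask."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    bits = f"{netmask:032b}"
    if "01" in bits:                  # only contiguous masks are modelled here
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return bits.count("1")


ENTRY_RE = re.compile(
    r"^(?:Brocade\(config\)#\s*)?access-list\s+(\d+)\s+(permit|deny)\s+(.+?)(\s+log)?$")


def parse_acl_lines(lines):
    """Parse 'access-list NUM permit|deny SOURCE [log]' lines in the forms the
    guide uses (host A.B.C.D, A.B.C.D WILDCARD, A.B.C.D/LEN, any) into
    {acl_number: [Entry, ...]}, preserving configuration order."""
    acls = {}
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                  # e.g. 'telnet access-group 10', 'write memory'
        num, action, src, log = int(m[1]), m[2], m[3].strip(), bool(m[4])
        if not 1 <= num <= 99:
            raise ValueError("standard ACL numbers are 1-99")
        if src == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif src.startswith("host "):
            net = ipaddress.IPv4Network(src.split()[1] + "/32")
        elif "/" in src:
            net = ipaddress.IPv4Network(src, strict=False)
        else:
            addr, wildcard = src.split()
            net = ipaddress.IPv4Network(f"{addr}/{wildcard_to_prefixlen(wildcard)}", strict=False)
        acls.setdefault(num, []).append(Entry(action, net, log))
    return acls


def acl_decision(entries, client_ip):
    """First matching entry wins; no match is the implicit deny.  This is why
    an ACL built from deny entries needs a final 'permit any': without it the
    ACL refuses every address, not just the ones listed."""
    ip = ipaddress.IPv4Address(client_ip)
    for entry in entries:
        if ip in entry.network:
            return entry.action, entry
    return "deny", None


@dataclass
class TelnetPolicy:
    """Telnet controls from the guide; None or empty means not configured."""
    access_group: Optional[int] = None   # telnet access-group NUM
    client_ips: tuple = ()               # telnet-client A.B.C.D (up to ten)
    vlan: Optional[int] = None           # telnet server enable vlan ID


def telnet_allowed(policy, acls, client_ip, client_vlan):
    """Every configured control must agree: a permitted IP on a port outside
    the permitted VLAN is still refused."""
    if policy.vlan is not None and client_vlan != policy.vlan:
        return False
    if policy.client_ips and client_ip not in policy.client_ips:
        return False
    if policy.access_group is not None:
        # Assumption of this model: an access-group naming an ACL with no
        # entries behaves like an empty ACL, i.e. implicit deny.
        action, _ = acl_decision(acls.get(policy.access_group, []), client_ip)
        if action != "permit":
            return False
    return True


# Constructed configuration, adapted from the guide's Telnet and SSH examples.
SAMPLE_CONFIG = [
    "Brocade(config)# access-list 10 deny host 10.157.22.32 log",
    "Brocade(config)# access-list 10 deny 10.157.23.0 0.0.0.255 log",
    "Brocade(config)# access-list 10 deny 10.157.24.0 0.0.0.255 log",
    "Brocade(config)# access-list 10 deny 10.157.25.0/24 log",
    "Brocade(config)# access-list 10 permit any",
    "Brocade(config)# access-list 12 deny host 10.157.22.98 log",
    "Brocade(config)# access-list 12 deny 10.157.23.0 0.0.0.255 log",
    "Brocade(config)# access-list 12 deny 10.157.24.0/24 log",
    # ACL 12 intentionally has no 'permit any' here, to show the implicit deny
    "Brocade(config)# telnet access-group 10",
]

if __name__ == "__main__":
    acls = parse_acl_lines(SAMPLE_CONFIG)
    policy = TelnetPolicy(access_group=10, vlan=10)
    for ip, vlan in [("10.157.22.32", 10), ("10.157.22.33", 10), ("10.157.22.33", 20)]:
        verdict = "allowed" if telnet_allowed(policy, acls, ip, vlan) else "refused"
        print(f"{ip} on VLAN {vlan}: {verdict}")
    print("ACL 12 without permit any, 10.157.30.1:", acl_decision(acls[12], "10.157.30.1")[0])
```

Running the module prints the decision for three constructed clients; the case of 10.157.22.33 on VLAN 20 is the one the paragraph above describes, an IP address the ACL permits that is still refused because the client's port is outside the permitted VLAN.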
Restricting Telnet access to a specific VLAN
To allow Telnet access only to clients in a specific VLAN, enter a command such as the following.
Brocade(config)# telnet server enable vlan 10
The command in this example configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
Syntax: [no] telnet server enable vlan vlan-id
Restricting SNMP access to a specific VLAN
To allow SNMP access only to clients in a specific VLAN, enter a command such as the following.
Brocade(config)# snmp-server enable vlan 40
The command in this example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Syntax: [no] snmp-server enable vlan vlan-id
Restricting TFTP access to a specific VLAN
To allow TFTP access only to clients in a specific VLAN, enter a command such as the following.
Brocade(config)# tftp client enable vlan 40
The command in this example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
Syntax: [no] tftp client enable vlan vlan-id

Designated VLAN for Telnet management sessions to a Layer 2 switch

Brocade ICX 6650 supports the creation of management VLANs. By default, the management IP address you configure on a Layer 2 switch applies globally to all the ports on the device. This is true even if you divide the device ports into multiple port-based VLANs.
If you want to restrict the IP management address to a specific port-based VLAN, you can make that VLAN the designated management VLAN for the device. When you configure a VLAN to be the designated management VLAN, the management IP address you configure on the device is associated only with the ports in the designated VLAN. To establish a Telnet management session with the device, you must access the device through one of the ports in the designated VLAN.
You also can configure up to five default gateways for the designated VLAN, and associate a metric with each one. The software uses the gateway with the lowest metric. The other gateways reside in the configuration but are not used. To use one of the other gateways, modify the configuration so that the gateway you want to use has the lowest metric.
If more than one gateway has the lowest metric, the gateway that appears first in the running-config is used.
NOTE
If you have already configured a default gateway globally and you do not configure a gateway in the VLAN, the software uses the globally configured gateway and gives the gateway a metric value of 1.
To configure a designated management VLAN, enter commands such as the following.
Brocade(config)# vlan 10 by port
Brocade(config-vlan-10)# untag ethernet 1/1/1 to 1/1/4
Brocade(config-vlan-10)# management-vlan
Brocade(config-vlan-10)# default-gateway 10.10.10.1 1
Brocade(config-vlan-10)# default-gateway 10.20.20.1 2
These commands configure port-based VLAN 10 to consist of ports 1/1/1–1/1/4 and to be the designated management VLAN. The last two commands configure default gateways for the VLAN. Since the 10.10.10.1 gateway has a lower metric, the software uses this gateway. The other gateway remains in the configuration but is not used. You can use the other one by changing the metrics so that the 10.20.20.1 gateway has the lower metric.
Syntax: [no] default-gateway ip-addr metric
The ip-addr parameters specify the IP address of the gateway router.
The metric parameter specifies the metric (cost) of the gateway. You can specify a value from 1–5. There is no default. The software uses the gateway with the lowest metric.

Device management security

By default, all management access is disabled. Each of the following management access methods must be specifically enabled as required in your installation:
SSHv2
SNMP
The commands for granting access to each of these management interfaces are described below.
Allowing SSHv2 access to the Brocade device
To allow SSHv2 access to the Brocade device, you must generate a Crypto Key as shown in the following command.
Brocade(config)# crypto key generate
Syntax: crypto key [generate | zeroize]
The generate parameter generates a DSA key pair.
The zeroize parameter deletes the currently operative DSA key pair.
In addition, you must use AAA authentication to create a password to allow SSHv2 access. For example, the following command configures AAA authentication to use TACACS+ as the default method, or the local user database if TACACS+ is not available.
Brocade(config)# aaa authentication login default tacacs+ local
Allowing SNMP access to the Brocade device
To allow SNMP access to the Brocade device, enter the following command.
Brocade(config)# snmp-server
Syntax: [no] snmp-server

Disabling specific access methods

You can specifically disable the following access methods:
Telnet access
SNMP access
TFTP
If you disable Telnet access, you will not be able to access the CLI except through a serial connection to the management module. If you disable SNMP access, you will not be able to use SNMP-based management applications.
Disabling Telnet access
You can use a Telnet client to access the CLI on the device over the network. If you do not plan to use the CLI over the network and want to disable Telnet access to prevent others from establishing CLI sessions with the device, enter the following command.
Brocade(config)# no telnet server
To re-enable Telnet operation, enter the following command.
Brocade(config)# telnet server
Syntax: [no] telnet server
Disabling SNMP access
To disable SNMP management of the device, enter the following command.
Brocade(config)# no snmp-server
To later re-enable SNMP management of the device, enter the following command.
Brocade(config)# snmp-server
Syntax: no snmp-server
Disabling TFTP access
You can globally disable TFTP to block TFTP client access. By default, TFTP client access is enabled.
To disable TFTP client access, enter the following command at the Global CONFIG level of the CLI.
Brocade(config)# tftp disable
NOTE
When TFTP is disabled, you are prohibited from using the copy tftp command to copy files to the system flash. If you enter this command while TFTP is disabled, the system will reject the command and display an error message.
To re-enable TFTP client access once it is disabled, enter the following command.
Brocade(config)# no tftp disable
Syntax: [no] tftp disable
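The VLAN restrictions, the designated management VLAN with its gateway metrics, and the disable commands above lend themselves to a configuration audit. The following is an added example, not code from the guide or from Brocade: it parses a constructed running-config excerpt, reports whether Telnet, SNMP and TFTP are disabled, VLAN-restricted or open on all ports, and selects the effective gateway using the rules the guide states (lowest metric wins, first in the configuration on a tie, global gateway at metric 1 when the VLAN has none). The `ip default-gateway` spelling for the globally configured gateway is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed running-config excerpt (not taken from the guide): Telnet restricted to
# VLAN 10, SNMP disabled, TFTP left at its default, VLAN 10 as the designated management
# VLAN with two gateways at the same metric, plus a global gateway ("ip default-gateway"
# is an assumed spelling for the globally configured gateway the guide refers to).
SAMPLE_CONFIG = """\
ip default-gateway 10.0.0.254
vlan 10 by port
 untag ethernet 1/1/1 to 1/1/4
 management-vlan
 default-gateway 10.10.10.1 2
 default-gateway 10.20.20.1 2
!
telnet server enable vlan 10
no snmp-server
"""


@dataclass
class AccessReport:
    # Each method is "disabled", "vlan <id>" or "all ports" (the default per the guide).
    telnet: str = "all ports"
    snmp: str = "all ports"
    tftp: str = "all ports"
    management_vlan: Optional[int] = None
    gateways: list = field(default_factory=list)  # (ip, metric) pairs in config order
    global_gateway: Optional[str] = None

    def effective_gateway(self):
        """Lowest metric wins; on a tie the gateway listed first in the running-config
        is used; with no gateway under the VLAN the global gateway is used at metric 1."""
        if self.gateways:
            return min(self.gateways, key=lambda g: g[1])  # min() keeps the first on ties
        if self.global_gateway:
            return (self.global_gateway, 1)
        return None


# Global CONFIG commands documented on this page and the access state each one yields.
TOP_LEVEL_RULES = [
    (r"no telnet server$", "telnet", lambda m: "disabled"),
    (r"telnet server enable vlan (\d+)$", "telnet", lambda m: f"vlan {m.group(1)}"),
    (r"no snmp-server$", "snmp", lambda m: "disabled"),
    (r"snmp-server enable vlan (\d+)$", "snmp", lambda m: f"vlan {m.group(1)}"),
    (r"tftp disable$", "tftp", lambda m: "disabled"),
    (r"tftp client enable vlan (\d+)$", "tftp", lambda m: f"vlan {m.group(1)}"),
]


def audit_config(text: str) -> AccessReport:
    rep = AccessReport()
    vlan_gateways = {}          # vlan id -> [(ip, metric), ...] in config order
    current_vlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current_vlan is not None and not raw.startswith(" "):
            current_vlan = None  # an unindented line ends the VLAN block
        m = re.match(r"vlan (\d+) by port$", line)
        if m:
            current_vlan = int(m.group(1))
            continue
        if current_vlan is not None:
            if line == "management-vlan":
                rep.management_vlan = current_vlan
            m = re.match(r"default-gateway (\S+) (\d+)$", line)
            if m:
                vlan_gateways.setdefault(current_vlan, []).append((m.group(1), int(m.group(2))))
            continue
        m = re.match(r"ip default-gateway (\S+)$", line)
        if m:
            rep.global_gateway = m.group(1)
            continue
        for pattern, attr, state in TOP_LEVEL_RULES:
            m = re.match(pattern, line)
            if m:
                setattr(rep, attr, state(m))
                break
    # Only gateways under the designated management VLAN are candidates.
    rep.gateways = vlan_gateways.get(rep.management_vlan, [])
    return rep


def findings(rep: AccessReport) -> list:
    """Hardening findings: methods still reachable from every port, missing management VLAN."""
    out = []
    for name, state in (("Telnet", rep.telnet), ("SNMP", rep.snmp), ("TFTP", rep.tftp)):
        if state == "all ports":
            out.append(f"{name} management access is reachable from every port; "
                       "restrict it to a VLAN or disable it")
    if rep.management_vlan is None:
        out.append("no designated management VLAN: the management IP applies to all ports")
    return out


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print(report, "\neffective gateway:", report.effective_gateway())
    for f in findings(report):
        print("-", f)
```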

Passwords used to secure access

Passwords can be used to secure the following access methods:
Telnet access can be secured by setting a Telnet password. Refer to “Setting a Telnet password” on page 13.
Access to the Privileged EXEC and CONFIG levels of the CLI can be secured by setting passwords for management privilege levels. Refer to “Setting passwords for management privilege levels” on page 14.
This section also provides procedures for enhancing management privilege levels, recovering from a lost password, and disabling password encryption.
You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account a management privilege level. Refer to “Local user accounts” on page 17.

Setting a Telnet password

By default, the device does not require a user name or password when you log in to the CLI using Telnet. You can assign a password for Telnet access using one of the following methods.
Set the password “letmein” for Telnet access to the CLI using the following command at the global CONFIG level.
Brocade(config)# enable telnet password letmein
Syntax: [no] enable telnet password string
Suppressing Telnet connection rejection messages
By default, if a Brocade device denies Telnet management access to the device, the software sends a message to the denied Telnet client. You can optionally suppress the rejection message. When you enable the option, a denied Telnet client does not receive a message from the Brocade device. Instead, the denied client simply does not gain access.
To suppress the connection rejection message sent by the device to a denied Telnet client, enter the following command at the global CONFIG level of the CLI.
Brocade(config)# telnet server suppress-reject-message
Syntax: [no] telnet server suppress-reject-message

Setting passwords for management privilege levels

You can set one password for each of the following management privilege levels:
Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
Read Only level – Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.
You can assign a password to each management privilege level. You also can configure up to 16 user accounts consisting of a user name and password, and assign each user account to one of the three privilege levels. Refer to “Local user accounts” on page 17.
You must use the CLI to assign a password for management privilege levels.
If you configure user accounts in addition to privilege level passwords, the device will validate a user access attempt using one or both methods (local user account or privilege level password), depending on the order you specify in the authentication-method lists. Refer to “Authentication-method lists” on page 58.
Follow the steps given below to set passwords for management privilege levels.
1. At the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode.
Brocade> enable
Brocade#
2. Access the CONFIG level of the CLI by entering the following command.
Brocade# configure terminal
Brocade(config)#
3. Enter the following command to set the Super User level password.
Brocade(config)# enable super-user-password text
You must set the Super User level password before you can set other types of passwords. The Super User level password can be an alphanumeric string, but cannot begin with a number.
4. Enter the following commands to set the Port Configuration level and Read Only level passwords.
Brocade(config)# enable port-config-password text
Brocade(config)# enable read-only-password text
Syntax: enable super-user-password text
Syntax: enable port-config-password text
Syntax: enable read-only-password text
If you forget your Super User level password, refer to “Recovering from a lost password” on page 16.
Augmenting management privilege levels
Each management privilege level provides access to specific areas of the CLI by default:
Super User level provides access to all commands and displays.
Port Configuration level gives access to:
- The User EXEC and Privileged EXEC levels
- The port-specific parts of the CONFIG level
- All interface configuration levels
Read Only level gives access to:
- The User EXEC and Privileged EXEC levels
You can grant additional access to a privilege level on an individual command basis. To grant the additional access, you specify the privilege level you are enhancing, the CLI level that contains the command, and the individual command.
This feature applies only to management privilege levels on the CLI.
Enhance the Port Configuration privilege level so users also can enter IP commands at the global CONFIG level.
Brocade(config)# privilege configure level 4 ip
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for management privilege level 4 (Port Configuration). All users with Port Configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands. Users who log in with valid Port Configuration level user names and passwords can enter commands that begin with “ip” at the global CONFIG level.
Syntax: [no] privilege cli-level level privilege-level command-string
The cli-level parameter specifies the CLI level and can be one of the following values:
exec – EXEC level; for example, Brocade> or Brocade#
configure – CONFIG level; for example, Brocade(config)#
interface – Interface level; for example, Brocade(config-if-6)#
loopback-interface – loopback interface level
virtual-interface – Virtual-interface level; for example, Brocade(config-vif-6)#
dot1x – 802.1X configuration level
ipv6-access-list – IPv6 access list configuration level
rip-router – RIP router level; for example, Brocade(config-rip-router)#
ospf-router – OSPF router level; for example, Brocade(config-ospf-router)#
pim-router – PIM router level; for example, Brocade(config-pim-router)#
bgp-router – BGP4 router level; for example, Brocade(config-bgp-router)#
vrrp-router – VRRP configuration level
trunk – trunk configuration level
port-vlan – Port-based VLAN level; for example, Brocade(config-vlan)#
protocol-vlan – Protocol-based VLAN level
The privilege-level indicates the number of the management privilege level you are augmenting. You can specify one of the following:
0 – Super User level (full read-write access)
4 – Port Configuration level
5 – Read Only level
The command-string parameter specifies the command you are allowing users with the specified privilege level to enter. To display a list of the commands at a CLI level, enter “?” at that level's command prompt.

Recovering from a lost password

Recovery from a lost password requires direct access to the serial port and a system reset.
You can perform this procedure only from the CLI.
Follow the steps given below to recover from a lost password.
1. Start a CLI session over the serial interface to the device.
2. Reboot the device.
3. At the initial boot prompt at system startup, enter b to enter the boot monitor mode.
4. Enter no password at the prompt. (You cannot abbreviate this command.) This command will cause the device to bypass the system password check.
5. Enter boot system flash primary at the prompt.
6. After the console prompt reappears, assign a new password.

Displaying the SNMP community string

If you want to display the SNMP community string, enter the following commands.
Brocade(config)# enable password-display
Brocade# show snmp server
The enable password-display command enables display of the community string, but only in the output of the show snmp server command. Display of the string is still encrypted in the startup-config file and running-config. Enter the command at the global CONFIG level of the CLI.

Specifying a minimum password length

By default, the Brocade device imposes no minimum length on the Line (Telnet), Enable, or Local passwords. You can configure the device to require that Line, Enable, and Local passwords be at least a specified length.
For example, to specify that the Line, Enable, and Local passwords be at least 8 characters, enter the following command.
Brocade(config)# enable password-min-length 8
Syntax: enable password-min-length number-of-characters
The number-of-characters can be from 1–48.

Local user accounts

You can define up to 16 local user accounts on a Brocade device. User accounts regulate who can access the management functions in the CLI using the following methods:
Telnet access
SNMP access
Local user accounts provide greater flexibility for controlling management access to Brocade devices than do management privilege level passwords and SNMP community strings of SNMP versions 1 and 2. You can continue to use the privilege level passwords and the SNMP community strings as additional means of access authentication. Alternatively, you can choose not to use local user accounts and instead continue to use only the privilege level passwords and SNMP community strings. Local user accounts are backward-compatible with configuration files that contain privilege level passwords. Refer to “Setting passwords for management privilege levels” on page 14.
If you configure local user accounts, you also need to configure an authentication-method list for Telnet access and SNMP access. Refer to “Authentication-method lists” on page 58.
For each local user account, you specify a user name. You also can specify the following parameters:
A password
A management privilege level, which can be one of the following:
- Super User level (default) – Allows complete read-and-write access to the system. This is generally for system administrators and is the only privilege level that allows you to configure passwords.
- Port Configuration level – Allows read-and-write access for specific ports but not for global parameters.
- Read Only level – Allows access to the Privileged EXEC mode and User EXEC mode with read access only.
You can set additional username and password rules. Refer to “Enhancements to username and password”.

Enhancements to username and password

This section describes the enhancements to the username and password features introduced in earlier releases.
The following rules are enabled by default:
Users are required to accept the message of the day.
Users are locked out (disabled) if they fail to log in after three attempts. This feature is automatically enabled. Use the disable-on-login-failure command to change the number of login attempts (up to 10) before users are locked out.
The following rules are disabled by default:
Enhanced user password combination requirements
User password masking
Quarterly updates of user passwords
You can configure the system to store up to 15 previously configured passwords for each user.
You can use the disable-on-login-failure command to change the number of login attempts (up to 10) before users are locked out.
A password can now be set to expire.
Enabling enhanced user password combination requirements
When strict password enforcement is enabled on the Brocade device, you must enter a minimum of eight characters containing the following combinations when you create an enable and a user password:
At least two upper case characters
At least two lower case characters
At least two numeric characters
At least two special characters
Password minimum and combination requirements are strictly enforced.
Use the enable strict-password-enforcement command to enable the password security feature.
Brocade(config)# enable strict-password-enforcement
Syntax: [no] enable strict-password-enforcement
This feature is disabled by default.
The following security upgrades apply to the enable strict-password-enforcement command:
Passwords must not share four or more concurrent characters with any other password configured on the router. If the user tries to create a password with four or more concurrent characters, the following error message will be returned.
Error - The substring <str> within the password has been used earlier, please choose a different password.
For example, the previous password was Ma!i4aYa&, the user cannot use any of the following as his or her new password:
- Ma!imai$D because “Ma!i” was used consecutively in the previous password
- &3B9aYa& because “aYa&” was used consecutively in the previous password
- i4aYEv#8 because “i4aY” was used consecutively in the previous password
If the user tries to configure a password that was previously used, the Local User Account configuration will not be allowed and the following message will be displayed.
This password was used earlier for same or different user, please choose a different password.
Example
Brocade# show run
Current configuration:
....
username waldo password .....
username raveen set-time 2086038248
....
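The strict-password-enforcement rules above (eight characters with two of each class, no four-character run shared with another configured password, no reuse of a stored password, up to 15 passwords of history per user) as an added Python validator; this is example code, not the switch's implementation. The reuse messages are quoted from the guide, the other messages and the `PasswordHistory` helper are constructed, and the example previous password is the one the guide uses.

```python
import string

MIN_LENGTH = 8        # strict enforcement: at least eight characters
MIN_PER_CLASS = 2     # at least two upper, lower, numeric and special characters
SHARED_RUN = 4        # no four or more consecutive characters shared with another password


class PasswordHistory:
    """Per-user history as the guide describes: the last N passwords are kept
    (5 by default, up to 15 via 'enable user password-history'). Constructed helper."""

    def __init__(self, depth: int = 5):
        self.depth = max(1, min(15, depth))
        self.by_user = {}

    def record(self, user: str, password: str) -> None:
        hist = self.by_user.setdefault(user, [])
        hist.append(password)
        del hist[:-self.depth]          # keep only the most recent `depth` entries

    def known(self) -> list:
        # Reuse is rejected for the same or a different user, so pool every history.
        return [pw for hist in self.by_user.values() for pw in hist]


def class_counts(password: str) -> dict:
    return {
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in string.punctuation for c in password),
    }


def shared_substring(candidate: str, known, run: int = SHARED_RUN):
    """First run of `run` consecutive characters of `candidate` that also appears
    somewhere in a known password, or None if there is no such run."""
    for i in range(len(candidate) - run + 1):
        sub = candidate[i:i + run]
        if any(sub in old for old in known):
            return sub
    return None


def check_password(candidate: str, known=()) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    for cls, n in class_counts(candidate).items():
        if n < MIN_PER_CLASS:
            problems.append(f"needs at least {MIN_PER_CLASS} {cls} characters (has {n})")
    if candidate in known:
        problems.append("This password was used earlier for same or different user, "
                        "please choose a different password.")
    else:
        sub = shared_substring(candidate, known)
        if sub is not None:
            problems.append(f"Error - The substring {sub} within the password has been "
                            "used earlier, please choose a different password.")
    return problems


if __name__ == "__main__":
    history = PasswordHistory(depth=15)
    history.record("waldo", "Ma!i4aYa&")       # the guide's example previous password
    for attempt in ("Ma!imai$D", "&3B9aYa&", "i4aYEv#8", "XY12!@ab"):
        print(attempt, "->", check_password(attempt, history.known()) or "accepted")
```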
Enabling user password masking
By default, when you use the CLI to create a user password, the password displays on the console as you type it. For enhanced security, you can configure the Brocade device to mask the password characters entered at the CLI. When password masking is enabled, the CLI displays asterisks (*) on the console instead of the actual password characters entered.
The following shows the default CLI behavior when configuring a username and password.
Brocade(config)# username kelly password summertime
The following shows the CLI behavior when configuring a username and password when password-masking is enabled.
Brocade(config)# username kelly password
Enter Password: ********
When password masking is enabled, press the [Enter] key before entering the password.
Syntax: username name password [Enter]
For [Enter], press the Enter key. Enter the password when prompted.
If strict-password-enforcement is enabled, enter a password which contains the required character combination. Refer to “Enabling enhanced user password combination requirements” on page 18.
To enable password masking, enter the following command.
Brocade(config)# enable user password-masking
Syntax: [no] enable user password-masking
Enabling user password aging
For enhanced security, password aging enforces quarterly updates of all user passwords. After 180 days, the CLI will automatically prompt users to change their passwords when they attempt to sign on.
When password aging is enabled, the software records the system time that each user password was configured or last changed. The time displays in the output of the show running configuration command, indicated by set-time time.
The password aging feature uses the SNTP server clock to record the set-time. If the network does not have an SNTP server, then set-time will appear as set-time 0 in the output of the show running configuration command.
A username set-time configuration is removed when:
The username and password is deleted from the configuration
The username password expires
When a username set-time configuration is removed, it no longer appears in the show running configuration output.
Note that if a username does not have an assigned password, the username will not have a set-time configuration.
Password aging is disabled by default. To enable it, enter the following command at the global CONFIG level of the CLI.
Brocade(config)# enable user password-aging
Syntax: [no] enable user password-aging
Configuring password history
By default, the Brocade device stores the last five user passwords for each user. When changing a user password, the user cannot use any of the five previously configured passwords.
For security purposes, you can configure the Brocade device to store up to 15 passwords for each user, so that users do not use the same password multiple times. If a user attempts to use a password that is stored, the system will prompt the user to choose a different password.
To configure enhanced password history, enter a command such as the following at the global CONFIG level of the CLI.
Brocade(config)# enable user password-history 15
Syntax: [no] enable user password-history 1 – 15
Enhanced login lockout
The CLI provides up to three login attempts. If a user fails to log in after three attempts, that user is locked out (disabled). If desired, you can increase or decrease the number of login attempts before the user is disabled. To do so, enter a command such as the following at the global CONFIG level of the CLI.
Brocade(config)# enable user disable-on-login-failure 7
Syntax: enable user disable-on-login-failure 1 – 10
To re-enable a user that has been locked out, do one of the following:
Reboot the Brocade device to re-enable all disabled users.
Enable the user by entering the following command.
Brocade(config)# username sandy enable
Syntax: username name enable
Example
Brocade(config)# user sandy enable
Brocade# show user
Username Password Encrypt Priv Status Expire Time
============================================================================
sandy $1$Gz...uX/$wQ44fVGtsqbKWkQknzAZ6. enabled 0 enabled 90 days
Setting passwords to expire
You can set a user password to expire. Once a password expires, the administrator must assign a new password to the user. To configure a user password to expire, enter the following.
Brocade(config)# username sandy expires 20
Syntax: username name expires days
Enter 1–365 for number of days. The default is 90 days.
Example
Brocade(config)# username sandy expires 20
Brocade# show user
Username Password Encrypt Priv Status Expire Time
============================================================================
sandy $1$Gz...uX/$wQ44fVGtsqbKWkQknzAZ6. enabled 0 enabled 20 days
Requirement to accept the message of the day
If a message of the day (MOTD) is configured, a user will be required to press the Enter key before he or she can log in. MOTD is configured using the banner motd command.
There are no new CLI commands for this feature.
This requirement is disabled by default, unless configured. Users are not required to press Enter after the MOTD banner is displayed. Refer to Brocade ICX 6650 Administration Guide.

Local user account configuration

You can create accounts for local users with or without passwords. Accounts with passwords can have encrypted or unencrypted passwords.
You can assign privilege levels to local user accounts, but on a new device, you must create a local user account that has a Super User privilege before you can create accounts with other privilege levels.
NOTE
You must grant Super User level privilege to at least one account before you add accounts with other privilege levels. You need the Super User account to make further administrative changes.
Local user accounts with no passwords
To create a user account without a password, enter the following command at the global CONFIG level of the CLI.
Brocade(config)# username wonka nopassword
Syntax: [no] username user-string privilege privilege-level nopassword
Local user accounts with unencrypted passwords
If you want to use unencrypted passwords for local user accounts, enter a command such as the following at the global CONFIG level of the CLI.
Brocade(config)# username wonka password willy
If password masking is enabled, press the [Enter] key before entering the password.
Brocade(config)# username wonka
Enter Password: willy
The above commands add a local user account with the user name “wonka” and the password “willy”. This account has the Super User privilege level; this user has full access to all configuration and display features.
Brocade(config)# username waldo privilege 5 password whereis
This command adds a user account for user name “waldo”, password “whereis”, with the Read Only privilege level. Waldo can look for information but cannot make configuration changes.
Syntax: [no] username user-string privilege privilege-level password | nopassword password-string
You can enter up to 48 characters for user-string.
The privilege privilege-level parameter specifies the privilege level for the account. You can specify one of the following:
0 – Super User level (full read-write access)
4 – Port Configuration level
5 – Read Only level
The default privilege level is 0. If you want to assign Super User level access to the account, you can enter the command without privilege 0, as shown in the command example above.
The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password. You can enter up to 48 characters for password-string. If strict password enforcement is enabled on the device, you must enter a minimum of eight characters containing the following combinations:
At least two upper case characters
At least two lower case characters
At least two numeric characters
At least two special characters
NOTE
You must be logged on with Super User access (privilege level 0) to add user accounts or configure other access parameters.
To display user account information, enter the following command.
Brocade# show users
Syntax: show users
Local accounts with encrypted passwords
You can create local user accounts with MD5 encrypted passwords using one of the following methods:
Issuing the service password-encryption command after creating the local user account with a username user-string [privilege privilege-level] password 0 command
Using the username user-string create-password command
To create an encrypted all-numeric password, use the username user-string create-password command.
If you create a local user account using the commands discussed in “Local user accounts with unencrypted passwords” on page 22, you can issue the service password-encryption command to encrypt all passwords that have been previously entered.
Example
Brocade(config)# username wonka privilege 5 password willy
Brocade(config)# service password-encryption

Creating a password option

As an alternative to the commands above, the create-password option allows you to create an encrypted password in one line of command. Also, this new option allows you to create an all-numeric, encrypted password.
You can enter a command such as the following.
Brocade(config)# username wonka privilege 5 create-password willy
Syntax: [no] username user-string [privilege privilege-level] create-password password-string
You can enter up to 48 characters for user-string. This string can be alphanumeric or all-numeric.
The privilege parameter specifies the privilege level for the account. You can specify one of the following:
0 – Super User level (full read-write access)
4 – Port Configuration level
5 – Read Only level
Enter up to 255 alphanumeric characters for password-string.

Changing a local user password

NOTE
You must be logged on with Super User access (privilege level 0) to change user passwords.
To change a local user password for an existing local user account, enter a command such as the following at the global CONFIG level of the CLI.
Brocade(config)# username wonka password willy
If password masking is enabled, enter the username, press the [Enter] key, then enter the password.
Brocade(config)# username wonka password
Enter Password: willy
The above commands change wonka's user name password to “willy”.
Syntax: [no] username user-string password password-string
Enter up to 48 characters for user-string.
The password-string parameter is the user password. The password can be up to 48 characters and must differ from the current password and two previously configured passwords.
When a password is changed, a message such as the following is sent to the Syslog.
SYSLOG: <14>Jan 1 00:00:00 10.44.9.11 Security: Password has been changed for user tester from console session.
The message includes the name of the user whose password was changed and during which session type, such as Console, Telnet, SSH, SNMP, or others, the password was changed.
TACACS and TACACS+ security
You can use the security protocol Terminal Access Controller Access Control System (TACACS) or TACACS+ to authenticate the following kinds of access to the Brocade device:
Telnet access
SSH access
Console access
Access to the Privileged EXEC level and CONFIG levels of the CLI
The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is sent between a Brocade device and an authentication database on a TACACS/TACACS+ server. TACACS/TACACS+ services are maintained in a database, typically on a UNIX workstation or PC with a TACACS/TACACS+ server running.

How TACACS+ differs from TACACS

TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery.
TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the Brocade device and the TACACS+ server. TACACS+ allows for arbitrary length and content authentication exchanges, which allow any authentication mechanism to be utilized with the Brocade device. TACACS+ is extensible to provide for site customization and future development features. The protocol allows the Brocade device to request very precise access control and allows the TACACS+ server to respond to each component of that request.
NOTE
TACACS+ provides for authentication, authorization, and accounting, but an implementation or configuration is not required to employ all three.

TACACS/TACACS+ authentication, authorization, and accounting

When you configure a Brocade device to use a TACACS/TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS/TACACS+ server.
If you are using TACACS+, Brocade recommends that you also configure authorization, in which the Brocade device consults a TACACS+ server to determine which management privilege level (and which associated set of commands) an authenticated user is allowed to use. You can also optionally configure accounting, which causes the Brocade device to log information on the TACACS+ server when specified events occur on the device.
By default, a user logging into the device from Telnet or SSH would first enter the User EXEC level. The user can enter the enable command to get to the Privileged EXEC level.
A user that is successfully authenticated can be automatically placed at the Privileged EXEC level after login. Refer to “Entering privileged EXEC mode after a Telnet or SSH login” on page 35.
Configuring TACACS/TACACS+ for devices in a Brocade IronStack
Because devices operating in a Brocade IronStack topology present multiple console ports, you must take additional steps to secure these ports when configuring TACACS/TACACS+.
The following is a sample AAA console configuration using TACACS+.
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
enable aaa console
hostname Fred
ip address 10.10.6.56/255
tacacs-server host 255.253.255
tacacs-server key 1 $Gsig@U\
Once AAA console is enabled, you should log out any open console ports on your IronStack using the kill console command:
Brocade(config)# kill console all
Syntax: kill console [all | unit]
all - logs out all console ports on stack units that are not the Active Controller
unit - logs out the console port on a specified unit
In case a user forgets to log out or a console is left unattended, you can also configure the console timeout (in minutes) on all stack units (including the Active Controller).
Brocade(config)# stack unit 3
Brocade(config-unit-3)# console timeout 5
Brocade(config-unit-3)# exit
Brocade(config)# stack unit 4
Brocade(config-unit-4)# console timeout 5
Use the show who and the show telnet commands to confirm the status of console sessions.
stack9# show who
Console connections (by unit number):
 1  established
    you are connecting to this session
    4 seconds in idle
 2  established
    1 hours 3 minutes 12 seconds in idle
 3  established
    1 hours 3 minutes 9 seconds in idle
 4  established
    1 hours 3 minutes 3 seconds in idle
Telnet connections (inbound):
 1  closed
 2  closed
 3  closed
 4  closed
 5  closed
Telnet connection (outbound):
 6  closed
SSH connections:
 1  closed
 2  closed
 3  closed
 4  closed
 5  closed
stack9#

stack9# show telnet
Console connections (by unit number):
 1  established
    you are connecting to this session
    1 minutes 5 seconds in idle
 2  established
    1 hours 4 minutes 18 seconds in idle
 3  established
    1 hours 4 minutes 15 seconds in idle
 4  established
    1 hours 4 minutes 9 seconds in idle
Telnet connections (inbound):
 1  closed
 2  closed
 3  closed
 4  closed
 5  closed
Telnet connection (outbound):
 6  closed
SSH connections:
 1  closed
 2  closed
 3  closed
 4  closed
 5  closed
stack9#

TACACS authentication

Multiple challenges are also supported for TACACS+ login authentication.
When TACACS authentication takes place, the following events occur.
1. A user attempts to gain access to the Brocade device by doing one of the following:
Logging into the device using Telnet or SSH
Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The Brocade device sends a request containing the username and password to the TACACS server.
5. The username and password are validated in the TACACS server database.
6. If the password is valid, the user is authenticated.
TACACS+ authentication
When TACACS+ authentication takes place, the following events occur.
1. A user attempts to gain access to the Brocade device by doing one of the following:
Logging into the device using Telnet or SSH
Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username.
3. The user enters a username.
4. The Brocade device obtains a password prompt from a TACACS+ server.
5. The user is prompted for a password.
6. The user enters a password.
7. The Brocade device sends the password to the TACACS+ server.
8. The password is validated in the TACACS+ server database.
9. If the password is valid, the user is authenticated.
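The exchange in steps 1 through 9, as an added example that is not part of this guide or of Brocade's software: the switch side (the NAS) and the server side run in one Python process, using the TACACS+ packet framing and the MD5-based body obfuscation defined in RFC 8907 (this is the "encryption" keyed by the shared secret; the RFC itself calls it obfuscation). The shared key, the user table, the port and the remote address values are constructed, and the server object handles one login session.

```python
"""TACACS+ ASCII login, simulated in-process between a NAS (the switch side) and a
server, with RFC 8907 framing and body obfuscation. Added example, not Brocade code."""
import hashlib
import hmac
import os
import struct

VERSION = 0xC0                      # major version 0xc, minor version 0 (ASCII login)
TYPE_AUTHEN = 0x01                  # packet type: authentication
FLAG_UNENCRYPTED = 0x01             # header flag: body sent in the clear (never set here)
ACTION_LOGIN = TYPE_ASCII = SVC_LOGIN = PRIV_LVL_USER = 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS, STATUS_ERROR = 1, 2, 4, 5, 7


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(session_id, seq_no, body, key):
    """12-byte clear header followed by the obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def unpack(packet, key):
    """Return (seq_no, session_id, clear body); the header itself is never obfuscated."""
    version, _type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return seq_no, session_id, body


# Body layouts of the three authentication packets (START, REPLY, CONTINUE).
def authen_start(user=b"", port=b"vty0", rem_addr=b"10.0.0.9"):   # port/rem_addr: sample values
    return struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, TYPE_ASCII, SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def authen_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


def authen_continue(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_continue(body):
    msg_len, _data_len, _flags = struct.unpack("!HHB", body[:5])
    return body[5:5 + msg_len]


class TacacsServer:
    """One login session against a constructed in-memory user table."""

    def __init__(self, key, users):
        self.key, self.users, self.user = key, users, None

    def handle(self, packet):
        seq_no, sid, body = unpack(packet, self.key)
        try:
            if seq_no == 1:                            # START, with or without a user name
                action, _priv, authen_type, _svc, ulen = struct.unpack("!5B", body[:5])
                if action != ACTION_LOGIN or authen_type != TYPE_ASCII:
                    raise ValueError("unsupported authentication request")
                self.user = body[8:8 + ulen].decode() or None
            elif self.user is None:                    # CONTINUE carrying the user name
                self.user = parse_continue(body).decode()
            else:                                      # CONTINUE carrying the password
                ok = hmac.compare_digest(self.users.get(self.user, ""), parse_continue(body).decode())
                return pack(sid, seq_no + 1, authen_reply(STATUS_PASS if ok else STATUS_FAIL), self.key)
            prompt = (STATUS_GETPASS, b"Password: ") if self.user else (STATUS_GETUSER, b"Username: ")
            return pack(sid, seq_no + 1, authen_reply(*prompt), self.key)
        except (struct.error, UnicodeDecodeError, ValueError, TypeError):
            # A mismatched shared key decodes the body to garbage and typically ends up here.
            return pack(sid, seq_no + 1, authen_reply(STATUS_ERROR), self.key)


def nas_login(server, key, username, password, session_id=None):
    """Drive the exchange in the order listed above; return (final status, transcript)."""
    sid = session_id if session_id is not None else struct.unpack("!I", os.urandom(4))[0]
    answers = {STATUS_GETUSER: username.encode(), STATUS_GETPASS: password.encode()}
    packet, transcript = pack(sid, 1, authen_start(), key), []   # START without a user name
    while True:
        reply_seq, _sid, body = unpack(server.handle(packet), key)
        status, server_msg = parse_reply(body)
        transcript.append((reply_seq, status, server_msg.decode(errors="replace")))
        if status not in answers:                      # PASS, FAIL or ERROR ends the session
            return status, transcript
        packet = pack(sid, reply_seq + 1, authen_continue(answers[status]), key)
```

The transcript records the server's replies in order (GETUSER, GETPASS, then PASS or FAIL), which is exactly the "obtains a password prompt from the server" step above: the prompt text comes from the server, not from the device. Because the keystream depends on the shared key, a key mismatch between device and server does not produce a clean "wrong key" error; each side simply decodes garbage, which is the symptom to look for when a freshly configured server never authenticates anyone.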
TACACS+ authorization
Brocade devices support two kinds of TACACS+ authorization:
Exec authorization determines a user privilege level when they are authenticated
Command authorization consults a TACACS+ server to get authorization for commands entered by the user
When TACACS+ exec authorization takes place, the following events occur.
1. A user logs into the Brocade device using Telnet or SSH
2. The user is authenticated.
3. The Brocade device consults the TACACS+ server to determine the privilege level of the user.
4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level of the user.
5. The user is granted the specified privilege level.
When TACACS+ command authorization takes place, the following events occur.
1. A Telnet or SSH user previously authenticated by a TACACS+ server enters a command on the Brocade device.
2. The Brocade device looks at its configuration to see if the command is at a privilege level that requires TACACS+ command authorization.
3. If the command belongs to a privilege level that requires authorization, the Brocade device consults the TACACS+ server to see if the user is authorized to use the command.
4. If the user is authorized to use the command, the command is executed.
TACACS+ accounting
TACACS+ accounting works as follows.
1. One of the following events occurs on the Brocade device:
A user logs into the management interface using Telnet or SSH
A user enters a command for which accounting has been configured
A system event occurs, such as a reboot or reloading of the configuration file
2. The Brocade device checks the configuration to see if the event is one for which TACACS+ accounting is required.
3. If the event requires TACACS+ accounting, the Brocade device sends a TACACS+ Accounting Start packet to the TACACS+ accounting server, containing information about the event.
4. The TACACS+ accounting server acknowledges the Accounting Start packet.
5. The TACACS+ accounting server records information about the event.
6. When the event is concluded, the Brocade device sends an Accounting Stop packet to the TACACS+ accounting server.
7. The TACACS+ accounting server acknowledges the Accounting Stop packet.
AAA operations for TACACS/TACACS+
The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a Brocade device that has TACACS/TACACS+ security configured.
TABLE 3 AAA operations

User action: User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI
Applicable AAA operations:
    Enable authentication: aaa authentication enable default method-list
    Exec authorization (TACACS+): aaa authorization exec default tacacs+
    System accounting start (TACACS+): aaa accounting system default start-stop method-list

User action: User logs in using Telnet/SSH
Applicable AAA operations:
    Login authentication: aaa authentication login default method-list
    Exec authorization (TACACS+): aaa authorization exec default tacacs+
    Exec accounting start (TACACS+): aaa accounting exec default method-list
    System accounting start (TACACS+): aaa accounting system default start-stop method-list

User action: User logs out of Telnet/SSH session
Applicable AAA operations:
    Command accounting (TACACS+): aaa accounting commands privilege-level default start-stop method-list
    EXEC accounting stop (TACACS+): aaa accounting exec default start-stop method-list

User action: User enters system commands (for example, reload, boot system)
Applicable AAA operations:
    Command authorization (TACACS+): aaa authorization commands privilege-level default method-list
    Command accounting (TACACS+): aaa accounting commands privilege-level default start-stop method-list
    System accounting stop (TACACS+): aaa accounting system default start-stop method-list

User action: User enters the command: [no] aaa accounting system default start-stop method-list
Applicable AAA operations:
    Command authorization (TACACS+): aaa authorization commands privilege-level default method-list
    Command accounting (TACACS+): aaa accounting commands privilege-level default start-stop method-list
    System accounting start (TACACS+): aaa accounting system default start-stop method-list

User action: User enters other commands
Applicable AAA operations:
    Command authorization (TACACS+): aaa authorization commands privilege-level default method-list
    Command accounting (TACACS+): aaa accounting commands privilege-level default start-stop method-list
AAA security for commands pasted into the running-config
If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were entered manually.
When you paste commands into the running-config, and AAA command authorization or accounting, or both, are configured on the device, AAA operations are performed on the pasted commands. The AAA operations are performed before the commands are actually added to the running-config. The server performing the AAA operations should be reachable when you paste the commands into the running-config file. If the device determines that a pasted command is invalid, AAA operations are halted on the remaining commands. The remaining commands may not be executed if command authorization is configured.

TACACS/TACACS+ configuration considerations

You must deploy at least one TACACS/TACACS+ server in your network.
Brocade devices support authentication using up to eight TACACS/TACACS+ servers. The device tries to use the servers in the order you add them to the device configuration.
You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select TACACS+ as the primary authentication method for Telnet CLI access, but you cannot also select RADIUS authentication as a primary method for the same type of access. However, you can configure backup authentication methods for each access type.
You can configure the Brocade device to authenticate using a TACACS or TACACS+ server, not both.
Configuring TACACS
Follow the procedure given below for TACACS configurations.
1. Identify TACACS servers. Refer to “Identifying the TACACS/TACACS+ servers” on page 31.
2. Set optional parameters. Refer to “Setting optional TACACS and TACACS+ parameters” on page 32.
3. Configure authentication-method lists. Refer to “Configuring authentication-method lists for TACACS and TACACS+” on page 34.
Configuring TACACS+
Follow the procedure given below for TACACS+ configurations.
1. Identify TACACS+ servers. Refer to “Identifying the TACACS/TACACS+ servers” on page 31.
2. Set optional parameters. Refer to “Setting optional TACACS and TACACS+ parameters” on page 32.
3. Configure authentication-method lists. Refer to “Configuring authentication-method lists for TACACS and TACACS+” on page 34.
4. Optionally configure TACACS+ authorization. Refer to “Configuring TACACS+ authorization” on page 36.
5. Optionally configure TACACS+ accounting. Refer to “TACACS+ accounting configuration” on page 39.

Enabling TACACS

TACACS is disabled by default. To configure TACACS/TACACS+ authentication parameters, you must enable TACACS by entering the following command.
Brocade(config)# enable snmp config-tacacs
Syntax: [no] enable snmp config-radius | config-tacacs
The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by default.
The config-tacacs parameter specifies the TACACS configuration mode. TACACS is disabled by default.

Identifying the TACACS/TACACS+ servers

To use TACACS/TACACS+ servers to authenticate access to a Brocade device, you must identify the servers to the Brocade device.
For example, to identify three TACACS/TACACS+ servers, enter commands such as the following.
Brocade(config)# tacacs-server host 10.94.6.161
Brocade(config)# tacacs-server host 10.94.6.191
Brocade(config)# tacacs-server host 10.94.6.122
Syntax: tacacs-server host ip-addr | ipv6-addr | hostname [auth-port number]
The ip-addr|ipv6-addr|hostname parameter specifies the IP address or host name of the server. You can enter up to eight tacacs-server host commands to specify up to eight different servers.
To specify the server's host name instead of its IP address, you must first identify a DNS server using the ip dns server-address ip-addr command at the global CONFIG level.
If you add multiple TACACS/TACACS+ authentication servers to the Brocade device, the device tries to reach them in the order you add them. For example, if you add three servers in the following order, the software tries the servers in the same order.
1. 10.94.6.161
2. 10.94.6.191
3. 10.94.6.122
You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command. For example, to remove 10.94.6.161, enter the following command.
Brocade(config)# no tacacs-server host 10.94.6.161
If you erase a tacacs-server command (by entering “no” followed by the command), make sure you also erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (Refer to “Configuring authentication-method lists for TACACS and TACACS+” on page 34.) Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not be able to access the system.
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example, you can designate one TACACS+ server to handle authorization and another TACACS+ server to handle accounting. You can set the TACACS+ key for each server.
To specify different TACACS+ servers for authentication, authorization, and accounting, enter commands such as the following.
Brocade(config)# tacacs-server host 10.2.3.4 auth-port 49 authentication-only key abc
Brocade(config)# tacacs-server host 10.2.3.5 auth-port 49 authorization-only key def
Brocade(config)# tacacs-server host 10.2.3.6 auth-port 49 accounting-only key ghi
Syntax: tacacs-server host ip-addr | ipv6-addr | server-name [auth-port num] [authentication-only | authorization-only | accounting-only | default] [key 0 | 1 string]
The default parameter causes the server to be used for all AAA functions.
After authentication takes place, the server that performed the authentication is used for authorization and accounting. If the authenticating server cannot perform the requested function, then the next server in the configured list of servers is tried; this process repeats until a server that can perform the requested function is found, or every server in the configured list has been tried.

Setting optional TACACS and TACACS+ parameters

You can set the following optional parameters in a TACACS and TACACS+ configuration:
TACACS+ key – This parameter specifies the value that the Brocade device sends to the TACACS+ server when trying to authenticate user access.
Retransmit interval – This parameter specifies how many times the Brocade device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
Dead time – This parameter specifies how long the Brocade device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds.
Timeout – This parameter specifies how many seconds the Brocade device waits for a response from a TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Setting the TACACS+ key
The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent over the network. The value for the key parameter on the Brocade device should match the one configured on the TACACS+ server. The key can be from 1 – 32 characters in length and cannot include any space characters.
The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the Brocade device.
To specify a TACACS+ server key, enter a command such as the following.
Brocade(config)# tacacs-server key rkwong
Syntax: tacacs-server key [0 | 1] string
When you display the configuration of the Brocade device, the TACACS+ keys are encrypted. For example.
Brocade(config)# tacacs-server key 1 abc
Brocade(config)# write terminal
...
tacacs-server host 10.2.3.5 auth-port 49
tacacs key 1 $!2d
Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.
Setting the retransmission limit
The retransmit parameter specifies how many times the Brocade device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit limit can be from 1 – 5 times. The default is 3 times.
To set the TACACS and TACACS+ retransmit limit, enter a command such as the following.
Brocade(config)# tacacs-server retransmit 5
Syntax: tacacs-server retransmit number
Setting the timeout parameter
The timeout parameter specifies how many seconds the Brocade device waits for a response from the TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Brocade(config)# tacacs-server timeout 5
Syntax: tacacs-server timeout number

Configuring authentication-method lists for TACACS and TACACS+

You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create authentication-method lists specifically for these access methods, specifying TACACS/TACACS+ as the primary authentication method.
Within the authentication-method list, TACACS/TACACS+ is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If TACACS/TACACS+ authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and CONFIG levels of the CLI.
To create an authentication method list that specifies TACACS/TACACS+ as the primary authentication method for securing Telnet/SSH access to the CLI.
Brocade(config)# enable telnet authentication
Brocade(config)# aaa authentication login default tacacs local
The commands above cause TACACS/TACACS+ to be the primary authentication method for securing Telnet/SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, authentication is performed using local user accounts instead.
To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI.
Brocade(config)# aaa authentication enable default tacacs local none
The command above causes TACACS/TACACS+ to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
Syntax: [no] aaa authentication enable | login default method1 [method2] [method3] [method4] [method5] [method6] [method7]
The enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.
The method1 parameter specifies the primary authentication method. The remaining optional method parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.
TABLE 4 Authentication method values
Method parameter - Description
line - Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. Refer to “Setting a Telnet password” on page 13.
enable - Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command. Refer to “Setting passwords for management privilege levels” on page 14.
local - Authenticate using a local user name and password you configured on the device. Local user names and passwords are configured using the username… command. Refer to “Local user account configuration” on page 21.
tacacs - Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
tacacs+ - Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
radius - Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command.
none - Do not use any authentication method. The device automatically permits access.
For examples of how to define authentication-method lists for types of authentication other than TACACS/TACACS+, refer to “Authentication-method lists” on page 58.
Entering privileged EXEC mode after a Telnet or SSH login
By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login. To do this, use the following command.
Brocade(config)# aaa authentication login privilege-mode
Syntax: aaa authentication login privilege-mode
The user privilege level is based on the privilege level granted during login.
Configuring enable authentication to prompt for password only
If Enable authentication is configured on the device, when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password. You can configure the Brocade device to prompt only for a password. The device uses the username entered at login, if one is available. If no username was entered at login, the device prompts for both username and password.
To configure the Brocade device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI.
Brocade(config)# aaa authentication enable implicit-user
Syntax: [no] aaa authentication enable implicit-user
Telnet and SSH prompts when the TACACS+ server is unavailable
When TACACS+ is the first method in the authentication method list, the device displays the login prompt received from the TACACS+ server. If a user attempts to login through Telnet or SSH, but none of the configured TACACS+ servers are available, the following takes place:
If the next method in the authentication method list is "enable", the login prompt is skipped, and the user is prompted for the Enable password (that is, the password configured with the enable super-user-password command).
If the next method in the authentication method list is "line", the login prompt is skipped, and the user is prompted for the Line password (that is, the password configured with the enable telnet password command).

Configuring TACACS+ authorization

Brocade devices support TACACS+ authorization for controlling access to management functions in the CLI. Two kinds of TACACS+ authorization are supported:
Exec authorization determines a user privilege level when they are authenticated
Command authorization consults a TACACS+ server to get authorization for commands entered by the user
Configuring EXEC authorization
When TACACS+ EXEC authorization is performed, the Brocade device consults a TACACS+ server to determine the privilege level of the authenticated user. To configure TACACS+ EXEC authorization on the Brocade device, enter the following command.
Brocade(config)# aaa authorization exec default tacacs+
Syntax: aaa authorization exec default tacacs+ | none
If you specify none, or omit the aaa authorization exec command from the device configuration, no EXEC authorization is performed.
A user privilege level is obtained from the TACACS+ server in the “foundry-privlvl” A-V pair. If the aaa authorization exec default tacacs+ command exists in the configuration, following successful authentication the device assigns the user the privilege level specified by the “foundry-privlvl” A-V pair received from the TACACS+ server. If the command does not exist in the configuration, then the value in the “foundry-privlvl” A-V pair is ignored, and the user is granted Super User access.
Also note that in order for the aaa authorization exec default tacacs+ command to work, either the aaa authentication enable default tacacs+ command, or the aaa authentication login privilege-mode command must also exist in the configuration.
Configuring an Attribute-Value pair on the TACACS+ server
During TACACS+ EXEC authorization, the Brocade device expects the TACACS+ server to send a response containing an A-V (Attribute-Value) pair that specifies the privilege level of the user. When the Brocade device receives the response, it extracts an A-V pair configured for the Exec service and uses it to determine the user privilege level.
To set a user privilege level, you can configure the “foundry-privlvl” A-V pair for the Exec service on the TACACS+ server.
Example
user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 0
    }
}
In this example, the A-V pair foundry-privlvl = 0 grants the user full read-write access. The value in the foundry-privlvl A-V pair is an integer that indicates the privilege level of the user. Possible values are 0 for super-user level, 4 for port-config level, or 5 for read-only level. If a value other than 0, 4, or 5 is specified in the foundry-privlvl A-V pair, the default privilege level of 5 (read-only) is used. The foundry-privlvl A-V pair can also be embedded in the group configuration for the user. See your TACACS+ documentation for the configuration syntax relevant to your server.
If the foundry-privlvl A-V pair is not present, the Brocade device extracts the last A-V pair configured for the Exec service that has a numeric value. The Brocade device uses this A-V pair to determine the user privilege level.
Example
user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        privlvl = 15
    }
}
The attribute name in the A-V pair is not significant; the Brocade device uses the last one that has a numeric value. However, the Brocade device interprets the value for a non-“foundry-privlvl” A-V pair differently than it does for a “foundry-privlvl” A-V pair. The following table lists how the Brocade device associates a value from a non-“foundry-privlvl” A-V pair with a Brocade privilege level.
TABLE 5 Brocade equivalents for non-“foundry-privlvl” A-V pair values
Value for non-“foundry-privlvl” A-V pair Brocade privilege level
15 0 (super-user)
From 14 – 1 4 (port-config)
Any other number or 0 5 (read-only)
In the example above, the A-V pair configured for the Exec service is privlvl = 15. The Brocade device uses the value in this A-V pair to set the user privilege level to 0 (super-user), granting the user full read-write access.
In a configuration that has both a “foundry-privlvl” A-V pair and a non-“foundry-privlvl” A-V pair for the Exec service, the non-“foundry-privlvl” A-V pair is ignored.
Example
user=bob {
    default service = permit
    member admin
    #Global password
    global = cleartext "cat"
    service = exec {
        foundry-privlvl = 4
        privlvl = 15
    }
}
In this example, the user would be granted a privilege level of 4 (port-config level). The privlvl = 15 A-V pair is ignored by the Brocade device.
If the TACACS+ server has no A-V pair configured for the Exec service, the default privilege level of 5 (read-only) is used.
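The A-V pair selection rules above (a “foundry-privlvl” pair wins; otherwise the last pair with a numeric value is mapped through Table 5; no numeric pair at all gives read-only), as an added Python example that is not Brocade or tac_plus code. The exec_av_pairs function is an assumed reader for stanza text like the examples above, not a general tac_plus configuration parser; the stanzas are constructed, and the choice of the last “foundry-privlvl” pair when it is repeated is an assumption the guide does not state.

```python
"""Resolve a Brocade privilege level from the exec-service A-V pairs of a TACACS+
user stanza, following the rules stated above. Added example, not Brocade code."""
import re

SUPER_USER, PORT_CONFIG, READ_ONLY = 0, 4, 5

# Constructed stanzas in the format shown above.
STANZA_FOUNDRY = """user=bob {
    default service = permit
    global = cleartext "cat"
    service = exec { foundry-privlvl = 0 }
}"""
STANZA_PRIVLVL = """user=bob {
    service = exec { privlvl = 15 }
}"""
STANZA_BOTH = """user=bob {
    service = exec {
        foundry-privlvl = 4
        privlvl = 15
    }
}"""
STANZA_NO_EXEC = """user=bob {
    default service = permit
}"""


def exec_av_pairs(stanza):
    """(attribute, value) pairs inside 'service = exec { ... }', in the order written.
    Assumed reader: no nested braces inside the exec block."""
    m = re.search(r"service\s*=\s*exec\s*\{([^}]*)\}", stanza)
    return re.findall(r"([\w-]+)\s*=\s*(\S+)", m.group(1)) if m else []


def _as_int(value):
    try:
        return int(value)
    except ValueError:
        return None


def privilege_level(pairs):
    """foundry-privlvl, when present, must be 0, 4 or 5 (anything else gives read-only);
    otherwise the last numeric pair is mapped through Table 5; otherwise read-only."""
    foundry = [v for a, v in pairs if a == "foundry-privlvl"]
    if foundry:
        level = _as_int(foundry[-1])          # assumption: the last one wins if repeated
        return level if level in (SUPER_USER, PORT_CONFIG, READ_ONLY) else READ_ONLY
    numeric = [n for n in (_as_int(v) for _, v in pairs) if n is not None]
    if not numeric:
        return READ_ONLY
    last = numeric[-1]
    if last == 15:
        return SUPER_USER
    if 1 <= last <= 14:
        return PORT_CONFIG
    return READ_ONLY


def privilege_for_stanza(stanza):
    """Convenience wrapper: stanza text in, Brocade privilege level out."""
    return privilege_level(exec_av_pairs(stanza))
```

The "last numeric value" rule is the one to watch when a server's exec service carries other numeric attributes (a session idle time, for instance) after the privilege attribute: the device then uses that later value, and the user silently lands at read-only or port-config instead of the intended level. Putting “foundry-privlvl” in the exec service avoids that ambiguity entirely.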
Configuring command authorization
When TACACS+ command authorization is enabled, the Brocade device consults a TACACS+ server to get authorization for commands entered by the user.
You enable TACACS+ command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Brocade device to perform authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Brocade(config)# aaa authorization commands 0 default tacacs+
Syntax: aaa authorization commands privilege-level default tacacs+ | radius | none
The privilege-level parameter can be one of the following:
0 – Authorization is performed for commands available at the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
TACACS+ command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console.
TACACS+ command authorization is not performed for the following commands:
At all levels: exit, logout, end, and quit.
At the Privileged EXEC level: enable or enable text, where text is the password configured for the Super User privilege level.
If configured, command accounting is performed for these commands.
AAA support for console commands
AAA support for commands entered at the console includes the following:
Login prompt that uses AAA authentication, using authentication-method lists
Exec Authorization
Exec Accounting
Command authorization
Command accounting
System accounting
To enable AAA support for commands entered at the console, enter the following command.
Brocade(config)# enable aaa console
Syntax: [no] enable aaa console

TACACS+ accounting configuration

Brocade devices support TACACS+ accounting for recording information about user activity and system events. When you configure TACACS+ accounting on a Brocade device, information is sent to a TACACS+ accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring TACACS+ accounting for Telnet/SSH (Shell) access
To send an Accounting Start packet to the TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Brocade device, and an Accounting Stop packet when the user logs out, enter the following command.
Brocade(config)# aaa accounting exec default start-stop tacacs+
Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
Configuring TACACS+ accounting for CLI commands
You can configure TACACS+ accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Brocade device to perform TACACS+ accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Brocade(config)# aaa accounting commands 0 default start-stop tacacs+
An Accounting Start packet is sent to the TACACS+ accounting server when a user enters a command, and an Accounting Stop packet is sent when the service provided by the command is completed.
If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorization fails for the command, no accounting takes place.
Syntax: aaa accounting commands privilege-level default start-stop radius | tacacs+ | none
The privilege-level parameter can be one of the following:
0 – Records commands available at the Super User level (all commands)
4 – Records commands available at the Port Configuration level (port-config and read-only commands)
5 – Records commands available at the Read Only level (read-only commands)
Configuring TACACS+ accounting for system events
You can configure TACACS+ accounting to record when system events occur on the Brocade device. System events include rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to the TACACS+ accounting server when a system event occurs, and an Accounting Stop packet to be sent when the system event is completed.
Brocade(config)# aaa accounting system default start-stop tacacs+
Syntax: aaa accounting system default start-stop radius | tacacs+ | none

Configuring an interface as the source for all TACACS and TACACS+ packets

You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all TACACS/TACACS+ packets from the Layer 3 switch. For configuration details, refer to the Brocade ICX 6650 Layer 3 Routing Configuration Guide.

Displaying TACACS/TACACS+ statistics and configuration information

The show aaa command displays information about all TACACS+ and RADIUS servers identified on the device.
Brocade# show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 10.95.6.90 Port:49:
    opens=6 closes=3 timeouts=3 errors=0
    packets in=4 packets out=4
    no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 10.95.6.90 Auth Port=1645 Acct Port=1646:
    opens=2 closes=1 timeouts=1 errors=0
    packets in=1 packets out=4
    no connection
The following table describes the TACACS/TACACS+ information displayed by the show aaa command.


TABLE 6 Output of the show aaa command for TACACS/TACACS+
Field – Description
Tacacs+ key – The setting configured with the tacacs-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.
Tacacs+ retries – The setting configured with the tacacs-server retransmit command.
Tacacs+ timeout – The setting configured with the tacacs-server timeout command.
Tacacs+ dead-time – The setting configured with the tacacs-server dead-time command.
Tacacs+ Server – For each TACACS/TACACS+ server, the IP address, port, and the following statistics are displayed:
opens - Number of times the port was opened for communication with the server
closes - Number of times the port was closed normally
timeouts - Number of times port was closed due to a timeout
errors - Number of times an error occurred while opening the port
packets in - Number of packets received from the server
packets out - Number of packets sent to the server
connection – The current connection status. This can be “no connection” or “connection active”.
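A parser for the show aaa output described in Table 6, added here as an example (it is not a Brocade tool): it extracts the per-server counters, flags servers that are not connected or have timed out, and redacts the key lines, since at the Super User level show aaa prints the shared keys in clear text. The sample text is constructed to match the output shown above, and the function names parse_show_aaa, unhealthy_servers and redact_keys are this example's own:

```python
import re

# Added example (not Brocade code): parse "show aaa" output and flag
# TACACS+/RADIUS servers that need attention.

# Constructed sample, shaped like the show aaa output in this guide
SAMPLE_SHOW_AAA = """\
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 10.95.6.90 Port:49:
    opens=6 closes=3 timeouts=3 errors=0
    packets in=4 packets out=4
    no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 10.95.6.90 Auth Port=1645 Acct Port=1646:
    opens=2 closes=1 timeouts=1 errors=0
    packets in=1 packets out=4
    no connection
"""

# "Tacacs+ Server: <addr> <port info>:" or "Radius Server: <addr> <port info>:"
SERVER_RE = re.compile(r"^(Tacacs\+|Radius) Server:\s+(\S+)\s+(.*):$")
# the counters listed in Table 6
COUNTER_RE = re.compile(r"(opens|closes|timeouts|errors|packets in|packets out)=(\d+)")
KEY_RE = re.compile(r"^((?:Tacacs\+|Radius) key:)\s*\S+", re.M)


def parse_show_aaa(text: str) -> list:
    """Return one dict per server block with its counters and connection state."""
    servers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        match = SERVER_RE.match(line)
        if match:
            current = {"protocol": match.group(1), "address": match.group(2),
                       "ports": match.group(3), "connection": None}
            servers.append(current)
            continue
        if current is None:
            continue                                # global settings, not a server
        for name, value in COUNTER_RE.findall(line):
            current[name] = int(value)
        if line in ("no connection", "connection active"):
            current["connection"] = line
    return servers


def unhealthy_servers(servers: list) -> list:
    """Servers that are not connected, or that have recorded timeouts or errors."""
    return [s for s in servers
            if s["connection"] != "connection active"
            or s.get("timeouts", 0) or s.get("errors", 0)]


def redact_keys(text: str) -> str:
    """Replace key values with '....' before the output is pasted into a ticket."""
    return KEY_RE.sub(r"\1 ....", text)


if __name__ == "__main__":
    for s in unhealthy_servers(parse_show_aaa(SAMPLE_SHOW_AAA)):
        print(s["protocol"], s["address"], s["connection"], "timeouts:", s.get("timeouts"))
```

Run periodically against the captured output, the unhealthy_servers list is a cheap way to notice a AAA server that has silently gone dead before the dead-time interval starts causing login failures.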
RADIUS security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of access to the Brocade Layer 2 switch or Layer 3 switch:
Telnet access
SSH access
Access to the Privileged EXEC level and CONFIG levels of the CLI

RADIUS authentication, authorization, and accounting

When RADIUS authentication is implemented, the Brocade device consults a RADIUS server to verify user names and passwords. You can optionally configure RADIUS authorization, in which the Brocade device consults a list of commands supplied by the RADIUS server to determine whether a user can execute a command he or she has entered, as well as accounting, which causes the Brocade device to log information on a RADIUS accounting server when specified events occur on the device.
RADIUS authentication
When RADIUS authentication takes place, the following events occur.
1. A user attempts to gain access to the Brocade device by doing one of the following:
Logging into the device using Telnet or SSH
Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The Brocade device sends a RADIUS Access-Request packet containing the username and password to the RADIUS server.
5. The RADIUS server validates the Brocade device using a shared secret (the RADIUS key).
6. The RADIUS server looks up the username in its database.
7. If the username is found in the database, the RADIUS server validates the password.
8. If the password is valid, the RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user. Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:
The privilege level of the user
A list of commands
Whether the user is allowed or denied usage of the commands in the list
The last two attributes are used with RADIUS authorization, if configured.
9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the Brocade device. The user is granted the specified privilege level. If you configure RADIUS authorization, the user is allowed or denied usage of the commands in the list.
RADIUS authorization
When RADIUS authorization takes place, the following events occur.
1. A user previously authenticated by a RADIUS server enters a command on the Brocade device.
2. The Brocade device looks at its configuration to see if the command is at a privilege level that requires RADIUS command authorization.
3. If the command belongs to a privilege level that requires authorization, the Brocade device looks at the list of commands delivered to it in the RADIUS Access-Accept packet when the user was authenticated. (Along with the command list, an attribute was sent that specifies whether the user is permitted or denied usage of the commands in the list.)
NOTE: After RADIUS authentication takes place, the command list resides on the Brocade device. The RADIUS server is not consulted again once the user has been authenticated. This means that any changes made to the user command list on the RADIUS server are not reflected until the next time the user is authenticated by the RADIUS server, and the new command list is sent to the Brocade device.
4. If the command list indicates that the user is authorized to use the command, the command is executed.
RADIUS accounting
RADIUS accounting works as follows.
1. One of the following events occurs on the Brocade device:
A user logs into the management interface using Telnet or SSH
A user enters a command for which accounting has been configured
A system event occurs, such as a reboot or reloading of the configuration file
2. The Brocade device checks its configuration to see if the event is one for which RADIUS accounting is required.
3. If the event requires RADIUS accounting, the Brocade device sends a RADIUS Accounting Start packet to the RADIUS accounting server, containing information about the event.
4. The RADIUS accounting server acknowledges the Accounting Start packet.
5. The RADIUS accounting server records information about the event.
6. When the event is concluded, the Brocade device sends an Accounting Stop packet to the RADIUS accounting server.
7. The RADIUS accounting server acknowledges the Accounting Stop packet.
AAA operations for RADIUS
The following table lists the sequence of authentication, authorization, and accounting operations that take place when a user gains access to a Brocade device that has RADIUS security configured.
TABLE 7 AAA operations for RADIUS
User action: User attempts to gain access to the Privileged EXEC and CONFIG levels of the CLI
Applicable AAA operations:
Enable authentication: aaa authentication enable default method-list
System accounting start: aaa accounting system default start-stop method-list
User action: User logs in using Telnet/SSH
Applicable AAA operations:
Login authentication: aaa authentication login default method-list
EXEC accounting Start: aaa accounting exec default start-stop method-list
System accounting Start: aaa accounting system default start-stop method-list
User action: User logs out of Telnet/SSH session
Applicable AAA operations:
Command authorization for logout command: aaa authorization commands privilege-level default method-list
Command accounting: aaa accounting commands privilege-level default start-stop method-list
EXEC accounting stop: aaa accounting exec default start-stop method-list
User action: User enters system commands (for example, reload, boot system)
Applicable AAA operations:
Command authorization: aaa authorization commands privilege-level default method-list
Command accounting: aaa accounting commands privilege-level default start-stop method-list
System accounting stop: aaa accounting system default start-stop method-list
User action: User enters the command: [no] aaa accounting system default start-stop method-list
Applicable AAA operations:
Command authorization: aaa authorization commands privilege-level default method-list
Command accounting: aaa accounting commands privilege-level default start-stop method-list
System accounting start: aaa accounting system default start-stop method-list
User action: User enters other commands
Applicable AAA operations:
Command authorization: aaa authorization commands privilege-level default method-list
Command accounting: aaa accounting commands privilege-level default start-stop method-list
AAA security for commands pasted into the running-config
If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA operations as if they were entered manually.
When you paste commands into the running-config, and AAA command authorization or accounting, or both, are configured on the device, AAA operations are performed on the pasted commands. The AAA operations are performed before the commands are actually added to the running-config. The server performing the AAA operations should be reachable when you paste the commands into the running-config file. If the device determines that a pasted command is invalid, AAA operations are halted on the remaining commands. The remaining commands may not be executed if command authorization is configured.
NOTE: Since RADIUS command authorization relies on a list of commands received from the RADIUS server when authentication is performed, it is important that you use RADIUS authentication when you also use RADIUS command authorization.

RADIUS configuration considerations

You must deploy at least one RADIUS server in your network.
Brocade devices support authentication using up to eight RADIUS servers, including those used for 802.1X authentication and for management. The device tries to use the servers in the order you add them to the device configuration. If one RADIUS server times out (does not respond), the Brocade device tries the next one in the list. Servers are tried in the same sequence each time there is a request.
You can optionally configure a RADIUS server as a port server, indicating that the server will be used only to authenticate users on ports to which it is mapped, as opposed to globally authenticating users on all ports of the device. In earlier releases, all configured RADIUS servers are “global” servers and apply to users on all ports of the device. Refer to “RADIUS server per port” on page 48.
You can map up to eight RADIUS servers to each port on the Brocade device. The port will authenticate users using only the RADIUS servers to which it is mapped. If there are no RADIUS servers mapped to a port, it will use the “global” servers for authentication. In earlier releases, all RADIUS servers are “global” servers and cannot be bound to individual ports. Refer to “RADIUS server to individual ports mapping” on page 49.
You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as the primary authentication method for Telnet CLI access, but you cannot also select TACACS+ authentication as the primary method for the same type of access. However, you can configure backup authentication methods for each access type.

Configuring RADIUS

Follow the procedure given below to configure a Brocade device for RADIUS.
1. Configure Brocade vendor-specific attributes on the RADIUS server. Refer to “Brocade-specific attributes on the RADIUS server” on page 45.
2. Identify the RADIUS server to the Brocade device. Refer to “Identifying the RADIUS server to the Brocade device” on page 47.
3. Optionally specify different servers for individual AAA functions. Refer to “Specifying different servers for individual AAA functions” on page 48.
4. Optionally configure the RADIUS server as a “port only” server. Refer to “RADIUS server per port” on page 48.
5. Optionally bind the RADIUS servers to ports on the Brocade device. Refer to “RADIUS server to individual ports mapping” on page 49.
6. Set RADIUS parameters. Refer to “RADIUS parameters” on page 50.
7. Configure authentication-method lists. Refer to “Setting authentication-method lists for RADIUS” on page 51.
8. Optionally configure RADIUS authorization. Refer to “RADIUS authorization” on page 53.
9. Optionally configure RADIUS accounting. Refer to “RADIUS accounting” on page 55.

Brocade-specific attributes on the RADIUS server

NOTE: For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login authentication.
During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user. Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:
The privilege level of the user
A list of commands
Whether the user is allowed or denied usage of the commands in the list
You must add these three Brocade vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the Brocade device.
Brocade Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Brocade vendor-specific attributes.
TABLE 8 Brocade vendor-specific attributes for RADIUS
foundry-privilege-level (Attribute ID 1, integer)
Specifies the privilege level for the user. This attribute can be set to one of the following:
0 - Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
4 - Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
5 - Read Only level – Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.
foundry-command-string (Attribute ID 2, string)
Specifies a list of CLI commands that are permitted or denied to the user when RADIUS authorization is configured. The commands are delimited by semi-colons (;). You can specify an asterisk (*) as a wildcard at the end of a command string. For example, the following command list specifies all show and debug ip commands, as well as the write terminal command:
show *; debug ip *; write term*
foundry-command-exception-flag (Attribute ID 3, integer)
Specifies whether the commands indicated by the foundry-command-string attribute are permitted or denied to the user. This attribute can be set to one of the following:
0 - Permit execution of the commands indicated by foundry-command-string, deny all other commands.
1 - Deny execution of the commands indicated by foundry-command-string, permit all other commands.
foundry-access-list (Attribute ID 5, string)
Specifies the access control list to be used for RADIUS authorization. Enter the access control list in the following format.
type=string, value="ipacl.[e|s].[in|out] = [<acl-name>|<acl-number>] <separator> macfilter.in = [<acl-name>|<acl-number>]
Where:
separator can be a space, newline, semicolon, comma, or null character
ipacl.e is an extended ACL; ipacl.s is a standard ACL.
foundry-MAC-authent-needs-802x (Attribute ID 6, integer)
Specifies whether or not 802.1x authentication is required and enabled.
0 - Disabled
1 - Enabled
foundry-802.1x-valid-lookup (Attribute ID 7, integer)
Specifies if 802.1x lookup is enabled:
0 - Disabled
1 - Enabled
foundry-MAC-based-VLAN-QOS (Attribute ID 8, integer)
Specifies the priority for MAC-based VLAN QOS:
0 - qos_priority_0
1 - qos_priority_1
2 - qos_priority_2
3 - qos_priority_3
4 - qos_priority_4
5 - qos_priority_5
6 - qos_priority_6
7 - qos_priority_7
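The RADIUS authorization steps earlier in this chapter describe a command list and permit/deny flag that the device caches at login, and Table 8 gives their attribute IDs, the Vendor-ID 1991 and the list syntax. The following added example (not Brocade or RADIUS-server code) encodes those three VSAs into RFC 2865 Vendor-Specific attributes as they would travel in an Access-Accept, parses them back with length checks, and evaluates a command against the cached list. The helper names, the sample attribute values, and the exact-match rule for patterns without a trailing asterisk are this example's assumptions:

```python
import struct

# Added example (not Brocade code): build and parse RFC 2865 Vendor-Specific
# attributes carrying the Brocade VSAs of Table 8, then apply the
# foundry-command-string / foundry-command-exception-flag rules to a command.

VENDOR_SPECIFIC = 26            # RADIUS attribute type for VSAs (RFC 2865)
BROCADE_VENDOR_ID = 1991        # Vendor-ID stated in this guide
PRIVILEGE_LEVEL, COMMAND_STRING, COMMAND_EXCEPTION_FLAG = 1, 2, 3
INTEGER_VSAS = {1, 3, 6, 7, 8}  # Table 8 data types; IDs 2 and 5 are strings


def encode_vsa(vendor_type: int, value) -> bytes:
    """One Vendor-Specific attribute wrapping a single Brocade sub-attribute."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", BROCADE_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_brocade_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list; return {vendor_type: value} for Brocade VSAs.
    Every length field is validated so a truncated or bogus attribute raises
    instead of being silently misread."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 6:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == BROCADE_VENDOR_ID:
                j, end = i + 6, i + alen
                while j < end:
                    if j + 2 > end:
                        raise ValueError("truncated vendor sub-attribute")
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("bad vendor sub-attribute length")
                    data = attrs[j + 2:j + vlen]
                    if vtype in INTEGER_VSAS:
                        if len(data) != 4:
                            raise ValueError("integer VSA must be 4 bytes")
                        found[vtype] = struct.unpack("!I", data)[0]
                    else:
                        found[vtype] = data.decode("ascii", errors="replace")
                    j += vlen
        i += alen
    return found


def _matches(command: str, pattern: str) -> bool:
    """A trailing '*' is a wildcard; otherwise the pattern must match exactly
    (exact matching for non-wildcard patterns is this example's assumption)."""
    if pattern.endswith("*"):
        return command.startswith(pattern[:-1])
    return command == pattern


def command_permitted(command: str, command_string: str, exception_flag: int) -> bool:
    """Flag 0: the list is what the user MAY run, everything else is denied.
    Flag 1: the list is what the user MAY NOT run, everything else is permitted."""
    patterns = [p.strip() for p in command_string.split(";") if p.strip()]
    command = " ".join(command.split())          # normalise whitespace
    listed = any(_matches(command, p) for p in patterns)
    return listed if exception_flag == 0 else not listed


if __name__ == "__main__":
    # constructed Access-Accept attribute list for a port-config operator
    packet = (encode_vsa(PRIVILEGE_LEVEL, 4)
              + encode_vsa(COMMAND_STRING, "show *; debug ip *; write term*")
              + encode_vsa(COMMAND_EXCEPTION_FLAG, 0))
    vsa = decode_brocade_vsas(packet)
    print(vsa, command_permitted("show version", vsa[2], vsa[3]))
```

Because the device evaluates the cached list only (see the note under RADIUS authorization), the permit-list form (exception flag 0) is the one to prefer when the intent is least privilege: a command missing from the list is denied rather than allowed.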

Enabling SNMP to configure RADIUS

To enable SNMP access to RADIUS MIB objects on the device, enter a command such as the following.
Brocade(config)# enable snmp config-radius
Syntax: [no] enable snmp config-radius | config-tacacs
The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by default.
The config-tacacs parameter specifies the TACACS configuration mode. TACACS is disabled by default.

Identifying the RADIUS server to the Brocade device

To use a RADIUS server to authenticate access to a Brocade device, you must identify the server to the Brocade device.
Example
Brocade(config)# radius-server host 10.157.22.99
Syntax: radius-server host ip-addr | ipv6-addr | server-name [auth-port number] [acct-port number]
The host ip-addr | ipv6-addr | server-name parameter is either an IP address or an ASCII text string.
The auth-port parameter is the Authentication port number. The default is 1645.
The acct-port parameter is the Accounting port number. The default is 1646.

Specifying different servers for individual AAA functions

In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can designate one RADIUS server to handle authorization and another RADIUS server to handle accounting. You can specify individual servers for authentication and accounting, but not for authorization. You can set the RADIUS key for each server.
To specify different RADIUS servers for authentication, authorization, and accounting, enter commands such as the following.
Brocade(config)# radius-server host 10.2.3.4 authentication-only key abc
Brocade(config)# radius-server host 10.2.3.5 authorization-only key def
Brocade(config)# radius-server host 10.2.3.6 accounting-only key ghi
Syntax: radius-server host ip-addr | ipv6-addr | server-name [auth-port number] [acct-port number] [authentication-only | accounting-only | default] [key 0 | 1 string]
The default parameter causes the server to be used for all AAA functions.
After authentication takes place, the server that performed the authentication is used for authorization and accounting. If the authenticating server cannot perform the requested function, then the next server in the configured list of servers is tried; this process repeats until a server that can perform the requested function is found, or every server in the configured list has been tried.

RADIUS server per port

You can optionally configure a RADIUS server per port, indicating that it will be used only to authenticate users on ports to which it is mapped. A RADIUS server that is not explicitly configured as a RADIUS server per port is a global server, and can be used to authenticate users on ports to which no RADIUS servers are mapped.
RADIUS server per port configuration notes
This feature works with 802.1X and multi-device port authentication only.
You can define up to eight RADIUS servers per Brocade device.
RADIUS configuration example and command syntax
The following shows an example configuration.
Brocade(config)# radius-server host 10.10.10.103 auth-port 1812 acct-port 1813 default key mykeyword dot1x port-only
Brocade(config)# radius-server host 10.10.10.104 auth-port 1812 acct-port 1813 default key mykeyword dot1x port-only
Brocade(config)# radius-server host 10.10.10.105 auth-port 1812 acct-port 1813 default key mykeyword dot1x
Brocade(config)# radius-server host 10.10.10.106 auth-port 1812 acct-port 1813 default key mykeyword dot1x
The above configuration has the following effect:
RADIUS servers 10.10.10.103 and 10.10.10.104 will be used only to authenticate users on ports to which the servers are mapped. To map a RADIUS server to a port, refer to “RADIUS server to individual ports mapping” on page 49.
RADIUS servers 10.10.10.105 and 10.10.10.106 will be used to authenticate users on ports to which no RADIUS servers are mapped. For example, port e 9, to which no RADIUS servers are mapped, will send a RADIUS request to the first configured RADIUS server, 10.10.10.105. If the request fails, it will go to the second configured RADIUS server, 10.10.10.106. It will not send requests to 10.10.10.103 or 10.10.10.104, since these servers are configured as port servers.
Syntax: radius-server host ip-addr | server-name [auth-port number] [acct-port number] [default key string dot1x] [port-only]
The host ip-addr is the IPv4 address.
The auth-port number parameter is the Authentication port number; it is an optional parameter. The default is 1645.
The acct-port number parameter is the Accounting port number; it is an optional parameter. The default is 1646.
The default key string dot1x parameter indicates that this RADIUS server supports the 802.1X standard. A RADIUS server that supports the 802.1X standard can also be used to authenticate non-802.1X authentication requests.
The port-only parameter is optional and specifies that the server will be used only to authenticate users on ports to which it is mapped.

RADIUS server to individual ports mapping

You can map up to eight RADIUS servers to each port on the Brocade device. The port will authenticate users using only the RADIUS servers to which the port is mapped. If there are no RADIUS servers mapped to a port, it will use the “global” servers for authentication.
As in previous releases, a port goes through the list of servers in the order in which it was mapped or configured, until a server that can perform the requested function is found, or until every server in the list has been tried.
RADIUS server-to-ports configuration notes
This feature works with 802.1X and multi-device port authentication only.
You can map a RADIUS server to a physical port only. You cannot map a RADIUS server to a VE.
RADIUS server-to-ports configuration example and command syntax
To map a RADIUS server to a port, enter commands such as the following.
Brocade(config)# int e 3
Brocade(config-if-e1000-3)# dot1x port-control auto
Brocade(config-if-e1000-3)# use-radius-server 10.10.10.103
Brocade(config-if-e1000-3)# use-radius-server 10.10.10.110
With the above configuration, port e 3 would send a RADIUS request to 10.10.10.103 first, since it is the first server mapped to the port. If it fails, it will go to 10.10.10.110.
Syntax: use-radius-server ip-addr
The host ip-addr is an IPv4 address.
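The server-selection rules from the two sections above (port-only servers are used only by the ports they are mapped to; an unmapped port walks the global servers in configuration order; a mapped port walks its use-radius-server list; at most eight servers per device and per port), as an added example written for this guide rather than Brocade code. The configuration and the port names are constructed from the examples above, and servers_for_port, first_responding and RadiusSelectionError are this example's own names:

```python
# Added example (not Brocade code): which RADIUS servers a port tries, and in
# what order, under the port-only / use-radius-server rules described above.

MAX_SERVERS = 8   # the per-device and the per-port limit stated in this guide

# Constructed from the radius-server host examples above: (host, port_only)
CONFIG = [
    ("10.10.10.103", True),
    ("10.10.10.104", True),
    ("10.10.10.105", False),
    ("10.10.10.106", False),
]
# Constructed from the use-radius-server example above, in mapping order
MAPPINGS = {"e 3": ["10.10.10.103", "10.10.10.110"]}


class RadiusSelectionError(ValueError):
    """Raised when the configuration exceeds the limits the guide states."""


def servers_for_port(global_config, port_mappings, port):
    """Return the ordered list of hosts that `port` will send requests to.
    global_config: [(host, port_only)] in radius-server host order.
    port_mappings: {port: [host, ...]} in use-radius-server order."""
    if len(global_config) > MAX_SERVERS:
        raise RadiusSelectionError("more than eight RADIUS servers configured")
    mapped = port_mappings.get(port, [])
    if len(mapped) > MAX_SERVERS:
        raise RadiusSelectionError(f"more than eight servers mapped to {port}")
    if mapped:
        return list(mapped)          # a mapped port uses only its own servers
    # unmapped port: global servers only, port-only servers are skipped
    return [host for host, port_only in global_config if not port_only]


def first_responding(candidates, reachable):
    """Simulate failover: the first host, in order, that answers; None if the
    whole list is exhausted (the device would then move to the next method)."""
    for host in candidates:
        if host in reachable:
            return host
    return None


if __name__ == "__main__":
    for port in ("e 3", "e 9"):
        print(port, servers_for_port(CONFIG, MAPPINGS, port))
```

The last two test cases are the ones worth checking on a real deployment: a port-only server never backs up an unmapped port, so an outage of both global servers leaves e 9 without any RADIUS server even though 10.10.10.103 is up.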

RADIUS parameters

You can set the following parameters in a RADIUS configuration:
RADIUS key – This parameter specifies the value that the Brocade device sends to the RADIUS server when trying to authenticate user access.
Retransmit interval – This parameter specifies how many times the Brocade device will resend an authentication request when the RADIUS server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
Timeout – This parameter specifies how many seconds the Brocade device waits for a response from a RADIUS server before either retrying the authentication request, or determining that the RADIUS servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Setting the RADIUS key
The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over the network. The value for the key parameter on the Brocade device should match the one configured on the RADIUS server. The key can be from 1 – 32 characters in length and cannot include any space characters.
To specify a RADIUS server key, enter a command such as the following.
Brocade(config)# radius-server key mirabeau
Syntax: radius-server key [0 | 1] string
When you display the configuration of the Brocade device, the RADIUS key is encrypted.
Example
Brocade(config)# radius-server key 1 abc
Brocade(config)# write terminal
...
radius-server host 10.2.3.5
radius key 1 $!2d
Encryption of the RADIUS keys is done by default. The 0 parameter disables encryption. The 1 parameter is not required; it is provided for backwards compatibility.
Setting the retransmission limit
The retransmit parameter specifies the maximum number of retransmission attempts. When an authentication request times out, the Brocade software will retransmit the request up to the maximum number of retransmissions configured. The default retransmit value is 3 retries. The range of retransmit values is from 1 – 5.
To set the RADIUS retransmit limit, enter a command such as the following.
Brocade(config)# radius-server retransmit 5
Syntax: radius-server retransmit number
Setting the timeout parameter
The timeout parameter specifies how many seconds the Brocade device waits for a response from the RADIUS server before either retrying the authentication request, or determining that the RADIUS server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Brocade(config)# radius-server timeout 5
Syntax: radius-server timeout number
Setting RADIUS over IPv6
Brocade devices support the ability to send RADIUS packets over an IPv6 network.
To enable the Brocade device to send RADIUS packets over IPv6, enter a command such as the following at the Global CONFIG level of the CLI.
Brocade(config)# radius-server host ipv6 3000::300
Syntax: radius-server host ipv6 ipv6-host address
The ipv6-host address is the IPv6 address of the RADIUS server. When you enter the IPv6 host address, you do not need to specify the prefix length. A prefix length of 128 is implied.

Setting authentication-method lists for RADIUS

You can use RADIUS to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels of the CLI. When configuring RADIUS authentication, you create authentication-method lists specifically for these access methods, specifying RADIUS as the primary authentication method.
Within the authentication-method list, RADIUS is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If RADIUS authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.
When you configure authentication-method lists for RADIUS, you must create a separate authentication-method list for Telnet or SSH CLI access and for CLI access to the Privileged EXEC level and CONFIG levels of the CLI.
To create an authentication-method list that specifies RADIUS as the primary authentication method for securing Telnet access to the CLI.
Brocade(config)# enable telnet authentication
Brocade(config)# aaa authentication login default radius local
The commands above cause RADIUS to be the primary authentication method for securing Telnet access to the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead.
To create an authentication-method list that specifies RADIUS as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI, enter the following command.
Brocade(config)# aaa authentication enable default radius local none
The command above causes RADIUS to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If RADIUS authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.
Syntax: [no] aaa authentication enable | login default method1 [method2] [method3] [method4] [method5] [method6] [method7]
The enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.
The method1 parameter specifies the primary authentication method. The remaining optional method parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.
TABLE 9 Authentication method values
Method parameter    Description
line        Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. Refer to “Setting a Telnet password” on page 13.
enable      Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command. Refer to “Setting passwords for management privilege levels” on page 14.
local       Authenticate using a local user name and password you configured on the device. Local user names and passwords are configured using the username… command. Refer to “Local user account configuration” on page 21.
tacacs      Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
tacacs+     Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
radius      Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command.
none        Do not use any authentication method. The device automatically permits access.
For examples of how to define authentication-method lists for types of authentication other than RADIUS, refer to “Authentication-method lists” on page 58.
Entering privileged EXEC mode after a Telnet or SSH login
By default, a user enters User EXEC mode after a successful login through Telnet or SSH. Optionally, you can configure the device so that a user enters Privileged EXEC mode after a Telnet or SSH login. To do this, use the following command.
Brocade(config)# aaa authentication login privilege-mode
Syntax: aaa authentication login privilege-mode
The user privilege level is based on the privilege level granted during login.
Configuring enable authentication to prompt for password only
If Enable authentication is configured on the device, when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password. You can configure the Brocade device to prompt only for a password. The device uses the username entered at login, if one is available. If no username was entered at login, the device prompts for both username and password.
To configure the Brocade device to prompt only for a password when a user attempts to gain Super User access to the Privileged EXEC and CONFIG levels of the CLI, enter the following command.
Brocade(config)# aaa authentication enable implicit-user
Syntax: [no] aaa authentication enable implicit-user

RADIUS authorization

Brocade devices support RADIUS authorization for controlling access to management functions in the CLI. Two kinds of RADIUS authorization are supported:
- Exec authorization determines a user privilege level when they are authenticated
- Command authorization consults a RADIUS server to get authorization for commands entered by the user
Configuring EXEC authorization
When RADIUS EXEC authorization is performed, the Brocade device consults a RADIUS server to determine the privilege level of the authenticated user. To configure RADIUS EXEC authorization on the Brocade device, enter the following command.
Brocade(config)# aaa authorization exec default radius
Syntax: aaa authorization exec default radius | none
If you specify none, or omit the aaa authorization exec command from the device configuration, no EXEC authorization is performed.
If the aaa authorization exec default radius command exists in the configuration, following successful authentication the device assigns the user the privilege level specified by the foundry-privilege-level attribute received from the RADIUS server. If the aaa authorization exec default radius command does not exist in the configuration, then the value in the foundry-privilege-level attribute is ignored, and the user is granted Super User access.
Also note that in order for the aaa authorization exec default radius command to work, either the aaa authentication enable default radius command, or the aaa authentication login privilege-mode command must also exist in the configuration.
Configuring command authorization
When RADIUS command authorization is enabled, the Brocade device consults the list of commands supplied by the RADIUS server during authentication to determine whether a user can execute a command he or she has entered.
You enable RADIUS command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Brocade device to perform authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Brocade(config)# aaa authorization commands 0 default radius
Syntax: aaa authorization commands privilege-level default radius | tacacs+ | none
The privilege-level parameter can be one of the following:
0 – Authorization is performed (that is, the Brocade device looks at the command list) for commands available at the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
RADIUS command authorization can be performed only for commands entered from Telnet or SSH sessions, or from the console.
Since RADIUS command authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.
Command authorization and accounting for console commands
The Brocade device supports command authorization and command accounting for CLI commands entered at the console. To configure the device to perform command authorization and command accounting for console commands, enter the following.
Brocade(config)# enable aaa console
Syntax: enable aaa console
CAUTION
If you have previously configured the device to perform command authorization using a RADIUS server, entering the enable aaa console command may prevent the execution of any subsequent commands entered on the console.
This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS server. This list is obtained during RADIUS authentication. For console sessions, RADIUS authentication is performed only if you have configured Enable authentication and specified RADIUS as the authentication method (for example, with the aaa authentication enable default radius command). If RADIUS authentication is never performed, the list of allowable commands is never obtained from the RADIUS server. Consequently, there would be no allowable commands on the console.

RADIUS accounting

Brocade devices support RADIUS accounting for recording information about user activity and system events. When you configure RADIUS accounting on a Brocade device, information is sent to a RADIUS accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring RADIUS accounting for Telnet/SSH (Shell) access
To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a Telnet or SSH session on the Brocade device, and an Accounting Stop packet when the user logs out, enter the following command.
Brocade(config)# aaa accounting exec default start-stop radius
Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
Configuring RADIUS accounting for CLI commands
You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Brocade device to perform RADIUS accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command.
Brocade(config)# aaa accounting commands 0 default start-stop radius
An Accounting Start packet is sent to the RADIUS accounting server when a user enters a command, and an Accounting Stop packet is sent when the service provided by the command is completed.
If authorization is enabled, and the command requires authorization, then authorization is performed before accounting takes place. If authorization fails for the command, no accounting takes place.
Syntax: aaa accounting commands privilege-level default start-stop radius | tacacs | none
The privilege-level parameter can be one of the following:
0 – Records commands available at the Super User level (all commands)
4 – Records commands available at the Port Configuration level (port-config and read-only commands)
5 – Records commands available at the Read Only level (read-only commands)
Configuring RADIUS accounting for system events
You can configure RADIUS accounting to record when system events occur on the Brocade device. System events include rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to the RADIUS accounting server when a system event occurs, and an Accounting Stop packet to be sent when the system event is completed.
Brocade(config)# aaa accounting system default start-stop radius
Syntax: aaa accounting system default start-stop radius | tacacs+ | none

Configuring an interface as the source for all RADIUS packets

You can designate the lowest-numbered IP address configured on an Ethernet port, loopback interface, or virtual interface as the source IP address for all RADIUS packets from the Layer 3 switch. For configuration details, refer to the Brocade ICX 6650 Layer 3 Routing Configuration Guide.

Displaying RADIUS configuration information

The show aaa command displays information about all TACACS/TACACS+ and RADIUS servers identified on the device.
Example
Brocade# show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 10.95.6.90 Port:49:
                opens=6 closes=3 timeouts=3 errors=0
                packets in=4 packets out=4
no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 10.95.6.90 Auth Port=1645 Acct Port=1646:
                opens=2 closes=1 timeouts=1 errors=0
                packets in=1 packets out=4
no connection
The following table describes the RADIUS information displayed by the show aaa command.
TABLE 10 Output of the show aaa command for RADIUS
Field    Description
Radius key          The setting configured with the radius-server key command. At the Super User privilege level, the actual text of the key is displayed. At the other privilege levels, a string of periods (....) is displayed instead of the text.
Radius retries      The setting configured with the radius-server retransmit command.
Radius timeout      The setting configured with the radius-server timeout command.
Radius dead-time    The setting configured with the radius-server dead-time command.
Radius Server       For each RADIUS server, the IP address and the following statistics are displayed:
                    Auth Port - RADIUS authentication port number (default 1645)
                    Acct Port - RADIUS accounting port number (default 1646)
                    opens - Number of times the port was opened for communication with the server
                    closes - Number of times the port was closed normally
                    timeouts - Number of times the port was closed due to a timeout
                    errors - Number of times an error occurred while opening the port
                    packets in - Number of packets received from the server
                    packets out - Number of packets sent to the server
connection          The current connection status. This can be “no connection” or “connection active”.
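Added example, not Brocade code: a small Python parser for the RADIUS part of the show aaa output in the layout shown above. It extracts the settings and per-server counters, flags servers that report no connection or timeouts, and redacts the shared secret (which show aaa prints in clear text at the Super User level) before the output is pasted into a ticket. The sample output below is constructed for the example, not captured from a device.

```python
"""Parse the RADIUS section of FastIron 'show aaa' output (added example)."""
import re
from typing import Any, Dict, List

# Constructed sample in the layout of the show aaa output above; the server
# has one timeout and no connection, which is what the checks should catch.
SAMPLE_SHOW_AAA = (
    "Radius key: networks\n"
    "Radius retries: 3\n"
    "Radius timeout: 3 seconds\n"
    "Radius dead-time: 3 minutes\n"
    "Radius Server: 10.95.6.90 Auth Port=1645 Acct Port=1646: "
    "opens=2 closes=1 timeouts=1 errors=0 packets in=1 packets out=4 no connection\n"
)

# One "Radius <setting>: <value>" line; the value runs to the end of the line.
SETTING_RE = re.compile(
    r"^Radius (?P<name>key|retries|timeout|dead-time):\s*(?P<value>.+?)\s*$", re.M
)
# One server block; \s+ tolerates the counters wrapping onto following lines.
SERVER_RE = re.compile(
    r"Radius Server:\s*(?P<ip>\S+)\s+Auth Port=(?P<auth_port>\d+)\s+"
    r"Acct Port=(?P<acct_port>\d+):\s*opens=(?P<opens>\d+)\s+closes=(?P<closes>\d+)\s+"
    r"timeouts=(?P<timeouts>\d+)\s+errors=(?P<errors>\d+)\s+"
    r"packets in=(?P<packets_in>\d+)\s+packets out=(?P<packets_out>\d+)\s+"
    r"(?P<connection>no connection|connection active)"
)
INT_FIELDS = ("auth_port", "acct_port", "opens", "closes", "timeouts", "errors",
              "packets_in", "packets_out")


def parse_show_aaa(text: str) -> Dict[str, Any]:
    """Return {'settings': {...}, 'servers': [...]} for the RADIUS section."""
    settings = {m.group("name"): m.group("value") for m in SETTING_RE.finditer(text)}
    servers: List[Dict[str, Any]] = []
    for m in SERVER_RE.finditer(text):
        row: Dict[str, Any] = m.groupdict()
        for field in INT_FIELDS:
            row[field] = int(row[field])
        servers.append(row)
    return {"settings": settings, "servers": servers}


def key_is_masked(settings: Dict[str, str]) -> bool:
    """Below the Super User level the key is shown as a string of periods."""
    key = settings.get("key", "")
    return key != "" and set(key) == {"."}


def radius_findings(parsed: Dict[str, Any]) -> List[str]:
    """Reachability findings worth alerting on: a radius method in an
    authentication-method list can only error while these are present."""
    findings: List[str] = []
    if not parsed["servers"]:
        findings.append("no RADIUS server configured")
    for s in parsed["servers"]:
        if s["connection"] != "connection active":
            findings.append(f"{s['ip']}: {s['connection']}")
        if s["timeouts"] or s["errors"]:
            findings.append(f"{s['ip']}: timeouts={s['timeouts']} errors={s['errors']}")
    return findings


def redact_keys(text: str) -> str:
    """Replace RADIUS and TACACS+ shared secrets with the masked form."""
    return re.sub(r"^((?:Radius|Tacacs\+) key:\s*)\S+", r"\g<1>....", text, flags=re.M)


if __name__ == "__main__":
    parsed = parse_show_aaa(SAMPLE_SHOW_AAA)
    for finding in radius_findings(parsed):
        print("finding:", finding)
    print(redact_keys(SAMPLE_SHOW_AAA))
```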

Authentication-method lists

To implement one or more authentication methods for securing access to the device, you configure authentication-method lists that set the order in which the authentication methods are consulted.
In an authentication-method list, you specify the access method (Telnet, SNMP, and so on) and the order in which the device tries one or more of the following authentication methods:
- Local Telnet login password
- Local password for the Super User privilege level
- Local user accounts configured on the device
- Database on a TACACS or TACACS+ server
- Database on a RADIUS server
- No authentication
The TACACS/TACACS+, RADIUS, and Telnet login password authentication methods are not supported for SNMP access.
To authenticate Telnet access to the CLI, you also must enable the authentication by entering the enable telnet authentication command at the global CONFIG level of the CLI.
You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses. Refer to “ACL usage to restrict remote access” on page 3 or “Remote access restrictions” on page 6.
In an authentication-method list for a particular access method, you can specify up to seven authentication methods. If the first authentication method is successful, the software grants access and stops the authentication process. If the access is rejected by the first authentication method, the software denies access and stops checking.
However, if an error occurs with an authentication method, the software tries the next method on the list, and so on. For example, if the first authentication method is the RADIUS server, but the link to the server is down, the software will try the next authentication method in the list.
If an authentication method is working properly and the password (and user name, if applicable) is not known to that method, this is not an error. The authentication attempt stops, and the user is denied access.
The software will continue this process until either the authentication method is passed or the software reaches the end of the method list. If the Super User level password is not rejected after all the access methods in the list have been tried, access is granted.
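As an added example (not Brocade code), the following Python models the method-list rules just described: an accept grants access and stops, a reject denies access and stops, an error hands over to the next method, and none always permits access. It also runs a few static checks on a configured list (list length, a trailing none, and the methods the text says are unsupported for SNMP). The RADIUS stand-in and the user databases are constructed for the example.

```python
"""Model of a FastIron authentication-method list walk (added example)."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"   # credentials known and correct: grant and stop
    REJECT = "reject"   # method working, credentials wrong: deny and stop
    ERROR = "error"     # method unavailable (e.g. server link down): try next


# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]


def make_radius(reachable: bool, users: Dict[str, str]) -> Method:
    """Constructed stand-in for a RADIUS server; ERROR when the link is down."""
    def radius(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return radius


def make_local(users: Dict[str, str]) -> Method:
    """Local user accounts; the database is always reachable, so never ERROR."""
    def local(user: str, password: str) -> Result:
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return local


def none_method(user: str, password: str) -> Result:
    """The 'none' method: no authentication, access is always permitted."""
    return Result.ACCEPT


def evaluate(method_list: List[Tuple[str, Method]], user: str,
             password: str) -> Tuple[bool, List[str]]:
    """Walk the list in order and return (access_granted, decision trace)."""
    trace: List[str] = []
    for name, method in method_list:
        result = method(user, password)
        trace.append(f"{name}:{result.value}")
        if result is Result.ACCEPT:
            return True, trace
        if result is Result.REJECT:
            return False, trace
        # ERROR: fall through to the next method in the list
    return False, trace  # every method errored and no 'none' was configured


# Methods the text above says are not supported for SNMP access.
NOT_FOR_SNMP = {"tacacs", "tacacs+", "radius", "line"}


def audit_method_list(access: str, methods: List[str]) -> List[str]:
    """Static checks on a list (access is snmp-server, enable or login)."""
    warnings: List[str] = []
    if len(methods) > 7:
        warnings.append("more than seven methods in the list")
    if methods and methods[-1] == "none":
        warnings.append("'none' is last: access is granted when every earlier method errors")
    if access == "snmp-server":
        for m in methods:
            if m in NOT_FOR_SNMP:
                warnings.append(f"{m} is not supported for snmp-server access")
    return warnings


def demo() -> Dict[str, bool]:
    """Outcomes for a few lists during a RADIUS outage and with a wrong password."""
    users = {"admin": "s3cret"}           # constructed RADIUS user database
    radius_down = make_radius(reachable=False, users=users)
    radius_up = make_radius(reachable=True, users=users)
    local = make_local({"admin": "localpw"})  # constructed local account
    return {
        # RADIUS down, local password correct: local grants access
        "radius_local_outage": evaluate([("radius", radius_down), ("local", local)], "admin", "localpw")[0],
        # RADIUS up but the password is wrong for it: rejected, local never consulted
        "radius_local_badpw": evaluate([("radius", radius_up), ("local", local)], "admin", "localpw")[0],
        # RADIUS down and 'none' next: any password is accepted (fail-open)
        "radius_none_outage": evaluate([("radius", radius_down), ("none", none_method)], "admin", "wrong")[0],
        # RADIUS down and nothing else configured: access denied
        "radius_only_outage": evaluate([("radius", radius_down)], "admin", "s3cret")[0],
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
    print(audit_method_list("enable", ["radius", "local", "none"]))
```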

Examples of authentication-method lists

The following examples show how to configure authentication-method lists. In these examples, the primary authentication method for each is “local”. The device will authenticate access attempts using the locally configured usernames and passwords.
To configure an authentication-method list for SNMP, enter a command such as the following.
Brocade(config)# aaa authentication snmp-server default local
This command allows certain incoming SNMP SET operations to be authenticated using the locally configured usernames and passwords. When this command is enabled, community string validation is not performed for incoming SNMP V1 and V2c packets. This command takes effect as long as the first varbind for SNMP packets is set to one of the following:
- snAgGblPassword="<username> <password>" (for AAA method local)
- snAgGblPassword="<password>" (for AAA method line, enable)
Certain SNMP objects need additional validation. These objects include but are not limited to: snAgReload, snAgWriteNVRAM, snAgConfigFromNVRAM, snAgImgLoad, snAgCfgLoad and snAgGblTelnetPassword. For more information, see snAgGblPassword in the IronWare MIB Reference Guide.
If AAA is set up to check both the username and password, the string contains the username, followed by a space then the password. If AAA is set up to authenticate with the current Enable or Line password, the string contains the password only.
Note that the above configuration can be overridden by the command no snmp-server pw-check, which disables password checking for SNMP SET requests.
Example 3
To configure an authentication-method list for the Privileged EXEC and CONFIG levels of the CLI, enter the following command.
Brocade(config)# aaa authentication enable default local
This command configures the device to use the local user accounts to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI.
Example 4
To configure the device to consult a RADIUS server first to authenticate attempts to access the Privileged EXEC and CONFIG levels of the CLI, then consult the local user accounts if the RADIUS server is unavailable, enter the following command.
Brocade(config)# aaa authentication enable default radius local
Command Syntax
The following is the command syntax for the preceding examples.
Syntax: [no] aaa authentication snmp-server | enable | login default method1 [method2] [method3] [method4] [method5] [method6] [method7]
The snmp-server | enable | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.
TACACS/TACACS+ and RADIUS are supported only with the enable and login parameters.
The method1 parameter specifies the primary authentication method. The remaining optional method parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.
TABLE 11 Authentication method values
Method parameter    Description
line        Authenticate using the password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. Refer to “Setting a Telnet password” on page 13.
enable      Authenticate using the password you configured for the Super User privilege level. This password is configured using the enable super-user-password… command. Refer to “Setting passwords for management privilege levels” on page 14.
local       Authenticate using a local user name and password you configured on the device. Local user names and passwords are configured using the username… command. Refer to “Local user account configuration” on page 21.
tacacs      Authenticate using the database on a TACACS server. You also must identify the server to the device using the tacacs-server command.
tacacs+     Authenticate using the database on a TACACS+ server. You also must identify the server to the device using the tacacs-server command.
radius      Authenticate using the database on a RADIUS server. You also must identify the server to the device using the radius-server command. Refer to “RADIUS security” on page 41.
none        Do not use any authentication method. The device automatically permits access.
TCP Flags - edge port security
The edge port security feature works in combination with IP ACL rules and supports all six TCP flags present in the byte at offset 13 of the TCP header:
+|- urg = Urgent
+|- ack = Acknowledge
+|- psh = Push
+|- rst = Reset
+|- syn = Synchronize
+|- fin = Finish
TCP flags can be combined with other ACL functions (such as dscp-marking and traffic policies), giving you greater flexibility when designing ACLs.
The TCP flags feature offers two options, match-all and match-any:
Match-any - Indicates that incoming TCP traffic must be matched against any of the TCP flags configured as part of the match-any ACL rule. In CAM hardware, the number of ACL rules will match the number of configured flags.
Match-all - Indicates that incoming TCP traffic must be matched against all of the TCP flags configured as part of the match-all ACL rule. In CAM hardware, there will be only one ACL rule for all configured flags.
Example
Brocade(config-ext-nACL)# permit tcp 10.1.1.1 0.0.0.255 eq 100 10.2.2.2 0.0.0.255 eq 300 match-all +urg +ack +syn -rst
This command configures a single rule in CAM hardware. This rule will contain all of the configured TCP flags (urg, ack, syn, and rst).

Using TCP Flags in combination with other ACL features

The TCP Flags feature has the added capability of being combined with other ACL features.
Example
Brocade(config-ext-nACL)# permit tcp any any match-all +urg +ack +syn -rst traffic-policy test
This command configures the ACL to match incoming traffic with the TCP Flags urg, ack, and syn and also to apply the traffic policy (rate, limit, etc.) to the matched traffic.
Brocade(config-ext-nACL)# permit tcp any any match-all +urg +ack +syn -rst tos normal
This command configures the ACL to match incoming traffic with the flags urg, ack, and syn, and also sets the tos bit to normal when the traffic exits the device.
TCP Flags combines the functionality of older features such as TCP Syn Attack and TCP Establish. Avoid configuring these older features on a port where you have configured TCP Flags. TCP Flags can perform all of the functions of TCP Syn Attack and TCP Establish, and more. However, if TCP Syn Attack is configured on a port along with TCP Flags, TCP Syn Attack will take precedence.
If an ACL clause with match-any exists and the total number of TCP Flags rules will not fit within the 1021 CAM entries available (the maximum number of rules allowed per device), the system runs out of CAM and none of the TCP Flags rules will be programmed into the CAM hardware.
If a range option and match-any TCP-flags are combined in the same ACL, the total number of rules is calculated as: total number of rules in CAM hardware = (number of rules for range) * (number of rules for match-any TCP-flags).
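The following Python is added here and is not Brocade code. It models the match-all and match-any semantics of this section for arbitrary +/- flag specifications (the page shows one clause; the code evaluates any), reads the flag bits from offset 13 of a raw TCP header, and applies the CAM rule counts and the 1021-entry limit given above so a clause can be checked for CAM fit before it is configured. The TCP header is constructed in the example.

```python
"""TCP Flags ACL matching and CAM rule accounting (added example)."""
import struct
from typing import Dict

# Bit positions of the six flags the feature supports (RFC 793 layout of
# the byte at offset 13 of the TCP header).
FLAG_BITS: Dict[str, int] = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20,
}
CAM_MAX_RULES = 1021  # maximum rules allowed per device, from the text above


def parse_flag_spec(spec: str) -> Dict[str, bool]:
    """Turn '+urg +ack +syn -rst' into {'urg': True, ..., 'rst': False}."""
    wanted: Dict[str, bool] = {}
    for token in spec.split():
        if len(token) < 2 or token[0] not in "+-" or token[1:] not in FLAG_BITS:
            raise ValueError(f"bad TCP flag token: {token!r}")
        wanted[token[1:]] = token[0] == "+"
    return wanted


def tcp_flags_byte(tcp_header: bytes) -> int:
    """Return the six flag bits at offset 13 of a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return tcp_header[13] & 0x3F  # mask off the two ECN bits above the flags


def matches(flags_byte: int, mode: str, wanted: Dict[str, bool]) -> bool:
    """match-all: every +/- condition holds; match-any: at least one holds."""
    conditions = [bool(flags_byte & FLAG_BITS[name]) == want
                  for name, want in wanted.items()]
    if mode == "match-all":
        return all(conditions)
    if mode == "match-any":
        return any(conditions)
    raise ValueError(f"unknown mode: {mode}")


def cam_rules(mode: str, wanted: Dict[str, bool], range_rules: int = 1) -> int:
    """CAM entries one clause consumes: one per configured flag for match-any,
    one for match-all, multiplied by the rules a port range expands to."""
    per_clause = len(wanted) if mode == "match-any" else 1
    return per_clause * range_rules


def fits_cam(total_rules: int) -> bool:
    """False means none of the TCP Flags rules would be programmed."""
    return total_rules <= CAM_MAX_RULES


def build_tcp_header(src_port: int, dst_port: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header (no options) with the given flags."""
    data_offset = 5 << 4  # header length of 5 words in the high nibble of byte 12
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, data_offset, flags,
                       65535, 0, 0)


if __name__ == "__main__":
    spec = parse_flag_spec("+urg +ack +syn -rst")  # the clause from the example above
    pkt = build_tcp_header(100, 300, FLAG_BITS["urg"] | FLAG_BITS["ack"] | FLAG_BITS["syn"])
    print("match-all:", matches(tcp_flags_byte(pkt), "match-all", spec))
    print("match-any CAM rules with a 3-rule range:", cam_rules("match-any", spec, 3))
```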

SSH2 and SCP

Table 12 lists SSH2 and Secure Copy features supported on Brocade ICX 6650.
TABLE 12 Supported SSH2 and Secure Copy features
Feature Brocade ICX 6650
Secure Shell (SSH) version 2 Yes
AES encryption for SSH2 Yes
Optional parameters for SSH2 Yes
Using secure copy (SCP) with SSH2 Yes
Filtering SSH access using ACLs Yes
Terminating an active SSH connection Yes
SSH client Yes

SSH version 2 overview

Secure Shell (SSH) is a mechanism for allowing secure remote access to management functions on a Brocade device. SSH provides a function similar to Telnet. Users can log into and configure the device using a publicly or commercially available SSH client program, just as they can with Telnet. However, unlike Telnet, which provides no security, SSH provides a secure, encrypted connection to the device.
The Brocade SSH2 implementation is compatible with all versions of the SSH2 protocol (2.1, 2.2, and so on). At the beginning of an SSH session, the Brocade device negotiates the version of SSH2 to be used. The highest version of SSH2 supported by both the Brocade device and the client is the version that is used for the session. Once the SSH2 version is negotiated, the encryption algorithm with the highest security ranking is selected to be used for the session.
Brocade devices also support Secure Copy (SCP) for securely transferring files between a Brocade device and SCP-enabled remote hosts.
The SSH feature includes software that is copyright Allegro Software Development Corporation.
SSH2 is supported in the Layer 2 and Layer 3 codes.
SSH2 is a substantial revision of Secure Shell, comprising the following hybrid protocols and definitions:
- SSH Transport Layer Protocol
- SSH Authentication Protocol
- SSH Connection Protocol
- SECSH Public Key File Format
- SSH Fingerprint Format
- SSH Protocol Assigned Numbers
- SSH Transport Layer Encryption Modes
- SCP/SSH URI Format

Tested SSH2 clients

The following SSH clients have been tested with SSH2:
- SSH Secure Shell 3.2.3
- Van Dyke SecureCRT 5.2.2
- F-Secure SSH Client 5.3 and 6.0
- PuTTY 0.60
- OpenSSH 4.3p2
- Brocade SSH Client
Supported SSH client public key sizes are 1024 bits for DSA keys, and 1024 or 2048 bits for RSA keys.

SSH2 supported features

SSH2 (Secure Shell version 2 protocol) provides an SSH server and an SSH client. The SSH server allows secure remote access management functions on a Brocade device. SSH provides a function that is similar to Telnet, but unlike Telnet, SSH provides a secure, encrypted connection.
Brocade SSH2 support includes the following:
- The key exchange method is diffie-hellman-group1-sha1.
- The supported public key algorithms are ssh-dss and ssh-rsa.
- Encryption is provided with 3des-cbc, aes128-cbc, aes192-cbc or aes256-cbc. AES encryption has been adopted by the U.S. Government as an encryption standard.
- Data integrity is ensured with hmac-sha1.
- Supported authentication methods are Password and publickey.
- Five inbound SSH connections at one time are supported.
- One outbound SSH connection is supported.

SSH2 unsupported features

The following are not supported with SSH2:
- Compression
- TCP/IP port forwarding, X11 forwarding, and secure file transfer
- SSH version 1

SSH2 authentication types

The Brocade implementation of SSH2 supports the following types of user authentication:
- DSA challenge-response authentication, where a collection of public keys are stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
- RSA challenge-response authentication, where a collection of public keys are stored on the device. Only clients with a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
- Password authentication, where users attempting to gain access to the device using an SSH client are authenticated with passwords stored on the device or on a TACACS or TACACS+ server or a RADIUS server.

You can configure the device to use any combination of these authentication types. The SSH server and client negotiate which type to use.

Configuring SSH2

To configure SSH2, follow these steps:
1. Generate a host Digital Signature Algorithm (DSA) or Really Secure Algorithm (RSA) public and private key pair for the device.
See the section “Enabling and disabling SSH by generating and deleting host keys” on page 65.
2. Configure DSA or RSA challenge-response authentication.
See the section “Configuring DSA or RSA challenge-response authentication” on page 67.
3. Set optional parameters.
See the section “Optional SSH parameters” on page 69.

Enabling and disabling SSH by generating and deleting host keys

To enable SSH, you generate a public and private DSA or RSA host key pair on the device. The SSH server on the Brocade device uses this host DSA or RSA key pair, along with a dynamically generated server DSA or RSA key pair, to negotiate a session key and encryption method with the client trying to connect to it.
While the SSH listener exists at all times, sessions cannot be started from clients until a host key is generated. After a host key is generated, clients can start sessions.
To disable SSH, you delete all of the host keys from the device.
When a host key pair is generated, it is saved to the flash memory of all management modules. When a host key pair is deleted, it is deleted from the flash memory of all management modules.
The time to initially generate SSH keys varies depending on the configuration, and can be from under a minute to several minutes.
NOTE
If you have generated SSH keys on the switch, delete and regenerate them when you upgrade or downgrade the software version, before starting an SSH session.
Setting the CPU priority for key generation
Generating the key is a resource-intensive operation. You can set the priority for this operation to high so that the device allocates more CPU time to it, which reduces the time taken for key generation. Use this option only when the device is in a maintenance window.
To set high priority for the key generation operation, enter the following command:
Brocade(config)# crypto-gen priority high
Syntax: crypto key crypto-gen priority default | high
The default keyword sets the priority as default. The key generation task is handled with the regular priority.
The high keyword sets the high priority for the key generation task. Use this option only when the device is in the maintenance window.
Generating and deleting a DSA key pair
To generate a DSA key pair, enter the following command.
Brocade(config)# crypto key generate dsa
To delete the DSA host key pair, enter the following command.
Brocade(config)# crypto key zeroize dsa
Syntax: crypto key generate | zeroize dsa
The generate keyword places a host key pair in the flash memory and enables SSH on the device, if it is not already enabled.
The zeroize keyword deletes the host key pair from the flash memory. This disables SSH if no other server host keys exist on the device.
The dsa keyword specifies a DSA host key pair. This keyword is optional. If you do not enter it, the command crypto key generate generates a DSA key pair by default, and the command crypto key zeroize works as described in “Deleting DSA and RSA key pairs” on page 67.
Generating and deleting an RSA key pair
To generate an RSA key pair, enter a command such as the following:
Brocade(config)# crypto key generate rsa modulus 2048
To delete the RSA host key pair, enter the following command.
Brocade(config)# crypto key zeroize rsa
Syntax: crypto key generate | zeroize rsa [modulus modulus-size]
The generate keyword places an RSA host key pair in the flash memory and enables SSH on the device, if it is not already enabled.
The optional [modulus modulus-size] parameter specifies the modulus size of the RSA key pair, in bits. The valid values for modulus-size are 1024 or 2048. The default value is 1024.
The zeroize keyword deletes the RSA host key pair from the flash memory. This disables SSH if no other authentication keys exist on the device.
The rsa keyword specifies an RSA host key pair.
Deleting DSA and RSA key pairs
To delete DSA and RSA key pairs from the flash memory, enter the following command:
Brocade(config)# crypto key zeroize
Syntax: crypto key zeroize
The zeroize keyword deletes the host key pair from the flash memory. This disables SSH.
Providing the public key to clients
The host DSA or RSA key pair is stored in the system-config file of the Brocade device. Only the public key is readable. Some SSH client programs add the public key to the known hosts file automatically. In other cases, you must manually create a known hosts file and place the public key of the Brocade device in it.
If you are using SSH to connect to a Brocade device from a UNIX system, you may need to add the public key on the Brocade device to a “known hosts” file on the client UNIX system; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a known hosts file.

Configuring DSA or RSA challenge-response authentication

With DSA or RSA challenge-response authentication, a collection of clients’ public keys are stored on the Brocade device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
When DSA or RSA challenge-response authentication is enabled, the following events occur when a client attempts to gain access to the device using SSH:
1. The client sends its public key to the Brocade device.
2. The Brocade device compares the client public key to those stored in memory.
3. If there is a match, the Brocade device uses the public key to encrypt a random sequence of bytes.
4. The Brocade device sends these encrypted bytes to the client.
5. The client uses its private key to decrypt the bytes.
6. The client sends the decrypted bytes back to the Brocade device.
7. The Brocade device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes match, it means that the client private key corresponds to an authorized public key, and the client is authenticated.
Setting up DSA or RSA challenge-response authentication consists of the following steps.
1. Import authorized public keys into the Brocade device.
2. Enable DSA or RSA challenge-response authentication.
Importing authorized public keys into the Brocade device
SSH clients that support DSA or RSA authentication normally provide a utility to generate a DSA or RSA key pair. The private key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not protected. You must import the client public key for each client into the Brocade device.
Collect one public key of each key type (DSA and/or RSA) from each client to be granted access to the Brocade device and place all of these keys into one file. This public key file may contain up to 17 keys. The following is an example of a public key file containing one public key:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/ z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om 1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV
---- END SSH2 PUBLIC KEY ----
NOTE
Each key in the public key file must begin and end with the first and last lines in this example. If your client does not include these lines in the public key, you must manually add them.
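As an added example that is not code from the Brocade guide, the following Python script converts an OpenSSH-style "ssh-dss AAAA... comment" line into the BEGIN/END-wrapped block the device requires and checks a finished public key file before it is placed on the TFTP server: every key must carry both delimiter lines, its body must decode to an ssh-dss or ssh-rsa key, and the file may hold at most 17 keys. The sample key is constructed from dummy values and the function names are the example's own.

```python
"""Build and check a client public key file for 'ip ssh pub-key-file tftp'.
Added example, not from the Brocade guide: the guide requires each key to sit
between "---- BEGIN SSH2 PUBLIC KEY ----" and "---- END SSH2 PUBLIC KEY ----"
lines and allows at most 17 keys per file, while OpenSSH clients emit one
"ssh-dss AAAA... comment" line per key. The sample key below is built from
dummy integers and is NOT a usable key."""
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"
MAX_KEYS = 17                                      # limit stated in the guide
KEY_TYPES = {"ssh-dss": "DSA", "ssh-rsa": "RSA"}   # the only types the device accepts


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire-format positive mpint (leading zero byte added if the top bit is set)."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def make_dummy_openssh_line(comment: str = "alice@example") -> str:
    """Constructed OpenSSH-style key line: a syntactically valid ssh-dss blob
    (type string followed by p, q, g, y as tiny dummy mpints), base64-encoded."""
    blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (0x7F, 0x61, 0x02, 0x55))
    return f"ssh-dss {base64.b64encode(blob).decode()} {comment}"


def openssh_to_ssh2(line: str) -> str:
    """Wrap one OpenSSH key line in the delimiter lines the device requires; the
    trailing comment becomes a 'Comment:' header and the body is folded at 70 columns."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unsupported or malformed key line: {line[:32]!r}")
    comment = " ".join(parts[2:]) or f"{KEY_TYPES[parts[0]]} Public Key"
    body = [parts[1][i:i + 70] for i in range(0, len(parts[1]), 70)]
    return "\n".join([BEGIN, f"Comment: {comment}", *body, END])


def key_type_of(blob: bytes) -> str:
    """Read the leading type string ('ssh-dss' or 'ssh-rsa') of a decoded key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short to carry a type string")
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")


def parse_pub_key_file(text: str) -> list:
    """Return [(key_type, comment), ...] for a well-formed file, or raise
    ValueError naming the first problem: a key missing either delimiter line,
    a body that is not base64 or not DSA/RSA, or more than MAX_KEYS keys."""
    keys, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if not lines[i].strip():                  # blank lines between keys are fine
            i += 1
            continue
        if lines[i].strip() != BEGIN:
            raise ValueError(f"line {i + 1}: expected {BEGIN!r}")
        start, i = i + 1, i + 1                   # 1-based line of this key's BEGIN
        comment, body = "", []
        while i < len(lines) and lines[i].strip() != END:
            if lines[i].startswith("Comment:"):
                comment = lines[i].split(":", 1)[1].strip()
            elif ":" not in lines[i]:             # other header lines are skipped
                body.append(lines[i].strip())
            i += 1
        if i == len(lines):
            raise ValueError(f"key starting at line {start}: missing {END!r}")
        i += 1
        try:
            blob = base64.b64decode("".join(body), validate=True)
        except ValueError as exc:                 # binascii.Error is a ValueError
            raise ValueError(f"key starting at line {start}: bad base64 ({exc})") from exc
        ktype = key_type_of(blob)
        if ktype not in KEY_TYPES:
            raise ValueError(f"key starting at line {start}: type {ktype!r} is not DSA or RSA")
        keys.append((KEY_TYPES[ktype], comment))
    if len(keys) > MAX_KEYS:
        raise ValueError(f"{len(keys)} keys in file; the device accepts at most {MAX_KEYS}")
    return keys


if __name__ == "__main__":
    block = openssh_to_ssh2(make_dummy_openssh_line())
    print(block)
    print(parse_pub_key_file(block))          # [('DSA', 'alice@example')]
```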
Import the authorized public keys into the Brocade device active configuration by loading this public key file from a TFTP server.
To load a public key file called pkeys.txt from a TFTP server, enter a command such as the following:
Brocade(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
Syntax: ip ssh pub-key-file tftp tftp-server-ip-addr filename | remove
The tftp-server-ip-addr variable is the IP address of the TFTP server that contains the public key file that you want to import into the Brocade device.
The filename variable is the name of the public key file that you want to import into the Brocade device.
The remove parameter deletes the public keys from the device.
To display the currently loaded public keys, enter the following command.
Brocade# show ip client-pub-key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: DSA Public Key
AAAAB3NzaC1kc3MAAACBAPY8ZOHY2yFSJA6XYC9HRwNHxaehvx5wOJ0rzZdzoSOXxbET W6ToHv8D1UJ/ z+zHo9Fiko5XybZnDIaBDHtblQ+Yp7StxyltHnXF1YLfKD1G4T6JYrdH YI14Om 1eg9e4NnCRleaqoZPF3UGfZia6bXrGTQf3gJq2e7Yisk/gF+1VAAAAFQDb8D5cv wHWTZDPfX0D2s9Rd7NBvQAAAIEAlN92+Bb7D4KLYk3IwRbXblwXdkPggA4pfdtW9v GfJ0/RHd+NjB4eo1D+0dix6tXwYGN7PKS5R/FXPNwxHPapcj9uL1Jn2AWQ2dsknf+i/FAA vioUPkmdMc0zuWoSOEsSNhVDtX3WdvVcGcBq9cetzrtOKWOocJmJ80qadxTRHtUAAACB AN7CY+KKv1gHpRzFwdQm7HK9bb1LAo2KwaoXnadFgeptNBQeSXG1vO+JsvphVMBJc9HS n24VYtYtsMu74qXviYjziVucWKjjKEb11juqnF0GDlB3VVmxHLmxnAz643WK42Z7dLM5 sY29ouezv4Xz2PuMch5VGPP+CDqzCM4loWgV
---- END SSH2 PUBLIC KEY ----
Syntax: show ip client-pub-key [begin expression | exclude expression | include expression]
To clear the public keys from the buffers, enter the following command.
Brocade# clear public-key
Syntax: clear public-key
Enabling DSA or RSA challenge-response authentication
DSA and RSA challenge-response authentication is enabled by default. You can disable or re-enable it manually.
To enable DSA and RSA challenge-response authentication, enter the following command.
Brocade(config)# ip ssh key-authentication yes
To disable DSA and RSA challenge-response authentication, enter the following command.
Brocade(config)# ip ssh key-authentication no
Syntax: ip ssh key-authentication yes | no
Optional SSH parameters
You can adjust the following SSH settings on the Brocade device:
The number of SSH authentication retries
The user authentication method the Brocade device uses for SSH connections
Whether the Brocade device allows users to log in without supplying a password
The port number for SSH connections
The SSH login timeout value
A specific interface to be used as the source for all SSH traffic from the device
The maximum idle time for SSH sessions

Setting the number of SSH authentication retries

By default, the Brocade device attempts to negotiate a connection with the connecting host three times. You can change the number of authentication retries to any value from 1 to 5.
For example, the following command changes the number of authentication retries to 5.
Brocade(config)# ip ssh authentication-retries 5
Syntax: ip ssh authentication-retries number

Deactivating user authentication

After the SSH server on the Brocade device negotiates a session key and encryption method with the connecting client, user authentication takes place. The Brocade implementation of SSH supports DSA or RSA challenge-response authentication and password authentication.
With DSA or RSA challenge-response authentication, a collection of clients’ public keys are stored on the Brocade device. Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to one of the stored public keys can gain access to the device using SSH.
With password authentication, users are prompted for a password when they attempt to log into the device (provided empty password logins are not allowed). If there is no user account that matches the user name and password supplied by the user, the user is not granted access.
You can deactivate one or both user authentication methods for SSH. Note that deactivating both authentication methods essentially disables the SSH server entirely.
To disable DSA or RSA challenge-response authentication, enter the following command.
Brocade(config)# ip ssh key-authentication no
Syntax: ip ssh key-authentication yes | no
The default is yes.
To deactivate password authentication, enter the following command.
Brocade(config)# ip ssh password-authentication no
Syntax: ip ssh password-authentication no | yes
The default is yes.

Enabling empty password logins

By default, empty password logins are not allowed. This means that users with an SSH client are always prompted for a password when they log into the device. To gain access to the device, each user must have a user name and password. Without a user name and password, a user is not granted access.
If you enable empty password logins, users are not prompted for a password when they log in. Any user with an SSH client can log in without being prompted for a password.
To enable empty password logins, enter the following command.
Brocade(config)# ip ssh permit-empty-passwd yes
Syntax: ip ssh permit-empty-passwd no | yes

Setting the SSH port number

By default, SSH traffic occurs on TCP port 22. You can change this port number. For example, the following command changes the SSH port number to 2200.
Brocade(config)# ip ssh port 2200
Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH port number, Brocade recommends that you change it to a port number greater than 1024.
Syntax: ip ssh port number

Setting the SSH login timeout value

When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects. You can change this timeout value to any value from 1 to 120 seconds. For example, to change the timeout value to 60 seconds, enter the following command.
Brocade(config)# ip ssh timeout 60
Syntax: ip ssh timeout seconds

Designating an interface as the source for all SSH packets

You can designate a loopback interface, virtual interface, or Ethernet port as the source for all SSH packets from the device. For more information, refer to the Brocade ICX 6650 Layer 3 Routing Configuration Guide.

Configuring the maximum idle time for SSH sessions

By default, SSH sessions do not time out. Optionally, you can set the amount of time an SSH session can be inactive before the Brocade device closes it. For example, to set the maximum idle time for SSH sessions to 30 minutes, enter the following command.
Brocade(config)# ip ssh idle-time 30
Syntax: ip ssh idle-time minutes
If an established SSH session has no activity for the specified number of minutes, the Brocade device closes it. An idle time of 0 minutes (the default value) means that SSH sessions never time out. The maximum idle time for SSH sessions is 240 minutes.

Filtering SSH access using ACLs

You can permit or deny SSH access to the Brocade device using ACLs. To use ACLs, first create the ACLs you want to use. You can specify a numbered standard IPv4 ACL, a named standard IPv4 ACL
Enter commands such as the following.
Brocade(config)# access-list 10 permit host 192.168.144.241
Brocade(config)# access-list 10 deny host 192.168.144.242 log
Brocade(config)# access-list 10 permit host 192.168.144.243
Brocade(config)# access-list 10 deny any
Brocade(config)# ssh access-group 10
Syntax: ssh access-group standard-named-acl | standard-numbered-acl

Terminating an active SSH connection

To terminate one of the active SSH connections, enter the following command.
Brocade# kill ssh 1
Syntax: kill ssh connection-id

Displaying SSH information

Up to five SSH connections can be active on the Brocade device.

Displaying SSH connection information

To display information about SSH connections, enter the show ip ssh command.
Brocade# show ip ssh
Connection Version Encryption Username HMAC Server Hostkey IP Address
Inbound:
1 SSH-2 3des-cbc Raymond hmac-sha1 ssh-dss 10.120.54.2
Outbound:
6 SSH-2 aes256-cbc Steve hmac-sha1 ssh-dss 10.37.77.15
SSH-v2.0 enabled; hostkey: DSA(1024), RSA(2048)
Syntax: show ip ssh [begin expression | exclude expression | include expression]
This display shows the following information about the active SSH connections.
TABLE 13 SSH connection information
Field Description
Inbound Connections listed under this heading are inbound.
Outbound Connections listed under this heading are outbound.
Connection The SSH connection ID.
Version The SSH version number.
Encryption The encryption method used for the connection.
Username The user name for the connection.
HMAC The HMAC version.
Server Hostkey The type of server hostkey. This can be DSA or RSA.
IP Address The IP address of the SSH client.
SSH-v2.0 enabled Indicates that SSHv2 is enabled.
hostkey Indicates that at least one host key is on the device. It is followed by a list of the host key types and modulus sizes.

Displaying SSH configuration information

To display SSH configuration information, use the show ip ssh config command:
Brocade# show ip ssh config
SSH server :Enabled
SSH port :22
Encryption :AES-256 AES-192 AES-128 3-DES
Permit empty password :Yes
Authentication methods :Password Public-key Interactive
Authentication retries :10
Login timeout (seconds) :20
Idle timeout (minutes) :10
Strict management VRF :Enabled
SCP :Disabled
SSH IPv4 clients :10.200.200.201. 10.200.200.202. 10.200.200.203
SSH IPv6 clients :2001:DB8:4545:3112:2040:f8ff:fe21:6001
SSH IPv4 access-list :4
SSH IPv6 access-list :ssh_ipv6_acl
Brocade#
Syntax: show ip ssh config
This display shows the following information.
TABLE 14 SSH configuration information
Field Description
SSH server SSH server is enabled or disabled.
SSH port SSH port number.
Encryption The encryption used for the SSH connection. The following values are displayed when AES only is enabled: AES-256, AES-192, and AES-128 indicate the different AES methods used for encryption. 3-DES indicates that the 3-DES algorithm is used for encryption.
Permit empty password Empty password login is allowed or not allowed.
Authentication methods The authentication methods used for SSH. The authentication can have one or more of the following values: Password - indicates that you are prompted for a password when attempting to log into the device. Public-key - indicates that DSA or RSA challenge-response authentication is enabled. Interactive - indicates that interactive authentication is enabled.
Authentication retries The number of authentication retries. This number can be from 1 to 5.
Login timeout (seconds) SSH login timeout value in seconds. This can be from 0 to 120.
Idle timeout (minutes) SSH idle timeout value in minutes. This can be from 0 to 240.
Strict management VRF Strict management VRF is enabled or disabled.
SCP SCP is enabled or disabled.
SSH IPv4 clients The list of IPv4 addresses to which SSH access is allowed. The default is “All”.
SSH IPv6 clients The list of IPv6 addresses to which SSH access is allowed. The default is “All”.
SSH IPv4 access-list The IPv4 ACL used to permit or deny access using SSH.
SSH IPv6 access-list The IPv6 ACL used to permit or deny access to the device using SSH.

Displaying additional SSH connection information

The show who command also displays information about SSH connections:
Brocade# show who
Console connections:
Established
you are connecting to this session
2 minutes 56 seconds in idle
SSH server status: Enabled
SSH connections (inbound):
1. established, client ip address 10.2.2.1, server hostkey DSA
1 minutes 15 seconds in idle
2. established, client ip address 10.2.2.2, server hostkey RSA
2 minutes 25 seconds in idle
SSH connection (outbound):
3. established, server ip address 10.37.77.15, server hostkey RSA
7 seconds in idle
Syntax: show who [begin expression | exclude expression | include expression]
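As an added example that is not part of the guide, the following Python script parses a captured show ip ssh config listing (SAMPLE is a constructed copy of the listing shown in this chapter) and flags the settings the surrounding sections describe as weak: empty-password logins permitted, a retry count outside the documented 1 to 5 range, an idle timeout of 0 (sessions never time out), no password or public-key method left active, 3-DES still offered, and no IPv4 ACL bound with ssh access-group. Function names and the finding format are the example's own.

```python
"""Audit a captured 'show ip ssh config' listing against the SSH settings this
guide documents. Added example, not part of the Brocade guide. SAMPLE is a
constructed copy of the listing shown in this chapter; the thresholds come
from the surrounding text (empty-password logins, the 1-5 retry range, idle
time 0 meaning "never", and "AES only" as the stricter cipher setting)."""

SAMPLE = """\
SSH server :Enabled
SSH port :22
Encryption :AES-256 AES-192 AES-128 3-DES
Permit empty password :Yes
Authentication methods :Password Public-key Interactive
Authentication retries :10
Login timeout (seconds) :20
Idle timeout (minutes) :10
Strict management VRF :Enabled
SCP :Disabled
SSH IPv4 clients :10.200.200.201. 10.200.200.202. 10.200.200.203
SSH IPv6 clients :2001:DB8:4545:3112:2040:f8ff:fe21:6001
SSH IPv4 access-list :4
SSH IPv6 access-list :ssh_ipv6_acl
Brocade#
"""


def parse_show_ip_ssh_config(text: str) -> dict:
    """Map each 'Field :value' line to {field: value}. Splitting on the first
    ' :' keeps IPv6 values (which contain ':') intact; prompt lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        field, sep, value = line.partition(" :")
        if sep:
            cfg[field.strip()] = value.strip()
    return cfg


def audit_ssh_config(text: str) -> list:
    """Return one dict per finding: the field, its value, why it matters and,
    where this guide documents one, the config command that changes it."""
    cfg = parse_show_ip_ssh_config(text)
    findings = []

    def flag(field, why, fix=None):
        findings.append({"field": field, "value": cfg.get(field), "why": why, "fix": fix})

    if cfg.get("SSH server") != "Enabled":
        flag("SSH server", "SSH server is not enabled; the remaining checks describe a dormant config")

    if cfg.get("Permit empty password", "").lower() == "yes":
        flag("Permit empty password", "any SSH client can log in without a password",
             "ip ssh permit-empty-passwd no")

    methods = set(cfg.get("Authentication methods", "").split())
    if not methods & {"Password", "Public-key"}:
        flag("Authentication methods",
             "neither password nor public-key authentication is active, which in effect disables the SSH server",
             "ip ssh password-authentication yes / ip ssh key-authentication yes")

    if "3-DES" in cfg.get("Encryption", "").split():
        flag("Encryption", "legacy 3-DES is offered alongside AES; the guide describes an AES-only mode")

    retries = cfg.get("Authentication retries", "")
    if retries.isdigit() and not 1 <= int(retries) <= 5:
        flag("Authentication retries", "outside the 1-5 range documented for ip ssh authentication-retries",
             "ip ssh authentication-retries 3")

    idle = cfg.get("Idle timeout (minutes)", "")
    if idle.isdigit() and int(idle) == 0:
        flag("Idle timeout (minutes)", "0 means idle SSH sessions never time out", "ip ssh idle-time 30")

    if not cfg.get("SSH IPv4 access-list"):
        flag("SSH IPv4 access-list", "no standard IPv4 ACL restricts SSH access", "ssh access-group <acl>")

    return findings


if __name__ == "__main__":
    for f in audit_ssh_config(SAMPLE):
        fix = f"  [fix: {f['fix']}]" if f["fix"] else ""
        print(f"{f['field']}: {f['value']} -> {f['why']}{fix}")
```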

Secure copy with SSH2

Secure Copy (SCP) uses security built into SSH to transfer image and configuration files to and from the device. SCP automatically uses the authentication methods, encryption algorithm, and data compression level configured for SSH. For example, if password authentication is enabled for SSH, the user is prompted for a user name and password before SCP allows a file to be transferred. No additional configuration is required for SCP on top of SSH.
You can use SCP to copy files on the Brocade device, including the startup configuration and running configuration files, to or from an SCP-enabled remote host.

Enabling and disabling SCP

SCP is enabled by default and can be disabled. To disable SCP, enter the following command.
Brocade(config)# ip ssh scp disable
Syntax: ip ssh scp disable | enable
NOTE
If you disable SSH, SCP is also disabled.

Secure copy configuration notes

When using SCP, enter the scp commands on the SCP-enabled client, rather than the console on the Brocade device.
Certain SCP client options, including -p and -r, are ignored by the SCP server on the Brocade device. If an option is ignored, the client is notified.
An SCP AES copy of the running or start configuration file from the Brocade device to Linux WS 4 or 5 may fail if the configuration size is less than 700 bytes. To work around this issue, use PuTTY to copy the file.

Example file transfers using SCP

The following are examples of using SCP to transfer files to and from a Brocade device.
Copying a file to the running configuration
To copy a configuration file (c:\cfg\brocade.cfg) to the running configuration file on a Brocade device at 192.168.1.50 and log in as user terry, enter the following command on the SCP-enabled client.
C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:runConfig
If password authentication is enabled for SSH, the user is prompted for user terry's password before the file transfer takes place.
Copying a file to the startup configuration
To copy the configuration file to the startup configuration file, enter the following command.
C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:startConfig
Copying the running configuration file to an SCP-enabled client
To copy the running configuration file on the Brocade device to a file called c:\cfg\brcdrun.cfg on the SCP-enabled client, enter the following command.
C:\> scp terry@192.168.1.50:runConfig c:\cfg\brcdrun.cfg
Copying the startup configuration file to an SCP-enabled client
To copy the startup configuration file on the Brocade device to a file called c:\cfg\brcdstart.cfg on the SCP-enabled client, enter the following command.
C:\> scp terry@192.168.1.50:startConfig c:\cfg\brcdstart.cfg
To overwrite the running configuration file, enter the following command.
C:\> scp c:\cfg\brocade.cfg terry@192.168.1.50:runConfig-overwrite
Copying a software image file to flash memory
To copy a software image file from an SCP-enabled client to the primary flash on these devices, enter one of the following commands.
C:\> scp FCXLR07500.bin terry@192.168.1.50:flash:primary
or
C:\> scp terry@192.168.1.50:flash:primary FCXLR07500.bin
To copy a software image file from an SCP-enabled client to the secondary flash on these devices, enter one of the following commands.
C:\> scp FCXLR07500.bin terry@192.168.1.50:flash:secondary
or
C:\> scp terry@192.168.1.50:flash:secondary FCXLR07500.bin
NOTE
The Brocade device supports only one SCP copy session at a time.
Copying a software image file from flash memory
To copy a software image file from the primary flash on these devices to an SCP-enabled client, enter a command such as the following.
C:\> scp terry@192.168.1.50:flash:primary FCXLR07500.bin
To copy a software image file from the secondary flash on these devices to an SCP-enabled client, enter a command such as the following.
C:\> scp terry@192.168.1.50:flash:secondary FCXLR07500.bin
NOTE
The Brocade device supports only one SCP copy session at a time.
Importing a digital certificate using SCP
To import a digital certificate using SCP, enter a command such as the following one:
C:\> scp certfile user@192.168.89.210:sslCert
Syntax: scp certificate-filename user@ip-address:sslCert
The ip-address variable is the IP address of the server from which the digital certificate file is downloaded.
The certificate-filename variable is the file name of the digital certificate that you are importing to the device.
The scp command can be used when TFTP access is unavailable or not permitted; it provides functionality equivalent to the ip ssl certificate-data-file tftp command. For more information on the ip ssl certificate-data-file tftp command, refer to “Importing digital certificates and RSA private key files” on page 27.
Importing an RSA private key
To import an RSA private key from a client using SCP, enter a command such as the following one:
C:\> scp keyfile user@192.168.9.210:sslPrivKey
Syntax: scp key-filename user@ip-address:sslPrivKey
The ip-address variable is the IP address of the server that contains the private key file.
The key-filename variable is the file name of the private key that you want to import into the device.
The scp command can be used when TFTP access is unavailable or not permitted and the command has an equivalent functionality to the ip ssl private-key-file tftp command. For more information on the ip ssl private-key-file tftp command, refer to “Importing digital certificates and RSA private key files” on page 27.
Importing a DSA or RSA public key
To import a DSA or RSA public key from a client using SCP, enter a command such as the following one:
C:\> scp pkeys.txt user@192.168.1.234:sshPubKey
Syntax: scp key-filename user@ip-address:sshPubKey
The ip-address variable is the IP address of the server that contains the public key file.
The key-filename variable is the name of the DSA or RSA public key file that you want to import into the device.
The scp command can be used when TFTP access is unavailable or not permitted and the command has an equivalent function to the ip ssh pub-key-file tftp command. For more information on the ip ssh pub-key-file tftp command, refer to “Importing authorized public keys into the Brocade device” on page 68.

SSH2 client

SSH2 client allows you to connect from a Brocade device to an SSH2 server, including another Brocade device that is configured as an SSH2 server. You can start an outbound SSH2 client session while you are connected to the device by any connection method (SSH2, Telnet, console). Brocade devices support one outbound SSH2 client session at a time.
The supported SSH2 client features are as follows:
Encryption algorithms, in the order of preference:
- aes256-cbc
- aes192-cbc
- aes128-cbc
- 3des-cbc
SSH2 client session authentication algorithms:
- Password authentication
- Public Key authentication
Message Authentication Code (MAC) algorithm: hmac-sha1
Key exchange algorithm: diffie-hellman-group1-sha1
No compression algorithms are supported.
The client session can be established through either in-band or out-of-band management ports.
The client session can be established through IPv4 or IPv6 protocol access.
The client session can be established to a server listening on a non-default SSH port.

Enabling SSH2 client

To use SSH2 client, you must first enable SSH2 server on the device. See “SSH2 authentication types” on page 65.
When SSH2 server is enabled, you can use SSH client to connect to an SSH server using password authentication.

Configuring SSH2 client public key authentication

To use SSH client for public key authentication, you must generate SSH client authentication keys and export the public key to the SSH servers to which you want to connect.
The following sections describe how to configure SSH client public key authentication:
“Generating and deleting a client DSA key pair” on page 79
“Generating and deleting a client RSA key pair” on page 79
“Exporting client public keys” on page 79
Generating and deleting a client DSA key pair
To generate a client DSA key pair, enter the following command.
Brocade(config)# crypto key client generate dsa
To delete the DSA host key pair, enter the following command.
Brocade(config)# crypto key client zeroize dsa
Syntax: crypto key client generate | zeroize dsa
The generate keyword places a host key pair in the flash memory.
The zeroize keyword deletes the host key pair from the flash memory.
The dsa keyword specifies a DSA host key pair.
Generating and deleting a client RSA key pair
To generate a client RSA key pair, enter a command such as the following:
Brocade(config)# crypto key client generate rsa modulus 2048
To delete the RSA host key pair, enter the following command.
Brocade(config)# crypto key client zeroize rsa
Syntax: crypto key client generate | zeroize rsa [modulus modulus-size]
The generate keyword places an RSA host key pair in the flash memory.
The zeroize keyword deletes the RSA host key pair from the flash memory.
The optional [modulus modulus-size] parameter specifies the modulus size of the RSA key pair, in bits. The valid values for modulus-size are 1024 or 2048. It is used only with the generate parameter. The default value is 1024.
The rsa keyword specifies an RSA host key pair.
Exporting client public keys
Client public keys are stored in the following files in flash memory:
A DSA key is stored in the file $$sshdsapub.key.
An RSA key is stored in the file $$sshrsapub.key.
To copy key files to a TFTP server, you can use the copy flash tftp command.
You must copy the public key to the SSH server. If the SSH server is a Brocade device, see the section “Importing authorized public keys into the Brocade device” on page 68.

Using SSH2 client

To start an SSH2 client connection to an SSH2 server using password authentication, enter a command such as the following:
Brocade# ssh 10.10.10.2
To start an SSH2 client connection to an SSH2 server using public key authentication, enter a command such as the following:
Brocade# ssh 10.10.10.2 public-key dsa
Syntax: ssh ipv4Addr | ipv6Addr | host-name [public-key [dsa | rsa]] [port portnum]
The ipv4Addr | ipv6Addr | host-name variable identifies an SSH2 server. You identify the server to connect to by entering its IPv4 or IPv6 address or its hostname.
The optional [public-key [dsa | rsa]] parameter specifies the type of public key authentication to use for the connection, either DSA or RSA. If you do not enter this parameter, the default authentication type is password.
The optional port portnum parameter specifies that the SSH2 connection will use a non-default SSH2 port, where portnum is the port number. The default port number is 22.

Displaying SSH2 client information

For information about displaying SSH2 client information, see the following sections:
“Displaying SSH connection information” on page 72
“Displaying additional SSH connection information” on page 74