Security

Authentication, authorization, and accounting

This section describes authentication, authorization, and accounting (AAA) used to monitor and control network access on the 7705 SAR. Network security is based on a multi-step process. The first step, authentication, validates a user’s name and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.

The third step, accounting, keeps track of the activity of a user who has accessed the network. The type of accounting information recorded can include a history of the commands executed, the amount of time spent in the session, the services accessed, and the data transfer size during the session. The accounting data can then be used to analyze trends, and also for billing and auditing purposes.

You can configure the 7705 SAR to use local, Remote Authentication Dial In User Service (RADIUS), or Terminal Access Controller Access Control System Plus (TACACS+) security to validate users who attempt to access the router by console, Telnet, SSH, SFTP, SCP, or FTP. You can select the authentication order that determines the authentication method to try first, second, and third.

The 7705 SAR supports the following security features:

  • RADIUS can be used for authentication, authorization, and accounting

  • TACACS+ can be used for authentication, authorization, and accounting

  • local security can be implemented for authentication and authorization

The following figure depicts end-user access requests sent to a RADIUS server. After validating the usernames and passwords, the RADIUS server returns an access accept message to the users on ALU-1 and ALU-2. The username and password from ALU-3 could not be authenticated; therefore, access was denied.

Figure 1. RADIUS requests and responses

Authentication

Authentication validates a username and password combination when a user attempts to log in.

When a user attempts to log in through the console or through Telnet, SSH, SFTP, SCP, or FTP, the 7705 SAR client sends an access request to a RADIUS, TACACS+, or local database.

Transactions between the client and a RADIUS server are authenticated through the use of a shared secret. The secret is never transmitted over the network. User passwords are sent encrypted between the client and RADIUS server, which prevents someone snooping on an insecure network to learn password information.

If the RADIUS server does not respond within a specified time, the router issues the access request to the next configured servers. Each RADIUS server must be configured identically to guarantee consistent results. Up to five RADIUS servers can be configured.

If a server is unreachable, it is not used again by the RADIUS application until 30 seconds have elapsed, to give the server time to recover from its unreachable state. After 30 seconds, the unreachable server becomes available again for the RADIUS application.

If, within the 30 seconds, the RADIUS server receives a valid response to a previously sent RADIUS packet on that unreachable server, the server immediately becomes available again.

If any RADIUS server rejects the authentication request, it sends an access reject message to the router. In this case, no access request is issued to any other RADIUS servers. However, if other authentication methods such as TACACS+ or local are configured, then these methods are attempted. If no other authentication methods are configured, or all methods reject the authentication request, then access is denied.

The user login is successful when the RADIUS server accepts the authentication request and responds to the router with an access accept message.

Implementing authentication without authorization for the 7705 SAR does not require the configuration of VSAs (vendor-specific attributes) on the RADIUS server. However, users, user access permissions, and command authorization profiles must be configured on each router.

Any combination of these authentication methods can be configured to control network access from a 7705 SAR router:

Local authentication

Local authentication uses PKI or usernames and passwords configured on the router to authenticate login attempts. The usernames and passwords are local to each router, not to user profiles.

By default, local authentication is enabled. When one or more of the other security methods are enabled, local authentication is disabled. Local authentication is restored when the other authentication methods are disabled. Local authentication is attempted if the other authentication methods fail and local is included in the authentication order password parameters.

Remote security servers such as RADIUS or TACACS+ are not enabled.

Password hashing

The 7705 SAR supports two algorithms for user password hashing: bcrypt, which is the default algorithm, and PBKDF2. The PBKDF2 algorithm uses the SHA-2 and SHA-3 sets of cryptographic hash functions for password hashing.

A system administrator can change the default bcrypt password hashing algorithm to the PBKDF2 algorithm using the config>system>security>password>hashing command.

When the password hashing algorithm is changed to PBKDF2 SHA-2 or PBKDF2 SHA-3, users must change their passwords using the /password command to use the new hashing algorithm. The system administrator must then perform an admin>save command to store the new user passwords in the system configuration file.

After a password hashing change, any user logging in to the system who did not update their password to use the new hashing algorithm will be prompted to enter their old password the next time they log in. When the password is entered successfully, the user is prompted to enter a new password that will be hashed using the new algorithm.

RADIUS authentication

Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize access to the requested system or service.

RADIUS allows administrators to maintain user profiles in a shared central database and provides better security, allowing a company to set up a policy that can be applied at a single administered network point.

RADIUS server selection

Up to five RADIUS servers can be configured. They can be selected to authenticate user requests in two ways, using either the direct method or the round-robin method. The default method is direct.

Direct

In direct mode, the first server, as defined by the server-index command, is the primary server. This server is always used first when authenticating a request.

Round-robin

In round-robin mode, the server used to authenticate a request is the next server in the list, following the last authentication request. For example, if server 1 is used to authenticate the first request, server 2 is used to authenticate the second request, and so on.

TACACS+ authentication

Terminal Access Controller Access Control System, commonly referred to as TACACS, is an authentication protocol that allows a remote access server to forward a user's login password to an authentication server to determine whether access can be allowed to a system. TACACS is an encryption protocol and therefore less secure than the later Terminal Access Controller Access Control System Plus (TACACS+) and RADIUS protocols.

TACACS+ and RADIUS have largely replaced earlier protocols in the newer or recently updated networks. TACACS+ uses Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). TACACS+ is popular as TCP is thought to be a more reliable protocol. RADIUS combines authentication and authorization. TACACS+ separates these operations.

Authorization

The 7705 SAR supports the following authorization methods to control the actions of specific users:

Authorization operates by applying a profile based on username and password configurations after network access is granted. For RADIUS authorization, the profiles are configured locally on the router or downloaded using VSAs from a RADIUS server. For TACACS+ authorization, local profiles configured on the router can be used or remote profiles configured on the TACACS+ server can be used where each command is sent to the TACACS+ server for authorization. See RADIUS VSAs and TACACS+ services and VSAs.

When using authorization, maintaining a user database on the router is not required. Usernames can be configured on the RADIUS server. Usernames and their associated passwords are temporary and are not saved in the configuration database when the user session terminates.

TACACS+ separates the authentication and authorization functions. RADIUS combines the authentication and authorization functions.

Local authorization

Local authorization uses user profiles and user access information after a user is authenticated. The profiles and user access information specify the actions the user is allowed to perform.

By default, local authorization is enabled. Local authorization is disabled only when a different remote authorization method is configured (RADIUS authorization or TACACS+). Local authorization is restored when RADIUS authorization is disabled.

You must configure profile and user access information locally.

RADIUS authorization

RADIUS authorization grants or denies access permissions for a 7705 SAR router. Permissions include the use of FTP, Telnet, SSH (SCP and SFTP), and console access. When granting Telnet, SSH (SCP and SFTP), and console access to the 7705 SAR router, authorization can be used to limit what CLI commands the user is allowed to issue and which file systems the user is allowed or denied access to.

After a user has been authenticated using RADIUS (or another method), the 7705 SAR router can be configured to perform authorization. The RADIUS server can be used to:

  • download the user profile to the 7705 SAR router

  • send the profile name that the node should apply to the 7705 SAR router

  • control file access using VSAs (see RADIUS VSAs)

If RADIUS authentication is successful and no authorization is configured for the user on the RADIUS server, local (router) authorization is attempted if it is configured using the authentication-order command. When authorization is configured and profiles are downloaded to the router from the RADIUS server, the profiles are considered temporary configurations and are not saved when the user session terminates. The temporary profiles are only downloaded if the user authenticates via RADIUS. RADIUS-based authorization is not supported for users who authenticate locally or via TACACS+.

The following table lists the supported authorization configurations.

Table 1. Supported authorization configurations

User

Local authorization

RADIUS authorization

7705 SAR configured user

RADIUS server configured user

TACACS+ server configured user

When using authorization, maintaining a user database on the router is not required. Usernames can be configured on the RADIUS server. Usernames are temporary and are not saved in the configuration when the user session terminates. Temporary user login names and their associated passwords are not saved as part of the configuration.

TACACS+ authorization

Like RADIUS authorization, TACACS+ grants or denies access permissions for a 7705 SAR router. The TACACS+ server sends a response based on the username and password.

TACACS+ command authorization operates in the following ways:

  • All users who authenticate via TACACS+ can use a single common command authorization profile that is configured locally on the router.
  • Every command that a user attempts is sent to the TACACS+ server for authorization.
  • The TACACS+ default template can be configured (tacplus_default) and vendor-specific attributes (VSAs) can be used to control file access. The use-default-template command must be enabled to configure all other access parameters locally. See TACACS+ services and VSAs for more information.

To use a single common default command authorization profile to control command authorization for TACACS+ users, enable the TACACS+ default user template and configure the template to point to a valid local profile. The local profile is then used for command authorization. TACACS+ authorization must be disabled.

CLI syntax:
config>system>security
    tacplus 
        use-default-template
        no authorization
     user-template tacplus_default
        profile user-profile-name

When the tacplus authorization command is enabled, each CLI command that the user issues is sent to the TACACS+ server for authorization. The authorization request contains the first word of the CLI command as the value for the TACACS+ command and all following words as a command argument. Quoted values are expanded so that the quotation marks are stripped off and the enclosed values are seen as one command or command argument.

Accounting

Accounting tracks user activity to a specific host. The 7705 SAR supports RADIUS and TACACS+ accounting.

RADIUS accounting

When enabled, RADIUS accounting sends command line accounting from the 7705 SAR router to the RADIUS server. The router sends accounting records using UDP packets at port 1813 (decimal).

The router issues an accounting request packet for each event requiring the activity to be recorded by the RADIUS server. The RADIUS server acknowledges each accounting request by sending an accounting response after it has processed the accounting request. If no response is received in the time defined in the timeout parameter, the accounting request must be retransmitted until the configured retry count is exhausted. A trap is issued to alert the NMS (or trap receiver) that the server is unresponsive. The router issues the accounting request to the next configured RADIUS server (up to 5).

User passwords and authentication keys of any type are never transmitted as part of the accounting request.

When RADIUS accounting is enabled, the server is responsible for receiving accounting requests and returning a response to the client indicating that it has successfully received the request. Each command issued on the 7705 SAR router generates a record sent to the RADIUS server. The record identifies the user who issued the command and the timestamp.

Accounting can be configured independently from RADIUS authorization and RADIUS authentication.

TACACS+ accounting

The 7705 SAR allows you to configure the type of accounting record packet that is to be sent to the TACACS+ server when specified events occur on the device. The accounting record-type parameter indicates whether TACACS+ accounting start and stop packets will be sent or just stop packets will be sent. A start packet is sent to a TACACS+ server when an authenticated user establishes a Telnet or SSH session and a stop packet is sent when the user logs out.

When a user logs in to request access to the network using Telnet or SSH, or a user enters a command for which accounting parameters are configured, or a system event occurs, such as a reboot or a configuration file reload, the 7705 SAR checks the configuration to see if TACACS+ accounting is required for the particular event.

If TACACS+ accounting is required, then, depending on the accounting record type specified, the device sends a start packet to the TACACS+ accounting server that contains information about the event.

The TACACS+ accounting server acknowledges the start packet and records information about the event. When the event ends, the device sends a stop packet. The stop packet is acknowledged by the TACACS+ accounting server.

Security controls

You can configure the 7705 SAR to use RADIUS, TACACS+, and local authentication to validate users requesting access to the network. The order in which requests are processed among RADIUS, TACACS+ and local methods can be specifically configured. For example, the authentication order can be configured to process authorization using TACACS+ first, then RADIUS, for authentication and accounting. Local access can be specified next in the authentication order if the RADIUS and TACACS+ servers are not operational.

When a server does not respond

A trap is issued if a RADIUS server is unresponsive. An alarm is raised if RADIUS is enabled with at least one RADIUS server and no response is received to either accounting or user access requests from any server.

Periodic checks to determine if the primary server is responsive again are performed. If a server is down, it will not be contacted for 5 minutes. If a login is attempted after 5 minutes, then the server is contacted again. If a server has the health check feature enabled and is unresponsive, the server’s status is checked every 30 seconds. Health check is enabled by default. When a service response is restored from at least one server, the alarm condition is cleared. Alarms are raised and cleared on the Nokia Fault Manager or other third party fault management servers.

The servers are accessed in order from lowest to highest specified index (from 1 to 5) for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server. If a response from the server is received, no other server is queried.

Authentication and authorization request flow

In Security flow, the authentication process is defined in the config>system>security> password context with the authentication-order command. The authentication order is determined by specifying the sequence in which password authentication is attempted among RADIUS, TACACS+, and local servers when exit-on-reject is disabled.

This example uses the authentication order of RADIUS, then TACACS+, and finally, local. A request is sent to RADIUS server 1. If there is no response from the server, the request is passed to the next RADIUS server, and so on, until the last RADIUS server is attempted (RADIUS server 5). If server 5 does not respond, the request is passed to TACACS+ server 1. If there is no response from that server, the request is passed to the next TACACS+ server, and so on.

If a request is sent to an active RADIUS server and the username and password are not recognized, access is denied and the next method is attempted, in this case, the TACACS+ server. The process continues until the request is accepted or denied or each server is queried. Finally, if the request is denied by the active TACACS+ server, the local method is attempted. This is the last chance for the access request to be accepted.

Figure 2. Security flow

RADIUS VSAs

The 7705 SAR supports the configuration of Nokia-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAs) and are defined in RFC 2138. If VSAs are not configured on the RADIUS server, the RADIUS user authenticates with options defined in the RADIUS default template when use-default-template is enabled. If VSAs are used, all mandatory VSAs must be configured for the RADIUS user to authenticate. It is up to the vendor to specify the format of their VSA. The attribute-specific field is dependent on the vendor's definition of that attribute. The Nokia-defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527. Nokia VSAs are defined in the dictionary-freeradius.txt file in the support folder of the software package.

Nokia supports the following RADIUS VSAs for AAA:

  • Timetra-Access <ftp> <console> <both> <scp-sftp> <console-port-cli> <ssh-cli> <telnet-cli> – specifies the router management access methods a user can access. Multiple access methods can be specified by adding the value of the access methods to allow in the RADIUS server configuration file. This VSA is mandatory when the RADIUS default template is disabled.

    For example, to allow console port CLI and SSH CLI access:

    RADIUS server configuration

    Timetra-Access = 96 # 32 (console-port-cli) + 64 (ssh-cli)

    or

    Timetra-Access = console-port-cli
    Timetra-Access += ssh-cli
  • Timetra-Profile <profile-name> – maps to the user profile, which must be configured on the 7705 SAR router. The following guidelines apply for local and remote authentication:

    • The authentication-order parameters configured on the router must include the local keyword.

    • The username may or may not be configured on the 7705 SAR router.

    • The user must be authenticated by the RADIUS server.

    • Up to eight valid profiles can exist on the router for a user. The sequence in which the profiles are specified is relevant. The most explicit matching criteria must be ordered first. The process stops when the first complete match is found.

    If all of the preceding conditions are not met, access to the router is denied and a failed login event or trap is written to the security log.

  • Timetra-Action <permit | deny> – specifies the action to be applied when the user has entered a command specified in the Timetable-Cmd VSA

  • Timetra-Default-Action <permit-all | deny-all | read-only-all | none> – specifies the default action when the user has entered a command and no entry configured in the Timetra-Cmd VSA for the user resulted in a match condition. This VSA is mandatory when the RADIUS default template is disabled.

  • Timetra-Cmd <match-string> – configures a command or command subtree as the scope for the match condition. The command and all commands in the subtrees are authorized. If an invalid command is specified, a deny-all profile is installed and the radiusUserProfileInvalid event is logged.

  • Timetra-Home-Directory <home-directory-string> – specifies the home directory. It cannot be used to delete a home directory that is configured in the RADIUS default template.

  • Timetra-Restrict-To-Home <true | false> – specifies if user access is limited to their home directory (and directories and files subordinate to their home directory). If this VSA is not configured, the user is allowed to access the entire file system.

  • Timetra-Save-When-Restricted <true | false> – when this VSA is set to true, the user can execute configuration save operations (for example, admin save) in the CLI when Timetra-Restrict-To-Home is set to true.
  • Timetra-Exec-File <login-exec-string> – specifies the login exec file that is executed when the user successfully logs in to a console session. If this VSA is not configured, no login exec file is applied.

RADIUS configuration for file access control using VSAs

File access control can be configured in one of the following ways depending on the file access requirements of users:
  • locally with no VSAs (see Configuring users for information about configuring user access parameters locally)
  • with VSAs
Note: File access is denied when the restricted-to-home command is configured unless the home-directory command is configured and the directory has been created by an administrator.

Example: RADIUS server with VSA configuration for per-user home directories and a locally configured default template for other options

This example shows the following configuration:
  • all users can save the configuration
  • on the router: each user has a home directory with restricted file access. The administrator must create the home directory for each user.
  • on the RADIUS server: the home directory is configured with a VSA
  • on the router: optionally, access to copy files to the router with SCP/SFTP is configured in the RADIUS default template
  • on the router: other file access controls are configured in the RADIUS default template
RADIUS server configuration
user1
    Timetra-Home-Directory = "cf3:\users\user1"

user2
    Timetra-Home-Directory = "cf3:\users\user2"

user3
    Timetra-Home-Directory = "cf3:\users\user3"

user4
    Timetra-Home-Directory = "cf3:\users\user4"
CLI configuration
A:node-2>config>system>security>user-template# info
----------------------------------------------
restricted-to-home
save-when-restricted
----------------------------------------------

Example: RADIUS server with VSA configuration and per-user home directories

This example shows the following configuration:

  • all file access controls are configured with VSAs, which is the most flexible way to grant different file access to each user
  • on the RADIUS server: each user has a home directory with restricted file access. The administrator must create the home directory for each user.
  • on the router: the RADIUS default template is not used for file access
  • on the RADIUS server: the administrator can restrict file access to the home directory of the user and allow users to save the configuration based on the VSA value
  • on the RADIUS server: access to the router and permission to copy files to the router with SCP/SFTP are configured with VSAs
RADIUS server configuration – user1 has access to all files and can save the configuration and copy files to the router with SCP/SFTP:
user1
    Timetra-Access = 112 # 16 + (scp-sftp) + 32 (console-port-cli) + 64 (ssh-cli)
    # Timetra-Home-Directory is not defined
    Timetra-Restrict-To-Home = false
    # Timetra-Save-When-Restricted is not defined
RADIUS server configuration – user2 has home directory access and can save the configuration and copy files to the router with SCP/SFTP:
user2
    Timetra-Access = 112 # 16 + (scp-sftp) + 32 (console-port-cli) + 64 (ssh-cli)
    Timetra-Home-Directory = "cf3:\users\user2",
    Timetra-Restrict-To-Home = true,
    Timetra-Save-When-Restricted = true
RADIUS server configuration – user3 has home directory access but cannot save the configuration or copy files to the router with SCP/SFTP:
user3
    Timetra-Access = 96 # 32 (console-port-cli) + 64 (ssh-cli)
    Timetra-Home-Directory = "cf3:\users\user3",
    Timetra-Restrict-To-Home = true,
    Timetra-Save-When-Restricted = false
RADIUS server configuration – user4 has no file access and cannot save the configuration:
user4
    Timetra-Access = 96 # 32 (console-port-cli) + 64 (ssh-cli)
    # Timetra-Home-Directory is not defined
    Timetra-Restrict-To-Home = true,
    Timetra-Save-When-Restricted = false

TACACS+ services and VSAs

The 7705 SAR supports the "nokia-user" service with several VSAs. Administrators can optionally configure the service and VSAs for each user on a TACACS+ server instead of configuring access locally.

When a user authenticates with TACACS+, the router:

  • if enabled, requests the "nokia-user" VSA from the server for authorization after authentication succeeds
  • uses the values from the VSA if present and values from the TACACS+ default template when a VSA is not present
  • discards invalid VSA values and authentication fails
  • discards unknown VSAs and authentication succeeds
  • discards unknown mandatory VSA values and authentication succeeds

The administrator must ensure that the use-default-template command is enabled so that users can be authenticated. If the default template (tacplus_default) is not enabled, no login access (FTP or console) will be granted because that access can only be configured via the default template (not through VSAs).

The following table describes the supported services and VSAs.
Table 2. TACACS+ VSAs
Service name VSA name Description Values
nokia-user home-directory Home directory for the user A string up to 200 characters
nokia-user restricted-to-home Limits user access to their home directory

true – prevents the user from accessing files outside their home directory

false – allows the user to access all files on the system

nokia-user save-when-restricted Saves configurations when the user is restricted to home

true – allows all configuration save operations (for example, admin save) via the CLI even if restricted-to-home is enabled

false – prevents the user from performing any configuration save operations outside of their home directory when restricted-to-home is enabled

TACACS+ configuration for file access control using VSAs

File access control can be configured in one of the following ways depending on the file access requirements of users:
  • locally with no VSAs (see Configuring users for information about configuring user access parameters locally)
  • locally using the TACACS+ default template (tacplus_default) and some VSAs that are different for each user
  • using the file access VSAs to control file access and the TACACS+ default template for other user access controls
Note: File access is denied when the restricted-to-home command is configured unless the home-directory command is configured and the directory has been created by an administrator.
Note: If the home directory in the server configuration file (tac_plus.conf) is in quotation marks, you must add a backslash (\) to escape the backslash (\); otherwise, the TACACS+ server will reject the setting and fail to start. For example:
  • home-directory = cf3:\users\user1
  • home-directory = "cf3:\\users\\user1"
Note: Currently, user access cannot be defined on the TACACS+ server. Therefore, the TACACS+ default template is the only place where this can be defined. This means that use-default-template must be enabled; otherwise, a mandatory attribute will be missing.

Example: TACACS+ server with VSA configuration for per-user home directories and a locally configured default template for other options

This example shows the following configuration:
  • all users can save the configuration
  • on the router: each user has a home directory with restricted file access. The administrator must create the home directory for each user.
  • on the TACACS+ server: the home directory is configured with a VSA
  • on the router: use-default-template is enabled under the config>system>security>tacplus context; this configuration is mandatory (see note above)
  • on the router: other file access controls are configured in the TACACS+ default template
TACACS+ server configuration
user = user1 {
    service = nokia-user {
        home-directory = cf3:\users\user1
    }
}
user = user2 {
    service = nokia-user {
        home-directory = cf3:\users\user2
    }
}
user = user3 {
    service = nokia-user {
        home-directory = cf3:\users\user3
    }
}
user = user4 {
    service = nokia-user {
        home-directory = cf3:\users\user4
    }
}
CLI configuration
A:node-2>config>system>security>user-template# info
----------------------------------------------
restricted-to-home
save-when-restricted
----------------------------------------------

Example: TACACS+ server configuration with VSA configuration and per-user home directories

This example shows the following configuration:

  • all file access is controlled with VSAs, which is the most flexible way to grant different file access to each user
  • on the router: each user has a home directory with restricted file access. The administrator must create the home directory for each user.
  • on the router: the TACACS+ default template is not used for file access
  • on the TACACS+ server: the administrator can also restrict file access to the home directory of the user and allow users to save the configuration based on the VSA value
TACACS+ server configuration – user1 has access to all files and can save the configuration:
user = user1 {
    service = nokia-user {
        # home-directory is not defined
        restricted-to-home = false
        # save-when-restricted is not defined
    }
}
TACACS+ server configuration – user2 has home directory access and can save the configuration:
user = user2 {
    service = nokia-user {
        home-directory = cf3:\users\user2
        restricted-to-home = true
        save-when-restricted = true
    }
}
TACACS+ server configuration – user3 has home directory access but cannot save the configuration:
user = user3 {
    service = nokia-user {
        home-directory = cf3:\users\user3
        restricted-to-home = true
        save-when-restricted = false
    } 
}
TACACS+ server configuration – user4 has no file access and cannot save the configuration:
user = user4 {
    service = nokia-user {     
       # home-directory is not defined
        restricted-to-home = true
        save-when-restricted = false
    } 
}

Other security features

SSH

Secure Shell (SSH) is a protocol that provides a secure, encrypted Telnet-like connection to a router.

A connection is always initiated by the client (the user). Authentication takes place by one of the configured authentication methods (local, RADIUS, or TACACS+). With authentication and encryption, SSH allows for a secure connection over an insecure network.

The 7705 SAR supports Secure Shell version 2 (SSHv2). SSHv2 uses host keys to authenticate systems and is considered a more secure, efficient, and portable version of SSH.

SSH runs on top of a transport layer (like TCP or IP), and provides authentication and encryption capabilities. SSH supports remote login to another computer over a network, remote command execution, and file relocation from one host to another.

The 7705 SAR has a global SSH server process to support inbound SSH, SFTP, and SCP sessions initiated by external SSH or SCP client applications. The SSH server supports SSHv2. This server process is separate from the SSH and SCP client commands on the 7705 SAR, which initiate outbound SSH and SCP sessions.

Inbound SSH, Telnet, and FTP sessions are counted separately and it is possible to set the limit for each session type individually with the config>system>login-control command. However, there is a maximum of 50 sessions for SSH and Telnet together. SCP and SFTP sessions are counted as SSH sessions.

When the SSH server is enabled, an SSH security key is generated. Unless the preserve-key command is enabled, the key is only valid until either the node is restarted or the SSH server is stopped and restarted. The key size is non-configurable and is set to 2048 for SSHv2 RSA and to 1024 for SSHv2 DSA. Only SSHv2 RSA is supported in FIPS-140-2 mode. When the server is enabled, all inbound SSH, SCP, and SFTP sessions are accepted provided the session is properly authenticated.

When the global SSH server process is disabled, no inbound SSH, SCP, or SFTP sessions are accepted.

When using SCP to copy files from an external device to the file system, the 7705 SAR SCP server will accept either forward slash (/) or backslash (\) characters to delimit directory and filenames. Similarly, the 7705 SAR SCP client application can use either slash or backslash characters, but not all SCP clients treat backslash characters as equivalent to slash characters. In particular, UNIX systems will often interpret the backslash character as an ‟escape” character, which does not get transmitted to the 7705 SAR SCP server. For example, a destination directory specified as ‟cf3:\dir1\file1” will be transmitted to the 7705 SAR SCP server as ‟cf3:dir1file1”, where the backslash escape characters are stripped by the SCP client system before transmission. On systems where the client treats the backslash like an ‟escape” character, a double backslash (\\) or the forward slash (/) can typically be used to properly delimit directories and the filename.

The 7705 SAR support for SSH, SCP, and SFTP is the same for both IPv4 and IPv6 addressing, including support for:

  • SSHv2

  • in-band and out-of-band management of the 7705 SAR

  • key management and authentication types

  • encryption types

  • simultaneous IPv4 and IPv6 SSH/SCP/SFTP sessions

The 7705 SAR supports configurable lists for the following: cipher, key exchange (KEX) algorithms, and message authentication code (MAC) algorithms. These lists can be configured for an SSH client or an SSH server and are used to negotiate the best compatible cipher, KEX, or MAC algorithm between the client and server. The lists are created and managed under the config>system>security>ssh context. The client list is used when the 7705 SAR is acting as an SSH client and the server list is used when the 7705 SAR is acting as an SSH server.

SSH and Telnet listening ports configurable to a non-default value

For security reasons, the SSH server and Telnet server listening ports are configurable to a non-default port value. This configuration makes it more difficult for unauthorized users to scan the SSH or Telnet ports and launch Denial of Service (DoS) attacks. The 7705 SAR SSH and Telnet clients are capable of initiating an SSH or Telnet connection to a specific non-default SSH or Telnet port.

Ensuring no other application is using the SSH or Telnet port

When a user attempts to configure a new value for the default SSH or Telnet port, the SSH or Telnet application checks whether the port is in use by another protocol. If the port is in use, the configuration is blocked and a warning displays stating: "Port is already in use".

The newly configured port cannot be overwritten by any other protocol even if there is no active SSH or Telnet session. After the port is configured, no other protocol is allowed to reserve the port.

Behavior in base routing and VPRN

The 7705 SAR uses GRT leaking and the allow-management command for VPRN management. If the listening port for SSH or Telnet is changed, the configuration also applies to VPRN GRT leaking.

Known limitations
When SSH or Telnet in-band or out-of-band connections to the initial port exist, the port change back to the initial value is blocked until all connections to the initial port are closed. If the port is changed and there are open connections to the changed port, the connections must be closed manually to be able to revert to the previous port. For example:
  • SSH is connected to port 22 and the user changes the port to 22000; the change is effective immediately, but the SSH connection to port 22 remains open.
  • The port cannot be changed back from 22000 to 22 until all connections to port 22 are closed.

Multichannel SSH

The 7705 SAR supports up to five channels within a single SSH connection, up to a maximum of 15 channels per system. SSH channels can be used when an SSH connection has authenticated a user and a channel is opened for configuration while another channel is required to retrieve state information, such as collecting configurations or show command output. The primary connection authenticates the user through public key authentication (PKI) or keyboard authentication. After the primary connection is authenticated, applications can open multiple channels (sessions) to the server with the same connection.

Opening a new channel inside an existing authenticated SSH connection reduces the additional time and memory requirements for establishing a new SSH session. Reducing the time and memory needed is useful when, for example, multiple RPCs from different network managers to the same device are executed at the same time.

Note: Multiple channels are only supported for SSH and some applications that use SSH as transport. Multiple channels are not supported for SFTP or SCP.

SSH session closing behavior

The SSH connection closes automatically when the last channel (session) opened in the connection is closed.

SSH keepalive intervals are disabled on the 7705 SAR, which results in the following:

  • the 7705 SAR SSH server does not close the session when the client SSH keepalive intervals time out
  • the client SSH keepalive intervals cannot be used to keep the connection to the 7705 SAR server open

SSH PKI authentication

The SSH server supports public key authentication (also known as PKI) if the server has been previously configured to know the client’s public key.

Using public key authentication can be more secure than the existing username and password method for the following reasons:

  • A user typically reuses the same password with multiple servers. If the password is compromised, the user must reconfigure the password on all affected servers.

  • A password is not transmitted between the client and server using PKI. Instead, the sensitive information (the private key) is kept on the client. Therefore, the password is less likely to be compromised.

The 7705 SAR supports server-side SSHv2 public key authentication but does not include a key-generation utility.

Support for PKI should be configured at the system level where one or more public keys may be bound to a username. This configuration will not affect any other system security or login functions.

PKI has preference over password authentication. PKI is supported using local authentication. PKI authentication is not supported on TACACS+ or RADIUS.

User public key generation

Before SSH can be used with PKI, a public/private key pair must be generated. This is typically supported by the SSH client software. For example, PuTTY supports a utility called PuTTYGen that will generate key pairs.

The 7705 SAR currently supports Rivest, Shamir, and Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) user public keys. The RSA public key is supported up to 4096 bits and the ECDSA public key is supported up to NIST P-521.

If the client is using PuTTY, they first generate a key pair using PuTTYGen. The user sets the key type to SSH-2 RSA and sets the number of bits to be used for the key. The user can also configure a passphrase that is used to store the key locally in encrypted form. If the passphrase is configured, it acts as a password for the private key and the user must enter the passphrase to use the private key. If a passphrase is not used, the key is stored in plaintext locally.

Next, the public key must be configured for the user on the 7705 SAR with the command config>system>security>user>public-keys. The user can program the public key using the CLI or SNMP.

SSH cipher lists

The 7705 SAR supports configurable cipher client and cipher server lists that are used to negotiate the best compatible cipher between the SSH client and SSH server. Each list contains ciphers and their corresponding index values, where a lower index has a higher preference in the SSH negotiation. The list is ordered by preference from highest to lowest. When the client and server exchange their cipher lists, the first cipher in the client list that is also supported by the server is the cipher that is agreed upon.

See SSHv2 default index values in the Security command reference for the cipher index values and names.

The default list can be changed by manually removing a single index or as many indexes as required using the no cipher index command. The default list can also be customized by first removing an index and then redefining it for each algorithm as required (the 7705 SAR does not support customizing an index without first removing it).

SSH KEX lists

The 7705 SAR supports configurable KEX client and KEX server lists that are used to negotiate the best compatible KEX algorithm between the SSH client and SSH server. Each list contains KEX algorithms and their corresponding index values, where a lower index value has a higher preference in the SSH negotiation. The list is ordered by preference from highest to lowest. When the client and server exchange their KEX lists, the first algorithm in the client list that is also supported by the server is the algorithm that is agreed upon.

The KEX client and KEX server each have a default list that contains all supported algorithms and their corresponding indexes. See Default KEX index values in the Security command reference for the default KEX index values and algorithms.

The default list can be changed by manually removing a single index or as many indexes as required using the no kex index command. The default list can also be customized by first removing an index and then redefining it for each algorithm as required (the 7705 SAR does not support customizing an index without first removing it).

Once a change has been made to the default list, the 7705 SAR uses the changed list moving forward. To go back to using the hard-coded list, the default KEX indexes must be manually re-entered with their corresponding algorithms. If all the entries in a KEX list are removed, the list will be empty and any KEX algorithm brought to the negotiation will be rejected.

SSH key re-exchange without disabling SSH

The 7705 SAR supports periodic rollover (or re-exchange) of the SSH symmetric key without disabling SSH. Symmetric key rollover is important in long SSH sessions. Symmetric key rollover ensures that the encryption channel between the client and server is not jeopardized by an external hacker that is trying to break the encryption via a brute force attack. The feature can be configured on either the SSH client or server.

The following are triggers for symmetric key rollover and negotiation:

  • the negotiation of the key based on a configured time period

  • the negotiation of the key based on a configured data transmission size

Key re-exchange is enabled by default. The default values for both the client and server are 60 min and 1024 MB, which is the RFC 4253 recommendation.

Key re-exchange procedure

The key re-exchange procedure is initiated by sending an SSH_MSG_KEXINIT message while not performing a key exchange. When this message is received by a client or server, the client or server must respond with its own SSH_MSG_KEXINIT message, except in cases where the received SSH_MSG_KEXINIT message was already sent as a reply. Either client or server can initiate the re-exchange, but the roles must not be changed (that is, the server must remain the server and the client must remain the client).

Key re-exchange is performed using whatever encryption was in effect when the exchange was initiated. Encryption, compression, and MAC methods are not changed before a new SSH_MSG_NEWKEYS message is sent after the key exchange (as in the initial key exchange). Re-exchange is processed in the same way as the initial key exchange, except that the session identifier remains unchanged. Some or all of the algorithms can be changed during the re-exchange. Host keys can also change. All keys and initialization vectors are recomputed after the exchange. Compression and encryption contexts are reset.

Note: If the key re-exchange parameters are modified, only new SSH connections inherit the new parameters. The existing SSH connections use the previously configured parameters.

SSH MAC lists

The 7705 SAR supports configurable SSHv2 server MAC and client MAC lists that are used to negotiate the best compatible MAC algorithm between the SSH client and SSH server.

Each list contains MAC algorithms and their corresponding index values, where a lower index value has a higher preference in the SSHv2 negotiation. The list is ordered by preference from highest to lowest. When the client and server exchange their MAC lists, the first algorithm in the client list that is also supported by the server is the algorithm that is agreed upon.

In addition, strong HMAC algorithms can be configured at the top of the MAC list (that is, as the lowest index values in the list) in the order to be negotiated first between the client and server. The first algorithm in the list that is supported by both the client and the server is the one that is agreed upon.

The default list can be changed by manually removing a single index or as many indexes as required using the no mac index command. The default list can also be customized by first removing an index and then redefining it for each algorithm as required (the 7705 SAR does not support customizing an index without first removing it).

SFTP

When an SSH server is enabled on the 7705 SAR, users can connect to the node through SSH File Transfer Protocol (SFTP). SFTP runs on top of SSH and uses the same password and authentication process, and once logged in, SFTP users will appear as regular SSH users. Additionally, all other user management features apply to users logging in to the 7705 SAR with an SFTP client.

Event logs are created to capture both successful and unsuccessful attempts to access the node through SFTP.

CSM filters and CSM security

IP forwarding supports CSM filters that are applied to IP packets extracted to the control plane. CSM filters are used to protect the control plane from DoS attacks, unauthorized access to the node, and similar security breaches.

IP filters scan all traffic and take the appropriate (configured) action against matching packets. Packets that are not filtered by the IP filters and are destined for the 7705 SAR are scanned by the configured CSM filter.

For information about IP filters, see the 7705 SAR Router Configuration Guide.

Note: Although the Control and Switching module on the 7705 SAR is called a CSM, the CSM filters are referred to as CPM filters in the CLI to maintain consistency with other SR routers.

Both IPv4 and IPv6 CSM filters are supported.

IPv4 CSM filters drop or accept incoming packets based on the following match criteria:

  • DSCP name

  • destination IP address

  • destination port

  • fragmentation

  • ICMP code

  • ICMP type

  • IP option value

  • multiple options

  • option present

  • source IP address

  • source port

  • TCP ACK

  • TCP SYN

IPv6 CSM filters drop or accept incoming packets based on the following match criteria:

  • DSCP name

  • destination IP address

  • destination port

  • ICMP code

  • ICMP type

  • source IP address

  • source port

  • TCP ACK

  • TCP SYN

To prevent DoS-like attacks from overwhelming the control plane while ensuring that critical control traffic such as signaling is always serviced in a timely manner, the 7705 SAR segregates the incoming control plane traffic into different queues. These queues are used to shape and rate-limit traffic for each protocol or group of protocols, or on a per-flow basis, with the main goal of mitigating DoS attacks and ensuring that the control plane does not end up with more traffic than it can handle.

These queues are fixed use (each queue handles a specific type of traffic, which is not user-configurable) and fixed configuration (each queue is configured for particular rates and buffering capacity and is not user-configurable).

Exponential login backoff

A malicious user can gain CLI access via a dictionary attack: using a script to try ‟admin” with any password.

The 7705 SAR increases the delay between login attempts exponentially to mitigate attacks. It is applied to the console login. SSH and Telnet sessions terminate after four attempts.

File access controls

Files on the 7705 SAR can be accessed locally using the CLI file commands and output modifiers, such as > (file redirect), or remotely via FTP or SCP. The 7705 SAR can control file access to:

  • allow users to access all files and save the configuration
  • allow users to access only the files in their home directory and save the configuration
  • allow users to access only the files in their home directory with no ability to save the configuration
  • prevent users from accessing any files or saving the configuration

The file access controls provide different levels of user access. File access controls can also be configured to allow users to save the configuration to a system file that is stored outside their home directory when their file access is restricted to their home directory. A home directory is typically a working space for the user; for example, cf3:\users\user1. Although the home directory can be configured to contain saved configuration files, log files, or other system files, administrators should only do this for users who are intended to have access to those files.

The following commands configure file access controls for local or remote users; these commands can be set via the CLI, RADIUS VSAs, or TACACS+ VSAs:

  • restricted-to-home – limits file access to only the files in the home directory of the user
  • home-directory – home directory for the user; Nokia recommends that this command not be configured in the RADIUS or TACACS+ default template because each user should have their own home directory
  • save-when-restricted – allows the user to save configurations when the user is restricted to their home directory, even if the saved configuration file is outside the home directory of the user
High-privilege users and administrators have access to the router configuration file via the CLI, SCP, and SFTP, and must be trusted. Medium-privilege and low-privilege users with access to a subset of the configuration must be configured with restricted-to-home and a home-directory to restrict their access to the file system via the CLI, SCP, and SFTP. The home directory must not contain the saved configuration file.
Note: The restricted-to-home configuration is the default setting for non-administrative users. For administrative users (user "admin"), the default is no restricted-to-home.

The following table lists the user types and privileges and their corresponding file access control configuration.

Table 3. File access control configuration
Type of user File system access Configuration access Restricted to home Home directory Save when restricted
High-privilege administrator Full Yes Disabled (false) Unconfigured Unconfigured
High-privilege user with access to all configuration Private directory with environment settings and Python applications Yes Enabled (true) cf3:\users\user1 Enabled (true)
Medium-privilege user with access to a subset of configuration using AAA command authorization Directory of CLI scripts and Python applications Yes Enabled (true)

cf3:\scripts\script-group-a

Enabled (true)
Medium-privilege user with access to a subset of configuration using AAA command authorization None Yes Enabled (true) Unconfigured Enabled (true)
Low-privilege operational user Private directory with environment settings and operational scripts No Enabled (true) cf3:\users\user2 Unconfigured1
Low-privilege operational user None No Enabled (true) Unconfigured Unconfigured1
Low-privilege user for managing XML accounting files Accounting directory No Enabled (true) cf2:\act Unconfigured1
Low-privilege user for managing log files Log directory No Enabled (true) cf2:\log Unconfigured1

Note:

  1. Configuration save operations (for example, admin save) are controlled by AAA command authorization. Optionally, save-when-restricted can be disabled to explicitly deny configuration save operations for these user types.

The following examples show how to use the CLI to configure different permissions for local users. The administrator must create a home directory for each user.

access to all files and the ability to save the configuration

Use the following configuration for a high-privilege administrator who needs access to all files:

config>system>security 
              user user1 
                  no restricted-to-home

access to home directory files only and the ability to save the configuration

Use the following configuration for a medium-privilege user who can access some parts of the configuration and needs to save the configuration, but is denied access to other parts of the configuration in a AAA profile:

config>system>security 
              user user2 
              home-directory "cf3:\users\user2"
              restricted-to-home
              save-when-restricted

access to home directory files only and no ability to save the configuration

Use the following configuration for a low-privilege user who does not have access to any part of the configuration but still requires a working area on the file system for their own files:

config>system>security 
              user user3 
              home-directory "cf3:\users\user3"
              restricted-to-home
              no save-when-restricted

no file access and no ability to save the configuration

Use the following configuration for a low-privilege user who does not have access to any part of the configuration and does not require any file system access:

config>system>security 
              user user4
              restricted-to-home
              no save-when-restricted

Encryption

Data Encryption Standard (DES) and Triple DES (3DES) are supported for encryption:

  • DES is a widely used method of data encryption using a private (secret) key. Both the sender and the receiver must know and use the same private key.

  • 3DES is a more secure version of the DES protocol.

802.1x network access control

The 7705 SAR supports network access control of client devices (PCs, STBs, and so on) on an Ethernet network using the IEEE 802.1x standard. 802.1x is known as Extensible Authentication Protocol (EAP) over a LAN network or EAPOL.

See the 7705 SAR Interface Configuration Guide for more information about IEEE 802.1x.

TCP enhanced authentication and keychain authentication

The 7705 SAR supports non-keychain MD5 authentication for OSPF, IS-IS, and RSVP-TE and TCP MD5 authentication for BGP and LDP. In previous releases, only a single authentication key or pre-hashed MD5 digest could be defined at a time using the authentication-key command. If this key was changed, the adjacency was reset, causing both the local and remote router to reconverge based on the lost adjacency. When a new key or digest was added, the adjacency was re-established, causing another reconvergence event within the network.

The 7705 SAR also supports the TCP Enhanced Authentication Option, as specified in draft-bonica-tcp-auth-05, Authentication for TCP-based Routing and Management Protocols. The TCP Enhanced Authentication option is a TCP extension that enhances security for BGP, LDP, and other TCP-based protocols. It extends the MD5 authentication option to include the ability to change keys in a BGP or LDP session seamlessly without tearing down the session and allows for stronger authentication algorithms to be used. It is intended for applications where secure administrative access to both endpoints of the TCP connection is normally available.

TCP peers can use this extension to authenticate messages passed between one another. This strategy improves upon the practice described in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option. Using this strategy, TCP peers can update authentication keys during the lifetime of a TCP connection. TCP peers can also use stronger authentication algorithms to authenticate routing messages.

Keychain authentication

TCP enhanced authentication uses keychains that are associated with every protected TCP connection.

The keychain concept supported by BGP and LDP has also been extended to the OSPF, IS-IS, and RSVP-TE protocols.

The keychain mechanism allows for the creation of keys used to authenticate protocol communications. Each keychain entry defines the authentication attributes to be used in authenticating protocol messages from remote peers or neighbors. The keychain must include at least one key entry to be valid. The keychain mechanism also allows authentication keys to be changed without affecting the state of the associated protocol adjacencies.

Each key within a keychain must include the following attributes for the authentication of protocol messages:

  • key identifier – unique identifier, expressed as a decimal integer

  • authentication algorithm – see Security algorithm support per protocol

  • authentication key – used by the authentication algorithm to authenticate packets

  • direction – packet stream direction in which the key is applied (receive direction, send direction, or both)

  • begin time – the time at which a new authentication key can be used

Optionally, each key can include the following attributes:

  • end time – the time at which the authentication key becomes inactive (applies to received packets only)

  • tolerance – period in which both old and new authentication key values can overlap and both keys are allowed on received packets (applies to received packets only)

For added security, support for the Secure Hash Algorithm (SHA) has been added. The following table lists the security algorithms supported per protocol.

Table 4. Security algorithm support per protocol

Protocol

Clear text

MD5

(message digest)

HMAC-MD5

HMAC-SHA-1-96

HMAC-SHA-1

HMAC-SHA-256

AES-128-CMAC-96

OSPF

IS-IS

RSVP-TE

BGP

LDP

Keychain configuration guidelines and behavior

  • The authentication-key command or the auth-keychain command can be used by the protocols listed in Security algorithm support per protocol, but both cannot be supported at the same time. If both commands are configured, the auth-keychain configuration is applied and the authentication-key command is ignored.

  • A keychain cannot be referenced by a protocol until it has been configured.

  • If a keychain is referenced by a protocol, the keychain cannot be deleted.

  • If multiple keys in a keychain are valid at the same time, the newest key (key with the most current begin-time) is used.

  • If a protocol sends a packet that is configured to use a keychain, the most current key from that keychain is used.

  • If a protocol receives a packet that is configured to use a keychain, the current key set is returned to authenticate the received packet:

    • The key set includes the currently active keys (based on the current system time) and the begin-time or end-time associated with each key in the specified keychain.

    • If a tolerance value is set for a key, the key is returned as part of the key set if the current time is within the key’s begin-time, plus or minus the tolerance value. For example, if the begin-time is 12:00 p.m. and the tolerance is 600 seconds, the new key is included from 11:55 a.m. and the key to be replaced is included until 12:05 p.m.

  • The end-time and tolerance parameters apply only to received packets. Transmitted packets always use the newest key, regardless of the tolerance value.

  • If a keychain exists but there are no active key entries with an authentication type that matches the type supported by the protocol, inbound protocol packets are not authenticated and are discarded and no outbound protocol packets are sent.

  • If a keychain exists but the last key entry has expired, a log entry is raised indicating that all keychain entries have expired.

    • The OSPF and RSVP-TE protocols continue to authenticate inbound and outbound traffic using the last valid authentication key.

    • The IS-IS protocol does not revert to an unauthenticated state and requires that the old key not be used; therefore, when the last key has expired, all traffic will be discarded.

For information about associating keychains with protocols, see the 7705 SAR Routing Protocols Guide (for OSPF, IS-IS, and BGP), the 7705 SAR MPLS Guide (for RSVP-TE and LDP), and the 7705 SAR Services Guide (for OSPF and BGP in a VPRN service).

Key rollover

Use the following commands to configure keychain authentication to roll over to a new key without tearing down the session:

config>system>security
    keychain name
        direction
            uni
                receive
                    entry entry-id 
                        begin-time [date] [hours-minutes] [UTC]
                        end-time [date] [hours-minutes] [UTC]
                send
                    entry entry-id  
                        begin-time [date] [hours-minutes] [UTC]
            bi
                    entry entry-id  
                        begin-time [date] [hours-minutes] [UTC]

The begin-time command specifies when the authentication key starts to authenticate the protocol stream and the end-time command specifies when the authentication key is no longer eligible to authenticate the protocol stream. The system uses the key configured with the most recent begin-time. For more information about configuring keychain authentication, see Configuring keychain authentication.

A user does not have to configure an end-time and can instead choose to configure multiple entries with different begin-time configurations so that the newest key (key with the most current begin-time) is used. The current key pair is replaced to improve security without session loss between two peers.

TLS

Transport Layer Security (TLS) is used for two primary purposes:

  • authentication of an end device (client or server) using a digital signature (DS)

    TLS uses PKI for device authentication. DSs are used to authenticate the client or the server. The server typically sends a certificate with a DS to the client.

    In specific situations, the server can request a certificate from the client to authenticate it. The client has a certificate (called a trust anchor) from the certificate authority (CA) that is used to authenticate the server certificate and its DS. After the client provides a digitally signed certificate to the server and both parties are authenticated, the encryption PDUs can then be transmitted.

  • encryption and authentication of application PDUs

    After the client and server have been successfully authenticated, the cipher suite is negotiated between the server and clients, and the PDUs are encrypted based on the agreed cipher protocol.

TLS interaction with applications

TLS is a standalone configuration. The user must configure a TLS client profile with certificates and trust anchors, and then assign the TLS client profile to the appropriate applications. When a TLS client profile is assigned to an application, the application does not send any PDUs until the TLS handshake has been successfully completed and the encryption ciphers have been negotiated between the TLS server and the TLS client.

After successful negotiation and handshake, the application is notified that TLS is operationally up. The application begins transmitting PDUs encrypted using TLS based on the agreed ciphers. If at any point the TLS becomes operationally down, the application will stop transmitting PDUs.

For example, a TLS connection with the PCEP application operates as follows:

  1. A TLS client is configured under PCEP on the 7705 SAR.
  2. PCEP stops sending clear text PDUs because a TLS client profile has been assigned and TLS is not ready to encrypt.

  3. The TLS client begins the handshake.
  4. Authentication occurs at the TLS layer.
  5. The TLS server and TLS client negotiate ciphers.
  6. Salts are negotiated for the symmetric key. A salt is a seed for creating AES encryption keys.
  7. When negotiations are successfully completed, the handshake finishes, TLS becomes operationally up, and PCEP is notified.
  8. PCEP begins transmitting PDUs that are encrypted using TLS.

Until TLS becomes operationally up, PCEP does not transmit any PDUs.

Application support

The 7705 SAR supports TLS client profiles on the PCC to enable PCEP over TLS (PCEPS). See the "PCEP over TLS" section in the 7705 SAR MPLS Guide for more information.

TLS handshake

The following figure shows the TLS handshake process and the table describes the steps.

Figure 3. TLS handshake
Table 5. TLS handshake steps
Step Description
1

The TLS handshake begins with the client Hello message. This message includes the cipher list that the client wants to use and negotiate.

2

The TLS server sends back a server Hello message, along with the first common cipher found on both the client cipher list and the server cipher list. This agreed cipher is used for data encryption.

3

The TLS server continues by sending a server certificate message, where the server provides a certificate to the client so that the client can authenticate the server identity. The public key of this certificate (RSA key) can also be used for encryption of the symmetric key seed that is used by the client and server to create the symmetric encryption key. This occurs only if PKI is using RSA for asymmetric encryption.

4

Server key exchange is not supported by the 7705 SAR.

The 7705 SAR only uses RSA keys; Diffie-Hellman key exchange is not supported.

5

The server can optionally be configured to request a certificate from the client to authenticate the client.

6

If the server requests a certificate, the client must provide a certificate using a client certificate message. If the client does not provide a certificate, the server drops the TLS session.

7

The client uses the server public RSA key that was included in the server certificate to encrypt a seed used for creating the symmetric key. This seed is used by the client and server to create the identical symmetric key for encrypting and decrypting the data plane traffic.

8 The client sends a cipher specification to switch encryption to this symmetric key.
9 The client successfully finishes the handshake.
10 The server sends a cipher specification to switch encryption to this symmetric key.
11 The server successfully finishes the handshake.

After a successful handshake, TLS is operationally up and can be used for application encryption.

TLS 1.3

TLS 1.3 is required for faster handshakes, stronger encryption, and authentication algorithms.

All 7705 SAR applications that use TLS 1.2 also support TLS 1.3, unless specifically stated otherwise.

The user can configure the node to use TLS 1.2, TLS 1.3, or both for negotiation.

If TLS 1.3 is negotiated with a peer, the node does not negotiate the TLS version down to 1.2 as long as the session is alive.

TLS 1.3 handshake

The TLS 1.3 client handshake is very similar to TLS 1.2 because the client is able to negotiate TLS 1.2 or 1.3 when starting the TLS Hello message to the server. The client includes a "Supported Version" extension in its Hello message. The server responds with its own supported version and agreed ciphers. The server and client must agree on the TLS version to proceed with the connection.

In TLS 1.2 and TLS 1.3, the server can optionally request the client certificate to authenticate the client. If requested, the client must provide its certificate to the server.

TLS 1.3 configuration

The user can configure the TLS 1.3 cipher list independently of TLS 1.2. TLS 1.3 ciphers are configured using the tls13-cipher command. When the user configures a TLS 1.3 cipher list, TLS 1.3 is included as a supported version in the TLS handshake.

TLS 1.3 also introduces group lists and signature lists for the server and client.

In the Hello message sent by the client, the "supported_groups" extension indicates the named groups that the client supports for the key exchange, ordered from most preferred to least preferred. TLS 1.3 supports Elliptic-curve Diffie-Hellman Ephemeral (ECDHE) groups.

Note: TLS 1.2 does not support Diffie-Hellman groups as an asymmetric key.

TLS 1.3 also allows the selection of signature algorithms. The "signature_algorithms_cert" extension is included to allow implementations that support different sets of algorithms for certificates and in TLS itself to clearly signal their capabilities.

TLS client certificate

The TLS protocol is used for authentication, and therefore the server can ask to authenticate the client via PKI. If the server requests authentication from the client, the client must provide an X.509v3 certificate to the server so that it can be authenticated via the digital signature of its client.

The 7705 SAR supports the configuration of an X.509v3 certificate for TLS clients.

When the server requests a certificate via the server’s Hello message, the client transmits its certificate to the server using a client certificate message.

TLS symmetric key rollover

The 7705 SAR supports key rollover when the TLS server is enabled with a TLS renegotiation timer and sends a HelloRequest message as specified in RFC 5246, section 7.4.1.1.

Supported TLS ciphers

As shown in TLS handshake, TLS negotiates the supported ciphers between the client and the server.

The client sends the supported cipher suites in the client Hello message, and the server compares them with the server cipher list. The top protocol on both lists is chosen and returned from the server in the server Hello message.

The 7705 SAR supports the following ciphers as a TLS 1.2 client:

  • tls-rsa-with3des-ede-cbc-sha

  • tls-rsa-with-aes128-cbc-sha

  • tls-rsa-with-aes256-cbc-sha

  • tls-rsa-with-aes128-cbc-sha256

  • tls-rsa-with-aes256-cbc-sha256

The 7705 SAR supports the following TLS 1.3 ciphers, groups, and signature algorithms as a TLS 1.3 client:

  • ciphers:
    • tls-aes128-gcm-sha256

    • tls-aes256-gcm-sha384

    • tls-chacha20-poly1305-sha256

    • tls-aes128-ccm-sha256

    • tls-aes128-ccm8-sha256

  • groups:
    • tls-ecdhe-256

    • tls-ecdhe-384

    • tls-ecdhe-521

    • tls-x25519

    • tls-x448

  • signature algorithms:
    • tls-rsa-pkcs1-sha256

    • tls-rsa-pkcs1-sha384

    • tls-rsa-pkcs1-sha512

    • tls-ecdsa-secp256r1-sha256

    • tls-ecdsa-secp384r1-sha384

    • tls-ecdsa-secp521r1-sha512

    • tls-rsa-pss-rsae-sha256

    • tls-rsa-pss-rsae-sha384

    • tls-rsa-pss-rsae-sha512

    • tls-rsa-pss-pss-sha256

    • tls-rsa-pss-pss-sha384

    • tls-rsa-pss-pss-sha512

    • tls-ed25519

    • tls-ed448

Certificate management

The 7705 SAR implements a centralized certificate management protocol that can be used by TLS. See the "IPSec" section in the 7705 SAR Services Guide for information about the configuration of the certificates and the corresponding protocols, such as OCSP and CRL.

Certificate profile

The certificate profile is available for the TLS client and is configured with the cert-profile command. The certificate profile contains the certificates that the client sends to the TLS server along with its DS so that the server can authenticate it via the trust-anchor and CA certificate.

Multiple provider certificates can be configured; however, the 7705 SAR currently uses the smallest index as the active provider certificate, and only sends that certificate to the server.

TLS server authentication of the client certificate CN field

If the client provides a certificate, the server checks the common name (CN) field against local CN configurations. The CN is validated via the client IPv4/IPv6 address or FQDN. If the common-name list authentication option is not enabled on the server, it uses certificate signature authentication instead.

Operational guidelines

Server authentication behavior

Following the Hello messages, the server sends its certificate in a certificate message if it is to be authenticated.

The trust-anchor-profile command determines whether the server must be authenticated by the client.

Note: If the trust-anchor-profile is configured and the ca-profile is missing from this trust-anchor-profile, the TLS connection fails and an ‟unknown_ca” error is generated, as per RFC 5246, section 7.2.2.

One of the following configurations can be used to establish server connectivity:

  1. If trust-anchor-profile is configured under the TLS client-tls-profile context, the server must be authenticated via the trust-anchor-profile command before a trusted connection is established between the server and the client.

  2. If there is no trust-anchor-profile under the client-tls-profile context, the trusted connection can be established without server authentication. The RSA key of the certificate is used for public key encryption, requiring basic certificate checks to validate the certificate. These basic checks are as follows:

    • time validity

      The certificate is checked to ensure that it is not expired or not yet valid.

    • certificate type

      The certificate is not a CA certificate.

    • keyUsage extension

      If present, this must contain a digital signature and key encryption.

    • host verification

      The IP address or DNS name of the server is looked up, if available, in the common name (cn) or subjectAltName extension. This is to verify that the certificate was issued to that server and not to another.

TLS client profile and trust anchor behavior and scale

The 7705 SAR supports the creation of TLS client profiles, which can be assigned to applications such as PCEP to encrypt the application layer.

The client-tls-profile command is used for negotiating and authenticating the server. After the server is authenticated via the trust anchor profile (configured using the trust-anchor-profile command) of a TLS client profile, it negotiates the ciphers and authentication algorithms to be used for encryption of the data.

The TLS client profile must be assigned to an application for it to start encrypting. Up to 16 TLS client profiles can be configured. Because each of these client profiles needs a trust anchor profile to authenticate the server, up to 16 trust anchor profiles can be configured. A trust anchor profile holds up to 8 trust anchors (configured using the trust-anchor command), each of which holds a CA profile (ca-profile).

A CA profile is a container for installing CA certificates. These CA certificates are used to authenticate the server certificate. When the client receives the server certificate, it reads through the trust anchor profile CA certificates and tries to authenticate the server certificate against each CA certificate. The first CA certificate that authenticates the server is used.

Basic TLS configuration

Basic TLS client configuration must have a cipher list created using the config>system>security>tls>client-cipher-list command, and the cipher list must be assigned to the TLS client profile using the config>system>security>tls>client-tls-profile>cipher-list command.

TLS imports the trust anchor certificate for peer certificate authentication and public key retrieval. The following example shows a TLS configuration.

Example:
A:node-2>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-cipher-list "to-active-server" create
            cipher 1 name tls-rsa-with-aes256-cbc-sha256
            cipher 2 name tls-rsa-with-aes128-cbc-sha256
            cipher 3 name tls-rsa-with-aes256-cbc-sha
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile ‟server-1-ca‟
            no shutdown
        exit
----------------------------------------------

Common configuration tasks

Configuring a TLS client profile

The following displays the CLI syntax for a TLS client profile:

CLI syntax:
config>system>security>tls
    client-tls-profile name
        trust-anchor-profile name
Configuring a TLS client certificate

The following displays the CLI syntax for TLS certificate management:

CLI syntax:
config>system>security>tls
    cert-profile profile-name
        entry entry-id
            cert cert-filename
            key key-filename
            send-chain
                ca-profile name
            no shutdown
    client-tls-profile name
        cert-profile name
Configuring a TLS trust anchor

The following displays the CLI syntax for a TLS trust anchor:

CLI syntax:
config>system>security>tls
    trust-anchor-profile name
    client-tls-profile name
        cipher-list name
        no shutdown 
        trust-anchor-profile name

The following example shows a TLS trust anchor configuration:

Example:

*A:node-2>config>system>security>tls# info
----------------------------------------------
        trust-anchor-profile "server-1-ca" create
            trust-anchor "tls-server-1-ca"
        exit
        client-tls-profile "server-1-profile" create
            cipher-list "to-active-server"
            trust-anchor-profile ‟server-1-ca‟
            no shutdown
        exit

Configuration notes

The following are security configuration guidelines and restrictions:

  • If a RADIUS or a TACACS+ server is not configured, password, profiles, and user access information must be configured on each router in the domain.

  • If RADIUS authorization is enabled, VSAs must be configured on the RADIUS server.

Setting up security attributes

The following table depicts the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server.

Table 6. Security configuration requirements

Authentication

Authorization

Accounting

Local

Local

None

RADIUS

Local and RADIUS

RADIUS

TACACS+

Local and TACACS+

TACACS+

Configuring authentication

See the following sections to configure authentication:

Configuring authorization

See the following sections to configure authorization:

Security configurations

To implement security features, configure the following components:

  • management access filters

  • CPM (CSM) filters

  • profiles

  • user access parameters

  • password management parameters

  • RADIUS or TACACS+

    • enable one to five RADIUS or TACACS+ (or both) servers

    • configure RADIUS or TACACS+ (or both) parameters

The following example displays default values for security parameters.

NOK-1>config>system>security# info detail
----------------------------------------------
            no hash-control
            telnet-server
            no telnet6-server
            ftp-server
            management-access-filter
                ip-filter
                    no shutdown
                exit
                ipv6-filter
                    no shutdown
                exit
            exit
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "administrative"
                default-action permit-all
                entry 10
                    no description
                    match "configure system security"
                    action permit
                exit
                entry 20
                    no description
                    match "show system security"
                    action permit
                exit
                entry 30
                    no description
                    match "tools perform security"
                    action permit
                exit
                entry 50
                    no description
                    match "admin system security"
                    action permit
                exit
            exit
            password
                authentication-order radius tacplus local
                no aging
                attempts 3 time 5 lockout 10
                health-check interval 30
                no admin-password
                hashing bcrypt
                history-size 0
                minimum-age min 10
                minimum-change 5
                complexity-rules
                    no allow-user-name
                    credits lowercase 0 uppercase 0 numeric 0 special-character 0
                    no minimum-classes
                    minimum-length 6
                    no repeated-characters
                    required lowercase 0 uppercase 0 numeric 0 special-character 0
                exit
            exit
            tech-support
                no ts-location
            exit
            user-template "radius_default"
                access console
                profile "default"
                no home-directory
                restricted-to-home
                save-when-restricted
                console
                    no login-exec
                exit
            exit
            user-template "tacplus_default"
                access console
                profile "default"
                no home-directory
                restricted-to-home
                save-when-restricted
                console
                    no login-exec
                exit
            exit
            user "admin"
                password "$2y$10$TQrZlpBDra86.qoexZUzQeBXDY1FcdDhGWdD9lLxMuFyPVSm0OGy6"
                access console
                no home-directory
                no restricted-to-home
                save-when-restricted
                public-keys
                    ecdsa
                    exit
                    rsa
                    exit
                exit
                console
                    no login-exec
                    no cannot-change-password
                    no new-password-at-login
                    member "administrative"
                    local-lockout
                exit
            exit
            snmp
                view "iso" subtree "1"
                    mask ff type included
                exit
             ...
                access group "snmp-ro" security-model snmpv1 security-level no-auth-no-privacy read "no-security" notify "no-security"
                access group "snmp-ro" security-model snmpv2c security-level no-auth-no-privacy read "no-security" notify "no-security"
                access group "snmp-rw" security-model snmpv1 security-level no-auth-no-privacy read "no-security" write "no-security" notify "no-security"
                access group "snmp-rw" security-model snmpv2c security-level no-auth-no-privacy read "no-security" write "no-security" notify "no-security"
                access group "snmp-rwa" security-model snmpv1 security-level no-auth-no-privacy read "iso" write "iso" notify "iso"
                access group "snmp-rwa" security-model snmpv2c security-level no-auth-no-privacy read "iso" write "iso" notify "iso"
                access group "snmp-mgmt" security-model snmpv1 security-level no-auth-no-privacy context "management" exact read "mgmt-view" write "mgmt-view" notify "mgmt-view"
                access group "snmp-mgmt" security-model snmpv2c security-level no-auth-no-privacy context "management" exact read "mgmt-view" write "mgmt-view" notify "mgmt-view"
                access group "snmp-trap" security-model snmpv1 security-level no-auth-no-privacy notify "iso"
                access group "snmp-trap" security-model snmpv2c security-level no-auth-no-privacy notify "iso"
                access group "snmp-vprn" security-model snmpv1 security-level no-auth-no-privacy context "vprn" prefix read "vprn-view" write "vprn-view" notify "vprn-view"
                access group "snmp-vprn" security-model snmpv2c security-level no-auth-no-privacy context "vprn" prefix read "vprn-view" write "vprn-view" notify "vprn-view"
                access group "cli-readonly" security-model snmpv2c security-level no-auth-no-privacy read "iso" notify "iso"
                access group "snmp-vprn-ro" security-model snmpv1 security-level no-auth-no-privacy context "vprn" prefix read "vprn-view" notify "vprn-view"
                access group "snmp-vprn-ro" security-model snmpv2c security-level no-auth-no-privacy context "vprn" prefix read "vprn-view" notify "vprn-view"
                access group "cli-readwrite" security-model snmpv2c security-level no-auth-no-privacy read "iso" write "iso" notify "iso"
                access group "snmp-vpls-mgmt" security-model snmpv1 security-level no-auth-no-privacy context "vpls-management" prefix read "mgmt-view" write "mgmt-view" notify "mgmt-view"
                access group "snmp-vpls-mgmt" security-model snmpv2c security-level no-auth-no-privacy context "vpls-management" prefix read "mgmt-view" write "mgmt-view" notify "mgmt-view"
                access group "cli-vprn-readwrite" security-model snmpv2c security-level no-auth-no-privacy context "vprn" exact read "vprn-view" write "vprn-view" notify "iso"
                attempts 20 time 5 lockout 10
                community "cV3ISTw2V5pbEWmVEA9jXgB/1EERXQA=" hash2 rwa version both
                community "76HzdddhlPpRo1Vql+ZB5spLqccgYQ==" hash2 r version both
            exit
            ssh
                client-cipher-list
                    cipher 2 name aes256-ctr
                    cipher 4 name aes192-ctr
                    cipher 6 name aes128-ctr
                    cipher 10 name aes128-cbc
                    cipher 20 name 3des-cbc
                    cipher 60 name aes192-cbc
                    cipher 70 name aes256-cbc
                exit
                server-cipher-list
                    cipher 2 name aes256-ctr
                    cipher 4 name aes192-ctr
                    cipher 6 name aes128-ctr
                    cipher 10 name aes128-cbc
                    cipher 20 name 3des-cbc
                    cipher 60 name aes192-cbc
                    cipher 70 name aes256-cbc
                exit
                client-mac-list
                    mac 200 name hmac-sha2-512
                    mac 210 name hmac-sha2-256
                    mac 215 name hmac-sha1
                    mac 220 name hmac-sha1-96
                    mac 225 name hmac-md5
                    mac 240 name hmac-md5-96
                exit
                server-mac-list
                    mac 200 name hmac-sha2-512
                    mac 210 name hmac-sha2-256
                    mac 215 name hmac-sha1
                    mac 220 name hmac-sha1-96
                    mac 225 name hmac-md5
                    mac 240 name hmac-md5-96
                exit
                client-kex-list
                    kex 200 name diffie-hellman-group16-sha512
                    kex 210 name diffie-hellman-group14-sha256
                    kex 215 name diffie-hellman-group14-sha1
                    kex 220 name diffie-hellman-group-exchange-sha1
                    kex 225 name diffie-hellman-group1-sha1
                exit
                server-kex-list
                    kex 200 name diffie-hellman-group16-sha512
                    kex 210 name diffie-hellman-group14-sha256
                    kex 215 name diffie-hellman-group14-sha1
                    kex 220 name diffie-hellman-group-exchange-sha1
                    kex 225 name diffie-hellman-group1-sha1
                exit
                key-re-exchange
                    client
                        mbytes 1024
                        minutes 60
                        no shutdown
                    exit
                    server
                        mbytes 1024
                        minutes 60
                        no shutdown
                    exit
                exit
                no preserve-key
                no server-shutdown
            exit
            dot1x
                shutdown
            exit
            no vprn-network-exceptions
            cli-script
                authorization
                    cron
                        no cli-user
                    exit
                    event-handler
                        no cli-user
                    exit
                exit
            exit
            cpm-filter
                default-action accept
                ip-filter
                    shutdown
                exit
                ipv6-filter
                    shutdown
                exit
            exit
            tls
            exit

Security configuration procedures

Configuring IPv4 or IPv6 management access filters

Creating and implementing management access filters is optional. Management access filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all ports. The filters can be used to restrict management of the 7705 SAR router by other nodes outside either specific (sub)networks or through designated ports. By default, there are no filters associated with security options. The management access filter and entries must be explicitly created on each router.

Management access filters apply to the management Ethernet port, which supports both IPv4 and IPv6 filters.

The 7705 SAR exits the filter when the first match is found and executes the actions according to the specified action. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action to be considered complete. Entries without the action keyword are considered incomplete and are rendered inactive.

Use the following CLI commands to configure an IPv4 management access filter.

CLI syntax:
config>system
    security
        management-access-filter
            ip-filter
                default-action {permit | deny | deny-host-unreachable}
            entry entry-id
                action {permit | deny | deny-host-unreachable}
                description description-string
                dst-port port [mask]
                log
                protocol protocol-id
                router router-instance
                src-ip {ip-prefix[/mask][netmask] | ip-prefix-list ip-prefix-list-name}
                src-port {port-id | cpm}
            renum old-entry-number new-entry-number
            no shutdown

Use the following CLI commands to configure an IPv6 management access filter.

CLI syntax:
config>system
    security
        management-access-filter
            ipv6-filter
                default-action {permit | deny | deny-host-unreachable}
                entry entry-id
                    action {permit | deny | deny-host-unreachable}
                    description description-string
                    dst-port port [mask]
                    flow-label value
                    log
                    next-header next-header
                    router router-instance
                    src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
                    src-port {port-id | cpm}
                renum old-entry-number new-entry-number
                no shutdown

The following example displays an IPv4 management access filter configuration. This example only accepts packets matching the criteria specified in entries 1 and 2. Non-matching packets are denied.

Example:
config>system>security# management-access-filter
config>system>security>mgmt-access-filter# ip-filter default-action deny
config>system>security>mgmt-access-filter# ip-filter entry 1
config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.104/32
config>system>security>mgmt-access-filter>ip-filter>entry# action permit
config>system>security>mgmt-access-filter>ip-filter>entry# exit
config>system>security>mgmt-access-filter# entry 2
config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.1/32
config>system>security>mgmt-access-filter>ip-filter>entry# action permit
config>system>security>mgmt-access-filter>ip-filter>entry# exit

The following example displays the management access filter configuration.

ALU-1>config>system>security# info
----------------------------------------------
            management-access-filter
                ip-filter
                default-action deny
                entry 1
                    action permit
                    src-ip 10.10.10.104/32
                exit
                entry 2
                    action permit
                    src-ip 10.10.0.1/32
                exit
            exit
----------------------------------------------
ALU-1>config>system>security#
Note: If configuring management access filters via a Telnet session, ensure that data from the host IP address is permitted before setting the default action to deny; otherwise, the session is dropped. To do this, set the default action to permit, configure an entry with the src-ip address of the host as a permitted match criterion, then set the default action back to deny. Alternatively, use a direct console connection to the node for configuration; in this case, the order of filter configuration does not matter.

Configuring IPv4 or IPv6 CPM (CSM) filters

CPM filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all network and access ports, but not to packets from a management Ethernet port. CPM packet filtering is performed by network processor hardware using no resources on the main CPUs.

Use the following CLI commands to configure an IPv4 CPM filter.

CLI syntax:
config>system>security
cpm-filter
    default-action {accept | drop}
    ip-filter
        entry entry-id [create]
            action {accept | drop}
            description description-string
            log log-id 
            match [protocol protocol-id]
                dscp dscp-name
                dst-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
                dst-port [tcp/udp port-number] [mask]
                fragment {true | false}
                icmp-code icmp-code
                icmp-type icmp-type
                ip-option ip-option-value [ip-option-mask]
                multiple-option {true | false}
                option-present {true | false}
                src-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
                src-port src-port-number [mask]
                tcp-ack {true | false}
                tcp-syn {true | false}
            renum old-entry-id new-entry-id

Use the following CLI commands to configure an IPv6 CPM filter.

CLI syntax:
config>system>security
cpm-filter
    default-action {accept | drop}
    ipv6-filter
        entry entry-id [create]
            action {accept | drop}
            description description-string
            log log-id 
            match [next-header next-header]
            dscp dscp-name
            dst-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
            dst-port [tcp/udp port-number] [mask]
            icmp-code icmp-code
            icmp-type icmp-type
            src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
            src-port src-port-number [mask]
            tcp-ack {true | false}
            tcp-syn {true | false}
            renum old-entry-id new-entry-id

The following displays an IPv4 CPM filter configuration example:

A:ALU-49>config>sys>sec>cpm>ip-filter# info
----------------------------------------------
                    entry 10 create
                        action drop
                        description "CPM-Filter 10.4.101.2 #101"
                        log 101
                    exit
                    entry 20 create
                        no action
                        description "CPM-Filter 10.4.101.2 #201"
                        log 101
                    exit
                    no shutdown
----------------------------------------------
A:ALU-49>config>sys>sec>cpm>ip-filter#

Configuring password management parameters

Depending on the authentication requirements, password parameters are configured locally or on the RADIUS or TACACS+ server.

Use the following CLI commands to configure password support:

CLI syntax:
config>system>security
    password
        admin-password password [hash | hash2]
        aging days
        attempts count [time minutes1] [lockout minutes2]
        authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
        complexity-rules 
        hashing hashing {bcrypt | sha2-pbkdf2 | sha3-pbkdf2}
        health-check [interval interval]
        history-size size
        minimum-age [days days] [hrs hours][min minutes] [sec seconds]
        minimum-change distance

The following example displays the default password configuration:

*A:Dut-A>config>system>security>password# info detail
----------------------------------------------
                authentication-order radius tacplus local
                no aging
                attempts 3 time 5 lockout 10
                health-check interval 30
                no admin-password
                hashing bcrypt
                history-size 0
                minimum-age min 10
                minimum-change 5
                complexity-rules
                    no allow-user-name
                    credits lowercase 0 uppercase 0 numeric 0 special-character 0
                    no disallow-sequence-keys
                    no minimum-classes
                    minimum-length 6
                    no repeated-characters
                    required lowercase 0 uppercase 0 numeric 0 special-character 0
                exit
----------------------------------------------

Managing IPSec certificates

The following is an example of importing a certificate from a pem format:

*A:ALU-A# admin certificate import type cert input cf3:/pre-import/
R10cert.pem output R1-0cert.der format pem

The following is an example of exporting a certificate to a pem format:

*A:ALU-A#  admin certificate export type cert input R1-0cert.der output cf3:/
R10cert.pem format pem

The following example displays a profile output:

*A:ALU-A>config>system>security>pki# info
----------------------------------------------
            ca-profile "Root" create
                description "Root CA"
                cert-file "R1-0cert.der"
                crl-file "R1-0crl.der"
                no shutdown
            exit
----------------------------------------------
*A:ALU-A>config>system>security>pki#

The following example displays an ike-policy with cert-auth output:

*A:ALU-A>config>ipsec>ike-policy# info
----------------------------------------------
            auth-method cert-auth
            own-auth-method psk      
----------------------------------------------

The following example displays a static LAN-to-LAN configuration using cert-auth:

         interface "VPRN1" tunnel create
             sap tunnel-1.private:1 create
                  ipsec-tunnel "Sanity-1" create
                      security-policy 1
                      local-gateway-address 192.168.0.0 peer 192.168.0.1 delivery-
                       service 300
                      dynamic-keying
                         ike-policy 1
                         pre-shared-key "Sanity-1"
                         transform 1
                         cert
                           trust-anchor-profile "trustAnchorProfile_1"
                           cert-profile "certProfile_4"
                        exit
                     exit
                  no shutdown
              exit

Configuring profiles

Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of 16 user profiles can be defined. A user can participate in up to 16 profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.

When configuring profiles, put more specific commands in the lower-numbered entries because the lower-numbered entries take precedence over the higher-numbered entries.

In the following example, because the general command in entry 10 takes precedence, entry 20 is ignored and the "show system" command will be permitted because it matches on "show". To avoid this, the "show system" entry needs to be a number lower than 10.
Example:
entry 10
    match "show"
    action permit
exit
entry 20
    match "show system"
    action deny
exit
Note: security commands in the config>system, show>system, admin>system, and tools>perform contexts that are not explicitly permitted are automatically denied.

Use the following CLI commands to configure user profiles:

CLI syntax:
config>system>security
    profile user-profile-name 
    default-action {deny-all | permit-all | none}
    renum old-entry-number new-entry-number
    entry entry-id
        description description-string
        match command-string
        action {permit | deny}

The following displays an example of the user profile command usage.

Example:
config>system>security# profile ghost
config>system>security>profile$ default-action permit-all
config>system>security>profile# entry 1
config>system>security>profile>entry$ action permit
config>system>security>profile>entry# match "configure"	
config>system>security>profile>entry# exit
config>system>security>profile# entry 2
config>system>security>profile>entry$ match "show"
config>system>security>profile>entry# exit
config>system>security>profile# entry 3
config>system>security>profile>entry$ match "exit"

The following example displays the user profile output:

ALU-1>config>system>security# info
----------------------------------------------
...
            profile "ghost"
                default-action permit-all
                entry 1
                    match "configure"
                    action permit
                exit
                entry 2
                    match "show"
                exit
                entry 3
                    match "exit"
                exit

Configuring users

Access parameters are configured for individual users. For each user, the login name and, optionally, information that identifies the user is defined. Use the following CLI syntax to configure access parameters for users. The snmp authentication des-key keyword is not available if the 7705 SAR node is running in FIPS-140-2 mode.

CLI syntax:
config>system>security
    user user-name
        access [ftp] [snmp] [console] [scp-sftp] [console-port-cli] [ssh-cli] [telnet-cli]
        console
            cannot-change-password
            local-lockout
            login-exec url-prefix:source-url
            member user-profile-name [user-profile-name...(up to 8 max)]
            new-password-at-login
        home-directory url-prefix [directory] [directory/directory ..]
        password [password]
        restricted-to-home
        save-when-restricted
        snmp
            authentication {[none] | [[hash] {md5 key-1 | sha key-1} privacy {none | des-key key-2 | aes-128-cfb-key key-2}]}
            group group-name

The following example displays the user configuration, including default values:

NOK-1>config>system>security# info detail
----------------------------------------------
...
        user "test"
                password "$2y$10$NXW9rLCSdBZiSUZ0fQGI2.mLh4ofLpXKAnay5SPSDVQI5FtKCottq"
                access console
                no home-directory
                restricted-to-home
                save-when-restricted
                public-keys
                    ecdsa
                    exit
                    rsa
                    exit
                exit
                console
                    no login-exec
                    no cannot-change-password
                    no new-password-at-login
                    member "default"
                    local-lockout
                exit
            exit
            snmp
                view "iso" subtree "1"
                    mask ff type included
                exit        
...
--------------------------------------------
NOK-1>config>system>security#
Note: The restricted-to-home default setting applies to non-administrative users. For administrative users (user "admin"), the default is no restricted-to-home as shown in Security configurations.

Copying and overwriting users and profiles

You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified; otherwise, an error occurs if the destination profile or username already exists.

Copying a user

CLI syntax:
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example:
config>system>security# copy user "testuser" to 
"testuserA"
MINOR: CLI User "testuserA" already exists - use overwrite flag.
config>system>security#
config>system>security# copy user "testuser" to "testuserA" overwrite
	config>system>security#

The following output displays the copied user configurations:

ALU-12>config>system>security# info
----------------------------------------------
...
            user "testuser"
                password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqL 
Sa"
                access snmp
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
 none
                    group "testgroup"
                exit
            exit
            user "testuserA"
                password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLW
Sa"
                access snmp
                console
                    new-password-at-login
                exit
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
 none
                    group "testgroup"
                exit
            exit
...
----------------------------------------------
ALU-12>config>system>security# info
Note: The cannot-change-password flag is not replicated when a copy user command is performed. A new-password-at-login flag is created instead.
ALU-12>config>system>security>user# info
----------------------------------------------
    password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLWSa"
    access snmp
    console
        cannot-change-password 
    exit
    snmp
        authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
        group "testgroup"
    exit
----------------------------------------------
ALU-12>config>system>security>user# exit
ALU-12>config>system>security# user testuserA
ALU-12>config>system>security>user# info
----------------------------------------------
    password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLWSa"
    access snmp
    console
        new-password-at-login
    exit
    snmp
        authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
        group "testgroup"
    exit
----------------------------------------------
ALU-12>config>system>security>user#

Copying a profile

CLI syntax:
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example:
config>system>security# copy profile default to testuser

The following output displays the copied profiles:

A:ALU-49>config>system>security# info
----------------------------------------------
...
A:ALU-49>config>system>security# info detail
----------------------------------------------
...
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "testuser"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "administrative"
                default-action permit-all exit
...

Configuring SSH

Use the ssh command to configure the SSH server. This command should only be enabled or disabled when the SSH server is disabled. This setting cannot be changed while the SSH server is running.

CLI syntax:
config>system>security
    ssh
        preserve-key
        no server-shutdown
Example:
config>system>security# ssh
config>system>security>ssh# preserve-key

The following example displays the SSH server configuration using a host-key:

A:ALU-1>config>system>security>ssh# info
----------------------------------------------
                preserve-key
----------------------------------------------
A:ALU-1>config>system>security>ssh# 

Configuring SSH cipher lists

Use the ssh command to configure SSHv2 cipher lists. Client cipher lists are used if the 7705 SAR is acting as an SSH client, and server cipher lists are used if the 7705 SAR is acting as an SSH server.

Note: When the 7705 SAR is running in FIPS-140-2 mode, the 3des-cbc cipher is not available.
CLI syntax:
config>system>security
    ssh
        client-cipher-list
            cipher index name cipher-name
        server-cipher-list
            cipher index name cipher-name
Example:
config>system>security# ssh
config>system>security>ssh# client-cipher-list
config>system>security>ssh>client-cipher# cipher 2 name aes256-ctr 
config>system>security>ssh>client-cipher# cipher 4 name aes128-ctr 
config>system>security>ssh>client-cipher# cipher 6 name aes256-cbc 
config>system>security>ssh>client-cipher# cipher 10 name aes128-cbc
config>system>security>ssh>client-cipher# cipher 20 name 3des-cbc
config>system>security>ssh>client-cipher# cipher 60 name aes192-cbc
config>system>security>ssh>client-cipher# cipher 70 name aes256-cbc
config>system>security>ssh>client-cipher# exit
config>system>security>ssh# server-cipher-list
config>system>security>ssh>server-cipher# cipher 2 name aes256-ctr 
config>system>security>ssh>server-cipher# cipher 4 name aes192-ctr 
config>system>security>ssh>server-cipher# cipher 6 name aes128-ctr 
config>system>security>ssh>server-cipher# cipher 10 name aes128-cbc
config>system>security>ssh>server-cipher# cipher 20 name 3des-cbc
config>system>security>ssh>server-cipher# cipher 60 name aes192-cbc
config>system>security>ssh>server-cipher# cipher 70 name aes256-cbc
config>system>security>ssh>server-cipher# exit
config>system>security>ssh# exit

The following example displays SSHv2 client and server cipher list configurations:

A:Sar8 Dut-A>config>system>security>ssh# info detail
----------------------------------------------
                client-cipher-list
                    cipher 2 name aes256-ctr
                    cipher 4 name aes192-ctr
                    cipher 6 name aes128-ctr
                    cipher 10 name aes128-cbc
                    cipher 20 name 3des-cbc
                    cipher 60 name aes192-cbc
                    cipher 70 name aes256-cbc
                exit
                server-cipher-list
                    cipher 2 name aes256-ctr
                    cipher 4 name aes192-ctr
                    cipher 6 name aes128-ctr
                    cipher 10 name aes128-cbc
                    cipher 20 name 3des-cbc
                    cipher 60 name aes192-cbc
                    cipher 70 name aes256-cbc
                exit
----------------------------------------------
*A:Sar8 Dut-A>config>system>security>ssh#

Configuring SSH KEX algorithm lists

Use the ssh command to configure SSHv2 client and server KEX algorithm lists. Client KEX algorithm lists are used if the 7705 SAR is acting as an SSH client, and server KEX algorithm lists are used if the 7705 SAR is acting as an SSH server.

Note: When the 7705 SAR node is running in FIPS-140-2 mode, the diffie-hellman-group1-sha1 KEX algorithm is not available.
CLI syntax:
config>system>security
    ssh
        client-kex-list 
            kex index name kex-name
        server-kex-list 
            kex index name kex-name
Example:
config>system>security# ssh
config>system>security>ssh# client-kex-list 
config>system>security>ssh>client-kex# kex 200 name diffie-hellman-group16-sha512
config>system>security>ssh>client-kex# kex 210 name diffie-hellman-group14-sha256
config>system>security>ssh>client-kex# kex 215 name diffie-hellman-group14-sha1
config>system>security>ssh>client-kex# kex 220 name diffie-hellman-group-exchange-sha1
config>system>security>ssh>client-kex# kex 225 name diffie-hellman-group1-sha1
config>system>security>ssh>client-kex# exit
config>system>security>ssh# server-kex-list 
config>system>security>ssh>server-kex# kex 200 name diffie-hellman-group16-sha512
config>system>security>ssh>server-kex# kex 210 name diffie-hellman-group14-sha256
config>system>security>ssh>server-kex# exit
config>system>security>ssh# exit

The following example displays SSHv2 client and server KEX list configurations:

A:Sar8 Dut-A>config>system>security>ssh# info detail
----------------------------------------------
                client-kex-list
                    kex 200 name diffie-hellman-group16-sha512
                    kex 210 name diffie-hellman-group14-sha256
                    kex 215 name diffie-hellman-group14-sha1
                    kex 220 name diffie-hellman-group-exchange-sha1
                    kex 225 name diffie-hellman-group1-sha1
                exit
                server-kex-list
                    kex 200 name diffie-hellman-group16-sha512
                    kex 210 name diffie-hellman-group14-sha256
                    kex 215 name diffie-hellman-group14-sha1
                    kex 220 name diffie-hellman-group-exchange-sha1
                    kex 225 name diffie-hellman-group1-sha1
                exit
----------------------------------------------
*A:Sar8 Dut-A>config>system>security>ssh#

Configuring SSH MAC algorithm lists

Use the ssh command to configure SSHv2 client and server MAC algorithm lists. Client MAC algorithm lists are used if the 7705 SAR is acting as an SSH client, and server MAC algorithm lists are used if the 7705 SAR is acting as an SSH server.

Note: When the 7705 SAR node is running in FIPS-140-2 mode, the following MAC algorithms are not available:
  • hmac-sha1-96

  • hmac-md5
  • hmac-mda5-96

CLI syntax:
config>system>security
    ssh
        client-mac-list 
            mac index name mac-name
        server-mac-list 
            mac index name mac-name
Example:
config>system>security# ssh
config>system>security>ssh# client-mac-list 
config>system>security>ssh>client-mac# mac 200 name hmac-sha2-512
config>system>security>ssh>client-mac# mac 210 name hmac-sha2-256
config>system>security>ssh>client-mac# mac 215 name hmac-sha1
config>system>security>ssh>client-mac# mac 220 name hmac-sha1-96
config>system>security>ssh>client-mac# mac 225 name hmac-md5
config>system>security>ssh>client-mac# mac 240 name hmac-md5-96
config>system>security>ssh>client-mac# exit
config>system>security>ssh# server-mac-list 
config>system>security>ssh>server-mac# mac 200 name hmac-sha2-512
config>system>security>ssh>server-mac# mac 210 name hmac-sha2-256
config>system>security>ssh>server-mac# exit
config>system>security>ssh# exit

The following example displays client and server MAC list configurations:

A:Sar8 Dut-A>config>system>security>ssh# info detail
----------------------------------------------
                client-mac-list
                    mac 200 name hmac-sha2-512
                    mac 210 name hmac-sha2-256
                    mac 215 name hmac-sha1
                    mac 220 name hmac-sha1-96
                    mac 225 name hmac-md5
                    mac 240 name hmac-md5-96
                exit
                server-mac-list
                    mac 200 name hmac-sha2-512
                    mac 210 name hmac-sha2-256
                    mac 215 name hmac-sha1
                    mac 220 name hmac-sha1-96
                    mac 225 name hmac-md5
                    mac 240 name hmac-md5-96
                exit
                exit
----------------------------------------------
*A:Sar8 Dut-A>config>system>security>ssh#

Configuring login controls

Use the login-control context to configure parameters for console, FTP, SSH, and Telnet sessions.

CLI syntax:
config>system
    login-control
        exponential-backoff
        ftp
            inbound-max-sessions value
        ssh
            [no] disable-graceful-shutdown 
            inbound-max-sessions value
            outbound-max-sessions value
            ttl-security min-ttl-value
        telnet
            [no] enable-graceful-shutdown 
            inbound-max-sessions value
            outbound-max-sessions value
            ttl-security min-ttl-value
        idle-timeout {minutes | disable}
        pre-login-message login-text-string [name]
        login-banner
        motd {url url-prefix:source-url | text motd-text-string}

The following example displays the login control configuration:

Example:
config>system>login-control# ftp inbound-max-sessions 5
config>system>login-control# ssh inbound-max-sessions 12
config>system>login-control# ssh outbound-max-sessions 8
config>system>login-control# ssh ttl-security 100
config>system>login-control# telnet enable-graceful-shutdown
config>system>login-control# telnet inbound-max-sessions 7
config>system>login-control# telnet outbound-max-sessions 2
config>system>login-control# idle-timeout 1440
config>system>login-control# pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited." 
config>system>login-control# motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"

The following example displays the login control configuration:

ALU-1>config>system# info
----------------------------------------------
...
       login-control
           ftp
               inbound-max-sessions 5
           exit
           ssh
               no disable-graceful-shutdown
               inbound-max-sessions 12
               outbound-max-sessions 8
               ttl-security  100
           telnet
               enable-graceful-shutdown
               inbound-max-sessions 7
               outbound-max-sessions 2
           exit
           idle-timeout 1440
           pre-login-
message "Property of Service Routing Inc. Unauthorized access prohibited."
           motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"
       exit
     no exponential-backoff
...
----------------------------------------------
ALU-1>config>system#

Configuring RADIUS parameters

Configuring RADIUS authentication

RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are radius and server server-index address ip-address secret key. The server command adds a RADIUS server and configures the RADIUS server’s IP address, index, and key values. The index determines the sequence in which the servers are queried for authentication requests.

Also, the system IP address must be configured in order for the RADIUS client to work. See ‟Configuring a System Interface” in the 7705 SAR Router Configuration Guide.

The other commands are optional.

On the local router, use the following CLI commands to configure RADIUS authentication:

CLI syntax:
config>system>security
    radius
        port port
        retry count
        server server-index address ip-address secret key [hash1 | hash2]
        timeout seconds
        no shutdown 

The following example displays the CLI syntax usage:

Example:
config>system>security>
security# radius
security# no shutdown
security>radius# server 1 address A:A:A:A:A:A:A:1 secret test11
security>radius# server 2 address 10.10.0.1 secret test2
security>radius# server 3 address 10.10.0.2 secret test3
security>radius# server 4 address 10.10.0.3 secret test4
security>radius# retry 5
security>radius# timeout 5
config>system>security>radius# exit

The following example displays the RADIUS authentication configuration:

ALU-1>config>system>security# info
----------------------------------------------
                retry 5
                timeout 5
                server 1 address A:A:A:A:A:A:A:1 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
...
----------------------------------------
ALU-1>config>system>security#

Configuring RADIUS authorization

In order for RADIUS authorization to function, RADIUS authentication must be enabled first. See Configuring RADIUS authentication.

In addition to the local configuration requirements, VSAs must be configured on the RADIUS server. See RADIUS VSAs.

On the local router, use the following CLI commands to configure RADIUS authorization:

CLI syntax:
config>system>security
    radius
        authorization

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# radius
config>system>security>radius# authorization

The following example displays the RADIUS authorization configuration:

ALU-1>config>system>security# info
----------------------------------------------
...
            radius
                authorization
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
            exit
...
----------------------------------------------

Configuring RADIUS accounting

On the local router, use the following CLI commands to configure RADIUS accounting:

CLI syntax:
config>system>security
    radius
        accounting

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# radius
config>system>security>radius# accounting

The following example displays the RADIUS accounting configuration:

ALU-1>config>system>security# info
----------------------------------------------
...
           radius
               shutdown
               authorization
               accounting
               retry 5
               timeout 5
               server 1 address 10.10.10.103 secret "test1"
               server 2 address 10.10.0.1 secret "test2"
               server 3 address 10.10.0.2 secret "test3"
               server 4 address 10.10.0.3 secret "test4"
           exit
...
----------------------------------------------
ALU-1>config>system>security#

Configuring 802.1x RADIUS policies

Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured on Ethernet ports. See the 7705 SAR Interface Configuration Guide, ‟Configuration Command Reference”, for more information about configuring 802.1x parameters on Ethernet ports.

To configure generic parameters for 802.1x authentication, enter the following CLI syntax:

CLI syntax:
config>system>security
     dot1x
        radius-plcy name [create]
            retry count
            server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]
            no shutdown
            source-address ip-address
            timeout seconds
        no shutdown

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# dot1x
config>system>security>dot1x# radius-plcy dot1x_plcy
create
config>system>security>dot1x>radius-plcy# server 1 address 10.10.10.1 secret abc auth-port 65000
config>system>security>dot1x>radius-plcy# server 2 address 10.10.10.3 secret xyz auth-port 862
config>system>security>dot1x>radius-plcy# source-address 10.10.10.255

The following example displays an 802.1x configuration:

*A:7705_custDoc>config>system>security>dot1x# info
----------------------------------------------
       radius-plcy "dot1x_plcy" create
           server 1 address 10.10.10.1 auth-port 65000 acct-
port 1813 secret "WDoQz6DJf4.0M5dlpwjHbk" hash2 type authorization
           server 2 address 10.10.10.3 auth-port 862 acct-port 1813 secret
 "WDoQz6DJf4.j1WcCeHZwz." hash2 type authorization
           source-address 10.10.10.255
           shutdown
       exit
...
----------------------------------------------
A:ALU-1>config>system#

Configuring TACACS+ parameters

Enabling TACACS+ authentication

To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network.

Use the following CLI commands to configure TACACS+ authentication:

CLI syntax:
config>system>security
    tacplus
        server server-index address ip-address secret key [hash1 | hash2]
        timeout seconds
        no shutdown 

The following example is configured in the config>system context:

Example:
security# tacplus
security>tacplus# server 1 address A:A:A:A:A:A:A:1 secret test1
security>tacplus# server 2 address 10.10.0.6 secret test2
security>tacplus# server 3 address 10.10.0.7 secret test3
security>tacplus# server 4 address 10.10.0.8 secret test4
security>tacplus# server 5 address 10.10.0.9 secret test5
config>system>security>tacplus# timeout 5
config>system>security>tacplus# no shutdown

The following example displays the TACACS+ authentication configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                timeout 5
                server 1 address A:A:A:A:A:A:A:1 secret "h6.TeL7YPohbmhlvz0gob."   
          hash2   
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2

Configuring TACACS+ authorization

In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ authentication.

On the local router, use the following CLI commands to configure TACACS+ authorization:

CLI syntax:
config>system>security
    tacplus
        authorization
        no shutdown

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# tacplus
config>system>security>tacplus# authorization
config>system>security>tacplus# no shutdown

The following example displays the TACACS+ authorization configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "h6.TeL7YPohbmhlvz0gob." hash2
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2
----------------------------------------------
ALU-1>config>system>security>tacplus# 

Configuring TACACS+ accounting

On the local router, use the following CLI commands to configure TACACS+ accounting:

CLI syntax:
config>system>security
    tacplus
        accounting

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# tacplus
config>system>security>tacplus# accounting

The following example displays the TACACS+ accounting configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                accounting
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "h6.TeL7YPohbmhlvz0gob." hash2
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2
----------------------------------------------
ALU-1>config>system>security>tacplus#

Configuring keychain authentication

The keychain authentication mechanism protects communication between routing protocol neighbors against malicious attacks. Keychain authentication provides the ability to configure authentication keys and update them through key rollover without affecting the state of the routing protocol adjacencies. See Key rollover for more information about begin-time and end-time configuration.

This procedure describes how to set up keychain authentication.

Note: The user must perform this procedure on both devices that will use keychain authentication to communicate.
  1. Configure the keychain instance using the following command:
    Note: A keychain must be configured on the system before it can be applied to a session.
    config>system>security>keychain name 
  2. Configure keychain authentication under the keychain context. The keychain must have at least one valid entry and an authentication algorithm:
    config>system>security>keychain
                direction
                    bi 
                        entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm] 
                            begin-time [date] [hours-minutes] [UTC]
                        exit
                        entry entry-id2 [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm] 
                            begin-time [date] [hours-minutes] [UTC]
                        exit
                    exit
                exit
                no shutdown
  3. Associate the configured authentication keychain with a protocol; for example:
    config>router# isis [isis-instance]
        auth-keychain name
        level {1 | 2}
            auth-keychain name
    Depending on the protocol, authentication keychains can be used for authentication at the global, level, and interface contexts. For IS-IS, Hello authentication keychains can be used for authentication at the interface and interface level contexts.

Configuring keychains

The keychain mechanism allows for the creation of keys used to authenticate protocol communications. Each keychain entry defines the authentication attributes to be used in authenticating protocol messages from remote peers or neighbors; the keychain must include at least one key entry to be valid.

Each key within a keychain must include the following attributes for the authentication of protocol messages:

  • key identifier

  • authentication algorithm

  • authentication key

  • direction

  • begin time

Optionally, each key can include an end time and tolerance.

Use the following CLI commands to configure a keychain:

CLI syntax:
config>system>security
    keychain name
        description description-string
        direction
            bi 
                entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm] 
                    begin-time [date] [hours-minutes] [UTC]
                    tolerance {seconds | forever}
            uni
                receive
                    entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm] 
                        begin-time [date] [hours-minutes] [UTC]
                        tolerance {seconds | forever}
            send
                entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm] 
                    begin-time [date] [hours-minutes] [UTC]

The following example displays a keychain configuration:

A:ALU-1>config>system>security># info detail
----------------------------------------------
...
            keychain "ospf-md5"
                description "MD5 keychain for OSPF interfaces"
                tcp-option-number
                    send 254
                    receive 254
                exit
                direction
                    bi
                        entry 0 key "VyScMGuUfEQw9vxb9YWEG8oEeyRxTrGC.aFwWKzlO1E
" hash2 algorithm message-digest
                            no shutdown
                            begin-time 2016/06/01 00:00:00 UTC
                            no option
                        exit
                        entry 1 key "VyScMGuUfEQw9vxb9YWEG6rfIEGa/.sGbxt3BaeWYO.
" hash2 algorithm message-digest
                            no shutdown
                            begin-time 2016/06/09 00:00:00 UTC
                            no option
                            tolerance 600
                        exit
                    exit
                exit
                no shutdown
            exit
            keychain "rsvp-md5"
                description "MD5 keychain for RSVP interfaces"
                tcp-option-number
                    send 254
                    receive 254
                exit
                direction
                    uni
                        send
                            entry 0 key "f4L8216viTz8OMIKEcNfF/0BxU12MaZskrUHlTN
YMwY" hash2 algorithm message-digest
                                no shutdown
                                begin-time 2016/06/01 00:00:00 UTC
                            exit
                            entry 1 key "f4L8216viTz8OMIKEcNfF0VmwDJEUYqX1ob50zL
E0HY" hash2 algorithm message-digest
                                no shutdown
                                begin-time 2016/06/09 00:00:00 UTC
                            exit
                        exit
                        receive
                            entry 0 key "dE.xAjca3DLqssbdJ8zc8vblBwYsvFXL57dvJEu
RQHE" hash2 algorithm message-digest
                                no shutdown
                                begin-time 2016/06/01 00:00:00 UTC
                                tolerance 600
                            exit
                            entry 1 key "dE.xAjca3DLqssbdJ8zc4ty4BxUSFV5xl9ejgfr
YHGG" hash2 algorithm message-digest
                                no shutdown
                                begin-time 2016/06/09 00:00:00 UTC
                                tolerance 600
                        exit
                    exit
                exit
----------------------------------------------
A:ALU-1>config>system>security#

In the above example, two separate keychains are created, ‟ospf-md5” and ‟rsvp-md5”, each with two possible keys.

For ospf-md5:

  • entry 0 is valid starting at midnight (UTC) on 2016/06/01

  • entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0

  • there is an overlap (tolerance) period of 600 seconds in which packets with either key (entry 0 or entry 1) will be accepted

For rsvp-md5:

  • for transmitted packets:

    • send key entry 0 is valid starting at midnight (UTC) on 2016/06/01

    • send key entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0

  • for received packets:

    • receive key entry 0 is valid starting at midnight (UTC) on 2016/06/01

    • receive key entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry 0

    • there is an overlap (tolerance) period of 600 seconds in which receive packets with either key (entry 0 or entry 1) will be accepted

Security command reference

Command hierarchies

Admin commands

admin
    - system
        - security
            - system-password admin-password

Configuration commands

Security configuration commands
config
- system 
        - security
            - copy {user source-user | profile source-profile} to destination [overwrite]
            - ftp-server 
            - no ftp-server
            - hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]
            - no hash-control
            - source-address 
                - application app [ip-int-name | ip-address]
                - no application app
                - application6 app ipv6-address
                - no application6 app
            - telnet
                -listening-port port
                -no listening-port
            - [no] telnet-server
            - [no] telnet6-server
            - vprn-network-exceptions [number seconds]
            - no vprn-network-exceptions
Management access filter commands
config
- system 
        - security
            - [no] management-access-filter 
                - ip-filter
                    - default-action {permit | deny | deny-host-unreachable}
                    - [no] entry entry-id
                        - action {permit | deny | deny-host-unreachable}
                        - no action
                        - description description-string
                        - no description
                        - dst-port port [mask]
                        - no dst-port
                        - [no] log
                        - [no] protocol  protocol-id
                        - router router-instance
                        - router service-name service-name
                        - no router
                        - src-ip {ip-prefix [/mask] [netmask] | ip-prefix-list ip-prefix-list-name}
                        - no src-ip
                        - src-port {port-id | cpm | lag lag-id}
                        - no src-port
                    - renum old-entry-number new-entry-number
                    - [no] shutdown
IPv6 management access filter commands
config
- system 
        - security
            - [no] management-access-filter 
                - ipv6-filter
                    - default-action {permit | deny | deny-host-unreachable}
                    - [no] entry entry-id
                        - action {permit | deny | deny-host-unreachable}
                        - no action
                        - description description-string
                        - no description
                        - dst-port port [mask]
                        - no dst-port
                        - flow-label value
                        - no flow-label
                        - [no] log
                        - [no] next-header next-header
                        - router router-instance
                        - router service-name service-name
                        - no router
                        - src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
                        - no src-ip
                        - src-port {port-id | cpm | lag lag-id}
                        - no src-port
                    - renum old-entry-number new-entry-number
                    - [no] shutdown
CPM filter commands
config
- system 
        - security
            - [no] cpm-filter
                - default-action {accept | drop}
                - ip-filter
                    - entry entry-id [create]
                    - no entry entry-id
                        - action {accept | drop}
                        - no action
                        - description description-string
                        - no description
                        - log log-id
                        - no log
                        - match [protocol protocol-id]
                        - no match
                            - dscp dscp-name
                            - no dscp
                            - dst-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
                            - no dst-ip
                            - dst-port tcp/udp port-number [mask]
                            - no dst-port
                            - fragment {true | false}
                            - no fragment
                            - icmp-code icmp-code
                            - no icmp-code
                            - icmp-type icmp-type
                            - no icmp-type
                            - ip-option ip-option-value [ip-option-mask]
                            - no ip-option
                            - multiple-option {true | false}
                            - no multiple-option
                            - option-present {true | false}
                            - no option-present
                            - src-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}
                            - no src-ip
                            - src-port tcp/udp port-number [mask]
                            - no src-port
                            - tcp-ack {true | false}
                            - no tcp-ack
                            - tcp-syn {true | false}
                            - no tcp-syn
                    - renum old-entry-id new-entry-id
                    - [no] shutdown
IPv6 CPM filter commands
config
- system 
        - security
            - [no] cpm-filter
                - default-action {accept | drop}
                - ipv6-filter
                    - entry entry-id [create]
                    - no entry entry-id
                        - action {accept | drop}
                        - no action
                        - description description-string
                        - no description
                        - log log-id
                        - no log
                        - match [next-header next-header]
                        - no match
                            - dscp dscp-name
                            - no dscp
                            - dst-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
                            - no dst-ip
                            - dst-port tcp/udp port-number [mask]
                            - no dst-port
                            - icmp-code icmp-code
                            - no icmp-code
                            - icmp-type icmp-type
                            - no icmp-type
                            - src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}
                            - no src-ip
                            - src-port tcp/udp port-number [mask]
                            - no src-port
                            - tcp-ack {true | false}
                            - no tcp-ack
                            - tcp-syn {true | false}
                            - no tcp-syn
                    - renum old-entry-id new-entry-id
                    - [no] shutdown
Password commands
config
- system 
        - security
            - password
                - admin-password password [hash | hash2]
                - no admin-password
                - aging days
                - no aging
                - attempts count [time minutes1] [lockout minutes2]
                - no attempts
                - authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
                - no authentication-order
                - complexity-rules
                    - [no] allow-user-name
                    - credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
                    - no credits
                    - disallow-sequence-keys value
                    - no disallow-sequence-keys
                    - minimum-classes minimum
                    - no minimum-classes
                    - minimum-length value
                    - no minimum-length
                    - repeated-characters count
                    - no repeated-characters
                    - required [lowercase count] [uppercase count] [numeric count] [special-character count]
                    - no required
                - hashing hashing {bcrypt | sha2-pbkdf2 | sha3-pbkdf2}
                - [no] health-check [interval interval]
                - history-size size
                - no history-size
                - minimum-age [days days] [hrs hours] [min minutes] [sec seconds]
                - no minimum-age
                - minimum-change length
                - no minimum-change
User commands
config
- system 
        - security
            - [no] user user-name
                - [no] access [ftp] [snmp] [console] [scp-sftp] [console-port-cli] [ssh-cli] [telnet-cli]
                - console
                    - [no] cannot-change-password
                    - [no] local-lockout
                    - login-exec url-prefix:source-url
                    - no login-exec
                    - member user-profile-name [user-profile-name…(up to 8 max)]
                    - no member user-profile-name
                    - [no] new-password-at-login 
                - home-directory url-prefix [directory] [directory/directory…]
                - no home-directory 
                - password [password]
                - public-keys
                    - ecdsa
                        - [no] ecdsa-key key-id [create] 
                            - description description-string
                            - no description
                            - key-value public-key-value
                            - no key-value 
                    - rsa
                        - [no] rsa-key key-id [create] 
                            - description description-string
                            - no description
                            - key-value public-key-value
                            - no key-value 
                - [no] restricted-to-home
                - [no] save-when-restricted
                - snmp 
                    - authentication none
                    - authentication authentication-protocol authentication-key [privacy none] [hash | hash2]
                    - authentication authentication-protocol authentication-key privacy privacy-protocol privacy-key [hash | hash2]
                    - no authentication
                    - group group-name
                    - no group
            - user-template {tacplus_default | radius_default}
                - [no] access [ftp] [console] [scp-sftp] [console-port-cli] [ssh-cli] [telnet-cli]
                - console
                    - login-exec url-prefix:source-url
                    - no login-exec
                - home-directory url-prefix [directory] [directory/directory ..]
                - no home-directory
                - profile user-profile-name
                - no profile
                - [no] restricted-to-home
                - [no] save-when-restricted
SSH commands
config
- system 
        - security
            - ssh
                - client-cipher-list
                    - cipher index name cipher-name
                    - no cipher index
                - client-kex-list 
                    - kex index name kex-name
                    - no kex index 
                - client-mac-list 
                    - mac index name mac-name
                    - no mac index 
                - key-re-exchange 
                    - client 
                        - mbytes {mbytes | disable}
                        - no mbytes
                        - minutes {minutes | disable}
                        - no minutes
                        - [no] shutdown
                    - server 
                        - mbytes {mbytes | disable}
                        - no mbytes
                        - minutes {minutes | disable}
                        - no minutes
                        - [no] shutdown
                - listening-port port
                - no listening-port
                - [no] preserve-key
                - server-cipher-list
                    - cipher index name cipher-name
                    - no cipher index
                - server-kex-list 
                    - kex index name kex-name
                    - no kex index 
                - server-mac-list 
                    - mac index name mac-name
                    - no mac index 
                - [no] server-shutdown
TLS commands
config
    system
        security
            tls
               cert-profile profile-name [create]
               no cert-profile profile-name
                   entry entry-id [create]
                   no entry entry-id
                        cert cert-filename
                        no cert
                        key key-filename
                        no key
                        [no] send-chain
                            [no] ca-profile name
                [no] shutdown
            client-cipher-list name [create]
            no client-cipher-list name
                cipher index name cipher-suite-code
                no cipher index
                tls13-cipher index name cipher-suite-code
                no tls13-cipher index
            client-group-list name [create]
            no client-group-list name
                tls13-group index name group-suite-code
                no tls13-group index
            client-signature-list name [create]
            no client-signature-list name
                tls13-signature index name signature-suite-code
                no tls13-signature index
            client-tls-profile name [create]
            no client-tls-profile name
                cert-profile name
                no cert-profile
                cipher-list name
                no cipher-list
                group-list name
                no group-list
                protocol-version TLS version
                no protocol-version
                [no] shutdown
                signature-list name
                no signature-list
                trust-anchor-profile name
                no trust-anchor-profile
            trust-anchor-profile name [create]
            no trust-anchor-profile name
                [no] trust-anchor ca-profile-name
Keychain authentication commands
config
- system 
        - security
            - [no] keychain keychain-name
                - description description-string
                - no description
                - direction
                    - bi
                        - entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                        - no entryentry-id
                                - begin-time date hours-minutes [UTC]
                                - begin-time {now | forever}
                                - no begin-time
                                - option {basic | isis-enhanced}
                                - no option
                                - [no] shutdown
                                - tolerance {seconds | forever}
                                - no tolerance
                    - uni
                        - receive
                            - entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                            - no entry entry-id 
                                - begin-time date hours-minutes [UTC]
                                - begin-time {now | forever}
                                - no begin-time
                                - end-time date hours-minutes [UTC]
                                - end-time {now | forever}
                                - no end-time
                                - [no] shutdown
                                - tolerance {seconds | forever}
                                - no tolerance
                        - send
                            - entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                            - no entry entry-id 
                                - begin-time date hours-minutes [UTC]
                                - begin-time {now | forever}
                                - no begin-time
                                - [no] shutdown
                - [no] shutdown
                - tcp-option-number
                    - receive option-number
                    - no receive
                    - send option-number
                    - no send
Login control commands
config
- system 
        - login-control
            - [no] exponential-backoff
            - ftp
                - inbound-max-sessions value
                - no inbound-max-sessions
            - idle-timeout {minutes | disable}
            - no idle-timeout
            - [no] login-banner
            - motd {url url-prefix: source-url | text motd-text-string}
            - no motd
            - pre-login-message login-text-string [name]
            - no pre-login-message
            - ssh
                - [no] disable-graceful-shutdown 
                - inbound-max-sessions value
                - no inbound-max-sessions
                - outbound-max-sessions value
                - no outbound-max-sessions
                - ttl-security min-ttl-value
                - no ttl-security
            - telnet
                - [no] enable-graceful-shutdown
                - inbound-max-sessions value
                - no inbound-max-sessions
                - outbound-max-sessions value
                - no outbound-max-sessions
                - ttl-security min-ttl-value
                - no ttl-security

Show commands

Security commands
show
- system
        - security 
            - access-group [group-name]
            - authentication [statistics]
            - communities
            - cpm-filter
                - ip-filter [entry entry-id]
                - ipv6-filter [entry entry-id]
            - keychain [keychain] [detail]
            - management-access-filter
                - ip-filter [entry entry-id]
                - ipv6-filter [entry entry-id]
            - password-options
            - profile user-profile-name
            - source-address
            - ssh
            - tls
                - cert-profile name association
                - cert-profile [name]
                - cert-profile name entry 1..8
                - client-tls-profile [client-tls-profile]
                - client-tls-profile client-tls-profile association
                - client-tls-profile client-tls-profile [connections]
                - trust-anchor-profile trust-anchor-profile association
                - trust-anchor-profile [trust-anchor-profile]
            - user [user-id] detail
            - user [user-id] lockout
            - view [view-name] [detail] [capabilities]
Login control commands
show
- users

Monitor commands

monitor
- cpm-filter
        - ip entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
        - ipv6 entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
        - mac entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
- management-access-filter
        - ip entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
        - ipv6 entry entry-id [interval seconds] [repeat repeat] [absolute | rate]
        - mac entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Command descriptions

Admin commands

system-password
Syntax

system-password admin-password

Context

admin>system>security

Description

This operational command changes a local administrative password.

When invoked, the user is prompted to enter the old password, the new password, and then the new password again to verify the correct input. Any subsequent invocation of enable-admin will require this new admin-password.

Parameters
admin-password

specifies to change the administrative password which is requested when a user tries to enable admin mode by running enable-admin to attain administrative privileges

Configuration commands

Generic security commands
description
Syntax

description description-string

no description

Context

config>system>security>management-access-filter>ip-filter>entry

config>system>security>management-access-filter>ipv6-filter>entry

config>system>security>cpm-filter>ip-filter>entry

config>system>security>cpm-filter>ipv6-filter>entry

config>system>security>keychain

config>system>security>user>public-keys>ecdsa>ecdsa-key

config>system>security>user>public-keys>rsa>rsa-key

Description

This command creates a text description stored in the configuration file for a configuration context.

The no form of the command removes the string.

Default

n/a

Parameters
description-string

the description character string. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (such as #, $, or spaces), the entire string must be enclosed within double quotes.

shutdown
Syntax

[no] shutdown

Context

config>system>security>management-access-filter>ip-filter

config>system>security>management-access-filter>ipv6-filter

config>system>security>cpm-filter>ip-filter

config>system>security>cpm-filter>ipv6-filter

config>system>security>keychain

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

config>system>security>radius

config>system>security>tacplus

Description

This command administratively disables the entity. The operational state of the entity is disabled as well as the operational state of any entities contained within. When disabled, an entity does not change, reset, or remove any configuration settings or statistics, other than the administrative state. Many objects must be shut down before they can be deleted.

The no form of the command puts an entity into the administratively enabled state. Many entities must be explicitly enabled using the no shutdown command.

Default

no shutdown

Security commands
security
Syntax

security

Context

config>system

Description

This command enables the context to configure security settings.

Security commands manage user profiles and user membership. Security commands also manage user login registrations.

copy
Syntax

copy {user source-user | profile source-profile} to destination [overwrite]

Context

config>system>security

Description

This command copies the specified user or profile configuration parameters to another (destination) user or profile.

The password is set to the Return key and a new password at login must be selected.

Parameters
source-user

the user to copy from. The user must already exist.

source-profile

the profile to copy from. The profile must already exist.

destination

the destination user or profile

overwrite

specifies that the destination user or profile configuration will be overwritten with the copied source user or profile configuration. A configuration will not be overwritten if the overwrite command is not specified.

ftp-server
Syntax

[no] ftp-server

Context

config>system>security

Description

This command enables FTP servers running on the system.

FTP servers are disabled by default. At system startup, only SSH servers are enabled.

The no form of the command disables FTP servers running on the system.

Default

no ftp-server

hash-control
Syntax

hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]

no hash-control

Context

config>system>security

Description

Whenever the user executes a save or info command, the system will encrypt all passwords, keys, and so on for security reasons. At present, two algorithms exist.

The first algorithm is a simple, short key that can be copied and pasted in a different location when the user wants to configure the same password. However, because it is the same password and the hash key is limited to the password/key, it is obvious that it is the same key.

The second algorithm is a more complex key, and cannot be copied and pasted in different locations in the configuration file. In this case, if the same key or password is used repeatedly in different contexts, each encrypted (hashed) version will be different.

Default

all – read-version set to accept both versions 1 and 2

Parameters
read-version {1 | 2 | all}

when the read-version is configured as ‟all,” both versions 1 and 2 will be accepted by the system. Otherwise, only the selected version will be accepted when reading configuration or exec files. The presence of incorrect hash versions will abort the script/startup.

write-version {1 | 2}

selects the hash version that will be used the next time the configuration file is saved (or an info command is executed). Be careful to save the read and write version correctly, so that the file can be properly processed after the next reboot or exec.

source-address
Syntax

source-address

Context

config>system>security

Description

This command specifies the source address that should be used in all unsolicited packets sent by the application.

application
Syntax

application app [ip-int-name | ip-address]

no application app

Context

config>system>security>source-address

Description

This command specifies the application to use the source IPv4 address specified by the source-address command.

The no form of the command removes the specified source address from the application, causing the application to use the system IP address as the source address.

Parameters
app

specifies the application name

Values

cflowd, dns, ftp, ntp, ping, radius, snmptrap, sntp, ssh, syslog, tacplus, telnet, traceroute

ip-int-name | ip-address

specifies the name of the IP interface or IPv4 address. If the string contains special characters (such as #, $, or spaces), the entire string must be enclosed within double quotes.

application6
Syntax

application6 app ipv6-address

no application6 app

Context

config>system>security>source-address

Description

This command specifies the application to use the source IPv6 address specified by the source-address command.

The no form of the command removes the specified source address from the application, causing the application to use the system IP address as the source address.

Parameters
app

specifies the application name

Values

cflowd, dns, ftp, ssh, ntp, ping, radius, snmptrap, syslog, tacplus, telnet, traceroute

ipv6-address

specifies the IPv6 address

telnet
Syntax

telnet

Context

config>system>security

Description

This command enables the context to configure Telnet parameters.

listening-port
Syntax

listening-port port

no listening-port

Context

config>system>security>telnet

Description

This command configures the listening TCP port of the Telnet server for incoming Telnet connections via base or management routing. VPRN node management is done via GRT leaking and uses base routing.

The no form of this command resets the listening port to its default of 23.

Default

no listening port

Parameters
port

specifies the port number

Values

1024 to 49151

telnet-server
Syntax

[no] telnet-server

Context

config>system>security

Description

This command enables Telnet servers running on the system.

Telnet servers are off by default. At system startup, only SSH servers are enabled.

Telnet servers in 7705 SAR networks limit a Telnet client to three retries to log in. The Telnet server disconnects the Telnet client session after three retries.

The no form of the command disables Telnet servers running on the system.

Default

no telnet-server

telnet6-server
Syntax

[no] telnet6-server

Context

config>system>security

Description

This command enables Telnet IPv6 servers running on the system.

Telnet servers are off by default. At system startup, only SSH servers are enabled.

Telnet servers in 7705 SAR networks limit a Telnet client to three retries to log in. The Telnet server disconnects the Telnet client session after three retries.

The no form of the command disables Telnet servers running on the system.

Default

no telnet6-server

vprn-network-exceptions
Syntax

vprn-network-exceptions [number seconds]

no vprn-network-exceptions

Context

config>system>security

Description

This command configures the rate at which the 7705 SAR sends ICMP replies to a source IP address in response to TTL expiry IP packets that have been received for all VPRN instances in the system and from all network IP interfaces. Packets include labeled user packets as well as ping and traceroute packets within a VPRN.

This command does not apply to MPLS packets or service OAM packets such as VPRN ping and trace, LSP ping and trace, and VCC ping and trace.

When the command is issued without any number and seconds parameters specified, the default rate is 100 ICMP reply packets sent per 10 seconds. The no form of the command disables the rate-limiting of ICMP replies.

Default

no vprn-network-exceptions

Parameters
number

specifies the maximum number of ICMP reply messages that can be sent within the configured number of seconds

Values

10 to 1000

seconds

specifies the time frame in which the configured number of ICMP reply messages can be sent

Values

1 to 60

Management access filter commands
management-access-filter
Syntax

[no] management-access-filter

Context

config>system>security

Description

This command enables the context to edit management access filters and to reset match criteria.

Management access filters control all traffic in and out of the CSM. They can be used to restrict management of the 7705 SAR by other nodes outside either specific (sub)networks or through designated ports.

Management filters, as opposed to other traffic filters, are enforced by system software.

The no form of the command removes management access filters from the configuration.

Default

n/a

ip-filter
Syntax

ip-filter

Context

config>system>security>management-access-filter

Description

This command enables the context to configure IP filter commands.

ipv6-filter
Syntax

ipv6-filter

Context

config>system>security>management-access-filter

Description

This command enables the context to configure IPv6 filter commands.

default-action
Syntax

default-action {permit | deny | deny-host-unreachable}

Context

config>system>security>management-access-filter>ip-filter

config>system>security>management-access-filter>ipv6-filter

Description

This command creates the default action for management access in the absence of a specific management access filter match.

The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.

Default

n/a

Parameters
permit

specifies that packets not matching the configured selection criteria in any of the filter entries will be permitted

deny

specifies that packets not matching the selection criteria will be denied

deny-host-unreachable

specifies that packets not matching the selection criteria will be denied and a host unreachable message will be issued

entry
Syntax

[no] entry

Context

config>system>security>management-access-filter>ip-filter

config>system>security>management-access-filter>ipv6-filter

Description

This command is used to create or edit a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7705 SAR exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.

The no form of the command removes the specified entry from the management access filter.

Default

n/a

Parameters
entry-id

an entry ID uniquely identifies a match criteria and the corresponding action. It is recommended that entries be numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Values

1 to 9999

action
Syntax

action {permit | deny | deny-host-unreachable}

no action

Context

config>system>security>management-access-filter>ip-filter>entry

config>system>security>management-access-filter>ipv6-filter>entry

Description

This command creates the action associated with the management access filter match criteria entry.

The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.

If the packet does not meet any of the match criteria, the configured default action is applied.

Default

n/a

Parameters
permit

specifies that packets matching the configured criteria will be permitted

deny

specifies that packets not matching the selection criteria will be denied

deny-host-unreachable

specifies that packets not matching the selection criteria will be denied and a host unreachable message will be issued

dst-port
Syntax

dst-port port [mask]

no dst-port

Context

config>system>security>management-access-filter>ip-filter>entry

config>system>security>management-access-filter>ipv6-filter>entry

Description

This command configures a destination TCP or UDP port number or port range for a management access filter match criterion.

The no form of the command removes the destination port match criterion.

Default

n/a

Parameters
port

the source TCP or UDP port number as match criteria

Values

1 to 65535 (decimal)

mask

mask used to specify a range of destination port numbers as the match criterion

This 16-bit mask can be configured using the formats in the following table.

Table 7. 16-bit mask formats

Format style

Format syntax

Example

Decimal

DDDDD

63488

Hexadecimal

0xHHHH

0xF800

Binary

0bBBBBBBBBBBBBBBBB

0b1111100000000000

For example, to select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.

Values

1 to 65535 (decimal)

Default

65535 (exact match)

flow-label
Syntax

flow-label value

no flow-label

Context

config>system>security>management-access-filter>ipv6-filter>entry

Description

This command configures flow label match conditions for a management access filter match criterion. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default QoS or real-time service.

This command applies to IPv6 filters only.

Parameters
value

the flow identifier in an IPv6 packet header that can be used to discriminate traffic flows (see RFC 3595, Textual Conventions for IPv6 Flow Label)

Values

0 to 1048575

log
Syntax

[no] log

Context

config>system>security>management-access-filter>ip-filter>entry

config>system>security>management-access-filter>ipv6-filter>entry

Description

This command enables match logging.

The no form of this command disables match logging.

Default

no log

next-header
Syntax

[no] next-header next-header

Context

config>system>security>management-access-filter>ipv6-filter>entry

Description

This command specifies the next header to match as a management access filter match criterion.

This command applies to IPv6 filters only.

Parameters
next-header

protocol-number or protocol-name

protocol-number

the IPv6 next header to match, expressed as a protocol number in decimal, hexadecimal, or binary. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See IP protocol IDs and descriptions for the protocol IDs and descriptions for the IP protocols.

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

the IPv6 next header to match, expressed as a protocol name. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See IP protocol IDs and descriptions for the protocol IDs and descriptions for the IP protocols.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip, * - udp/tcp wildcard

protocol
Syntax

[no] protocol protocol-id

Context

config>system>security>management-access-filter>ip-filter>entry

Description

This command configures an IP protocol type to be used as a management access filter match criterion.

The protocol type is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17). The following table lists the protocol IDs and descriptions for the IP protocols.

Table 8. IP protocol IDs and descriptions

Protocol ID

Protocol

Description

1

icmp

Internet Control Message

2

igmp

Internet Group Management

4

ip

IP in IP (encapsulation)

6

tcp

Transmission Control

8

egp

Exterior Gateway Protocol

9

igp

Any private interior gateway

17

udp

User Datagram

27

rdp

Reliable Data Protocol

41

ipv6

IPv6

43

ipv6-route

Routing Header for IPv6

44

ipv6-frag

Fragment Header for IPv6

45

idrp

Inter-Domain Routing Protocol

46

rsvp

Reservation Protocol

47

gre

General Routing Encapsulation

58

ipv6-icmp

ICMP for IPv6

59

ipv6-no-nxt

No Next Header for IPv6

60

ipv6-opts

Destination Options for IPv6

80

iso-ip

ISO Internet Protocol

88

eigrp

EIGRP

89

ospf-igp

OSPFIGP

97

ether-ip

Ethernet-within-IP Encapsulation

98

encap

Encapsulation Header

102

pnni

PNNI over IP

103

pim

Protocol Independent Multicast

112

vrrp

Virtual Router Redundancy Protocol

115

l2tp

Layer Two Tunneling Protocol

118

stp

Schedule Transfer Protocol

123

ptp

Performance Transparency Protocol

124

isis

ISIS over IPv4

126

crtp

Combat Radio Transport Protocol

127

crudp

Combat Radio User Datagram

132

sctp

Stream Control Transmission Protocol

137

mpls-in-ip

MPLS in IP

This command applies to IPv4 filters only.

The no form of the command removes the protocol from the match criteria.

Default

n/a

Parameters
protocol-id

protocol-number or protocol-name

protocol-number

the protocol number for the match criterion, expressed in decimal, hexadecimal, or binary

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

the protocol name for the match criterion

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip, * - udp/tcp wildcard

router
Syntax

router router-instance

router service-name service-name

no router

Context

config>system>security>management-access-filter>ip-filter>entry

config>system>security>management-access-filter>ipv6-filter>entry

Description

This command configures a router name or service ID to be used as a management access filter match criterion.

The no form of the command removes the router name or service ID from the match criteria.

Parameters
router-instance

specifies one of the following parameters for the router instance:

router-name – specifies a router name up to 32 characters to be used in the match criteria

service-id – specifies an existing service ID to be used in the match criteria

Values

1 to 2147483647

service-name

specifies the service name of an existing service

Values

up to 64 characters

src-ip
Syntax

src-ip {ip-prefix[/mask] [/netmask]| ip-prefix-list ip-prefix-list-name}

no src-ip

Context

config>system>security>management-access-filter>ip-filter>entry

Description

This command specifies a source IPv4 address range or specifies an IPv4 prefix list configured under the match-list command to be used as a match criterion for a management access filter. See the 7705 SAR Router Configuration Guide for information about the match-list command.

To match on the source IP address, specify the address and the associated mask (for example, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.

The no form of the command removes the source IPv4 address or IPv4 prefix list match criterion.

Default

n/a

Parameters
ip-prefix

the IP prefix for the IP match criterion in dotted-decimal notation

Values

a.b.c.d (host bits must be 0)

mask

the subnet mask length expressed as a decimal integer

Values

1 to 32

netmask

the subnet mask in dotted-decimal notation

Values

a.b.c.d (network bits all 1, host bits must all 0)

ip-prefix-list-name

the name of the IP prefix list configured with the match-list command

src-ip
Syntax

src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}

no src-ip

Context

config>system>security>management-access-filter>ipv6-filter>entry

Description

This command configures a source IPv6 address range or specifies an IPv6 prefix list configured under the match-list command to be used as a match criterion for a management access filter. See the 7705 SAR Router Configuration Guide for information about the match-list command.

To match on the source IP address, specify the address and prefix length; for example, 11::12/128.

The no form of the command removes the source IP address or IPv6 prefix list match criterion.

Default

n/a

Parameters
ipv6-address/prefix-length

the IPv6 address on the interface

Values

ipv6-address:        x:x:x:x:x:x:x:x (eight 16-bit pieces)

                                 x:x:x:x:x:x:d.d.d.d

                                   x:   [0 to FFFF]H

                                   d:   [0 to 255]D

prefix-length:      1 to 128

ipv6-prefix-list-name

the name of the IPv6 prefix list configured with the match-list command

src-port
Syntax

src-port {port-id | cpm | lag lag-id}

no src-port

Context

config>system>security>management-access-filter>ip-filter>entry

config>system>security>management-access-filter>ipv6-filter>entry

Description

This command restricts ingress management traffic to either the CSM Ethernet port or any other logical port (port or channel) on the device.

When the source interface is configured, only management traffic arriving on those ports satisfy the match criteria.

The no form of the command reverts to the default value.

Default

any interface

Parameters
port-id

the port ID

Values

port-id

slot/mda/port

bundle-id

bundle-type-slot/mda.bundle-num

type

ima, ppp

bundle-num

1 to 128

cpm

specifies that ingress management traffic is restricted to the CSM Ethernet port

lag-id

the LAG ID

Values

1 to 32

renum
Syntax

renum old-entry-number new-entry-number

Context

config>system>security>management-access-filter>ip-filter

config>system>security>management-access-filter>ipv6-filter

Description

This command renumbers existing management access filter entries to resequence filter entries.

The 7705 SAR exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be renumbered from most to least explicit.

Parameters
old-entry-number

the entry number of the existing entry

Values

1 to 9999

new-entry-number

the new entry number that will replace the old entry number

Values

1 to 9999

CPM filter commands
cpm-filter
Syntax

[no] cpm-filter

Context

config>system>security

Description

This command enables the context to configure a CPM (referred to as CSM on the 7705 SAR) filter. A CPM filter is a hardware filter (that is, implemented on the network processor) for the CSM-destined traffic that applies to all the traffic destined for the CSM CPU. It can be used to drop or accept packets, as well as allocate dedicated hardware queues for the traffic. The hardware queues are not user-configurable.

The no form of the command disables the CPM filter.

default-action
Syntax

default-action {accept | drop}

Context

config>system>security>cpm-filter

Description

This command specifies the action to be applied to packets when the packets do not match the specified criteria in all of the IP filter entries of the filter. If there are no filter entries defined, the packets received is either accepted or dropped based on that default action.

Default

accept

Parameters
accept

packets are accepted unless there is a specific filter entry that causes the packet to be dropped

drop

packets are dropped unless there is a specific filter entry that causes the packet to be accepted

ip-filter
Syntax

ip-filter

Context

config>system>security>cpm-filter

Description

This command enables the context to configure IPv4 CPM filter parameters.

ipv6-filter
Syntax

ipv6-filter

Context

config>system>security>cpm-filter

Description

This command enables the context to configure IPv6 CPM filter parameters.

entry
Syntax

entry entry-id [create]

no entry entry-id

Context

config>system>security>cpm-filter>ip-filter

config>system>security>cpm-filter>ipv6-filter

Description

This command specifies a particular CPM filter match entry. Every CPM filter must have at least one filter match entry. A filter entry with no match criteria set matches every packet, and the entry action is taken.

The create keyword must be used with every new entry configured. After the entry has been created, you can navigate to the entry context without using the create keyword.

All IPv4 filter entries can specify one or more matching criteria. There are no range-based restrictions on any IPv4 filter entries.

For IPv6 filters, the combined number of fields for all entries in a filter must not exceed 16 fields (or 256 bits), where a field contains the bit representation of the matching criteria.

Parameters
entry-id

identifies a CPM filter entry as configured on this system.

Values

1 to 64

action
Syntax

action {accept | drop}

no action

Context

config>system>security>cpm-filter>ip-filter>entry

config>system>security>cpm-filter>ipv6-filter>entry

Description

This command specifies the action to take for packets that match this filter entry.

Default

drop

Parameters
accept

packets matching the entry criteria are forwarded

drop

packets matching the entry criteria are dropped

log
Syntax

log log-id

no log

Context

config>system>security>cpm-filter>ip-filter>entry

config>system>security>cpm-filter>ipv6-filter>entry

Description

This command specifies the log in which packets matching this entry should be entered. The value 0 indicates that logging is disabled.

The no form of the command deletes the log ID.

Parameters
log-id

the log ID where packets matching this entry should be entered

Values

101 to 199

match
Syntax

match [protocol protocol-id]

no match

Context

config>system>security>cpm-filter>ip-filter>entry

Description

This command enables the context to enter match criteria for the IPv4 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

This command also optionally specifies the IP protocol to be used as an IP filter match criterion. See IP protocol IDs and descriptions .

The no form of the command removes the match criteria for the entry-id.

Parameters
protocol-id

protocol-number or protocol-name

protocol-number

the protocol number in decimal, hexadecimal, or binary, to be used as an IP filter match criterion

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

protocol-name

the protocol name to be used as an IP filter match criterion

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip, * - udp/tcp wildcard

match
Syntax

match [next-header next-header]

no match

Context

config>system>security>cpm-filter>ipv6-filter>entry

Description

This command enables the context to enter match criteria for the IPv6 filter entry. When the match criteria have been satisfied, the action associated with the match criteria is executed.

If more than one match criterion (within one match statement) is configured, all criteria must be satisfied (AND function) before the action associated with the match is executed.

A match context may consist of multiple match criteria, but multiple match statements cannot be entered per entry.

This command also optionally specifies the IPv6 next header (protocol number or protocol name) to be used as an IPv6 match criterion. See IP protocol IDs and descriptions .

The no form of the command removes the match criteria for the entry-id.

Parameters
next-header

protocol-number or protocol-name

protocol-number

the IPv6 next header to match, expressed as a protocol number in decimal, hexadecimal, or binary. This parameter is similar to the protocol parameter used in IPv4 filter match criteria.

Values

[1 to 42 | 45 to 49 | 52 to 59 | 61 to 255]D

[0x0 to 0x2A | 0x2D to 0x31 | 0x34 to 0x3B | 0x3D to 0xFF]H

[0b0 to 0b101010 | 0b101101 to 0b110001 | 0b110100 to 0b111011 | 0b111101 to 0b11111111]B

protocol-name

the IPv6 next header to match, expressed as a protocol name. This parameter is similar to the protocol parameter used in IPv4 filter match criteria.

Values

none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip, * - udp/tcp wildcard

dscp
Syntax

dscp dscp-name

no dscp

Context

config>system>security>cpm-filter>ip-filter>entry>match

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.

The no form of the command removes the DSCP match criterion.

Default

no dscp

Parameters
dscp-name

a DSCP name that has been previously mapped to a value using the dscp-name command. The DiffServ Code Point can only be specified by its name.

Values

be|cp1|cp2|cp3|cp4|cp5|cp6|cp7|cs1|cp9|af11|cp11|

af12|cp13|af13|cp15|cs2|cp17|af21|cp19|af22|cp21|

af23|cp23|cs3|cp25|af31|cp27|af32|cp29|af33|cp31|cs4|

cp33|af41|cp35|af42|cp37|af43|cp39|cs5|cp41|cp42|

cp43|cp44|cp45|ef|cp47|nc1|cp49|cp50|cp51|cp52|cp53|

cp54|cp55|nc2|cp57|cp58|cp59|cp60|cp61|cp62|cp63

dst-ip
Syntax

dst-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}

no dst-ip

Context

config>system>security>cpm-filter>ip-filter>entry>match

Description

This command configures a destination IPv4 address range or specifies an IPv4 prefix list configured under the match-list command to be used as an IP filter match criterion. See the 7705 SAR Router Configuration Guide for information about the match-list command.

To match on the destination IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 can also be used.

The no form of the command removes the destination IPv4 address or IPv4 prefix list match criterion.

Default

no dst-ip

Parameters
ip-address

the IP prefix for the IP match criterion in dotted-decimal notation

Values

0.0.0.0 to 255.255.255.255

mask

the subnet mask length expressed as a decimal integer

Values

1 to 32

ipv4-address-mask

the dotted-decimal equivalent of the mask length

Values

0.0.0.0 to 255.255.255.255

prefix-list-name

the name of the IPv4 prefix list configured with the match-list command

dst-ip
Syntax

dst-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}

no dst-ip

Context

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command configures a destination IPv6 address range or specifies an IPv6 prefix list configured under the match-list command to be used as an IP filter match criterion. See the 7705 SAR Router Configuration Guide for information about the match-list command.

To match on the destination IP address, specify the address and prefix length; for example, 11::12/128.

The no form of the command removes the destination IPv6 address or IPv6 prefix list match criterion.

Default

n/a

Parameters
ipv6-address/prefix-length

the IPv6 address on the interface

Values

ipv6-address:        x:x:x:x:x:x:x:x (eight 16-bit pieces)

                                 x:x:x:x:x:x:d.d.d.d

                                   x:   [0 to FFFF]H

                                   d:   [0 to 255]D

prefix-length:      1 to 128

ipv6-prefix-list-name

the name of the IPv6 prefix list configured with the match-list command

dst-port
Syntax

dst-port tcp/udp port-number [mask]

no dst-port

Context

config>system>security>cpm-filter>ip-filter>entry>match

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command specifies the TCP/UDP port to match the destination port of the packet.

The no form of the command removes the destination port match criterion.

The TCP or UDP protocol must be configured using the match command before this filter can be configured.

Parameters
tcp/udp port-number

the destination port number to be used as a match criterion

Values

[0 to 65535]D

[0x0 to 0xFF]H

[0b0 to 0b1111111111111111]B

mask

the 16-bit mask to be applied when matching the destination port

Values

[0 to 65535]D

[0x0000 to 0xFFFF]H

[0b0000000000000000 to 0b1111111111111111]B

fragment
Syntax

fragment {true | false}

no fragment

Context

config>system>security>cpm-filter>ip-filter>entry>match

Description

This command configures fragmented or non-fragmented IP packets as an IP filter match criterion.

The no form of the command removes the match criterion.

This command applies to IPv4 filters only.

Default

false

Parameters
true

configures a match on all fragmented IP packets. A match occurs for all packets that have either the MF (more fragment) bit set or have the Fragment Offset field of the IP header set to a non-zero value.

false

configures a match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.

icmp-code
Syntax

icmp-code icmp-code

no icmp-code

Context

config>system>security>cpm-filter>ip-filter>entry>match

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command configures matching on an ICMP code field in the ICMP header of an IP packet as an IP filter match criterion.

The ICMP protocol must be configured using the match command before this filter can be configured.

The no form of the command removes the criterion from the match entry.

Default

no icmp-code

Parameters
icmp-code

icmp-code-number or icmp-code-keyword

icmp-code-number

the ICMP code number in decimal, hexadecimal, or binary, to be used as a filter match criterion

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

icmp-code-keyword

the ICMP code keyword to be used as a filter match criterion

Values

For IPv4 filter: none, network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, dest-network-unknown, dest-host-unknown, src-host-isolated, network-unreachable-for-tos, host-unreachable-for-tos

For IPv6 filter: none, no-route-to-destination, comm-with-dest-admin-prohibited, beyond-scope-src-addr, address-unreachable, port-unreachable

icmp-type
Syntax

icmp-type icmp-type

no icmp-type

Context

config>system>security>cpm-filter>ip-filter>entry>match

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command configures matching on an ICMP type field in the ICMP header of an IP packet as an IP filter match criterion.

The ICMP protocol must be configured using the match command before this filter can be configured.

The no form of the command removes the criterion from the match entry.

Default

no icmp-type

Parameters
icmp-type

icmp-type-number or icmp-type-keyword

icmp-type-number

the ICMP type number in decimal, hexadecimal, or binary, to be used as a match criterion

Values

[0 to 255]D

[0x0 to 0xFF]H

[0b0 to 0b11111111]B

icmp-type-keyword

the ICMP type keyword to be used as a match criterion

Values

For IPv4 filter: none, echo-reply, dest-unreachable, source-quench, redirect, echo-request, router-advt, router-selection, time-exceeded, parameter-problem, timestamp-request, timestamp-reply, addr-mask-request, addr-mask-reply, photuris

For IPv6 filter: none, dest-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, multicast-listen-query, multicast-listen-report, multicast-listen-done, router-solicitation, router-advt, neighbor-solicitation, neighbor-advertisement, redirect-message, router-renumbering, icmp-node-info-query, icmp-node-info-resp, inv-nd-solicitation, inv-nd-adv-message, multicast-listener-report-v2, home-agent-ad-request, home-agent-ad-reply, mobile-prefix-solicitation, mobile-prefix-advt, cert-path-solicitation, cert-path-advt, multicast-router-advt, multicast-router-solicitation, multicast-router-termination, fmipv6, rpl-control, ilnpv6-locator-update, duplicate-addr-request, duplicate-addr-confirmation

ip-option
Syntax

ip-option ip-option-value [ip-option-mask]

no ip-option

Context

config>system>security>cpm-filter>ip-filter>entry>match

Description

This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion.

The option type octet contains 3 fields:

  • 1 bit copied flag (copy options in all fragments)

  • 2 bits option class

  • 5 bits option number

The no form of the command removes the match criterion.

This command applies to IPv4 filters only.

Default

no ip-option

Parameters
ip-option-value

the 8-bit option type (can be entered using decimal, hexadecimal, or binary formats). The mask is applied as an AND to the option byte and the result is compared with the option value.

The decimal value entered for the match should be a combined value of the 8-bit option type field and not just the option number. Therefore, to match on IP packets that contain the Router Alert option (option number = 20), enter the option type of 148 (10010100).

Values

0 to 255

ip-option-mask

specifies a range of option numbers to use as the match criteria

This 8-bit mask can be entered using decimal, hexadecimal, or binary formats as shown in the following table.

Table 9. IP option formats

Format style

Format syntax

Example

Decimal

DDD

20

Hexadecimal

0xHH

0x14

Binary

0bBBBBBBBB

0b0010100

Values

0 to 255

Default

255 (decimal) (exact match)

multiple-option
Syntax

multiple-option {true | false}

no multiple-option

Context

config>system>security>cpm-filter>ip-filter>entry>match

Description

This command configures matching packets that contain more than one option field in the IP header as an IP filter match criterion.

The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.

This command applies to IPv4 filters only.

Default

no multiple-option

Parameters
true

specifies matching on IP packets that contain more than one option field in the header

false

specifies matching on IP packets that do not contain multiple option fields in the header

option-present
Syntax

option-present {true | false}

no option-present

Context

config>system>security>cpm-filter>ip-filter>entry>match

Description

This command configures matching packets that contain the option field or have an option field of 0 in the IP header as an IP filter match criterion.

The no form of the command removes the checking of the option field in the IP header as a match criterion.

This command applies to IPv4 filters only.

Parameters
true

specifies matching on all IP packets that contain the option field in the header. A match occurs for all packets that have the option field present. An option field of 0 is considered as no option present.

false

specifies matching on IP packets that do not have any option field present in the IP header (an option field of 0)

src-ip
Syntax

src-ip {ip-address/mask | ip-address ipv4-address-mask | ip-prefix-list prefix-list-name}

no src-ip

Context

config>system>security>cpm-filter>ip-filter>entry>match

Description

This command specifies the IPv4 address or specifies an IPv4 prefix list configured under the match-list command to be used as a match criterion for an IP filter. See the 7705 SAR Router Configuration Guide for information about the match-list command.

To match on the source IPv4 address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 can also be used.

The no form of the command removes the source IPv4 address or IPv4 prefix list match criterion.

Default

no src-ip

Parameters
ip-address

the IP prefix for the IP match criterion in dotted-decimal notation

Values

0.0.0.0 to 255.255.255.255

mask

the subnet mask length expressed as a decimal integer

Values

1 to 32

ipv4-address-mask

the dotted-decimal equivalent of the mask length

Values

0.0.0.0 to 255.255.255.255

prefix-list-name

the name of the IPv4 prefix list configured with the match-list command

src-ip
Syntax

src-ip {ipv6-address/prefix-length | ipv6-prefix-list ipv6-prefix-list-name}

no src-ip

Context

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command configures a source IPv6 address range or specifies an IPv6 prefix list configured under the match-list command to be used as a match criterion for an IP filter. See the 7705 SAR Router Configuration Guide for information about the match-list command.

To match on the source IP address, specify the address and prefix length; for example, 11::12/128.

The no form of the command removes the source IP address match criterion.

Default

n/a

Parameters
ipv6-address/prefix-length

the IPv6 address on the interface

Values

ipv6-address:       x:x:x:x:x:x:x:x (eight 16-bit pieces)

                              x:x:x:x:x:x:d.d.d.d

                              x:   [0 to FFFF]H

                              d:   [0 to 255]D

                              prefix-length        1 to 128

ipv6-prefix-list-name

the name of the IPv6 prefix list configured with the match-list command

src-port
Syntax

src-port tcp/udp port-number [mask]

no src-port

Context

config>system>security>cpm-filter>ip-filter>entry>match

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command specifies the TCP/UDP port to match the source port of the packet.

Default

no src-port

Parameters
tcp/udp port-number

the source port number to be used as a match criterion

Values

[0 to 65535]D

[0x0 to 0xFF]H

[0b0 to 0b1111111111111111]B

mask

the 16-bit mask to be applied when matching the source port

Values

[0 to 65535]D

[0x0000 to 0xFFFF]H

[0b0000000000000000 to 0b1111111111111111]B

tcp-ack
Syntax

tcp-ack {true | false}

no tcp-ack

Context

config>system>security>cpm-filter>ip-filter>entry>match

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

The no form of the command removes the criterion from the match entry.

Default

no tcp-ack

Parameters
true

specifies matching on IP packets that have the ACK bit set in the control bits of the TCP header of an IP packet

false

specifies matching on IP packets that do not have the ACK bit set in the control bits of the TCP header of the IP packet

tcp-syn
Syntax

tcp-syn {true | false}

no tcp-syn

Context

config>system>security>cpm-filter>ip-filter>entry>match

config>system>security>cpm-filter>ipv6-filter>entry>match

Description

This command configures matching on the SYN bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.

The SYN bit is normally set when the source of the packet wants to initiate a TCP session with the specified destination IP address.

The no form of the command removes the criterion from the match entry.

Default

no tcp-syn

Parameters
true

specifies matching on IP packets that have the SYN bit set in the control bits of the TCP header

false

specifies matching on IP packets that do not have the SYN bit set in the control bits of the TCP header

renum
Syntax

renum old-entry-id new-entry-id

Context

config>system>security>cpm-filter>ip-filter

config>system>security>cpm-filter>ipv6-filter

Description

This command renumbers existing IP filter entries to resequence filter entries.

Resequencing may be required in some cases because the process is exited when the first match is found and the actions are executed according to the accompanying action command. This requires that entries be sequenced correctly from most to least explicit.

Parameters
old-entry-id

the entry number of an existing entry

Values

1 to 64

where: 1 to 29 are filter entries

30 to 64 are extended filter entries

new-entry-id

the new entry number to be assigned to the old entry

Values

1 to 64

where: 1 to 29 are filter entries

30 to 64 are extended filter entries

Global password commands
enable-admin
Syntax

enable-admin

Context

<global>

Description
Note: See the description for the admin-password command. If the admin-password is configured in the config>system>security>password context, any user can enter the special administrative mode by entering the enable-admin command.

The enable-admin command is in the default profile. By default, all users have access to this command.

After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user receives unrestricted access to all the commands.

There are two ways to verify that a user is in enable-admin mode:

  • enter the show users command – the administrator can see which users are in enable-admin mode, indicated by the "A" on the same line as that username

  • enter the enable-admin command again at the root prompt and an error message is returned

The # sign indicates the current session.

A:7705:Dut-C# show users
===============================================================================
Username                                           Type
    From
    Router instance
    Connection ID                                  Login time
        Session ID             SSH Channel ID          Idle time
===============================================================================
                                                   Console
    --
    --
    6                                                    --
        6                      --                      0d 00:03:20  --
-------------------------------------------------------------------------------
admin                                              Telnet
    192.168.192.37
    management
    8                                              03OCT2023 14:06:52
        8                      --                      0d 00:01:04  --
-------------------------------------------------------------------------------
bla                                                Telnet
    192.168.192.37
    management
    9                                              03OCT2023 14:08:42
        9                      --                      0d 00:00:09  A-
-------------------------------------------------------------------------------
admin                                              SSHv2
    192.168.192.37
    management
    7                                              03OCT2023 14:06:24
       #7                      0                       0d 00:00:00  --
-------------------------------------------------------------------------------
Number of users: 3
Number of sessions: 3
'#' indicates the current active session
'A' indicates user is in admin mode
===============================================================================
*A:7705:Dut-C#
Password commands
password
Syntax

password

Context

config>system>security

Description

This command enables the context to configure password management parameters.

admin-password
Syntax

admin-password password [hash | hash2]

no admin-password

Context

config>system>security>password

Description

This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.

Note: See the description for the enable-admin command. If the admin-password is configured in the config>system>security>password context, then any user can enter the admin mode by entering the enable-admin command and the correct admin password.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the complexity command.

Note: The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets. Usernames and passwords in the FTP and TFTP URLs are not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.

For example:

file copy ftp://test:secret@192.0.2.0/test/srcfile cf3:\destfile

In this example, the username ‟test” and password ‟secret” are not sent to the AAA servers (or to any logs). They are replaced with ‟****”.

Note: See the description for the system-password command. Any user that either has administrative privileges or has entered enable-admin mode can run the admin>system>security>system-password admin-password command to change this admin-password as required.

The no form of the command removes the admin password from the configuration.

Default

no admin-password

Parameters
password

configures the password that enables a user to become a system administrator. The maximum length is as follows:

  • 56 characters if in unhashed plaintext

    The unhashed plaintext form must meet all the requirements that are defined within the complexity-rules command context.

  • 60 characters if hashed with bcrypt

  • from 87 to 92 characters if hashed with PBKDF2 SHA-2

  • from 131 to 136 characters if hashed with PBKDF2 SHA-3

  • 32 characters if the hash keyword is specified

  • 54 characters if the hash2 keyword is specified

hash

specifies that the key is entered and stored on the node in encrypted form

hash2

specifies that the key is entered and stored on the node in a more complex encrypted form

Note: If neither the hash nor hash2 keyword is specified, the key is entered in clear text. However, for security purposes, the key is stored on the node using bcrypt or PBKDF2 hash encryption.
aging
Syntax

aging days

no aging

Context

config>system>security>password

Description

This command configures the number of days a user password is valid before the user must change their password.

The no form of the command reverts to the default value.

Default

no aging is enforced

Parameters
days

the maximum number of days the password is valid

Values

1 to 500

attempts
Syntax

attempts count [time minutes1] [lockout minutes2]

no attempts

Context

config>system>security>password

Description

This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.

If the threshold is exceeded, the user is locked out for a specified time period.

If multiple attempts commands are entered, each command overwrites the previously entered command.

The no attempts command resets all values to the default.

Default

count: 3 minutes1: 5 minutes2: 10

Parameters
count

the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.

Values

1 to 64

minutes1

the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out

Values

0 to 60

minutes2

the lockout period, in minutes, where the user is not allowed to log in

Values

0 to 1440

When the user exceeds the attempted count times in the specified time, then that user is locked out from any further login attempts for the configured time period.

authentication-order
Syntax

authentication-order [method-1] [method-2] [method-3] [exit-on-reject]

no authentication-order

Context

config>system>security>password

Description

This command configures the sequence in which password authentication and authorization is attempted among RADIUS, TACACS+, and local servers.

The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.

If all (operational) methods are attempted and no authentication for a particular login has been granted, then an entry in the security log registers the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.

The no form of the command reverts to the default authentication sequence.

Default

authentication-order radius tacplus local

Parameters
method-1

the first password authentication method to attempt

Values

radius, tacplus, local

Default

radius

method-2

the second password authentication method to attempt

Values

radius, tacplus, local

Default

tacplus

method-3

the third password authentication method to attempt

Values

radius, tacplus, local

Default

local

radius

RADIUS authentication

tacplus

TACACS+ authentication

local

password authentication based on the local password database

exit-on-reject

when enabled, and if one of the AAA methods configured in the authentication order sends a reject, then the next method in the order are not tried. If the exit-on-reject keyword is not specified and one AAA method sends a reject, the next AAA method is attempted. If in this process all the AAA methods are exhausted, it is considered a reject.

A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting only use the method that provided an affirmation authentication; only if that method is no longer readable or is removed from the configuration other configured methods are attempted. If the local keyword is the first authentication and:

  • exit-on-reject is configured and the user does not exist, the user is not authenticated

  • the user is authenticated locally, then other methods, if configured, is used for authorization and accounting

  • the user is configured locally but without console access, login is denied

complexity-rules
Syntax

complexity-rules

Context

config>system>security>password

Description

This command enables the context to configure security password complexity rules.

allow-user-name
Syntax

[no] allow-user-name

Context

config>system>security>password>complexity-rules

Description

This command allows a login name to be included as part of the password.

The no form of this command prevents a login name from being included as part of the password.

credits
Syntax

credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]

no credits

Context

config>system>security>password>complexity-rules

Description

This command configures a credit value for each of the different character classes in a local password. When a password is created, credits are assigned for each character in a character class, up to the assigned credits limit. The credits each count as one additional character toward the minimum length of the password. This allows a trade-off between a very long, simple password and a short, complex one.

For example, if the password minimum length is seven and lowercase credits is set to 3, a password with four lowercase letters, such as ‟srty”, is accepted. The first three lowercase letters are each given a credit worth one extra character. Combined with the four characters in the password, the total reaches the minimum length. If lowercase credits is set to 2 instead of 3, only the first two lowercase letters are given credit. In this case, the ‟srty” password is worth only six characters (four characters plus two extra characters from credits) and would fail to reach the seven character minimum length.

The no form of this command removes all credit values.

Default

no credits

Parameters
credits

the number of credits allowed for each character class

Values

0 to 10

disallow-sequence-keys
Syntax

disallow-sequence-keys value

no disallow-sequence-keys

Context

config>system>security>password>complexity-rules

Description

This command configures the number of consecutive characters that are not allowed to be entered as part of the password on a U.S. English or Korean keyboard. These characters can be lowercase or uppercase letters, or numbers. Special characters are not taken into account. These consecutive characters can be horizontal (left to right or right to left), diagonal (top to bottom or bottom to top), or wrapped (for example, "dsalkj" is a sequence of 6 characters). If the number of consecutive characters is equal to or larger than the configured value, the password is disallowed.

For example, if the user attempts to use the password "dsalkjhgfdsa" with this command configured to 8 (meaning any sequence of 8 or more characters fails), the system rejects the password because the substring “lkjhgfdsa” is a sequence of 9 letters and therefore does not pass the check. If the user attempts to use the password “9lkjhgfd5c”, the system accepts the password because the substring “lkjhgfd” is a sequence of 7 characters, which passes the check.

The no form of this command removes the restriction on the number of characters.

Default

no disallow-sequence-keys

Parameters
value
specifies the number of disallowed sequential characters in the password
Values
2 to 8
minimum-classes
Syntax

minimum-classes minimum

no minimum-classes

Context

config>system>security>password>complexity-rules

Description

This command enforces a minimum number of different character classes to be used in the password. The possible character classes are lowercase letters, uppercase letters, numbers, and special characters.

The no form of this command removes the minimum character class requirement.

Default

no minimum-classes

Parameters
minimum

the minimum number of character classes required in a password

Values

2 to 4

minimum-length
Syntax

minimum-length value

no minimum-length

Context

config>system>security>password>complexity-rules

Description

This command configures the minimum number of characters required for passwords.

If multiple minimum-length commands are entered, each command overwrites the previously entered command.

The no form of the command reverts to the default value.

Default

6

Parameters
value

the minimum number of characters required for a password

Values

6 to 50

repeated-characters
Syntax

repeated-characters count

no repeated-characters

Context

config>system>security>password>complexity-rules

Description

This command configures the maximum number of times a character can be repeated consecutively in a password.

The no form of the command resets to the default value, which removes the restriction on repeated characters in passwords.

Default

no repeated-characters

Parameters
count

the maximum number of consecutive repeated characters allowed in the password

Values

1 to 8

required
Syntax

required [lowercase count] [uppercase count] [numeric count] [special-character count]

no required

Context

config>system>security>password>complexity-rules

Description

This command configures the minimum number of characters from each character class that are required for a password to be valid.

The no form of the command removes the minimum required characters from each character class.

Default

no required

Parameters
count

the minimum number of characters required from the character class

Values

0 to 10

hashing
Syntax

hashing {bcrypt | sha2-pbkdf2 | sha3-pbkdf2}

Context

config>system>security>password

Description

This command configures the password hashing algorithm.

Default

bcrypt

Parameters
bcrypt

sets the password hashing algorithm to bcrypt

sha2-pbkdf2

sets the password hashing algorithm to PBKDF2 with SHA-2 hashing

sha3-pbkdf2

sets the password hashing algorithm to PBKDF2 with SHA-3 hashing

health-check
Syntax

[no] health-check [interval interval]

Context

config>system>security>password

Description

This command specifies that RADIUS and TACACS+ servers are monitored for 3 s each during every polling interval. Servers that are not configured have 3 s of idle time. If a server is found to be unreachable, or a previously unreachable server starts responding, depending on the type of server, a trap is sent.

The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server is up if the last access was successful.

Default

30

Parameters
interval

the polling interval for RADIUS and TACACS+ servers, in seconds

Values

6 to 1500

history-size
Syntax

history-size size

no history-size

Context

config>system>security>password

Description

This command configures the number of previous passwords to save in the system. A new password is matched against every old password and is rejected if it is identical to a password in the history.

The no form of the command prevents password history matching.

Default

no history-size

Parameters
size

specifies how many previous passwords are stored in the history

Values

1 to 20

minimum-age
Syntax

minimum-age [days days] [hrs hours] [min minutes] [sec seconds]

no minimum-age

Context

config>system>security>password

Description

This command configures the minimum required age of a password before it can be changed again.

The no form of this command removes the minimum password age requirement.

Default

no minimum-age

Parameters
days

the minimum number of days before a password can be changed again

Values

0 to 1

hours

the minimum number of hours before a password can be changed again

Values

0 to 23

minutes

the minimum number of minutes before a password can be changed again

Values

0 to 59

seconds

the minimum number of seconds before a password can be changed again

Values

0 to 59

minimum-change
Syntax

minimum-change length

no minimum-change

Context

config>system>security>password

Description

This command configures the minimum number of characters in a new password that must be unique from the previous password.

The no form of the command removes the unique character requirement.

Default

no minimum-change

Parameters
length

the minimum number of characters in a new password that must be unique from a previous password

Values

1 to 20

Profile management commands
profile
Syntax

[no] profile user-profile-name

Context

config>system>security

Description

This command creates a context to create user profiles for CLI command tree permissions.

Profiles are used to either deny or allow user console access to a hierarchical branch or to specific commands.

After the profiles are created, the user command assigns users to one or more profiles. You can define up to 16 user profiles, but a maximum of 8 profiles can be assigned to a user.

The no form of the command deletes a user profile.

Default

user-profile default

Parameters
user-profile-name

the user profile name entered as a character string. The string is case-sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

default-action
Syntax

default-action {deny-all | permit-all | none}

Context

config>system>security>profile

Description

This command specifies the default action to be applied when no match conditions are met.

Default

none

Parameters
deny-all

sets the default of the profile to deny access to all commands

permit-all

sets the default of the profile to allow access to all commands

Note: The permit-all parameter does not change access to security commands. Security commands are only and always available to members of the admin-user profile.
none

sets the default of the profile to no-action. This option is useful to assign multiple profiles to a user.

For example, if a user is a member of two profiles and the default action of the first profile is permit-all, then the second profile will never be evaluated because permit-all is executed first. If the first profile default action is set to none and if no match conditions are met in the first profile, then the second profile will be evaluated. If the default action of the last profile is none and no explicit match is found, then the default-action deny-all takes effect.

entry
Syntax

[no] entry entry-id

Context

config>system>security>profile

Description

This command is used to create a user profile entry.

More than one entry can be created with unique entry-id numbers. The 7705 SAR exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.

The no form of the command removes the specified entry from the user profile.

Default

no entry IDs are defined

Parameters
entry-id

an entry ID uniquely identifies a user profile command match criteria and a corresponding action. If more than one entry is configured, the entry-ids should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entries.

Values

1 to 9999

action
Syntax

action {deny | permit}

Context

config>system>security>profile>entry

Description

This command configures the action associated with the profile entry.

Parameters
deny

specifies that commands matching the entry command match criteria will be denied

permit

specifies that commands matching the entry command match criteria will be permitted

match
Syntax

match command-string

no match

Context

config>system>security>profile>entry

Description

This command configures a command or command subtree.

Because the 7705 SAR exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated prior to this profile.

All commands below the hierarchy level of the matched command are denied.

The no form of this command removes a match condition.

Default

no match command string is specified

Parameters
command-string

the CLI command or CLI tree level that is the scope of the profile entry

renum
Syntax

renum old-entry-number new-entry-number

Context

config>system>security>profile

Description

This command renumbers profile entries to resequence the entries.

Because the 7705 SAR exits when the first match is found and executes the actions according to the accompanying action command, renumbering is useful to rearrange the entries from most explicit to least explicit.

Parameters
old-entry-number

the entry number of an existing entry

Values

1 to 9999

new-entry-number

the new entry number

Values

1 to 9999

User management commands
user
Syntax

[no] user user-name

Context

config>system>security

Description

This command creates a local user and a context to edit the user configuration.

If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.

When a new user is created and the info command is entered, the system displays a password with hash2 encryption in the output screen. However, when using that username, there is no password required. The user can log in to the system by entering their username and then pressing ↵ at the password prompt.

Unless an administrator explicitly changes the password, it is null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value changes.

The no form of the command deletes the user and all configuration data. Users cannot delete themselves.

Default

n/a

Parameters
user-name

the name of the user, up to 32 characters

user-template
Syntax

user-template {tacplus_default | radius_default}

Context

config>system>security

Description

This command configures default security user template parameters.

Parameters
tacplus_default

specifies that the TACACS+ default template is used for the configuration

radius_default

specifies that the RADIUS default template is used for the configuration

access
Syntax

[no] access [ftp] [snmp] [console] [scp-sftp] [console-port-cli] [ssh-cli] [telnet-cli]

[no] access [ftp] [console] [scp-sftp] [console-port-cli] [ssh-cli] [telnet-cli]

Context

config>system>security>user

config>system>security>user-template

Description

This command specifies user permissions for one or more methods of management access.

If a user requires access to more than one method, multiple methods can be specified in a single command. Multiple commands are treated sequentially.

The no form of the command removes access for a specific method.

The no access command denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied; for example, no access ftp denies FTP access.

Default

no access

Parameters
ftp

specifies FTP access permission

snmp

specifies SNMP access permission. This keyword is only configurable in the config>system>security>user context.

console

specifies SCP/SFTP, Telnet, SSH, and console port CLI access permissions

scp-sftp

specifies SCP/SFTP access permissions

console-port-cli

specifies console port CLI access permission

ssh-cli

specifies SSH CLI access permission

telnet-cli

specifies Telnet CLI access permission

console
Syntax

console

Context

config>system>security>user

config>system>security>user-template

Description

This command enables the context to configure user profile membership for the console.

cannot-change-password
Syntax

[no] cannot-change-password

Context

config>system>security>user>console

Description

This command allows a user to change their password for both FTP and console login.

To disable a user’s privilege to change their password, use the cannot-change-password form of the command.

The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.

Default

no cannot-change-password

local-lockout
Syntax

[no] local-lockout

Context

config>system>security>user>console

Description

This command prevents console or local serial access if a user is locked out remotely.

The no version of this command allows locked-out users to log in only for console or local serial access.

Default

local-lockout

login-exec
Syntax

[no] login-exec url-prefix:source-url

Context

config>system>security>user>console

config>system>security>user-template>console

Description

This command configures a user’s login exec file, which executes whenever the user successfully logs in to a console session.

Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.

The no form of the command disables the login exec file for the user.

Default

no login exec file is defined

Parameters
url-prefix: source-url

enter either a local or remote URL, up to 200 characters in length, that identifies the exec file that is executed after the user successfully logs in

member
Syntax

member user-profile-name [user-profile-name]

no member user-profile-name

Context

config>system>security>user>console

Description

This command allows the user access to a profile.

A user can participate in up to eight profiles.

The no form of this command deletes access user access to a profile.

Default

default

Parameters
user-profile-name

the user profile name

new-password-at-login
Syntax

[no] new-password-at-login

Context

config>system>security>user>console

Description

This command forces the user to change passwords at the next console or FTP login.

If the user is limited to FTP access, the administrator must create the new password.

The no form of the command does not force the user to change passwords.

Default

no new-password-at-login

home-directory
Syntax

home-directory url-prefix [directory] [directory/directory]

no home-directory

Context

config>system>security>user

config>system>security>user-template

Description

This command configures the local home directory for the user for file access. Files on the 7705 SAR can be accessed locally using the CLI file commands and output modifiers, such as > (file redirect), or remotely via FTP or SCP.

If the URL or the specified URL/directory structure is not present, a warning message is issued and the default is assumed.

The no form of the command removes the configured home directory.

Default

no home-directory

Note: If restricted-to-home has been configured, no file access is granted and no home directory is created; if restricted-to-home is not applied, root becomes the user’s home directory.
Parameters
url-prefix [directory] [directory/directory…]

the user’s local home directory URL prefix and directory structure, up to 190 characters in length

password
Syntax

password [password]

Context

config>system>security>user

Description

This command configures the user password for console and FTP access.

Passwords must be enclosed in double quotes (‟ ”) at the time of password creation if they contain any special characters (such as #, $, or spaces). The double quote character (‟) is not accepted inside a password. It is interpreted as the start or stop delimiter of a string.

The question mark character (?) cannot be directly inserted as input during a Telnet connection because the character is bound to the help command during a normal Telnet/console connection. To insert # or ? characters, they must be entered inside a notepad or clipboard program and then cut and pasted into the Telnet session in the password field that is encased in double quotes as delimiters for the password.

If a password is entered without any parameters, a password length of zero is implied (return key).

The password is stored in an encrypted format in the configuration file when specified.

Parameters
password

the password that must be entered by this user during the login procedure. The minimum length of the password is determined by the minimum-length command. The maximum length is as follows:

  • 56 characters if in unhashed plaintext

    The unhashed plaintext form must meet all the requirements that are defined within the complexity-rules command context.

  • 60 characters if hashed with bcrypt

  • from 87 to 92 characters if hashed with PBKDF2 SHA-2

  • from 131 to 136 characters if hashed with PBKDF2 SHA-3

profile
Syntax

profile user-profile-name

no profile

Context

config>system>security>user-template

Description

This command specifies the user profile to associate with the user template. The profile must already be configured with the profile command under the config>system>security context.

The no form of this command removes the profile.

Default

profile "default"

Parameters
user-profile-name

an existing user profile name

public-keys
Syntax

public-keys

Context

config>system>security>user

Description

This command enables the context to configure public keys for SSH.

ecdsa
Syntax

ecdsa

Context

config>system>security>user>public-keys

Description

This command enables the context to configure ECDSA public keys.

ecdsa-key
Syntax

ecdsa-key key-id [create]

no ecdsa-key key-id

Context

config>system>security>user>public-keys>ecdsa

Description

This command creates an ECDSA public key and associates it with the specified user. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.

Default

n/a

Parameters
key-id

the key identifier

Values

1 to 32

create

keyword required when first creating the ECDSA key. When the key is created, you can navigate into the context without the create keyword.

key-value
Syntax

key-value public-key-value

no key-value

Context

config>system>security>user>public-keys>ecdsa>ecdsa-key

config>system>security>user>public-keys>rsa>rsa-key

Description

This command configures a value for the ECDSA or RSA public key. The public key must be enclosed in quotation marks. For ECDSA, the key is between 1 and 1024 bits. For RSA, the key is between 768 and 4096 bits.

Default

no key-value

Parameters
public-key-value

the value for the ECDSA or RSA key

Values

255 characters max (ECDSA)

800 characters max (RSA)

rsa
Syntax

rsa

Context

config>system>security>user>public-keys

Description

This command enables the context to configure RSA public keys.

rsa-key
Syntax

rsa-key key-id [create]

no rsa-key key-id

Context

config>system>security>user>public-keys>rsa

Description

This command creates an RSA public key and associates it with the specified user. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.

Parameters
key-id

the key identifier

Values

1 to 32

create

keyword required when first creating the RSA key. When the key is created, you can navigate into the context without the create keyword.

restricted-to-home
Syntax

[no] restricted-to-home

Context

config>system>security>user

config>system>security>user-template

Description

This command prevents users from navigating above their home directories for file access. A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.

If a home directory is not configured or the home directory is not available, the user has no file access.

The no form of the command allows the user access to navigate to directories above their home directory.

Default

restricted-to-home

Note: This default applies to non-administrative users. For administrative users (user "admin"), the default is no restricted-to-home.
save-when-restricted
Syntax

[no] save-when-restricted

Context

config>system>security>user

config>system>security>user-template

Description

This command specifies whether the system allows all configuration save operations (for example, admin save) via the CLI even if restricted-to-home is enabled.

The home directory does not need to be configured.

The no form of the command prevents the user from performing any configuration save operations outside of their home directory when restricted-to-home is enabled.

Default

save-when-restricted

snmp
Syntax

snmp

Context

config>system>security>user

Description

This command enables the context to configure SNMP group membership for a specific user and defines encryption and authentication parameters.

All SNMPv3 users must be configured with the commands available in this CLI context.

The 7705 SAR always uses the configured SNMPv3 username as the security username.

authentication
Syntax

authentication none

authentication authentication-protocol authentication-key [privacy none] [hash | hash2]

authentication authentication-protocol authentication-key privacy privacy-protocol privacy-key [hash | hash2]

no authentication

Context

config>system>security>user>snmp

Description

This command configures the SNMPv3 authentication and privacy protocols for the user to communicate with the router. The keys are stored in an encrypted format in the configuration.

The keys configured with these commands must be localized keys, which are a hash of the SNMP engine ID and a password. The password is not entered directly in this command. Use the generate-key command under the tools>perform>system>management-interface >snmp context to generate localized authentication and privacy keys. See the 7705 SAR OAM and Diagnostics Guide, ‟Tools perform commands” for information about this command.

If authentication none is configured, only the username is required to allow and authenticate SNMPv3 operations.

The no form of the command prevents the username used to configure the command from getting recognized by SNMP, and the same user cannot be used for any SNMP operations.

Default

authentication none – no authentication protocol is configured and privacy cannot be configured

Parameters
none

specifies that no authentication protocol is used

authentication-protocol authentication-key

specifies the SNMPv3 authentication protocol and localized authentication key

Values

hmac-md5-96 – specifies use of the HMAC-MD5-96 authentication protocol; the key must be entered as a 32-character hexadecimal string

hmac-sha1-96 – specifies use of the HMAC-SHA1-96 authentication protocol; the key must be entered as a 40-character hexadecimal string

hmac-sha2-224 – specifies use of the HMAC-SHA2-224 authentication protocol; the key must be entered as a 56-character hexadecimal string

hmac-sha2-256 – specifies use of the HMAC-SHA2-256 authentication protocol; the key must be entered as a 64-character hexadecimal string

hmac-sha2-384 – specifies use of the HMAC-SHA2-384 authentication protocol; the key must be entered as a 96-character hexadecimal string

hmac-sha2-512 – specifies use of the HMAC-SHA2-512 authentication protocol; the key must be entered as a 128-character hexadecimal string

privacy-protocol privacy-key

specifies the SNMPv3 privacy protocol and localized privacy key

Values

cbc-des – specifies use of the CBC-DES privacy protocol; the key must be entered as a 32-character hexadecimal string. This parameter is not available in FIPS-140-2 mode.

cfb128-aes-128 – specifies use of the CFB128-AES-128 privacy protocol; the key must be entered as a 32-character hexadecimal string

cfb128-aes-192 – specifies use of the CFB128-AES-192 privacy protocol; the key must be entered as a 48-character hexadecimal string

cfb128-aes-256 – specifies use of the CFB128-AES-256 privacy protocol; the key must be entered as a 64-character hexadecimal string

privacy none

specifies that a privacy protocol is not used in the communication

Default

privacy none

hash

specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

group
Syntax

group group-name

no group

Context

config>system>security>user>snmp

Description

This command associates (or links) a user to a group name. The access command links the group with one or more views, security models, security levels, and read, write, and notify permissions.

Default

no group name is associated with a user

Parameters
group-name

enter the group name (between 1 and 32 alphanumeric characters) that is associated with this user. A user can be associated with one group name per security model.

CLI script authorization commands
cli-script
Syntax

cli-script

Context

config>system>security

Description

This command enables the context to configure CLI script security.

authorization
Syntax

authorization

Context

config>system>security>cli-script

Description

This command enables the context to authorize CLI script execution for CRON and Event Handling System (EHS) scripts.

cron
Syntax

cron

Context

config>system>security>cli-script>authorization

Description

This command enables the context to configure authorization for the CRON scheduler.

cli-user
Syntax

cli-user user-name

no cli-user

Context

config>system>security>cli-script>authorization>cron

config>system>security>cli-script>authorization>event-handler

Description

This command defines the user context under which CRON and EHS CLI scripts must execute in order to authorize the script commands. The user must be a local user; TACACS+ and RADIUS users and authorization are not permitted for cli-script authorization.

Two unique users can be defined: one to authorize CLI commands for CRON scripts and one to authorize CLI commands for EHS scripts.

The no form of this command configures scripts to execute with no restrictions and without performing authorization.

Default

no cli-user

Parameters
user-name

the name of a user in the local node database. TACACS+ or RADIUS users cannot be used. The user configuration must reference a valid local profile for authorization.

event-handler
Syntax

event-handler

Context

config>system>security>cli-script>authorization

Description

This command enables the context to configure authorization for EHS. EHS is a tool that enables operator-defined behavior to be configured on the 7705 SAR. The operator can define a CLI script that the router executes in response to a log event.

RADIUS client commands
radius
Syntax

[no] radius

Context

config>system>security

Description

This command enables the context to configure RADIUS authentication on the 7705 SAR.

For redundancy, multiple server addresses can be configured for each 7705 SAR.

The no form of the command removes the RADIUS configuration.

access-algorithm
Syntax

access-algorithm {direct | round-robin}

[no] access-algorithm

Context

config>system>security>radius

Description

This command configures the algorithm used to access the set of RADIUS servers. Up to five servers can be configured.

In direct mode, the first server, as defined by the server command, is the primary server. This server is always used first when authenticating a request. In round-robin mode, the server used to authenticate a request is the next server in the list, following the last authentication request. For example, if server 1 is used to authenticate the first request, server 2 is used to authenticate the second request, and so on.

Default

direct

Parameters
direct

first server is always used to authenticate a request

round-robin

server used to authenticate a request is the next server in the list, following the last authentication request

accounting
Syntax

[no] accounting

Context

config>system>security>radius

Description

This command enables RADIUS accounting. The no form of this command disables RADIUS accounting.

Default

no accounting

accounting-port
Syntax

accounting-port port

no accounting-port

Context

config>system>security>radius

Description

This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.

Parameters
port

specifies the UDP port number

Values

1 to 65535

Default

1813

authorization
Syntax

[no] authorization

Context

config>system>security>radius

Description

This command configures RADIUS authorization parameters for the system.

The no form of this command disables RADIUS authorization for the system.

Default

no authorization

port
Syntax

port port

no port

Context

config>system>security>radius

Description

This command configures the TCP port number to contact the RADIUS server.

The no form of the command reverts to the default value.

Default

1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))

Parameters
port

the TCP port number to contact the RADIUS server

Values

1 to 65535

retry
Syntax

retry count

no retry

Context

config>system>security>radius

Description

This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.

The no form of the command reverts to the default value.

Default

3

Parameters
count

the retry count

Values

1 to 10

server
Syntax

server server-index address ip-address secret key [hash | hash2]

no server server-index

Context

config>system>security>radius

Description

This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.

Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher-indexed server is only queried if no response is received from a lower-indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.

The no form of the command removes the server from the configuration.

Default

no RADIUS servers are configured

Parameters
index

the index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.

Values

1 to 5

ip-address

the IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address:       a.b.c.d (host bits must be 0)

ipv6-address:        x:x:x:x:x:x:x:x (eight 16-bit pieces)

                                 x:x:x:x:x:x:d.d.d.d

                                   x:   [0 to FFFF]H

                                   d:   [0 to 255]D

key

the secret key to access the RADIUS server. This secret key must match the password on the RADIUS server.

Values

up to 20 characters in length

hash

specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security>radius

Description

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of the command reverts to the default value.

Default

3

Parameters
seconds

the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer

Values

1 to 90

use-default-template
Syntax

[no] use-default-template

Context

config>system>security>radius

Description

This command specifies whether the user template defined by this entry is to be actively applied to the RADIUS user.

Default

no use-default-template

TACACS+ client commands
tacplus
Syntax

[no] tacplus

Context

config>system>security

Description

This command enables the context to configure TACACS+ authentication on the 7705 SAR.

For redundancy, multiple server addresses can be configured for each 7705 SAR.

The no form of the command removes the TACACS+ configuration.

accounting
Syntax

accounting [record-type {start-stop | stop-only}]

no accounting

Context

config>system>security>tacplus

Description

This command enables TACACS+ accounting and configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets will be sent or just stop packets will be sent.

Default

record-type stop-only

Parameters
record-type start-stop

specifies that a TACACS+ start packet is sent whenever the user executes a command and a stop packet is sent when the command is complete

record-type stop-only

specifies that a stop packet is sent when the command execution is complete

authorization
Syntax

[no] authorization

Context

config>system>security>tacplus

Description

This command configures TACACS+ authorization parameters for the system.

Default

no authorization

server
Syntax

server index address ip-address secret key [hash | hash2] [port port]

no server index

Context

config>system>security>tacplus

Description

This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.

Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from the lowest index to the highest index for authentication requests.

The no form of the command removes the server from the configuration.

Default

no TACACS+ servers are configured

Parameters
index

the index for the TACACS+ server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from the lowest index to the highest index.

Values

1 to 5

ip-address

the IP address of the TACACS+ server. Two TACACS+ servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address:       a.b.c.d (host bits must be 0)

ipv6-address:        x:x:x:x:x:x:x:x (eight 16-bit pieces)

                                 x:x:x:x:x:x:d.d.d.d

                                   x:   [0 to FFFF]H

                                   d:   [0 to 255]D

key

the secret key to access the RADIUS server. This secret key must match the password on the TACACS+ server.

Values

up to 128 characters in length

hash

specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

port

the port ID

Values

0 to 65535

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security>tacplus

Description

This command configures the number of seconds the router waits for a response from a TACACS+ server.

The no form of the command reverts to the default value.

Default

3

Parameters
seconds

the number of seconds the router waits for a response from a TACACS+ server, expressed as a decimal integer

Values

1 to 90

use-default-template
Syntax

[no] use-default-template

Context

config>system>security>tacplus

Description

This command specifies whether the user template defined by this entry is to be actively applied to the TACACS+ user.

802.1x commands
dot1x
Syntax

[no] dot1x

Context

config>system>security

Description

This command enables the context to configure 802.1x network access control on the 7705 SAR.

The no form of the command removes the 802.1x configuration.

radius-plcy
Syntax

[no] radius-plcy name [create]

Context

config>system>security>dot1x

Description

This command enables the context to configure RADIUS server parameters for 802.1x network access control on the 7705 SAR.

The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the 7705 SAR. This configuration differs from the RADIUS server configured under the config>system>security>radius context that authenticates CLI login users who get access to the management plane of the 7705 SAR.

The no form of the command removes the RADIUS server configuration for 802.1x.

Parameters
name

the RADIUS policy name, up to 32 characters

create

keyword required when first creating the configuration context. When the context is created, you can navigate into the context without the create keyword.

retry
Syntax

retry count

no retry

Context

config>system>security>dot1x

Description

This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.

The no form of the command reverts to the default value.

Default

3

Parameters
count

the retry count

Values

1 to 10

server
Syntax

server server-index address ip-address secret key [hash | hash2] [auth-port auth-port]

[acct-port acct-port] [type server-type]

no server server-index

Context

config>system>security>dot1x>radius-plcy

Description

This command adds an 802.1x server and configures the IP address, index, and key values.

Up to five 802.1x servers can be configured at any one time. These servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher- indexed server is only queried if no response is received from a lower-indexed server (which implies that the server is not available). If a response from a server is received, no other 802.1x servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.

The no form of the command removes the server from the configuration.

Default

n/a

Parameters
server-index

the index for the 802.1x server

Values

1 to 5

ip-address

the IP address of the 802.1x server. Each 802.1x server must have a unique IP address. An error message is generated if the server address is a duplicate.

Values

a.b.c.d

key

the secret key to access the 802.1x server. This secret key must match the password on the 802.1x server.

Values

up to 20 alphanumeric characters

hash

specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone. This means that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

auth-port

the UDP port number used to contact the RADIUS server for authentication

Values

1 to 65535

acct-port

the UDP port number used to contact the RADIUS server for accounting requests

Values

1 to 65535

server-type

the server type

Values

authorization, accounting, or combined

source-address
Syntax

source-address ip-address

no source-address

Context

config>system>security>dot1x>radius-plcy

Description

This command configures the NAS IP address to be sent in the RADIUS packet.

The no form of the command reverts to the default value.

Default

system IP address

Parameters
ip-address

the source address of the RADIUS packet in dotted-decimal notation

Values

0.0.0.0 to 255.255.255.255

shutdown
Syntax

[no] shutdown

Context

config>system>security>dot1x

config>system>security>dot1x>radius-plcy

Description

This command administratively disables the 802.1x protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within.

The no form of the command administratively enables the protocol.

Default

shutdown

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security>dot1x>radius-plcy

Description

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of the command reverts to the default value.

Default

5

Parameters
seconds

the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer

Values

1 to 90

SSH commands
ssh
Syntax

ssh

Context

config>system>security

Description

This command enables the context to configure the SSH server parameters on the system.

Quitting SSH while in the process of authentication is accomplished by either executing a ctrl-c or ‟~.” (tilde and dot), assuming the ‟~” is the default escape character for the SSH session.

Default

n/a

client-cipher-list
Syntax

client-cipher-list

Context

config>system>security>ssh

Description

This command enables the context to configure the list of allowed ciphers on the SSH client.

Default

n/a

cipher
Syntax

cipher index name cipher-name

no cipher index

Context

config>system>security>ssh>client-cipher-list

config>system>security>ssh>server-cipher-list

Description

This command configures the allowed SSHv2 ciphers that are available on the SSH client or server. Client cipher and server cipher lists are used to negotiate the best compatible cipher between the SSH client and SSH server. Client ciphers are used when the 7705 SAR node is acting as an SSH client; server ciphers are used when the 7705 SAR node is acting as an SSH server.

Each list contains ciphers and their corresponding index values, where a lower index has a higher preference in the SSH negotiation. The list is ordered by preference from highest to lowest.

The following table lists the default index values used for SSHv2, in order of preference.

Table 10. SSHv2 default index values

Cipher index value

Cipher name

2

aes256-ctr

4

aes192-ctr

6

aes128-ctr

10

aes128-cbc

20

3des-cbc

60

aes192-cbc

70

aes256-cbc

Note: When the 7705 SAR is running in FIPS-140-2 mode, the 3des-cbc cipher is not available.

The no form of this command deletes the specified cipher index.

Default

n/a

Parameters
index

the index of the cipher in the list

Values

1 to 255

cipher-name

the allowed cipher name

Values

For SSHv2 client ciphers: aes128-ctr, aes192-ctr, aes256-ctr, 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc

For SSHv2 server ciphers: aes128-ctr, aes192-ctr, aes256-ctr, 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc

client-kex-list
Syntax

client-kex-list

Context

config>system>security>ssh

Description

This command enables the context to configure a list of preferred KEX algorithms to be used by an SSHv2 client.

Default

n/a

kex
Syntax

kex index name kex-name

no kex index

Context

config>system>security>ssh>client-kex-list

config>system>security>ssh>server-kex-list

Description

This command configures the list of preferred KEX algorithms that are negotiated by the client and server using an SSHv2 phase one handshake.

By default, a KEX client and KEX server each have a hard-coded list that contains the default indexes and their corresponding algorithms. The following table lists the default index values and algorithms, in order of preference.

Table 11. Default KEX index values

KEX index value

KEX algorithm name

200

diffie-hellman-group16-sha512

210

diffie-hellman-group14-sha256

215

diffie-hellman-group14-sha1

220

diffie-hellman-group-exchange-sha1

225

diffie-hellman-group1-sha1

The default list can be changed by manually removing a single index or as many indexes as required using the no kex index command. The default list can also be customized by first removing an index and then redefining it for each algorithm as required. To go back to using the original hard-coded list, the default KEX indexes must be manually re-entered with their corresponding algorithms.

In a KEX list, the algorithm with the lowest index value has the highest preference in the SSH negotiation. The list is ordered by preference from highest to lowest. When the client and server exchange their KEX lists, the first algorithm in the client list that is also supported by the server is the algorithm that is agreed upon.

Note: When the 7705 SAR is running in FIPS-140-2 mode, the diffie-hellman-group1-sha1 KEX algorithm is not available.

The no form of this command removes the specified KEX index. Removing all the indexes from a client or server list results in an empty list, and any KEX algorithm the client or server brings to the SSHv2 negotiation will be rejected.

Default

no kex

Parameters
index

the index of the KEX algorithm in the list. The list is ordered from highest to lowest.

Values

1 to 255

kex-name

the KEX algorithm for computing the shared secret key

Values

diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

client-mac-list
Syntax

client-mac-list

Context

config>system>security>ssh

Description

This command enables the context to configure a list of preferred MAC algorithms to be used by an SSHv2 client.

Default

n/a

mac
Syntax

mac index name mac-name

no mac index

Context

config>system>security>ssh>client-mac-list

config>system>security>ssh>server-mac-list

Description

This command configures the list of preferred MAC algorithms that are negotiated by an SSHv2 server or client.

Each algorithm in the list has a corresponding index value, where a lower index has a higher preference in the SSH negotiation. The list is ordered by preference from highest to lowest.

The following table lists the default client and server MAC index values used for SSHv2.

Table 12. Default SSHv2 MAC index values

MAC index value

MAC algorithm name

200

hmac-sha2-512

210

hmac-sha2-256

215

hmac-sha1

220

hmac-sha1-96

225

hmac-md5

240

hmac-md5-96

Note: When the 7705 SAR is running in FIPS-140-2 mode, the following MAC algorithms are not available: hmac-sha1-96, hmac-md5, and hmac-mda5-96.

The no form of this command removes the specified MAC index from the list.

Default

no mac

Parameters
index

the index of the MAC algorithm in the list

Values

1 to 255

mac-name

the algorithm for calculating the message authentication code

Values

hmac-sha2-512, hmac-sha2-256, hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96

key-re-exchange
Syntax

key-re-exchange

Context

config>system>security>ssh

Description

This command enables the context to configure key re-exchange parameters for an SSH client or server.

client
Syntax

client

Context

config>system>security>ssh>key-re-exchange

Description

This command enables the context to configure key re-exchange parameters for an SSH client.

mbytes
Syntax

mbytes {mbytes| disable}

no mbytes

Context

config>system>security>ssh>key-re-exchange>client

config>system>security>ssh>key-re-exchange>server

Description

This command configures the maximum number of megabytes that can be transmitted during an SSH session before an SSH client or server initiates the key re-exchange procedure.

If both the mbytes and minutes key re-exchange parameters are configured, the key re-exchange will occur at whatever limit is reached first.

The no form of this command returns the setting to the default value.

Default

1024

Parameters
mbytes

specifies the number of megabytes that can be transmitted during an SSH session before the key re-exchange occurs

Values

1 to 64000

disable

specifies that a session will never time out

minutes
Syntax

minutes {minutes | disable}

no minutes

Context

config>system>security>ssh>key-re-exchange>client

config>system>security>ssh>key-re-exchange>server

Description

This command configures the maximum time that an SSH session can be up before an SSH client or server initiates the key re-exchange procedure.

If both the mbytes and minutes key re-exchange parameters are configured, the key re-exchange will occur at whatever limit is reached first.

The no form of this command returns the setting to the default value.

Default

60

Parameters
minutes

specifies the number of minutes before an SSH client or server initiates the key re-exchange

Values

1 to 1440

disable

specifies that a session will never time out

shutdown
Syntax

[no] shutdown

Context

config>system>security>ssh>key-re-exchange>client

config>system>security>ssh>key-re-exchange>server

Description

This command enables or disables initiating of the key re-exchange procedure when the configured thresholds are reached.

Default

no shutdown

server
Syntax

server

Context

config>system>security>ssh>key-re-exchange

Description

This command enables the context to configure key re-exchange parameters for an SSH server.

listening-port
Syntax

listening-port port

no listening-port

Context

config>system>security>ssh

Description

This command configures the listening TCP port of the SSH server for incoming SSH connections via base or management routing. VPRN node management is done via GRT leaking and uses base routing.

The no form of this command resets the listening port to its default of 22.

Default

no listening port

Parameters
port

specifies the port number

Values

1024 to 49151

preserve-key
Syntax

[no] preserve-key

Context

config>system>security>ssh

Description

This command specifies the persistence of the SSH server host key. When enabled, the host key will be saved by the server and restored following a system reboot. This command can only be enabled or disabled when no SSH session is running.

The no form of the command specifies that the host key will be held in memory by the SSH server and not be restored following a system reboot.

Default

no preserve-key

server-cipher-list
Syntax

server-cipher-list

Context

config>system>security>ssh

Description

This command enables the context to configure the list of allowed ciphers on the SSH server.

Default

n/a

server-kex-list
Syntax

server-kex-list

Context

config>system>security>ssh

Description

This command enables the context to configure a list of preferred KEX algorithms to be used by an SSHv2 server.

Default

n/a

server-mac-list
Syntax

server-mac-list

Context

config>system>security>ssh

Description

This command enables the context to configure a list of preferred MAC algorithms to be used by an SSHv2 server.

Default

n/a

server-shutdown
Syntax

[no] server-shutdown

Context

config>system>security>ssh

Description

This command disables the SSH server running on the system. The no version of the command enables the SSH server.

When the no server-shutdown command is executed, an SSH security key is generated. Unless the preserve-key command is enabled, this key is valid until either the node is restarted or the SSH server is stopped with the server-shutdown command and restarted. The key size is non-configurable and is set to 2048 for SSHv2 RSA and to 1024 for SSHv2 DSA. Only SSHv2 RSA is supported in FIPS-140-2 mode.

Default

no server-shutdown

Security TLS commands
tls
Syntax

tls

Context

config>system>security

Description

This command enables the context to configure TLS parameters.

Default

n/a

cert-profile
Syntax

cert-profile profile-name [create]

no cert-profile profile-name

Context

config>system>security>tls

Description

This command creates a new TLS certificate profile or specifies an existing certificate profile. The certificate profile contains the certificates that are sent to the TLS peer to authenticate itself. The TLS server must send this information. The TLS client can optionally send this information upon request from the TLS server.

The no form of the command deletes the specified TLS certificate profile.

Default

n/a

Parameters
profile-name

the name of the TLS certificate profile, up to 32 characters in length

create
keyword is mandatory when creating a new certificate profile
entry
Syntax

entry entry-id [create]

no entry entry-id

Context

config>system>security>tls>cert-profile

Description

This command configures an entry for the TLS certificate profile. A certificate profile can have up to eight entries. Currently, TLS uses the entry with the lowest ID number when responding to server requests.

The no form of the command deletes the specified entry.

Default

n/a

Parameters
entry-id

the identification number of the TLS certificate profile entry

Values

1 to 8

create
keyword is mandatory when creating a new certificate profile
cert
Syntax

cert cert-filename

no cert

Context

config>system>security>tls>cert-profile>entry

Description

This command specifies the filename of an imported certificate for the cert-profile entry.

The no form of the command removes the certificate.

Default

no cert

Parameters
cert-filename

the filename of the TLS certificate, up to 95 characters in length

key
Syntax

key key-filename

no key

Context

config>system>security>tls>cert-profile>entry

Description

This command specifies the filename of an imported key for the cert-profile entry.

The no form of the command removes the key.

Default

no key

Parameters
key-filename

the filename of the key, up to 95 characters in length

send-chain
Syntax

[no] send-chain

Context

config>system>security>tls>cert-profile>entry

Description

This command enables the sending of certificate authority (CA) certificates and enables the context to configure send-chain information.

By default, the system only sends the TLS client certificate specified by the cert command. This command allows the system to send additional CA certificates to the peer. The certificates must be in the chain of certificates specified by the config>system>security>pki>ca-profile command. The specification of the send-chain is not necessary for a working TLS profile if the TLS peer has the CA certificate used to sign the client certificate in its own trust anchor.

For example, with a TLS client running on the 7705 SAR, the ROOT CA certificate resides on the TLS server, but the subsequent SUB-CA certificate needed to complete the chain resides within the 7705 SAR. The send-chain command allows these SUB-CA certificates to be sent from the 7705 SAR to the peer to be authenticated using the ROOT CA certificate that resides on the peer.

The no form of the command disables the send-chain.

Default

no send-chain

ca-profile
Syntax

[no] ca-profile name

Context

config>system>security>tls>cert-profile>entry>send-chain

Description

This command specifies that a CA certificate in the specified ca-profile is to be sent to the peer.

Up to seven configurations of this command are allowed in the same entry.

The no form of the command disables the transmission of a CA certificate from the specified CA profile.

Default

n/a

Parameters
name

the name of an existing CA

shutdown
Syntax

[no] shutdown

Context

config>system>security>tls>cert-profile

Description

This command disables the certificate profile. When the certificate profile is disabled, it will not be sent to the TLS server.

The no form of the command enables the certificate profile and allows it to be sent to the TLS server.

Default

shutdown

client-cipher-list
Syntax

client-cipher-list name [create]

no client-cipher-list name

Context

config>system>security>tls

Description

This command creates a cipher list or specifies an existing list that the client sends to the server in the client Hello message. The list contains ciphers that are supported and preferred by the 7705 SAR to be used in the TLS session. The server matches this list against the server cipher list. The most preferred cipher found in both lists is chosen.

The no form of the command deletes the specified cipher list.

Default

n/a

Parameters
name

the name of the client cipher list, up to 32 characters in length

create
keyword is mandatory when creating a new certificate profile
cipher
Syntax

cipher index name cipher-suite-code

no cipher index

Context

config>system>security>tls>client-cipher-list

Description

This command configures the TLS cipher suite code to be negotiated by the server and client.

The no form of the command removes the cipher suite code.

Default

n/a

Parameters
index

the index number of the cipher suite code, which indicates the position of the code in the negotiation list (the lower the index number, the higher the priority of the code)

Values
1 to 255
cipher-suite-code
specifies the cipher suite code
Values

tls-rsa-with3des-ede-cbc-sha | tls-rsa-with-aes128-cbc-sha | tls-rsa-with-aes256-cbc-sha | tls-rsa-with-aes128-cbc-sha256 | tls-rsa-with-aes256-cbc-sha256

tls13-cipher
Syntax

tls13-cipher index name cipher-suite-code

no tls13-cipher index

Context

config>system>security>tls>client-cipher-list

Description

This command configures the TLS 1.3 supported ciphers that are used by the client and server.

The no form of the command removes the cipher suite code.

Default

n/a

Parameters
index

the index number of the TLS 1.3 cipher suite code, which indicates the position of the code in the negotiation list (the lower the index number, the higher the priority of the code)

Values

1 to 255

cipher-suite-code

specifies the cipher suite code

Values

tls-aes128-gcm-sha256 | tls-aes256-gcm-sha384 | tls-chacha20-poly1305-sha256 (not supported in FIPS mode) | tls-aes128-ccm-sha256 | tls-aes128-ccm8-sha256

client-group-list
Syntax

client-group-list name [create]

no client-group-list name

Context

config>system>security>tls

Description

This command creates a client group list or specifies an existing group list that the client sends in a client Hello message. The list contains group suite codes configured with the tls13-group command.

The no form of the command removes the client group list.

Default

n/a

Parameters
name

the name of the client group list, up to 32 characters

create
keyword is mandatory when creating a new certificate profile
tls13-group
Syntax

tls13-group index name group-suite-code

no tls13-group index

Context

config>system>security>tls>client-group-list

Description

This command configures the TLS 1.3 supported group suite codes sent by the client in the Hello message.

The 7705 SAR supports the use of Elliptic-curve Diffie-Hellman Ephemeral (ECDHE) groups.

The no form of the command removes the group suite code.

Default

n/a

Parameters
index

the index number of the group suite code, which indicates the position of the code in the negotiation list (the lower the index number, the higher the priority of the code)

Values

1 to 255

group-suite-code

specifies the group suite code

Values

tls-ecdhe-256 | tls-ecdhe-384 | tls-ecdhe-521 | tls-x25519 | tls-x448

client-signature-list
Syntax

client-signature-list name [create]

no client-signature-list name

Context

config>system>security>tls

Description

This command creates a client signature list or specifies an existing signature list that the client sends in a client Hello message.

The no form of the command removes the client signature list.

Default

n/a

Parameters
name

the name of the client signature list, up to 32 characters

create
keyword is mandatory when creating a new certificate profile
tls13-signature
Syntax

tls13-signature index name signature-suite-code

no tls13-signature index

Context

config>system>security>tls>client-signature-list

Description

This command configures the TLS 1.3 supported signature suite codes sent in the client Hello message.

The no form of the command removes the signature suite code.

Default

n/a

Parameters
index

the index number of the TLS 1.3 signature suite code, which indicates the position of the code in the negotiation list (the lower the index number, the higher the priority of the code)

Values

1 to 255

signature-suite-code

specifies the signature suite code

Values

tls-rsa-pkcs1-sha256 | tls-rsa-pkcs1-sha384 | tls-rsa-pkcs1-sha512 | tls-ecdsa-secp256r1-sha256 | tls-ecdsa-secp384r1-sha384 | tls-ecdsa-secp521r1-sha512 | tls-rsa-pss-rsae-sha256 | tls-rsa-pss-rsae-sha384 | tls-rsa-pss-rsae-sha512 | tls-rsa-pss-pss-sha256 | tls-rsa-pss-pss-sha384 | tls-rsa-pss-pss-sha512 | tls-ed25519 | tls-ed448

client-tls-profile
Syntax

client-tls-profile name [create]

no client-tls-profile name

Context

config>system>security>tls

Description

This command creates a TLS client profile or specifies an existing client profile to be assigned to applications for encryption. Up to 16 TLS client profiles can be configured.

The no form of the command deletes the TLS client profile.

Default

n/a

Parameters
name

the name of the TLS client profile, up to 32 characters in length

create
keyword is mandatory when creating a new certificate profile
cert-profile
Syntax

cert-profile name

no cert-profile

Context

config>system>security>tls>client-tls-profile

Description

This command assigns an existing TLS certificate profile to be used by the TLS client profile. This certificate is sent to the server for authentication of the client and public key.

The no form of the command removes the TLS certificate profile assignment.

Default

no cert-profile

Parameters
name

the name of the TLS certificate profile

cipher-list
Syntax

cipher-list name

no cipher-list

Context

config>system>security>tls>client-tls-profile

Description

This command assigns an existing cipher list to be used by the TLS client profile for negotiation in the client Hello message.

Default

no cipher-list

Parameters
name

the name of the cipher list

group-list
Syntax

group-list name

no group-list

Context

config>system>security>tls>client-tls-profile

Description

This command assigns an existing TLS 1.3 group list to the TLS client profile.

The no form of the command removes the group list from the client profile.

Default

no group-list

Parameters
name

the name of the group list

protocol-version
Syntax

protocol-version TLS version

no protocol-version

Context

config>system>security>tls>client-tls-profile

Description

This command configures the TLS version to be negotiated between the client and server.

When configured, the client adds the specified version as a supported version in its Hello message to the server. If tls-version-all is specified, the client adds both TLS 1.2 and TLS 1.3 as supported versions in its Hello message.

The no form of the command reverts to the default TLS version.

Default

tls-version12

Parameters
TLS version

specifies the TLS version to include in the client Hello message

Values

tls-version12 | tls-version13 | tls-version-all

shutdown
Syntax

[no] shutdown

Context

config>system>security>tls>client-tls-profile

Description

This command disables the client TLS profile.

The no form of the command enables the client TLS profile.

Default

shutdown

signature-list
Syntax

signature-list name

no signature-list

Context

config>system>security>tls>client-tls-profile

Description

This command assigns an existing TLS 1.3 signature list to the TLS client profile.

The no form of the command removes the signature list from the client profile.

Default

no signature-list

Parameters
name

the name of the signature list

trust-anchor-profile
Syntax

trust-anchor-profile name

no trust-anchor-profile

Context

config>system>security>tls>client-tls-profile

Description

This command assigns an existing trust anchor profile to be used by this TLS client profile to authenticate the server.

The no form of the command removes the trust anchor profile from the client profile.

Default

no trust-anchor-profile

Parameters
name

the name of the trust anchor profile

trust-anchor-profile
Syntax

trust-anchor-profile name [create]

no trust-anchor-profile name

Context

config>system>security>tls

Description

This command creates a trust anchor profile or specifies an existing trust anchor profile to be used in the TLS client profile. The trust anchor is used for authentication of the server certificate. Up to 16 trust anchor profiles can be configured, with up to 8 trust anchors in each profile.

Default

n/a

Parameters
name

the name of the trust anchor profile, up to 32 characters

create
keyword is mandatory when creating a new certificate profile
trust-anchor
Syntax

[no] trust-anchor ca-profile-name

Context

config>system>security>tls>trust-anchor-profile

Description

This command configures a trust anchor with a CA profile used by the TLS profile. Up to eight trust anchors can be configured under the TLS profile.

Default

n/a

Parameters
ca-profile-name

the name of the TLS trust anchor

Keychain authentication commands
keychain
Syntax

[no] keychain keychain-name

Context

config>system>security

Description

This command enables the context to configure keychain parameters that are used to authenticate protocol communications. A keychain must be configured on the system before it can be applied to a protocol session.

The keychain must include at least one key entry to be valid.

The no form of the command removes the keychain and all commands configured in the keychain context. If the keychain is associated with a protocol when the no keychain command is entered, the command will be rejected and an error indicating that the keychain is in use will be displayed.

Default

n/a

Parameters
keychain-name

the keychain name, up to 32 characters

direction
Syntax

direction

Context

config>system>security>keychain

Description

This command specifies the stream direction on which the keys will be applied.

Default

n/a

bi
Syntax

bi

Context

config>system>security>keychain>direction

Description

This command configures keys for both send and receive stream directions.

Default

n/a

entry
Syntax

entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]

no entry entry-id

Context

config>system>security>keychain>direction>bi

config>system>security>keychain>direction>uni>receive

config>system>security>keychain>direction>uni>send

Description

This command defines a key in the keychain. A keychain must have at least one key entry to be valid.

The key and algorithm keywords are mandatory when the entry is first created.

The no form of the command removes the entry from the keychain. If the key is the active key for sending, this command will cause a new active key to be selected (if one is available). If the key is the only possible send key, the command will be rejected and an error indicating that the configured key is the only available send key will be displayed. If the key is one of the eligible keys for receiving, it will be removed. If the key is the only eligible key for receiving, the command will be rejected and an error indicating that this is the only eligible key will be displayed.

Default

n/a

Parameters
entry-id

the ID of the key entry

Values

0 to 63 | null-key (the null-key parameter does not apply and should be ignored)

key

the authentication key ID that is used along with keychain-name and direction to uniquely identify this particular key entry

authentication-key

the authentication key that will be used by the encryption algorithm, up to 20 characters in any combination of letters and numbers. The key is used to sign and authenticate a protocol packet.

Values

the key must be 160 bits for algorithm hmac-sha-1-96 and must be 128 bits for algorithm aes-128-cmac-96. If the key is configured with fewer than this number of bits, it is padded internally with zero bits up to the correct length.

hash-key | hash2-key

the hash key. The key can be any combination of ASCII characters up to 33 for the hash-key and up to 96 for the hash2-key (encrypted). If spaces are used in the string, the entire string must be enclosed in double quotes.

This parameter is useful when a user must configure the parameter, but for security purposes, the actual unencrypted key value is not provided.

hash

specifies that the key is entered in an encrypted form. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

hash2

specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 parameter specified.

algorithm

the encryption algorithm to be used by the key defined in the keychain

Values

aes-128-cmac-96 – specifies an algorithm based on the AES standard for TCP authentication (BGP and LDP)

hmac-sha-1-96 – specifies an algorithm based on SHA-1 for OSPF, RSVP-TE, and TCP authentication

password – specifies a simple password authentication for OSPF and IS-IS

message-digest – specifies the MD5 hash authentication for OSPF

hmac-sha-1 – specifies the SHA-1 algorithm for OSPF, IS-IS, and RSVP-TE authentication

hmac-sha-256 – specifies the SHA-256 algorithm for OSPF, IS-IS, and RSVP-TE authentication

hmac-md5 – specifies the MD5 hash authentication for IS-IS and RSVP-TE

begin-time
Syntax

begin-time date hours-minutes [UTC]

begin-time {now | forever}

no begin-time

Context

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Description

This command specifies the calendar date and time after which the key specified by the keychain authentication key entry is used to sign and authenticate the protocol stream.

Each entry within a bidirectional keychain or for a keychain direction (if unidirectional keys are used) must have a unique begin time.

If no date and time is set, the begin-time is represented by a date and time string with all NULLs and the key is not valid.

Default

forever

Parameters
date hours-minutes

the date (in YYYY/MM/DD format) and time (in hh:mm[:ss] format) at which the key becomes active

UTC

specifies that the date and time should be in UTC time rather than local time

now

specifies that the key should become active immediately (current system time)

forever

specifies that the key is always inactive

option
Syntax

option {basic | isis-enhanced}

no option

Context

config>system>security>keychain>direction>bi>entry

Description

This command enables options to be associated with the authentication key for IS-IS. The command is only applicable for IS-IS and will be ignored by other protocols associated with the keychain.

Default

no option

Parameters
basic

specifies that IS-IS should use RFC 5304 encoding of the authentication information

isis-enhanced

specifies that IS-IS should use RFC 5310 encoding of the authentication information

tolerance
Syntax

tolerance {seconds | forever}

no tolerance

Context

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

Description

This command configures the amount of time that an eligible receive key overlaps with the currently active key. During that time, packets with either key will be accepted. Tolerance only applies to received packets. Transmitted packets always use the newest key, regardless of the tolerance value.

If a tolerance value is set for a key, the key is returned as part of the key set if the current time is within the key’s begin time, plus or minus the tolerance value. For example, if the begin time is 12:00 p.m. and the tolerance is 600 seconds, the new key should be included from 11:55 a.m. and the key to be replaced should be included until 12:05 p.m.

Default

300

Parameters
seconds

specifies the length of time that an eligible receive key overlaps with the active key

Values

0 to 4294967294 seconds

forever

specifies that an eligible receive key will overlap with the active key forever

uni
Syntax

uni

Context

config>system>security>keychain>direction

Description

This command configures keys for send or receive stream directions.

Default

n/a

receive
Syntax

receive

Context

config>system>security>keychain>direction>uni

Description

This command enables the receive context. Entries defined under this context are used to authenticate packets that are received by the router.

Default

n/a

end-time
Syntax

end-time date hours-minutes [UTC]

end-time {now | forever}

no end-time

Context

config>system>security>keychain>direction>uni>receive>entry

Description

This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to authenticate the protocol stream.

Default

forever

Parameters
date hours minutes

the date (in YYYY/MM/DD format) and time (in hh:mm[:ss] format) after which the key is no longer eligible to sign and authenticate the protocol stream. If no year is specified, the system assumes the current year.

UTC

specifies that the date and time should be in UTC time rather than local time

now

specifies that the key should become inactive immediately (current system time)

forever

specifies that the key is always active

send
Syntax

send

Context

config>system>security>keychain>direction>uni

Description

This command enables the send context. Entries defined under this context are used to sign packets that are being sent by the router to another device.

Default

n/a

tcp-option-number
Syntax

tcp-option-number

Context

config>system>security>keychain

Description

This command enables the context to configure the TCP option number to be placed in the TCP packet header.

receive
Syntax

receive option-number

no receive

Context

config>system>security>keychain>tcp-option-number

Description

This command configures the TCP option number that will be accepted in the header of received TCP packets.

Default

254

Parameters
option-number

the TCP option number to be used in the TCP header

Values

253, 254, 253&254

send
Syntax

send option-number

no send

Context

config>system>security>keychain>tcp-option-number

Description

This command configures the TCP option number that will be inserted in the header of sent TCP packets.

Default

254

Parameters
option-number

the TCP option number to be used in the TCP header

Values

253, 254

Login control commands
login-control
Syntax

login-control

Context

config>system

Description

This command enables the context to configure the session control for console, FTP, SSH, and Telnet sessions.

exponential-backoff
Syntax

[no] exponential-backoff

Context

config>system>login-control

Description

This command enables the exponential backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password.

The no form of the command disables exponential-backoff.

Default

no exponential-backoff

ftp
Syntax

ftp

Context

config>system>login-control

Description

This command enables the context to configure FTP login control parameters.

inbound-max-sessions
Syntax

inbound-max-sessions value

no inbound-max-sessions

Context

config>system>login-control>ftp

Description

This command configures the maximum number of concurrent inbound FTP sessions.

This value is the combined total of inbound and outbound sessions.

The no form of the command reverts to the default value.

Default

3

Parameters
value

the maximum number of concurrent FTP sessions on the node

Values

0 to 5

idle-timeout
Syntax

idle-timeout {minutes | disable}

no idle-timeout

Context

config>system>login-control

Description

This command configures the idle timeout for FTP, console, SSH, and Telnet sessions before the session is terminated by the system.

By default, each idle FTP, console, SSH, or Telnet session times out after 30 minutes of inactivity.

The no form of the command reverts to the default value.

Default

30

Parameters
minutes

the idle timeout in minutes

Values

1 to 1440

disable

when the disable option is specified, a session will never time out. To re-enable idle timeout, enter the command without the disable option.

login-banner
Syntax

[no] login-banner

Context

config>system>login-control

Description

This command enables or disables the display of a login banner. The login banner contains the 7705 SAR copyright and build date information for a console login attempt.

The no form of the command causes only the configured pre-login-message and a generic login prompt to display.

motd
Syntax

motd {url url-prefix:source-url | text motd-text-string}

no motd

Context

config>system>login-control

Description

This command creates the message of the day that is displayed after a successful console login. Only one message can be configured.

The no form of the command removes the message.

Default

no motd

Parameters
url-prefix: source-url

when the message of the day is present as a text file, provide both the url-prefix and the source-url of the file containing the message of the day. The URL prefix can be local or remote.

motd-text-string

the text of the message of the day, up to 900 characters long. The motd-text-string must be enclosed in double quotes. Multiple text strings are not appended to one another.

Some special characters can be used to format the message text. The ‟\n” character creates multi-line MOTDs and the ‟\r” character restarts at the beginning of the new line. For example, entering ‟\n\r” will start the string at the beginning of the new line, while entering ‟\n” will start the second line below the last character from the first line.

pre-login-message
Syntax

pre-login-message login-text-string [name]

no pre-login-message

Context

config>system>login-control

Description

This command creates a message displayed prior to console login attempts on the console via Telnet.

Only one message can be configured. If multiple pre-login messages are configured, the last message entered overwrites the previous entry.

The system name can be added to an existing message without affecting the current pre-login message.

The no form of the command removes the message.

Default

no pre-login-message

Parameters
login-text-string

a text string, up to 900 characters. Any printable, 7-bit ASCII characters can be used. If the string contains special characters (such as #, $, or spaces), the entire string must be enclosed within double quotes.

name

when the keyword name is defined, the configured system name is always displayed first in the login message. To remove the name from the login message, the message must be cleared and a new message entered without the name.

ssh
Syntax

ssh

Context

config>system>login-control

Description

This command enables the context to configure SSH login control parameters.

disable-graceful-shutdown
Syntax

[no] disable-graceful-shutdown

Context

config>system>login-control>ssh

Description

This command disables graceful shutdown of SSH sessions.

By default, SSH always performs a graceful shutdown on a TCP connection. When graceful shutdown is disabled, SSH sends a FIN message and then immediately terminates the connection.

The no form of the command enables graceful shutdown of SSH sessions.

Default

no disable-graceful-shutdown

inbound-max-sessions
Syntax

inbound-max-sessions value

no inbound-max-sessions

Context

config>system>login-control>ssh

Description

This command limits the number of inbound SSH sessions (channels). Each 7705 SAR router is limited to a total of 15 inbound SSH sessions (IPv4 and IPv6).

The no form of the command reverts to the default value.

Default

5

Parameters
value

the maximum number of concurrent inbound SSH sessions, expressed as an integer

Values

0 to 15

outbound-max-sessions
Syntax

outbound-max-sessions value

no outbound-max-sessions

Context

config>system>login-control>ssh

Description

This command limits the number of outbound SSH sessions (channels). Each 7705 SAR router is limited to a total of 15 outbound SSH sessions (IPv4 and IPv6).

The no form of the command reverts to the default value.

Default

5

Parameters
value

the maximum number of concurrent outbound SSH sessions, expressed as an integer

Values

0 to 15

telnet
Syntax

telnet

Context

config>system>login-control

Description

This command enables the context to configure the Telnet login control parameters.

enable-graceful-shutdown
Syntax

[no] enable-graceful-shutdown

Context

config>system>login-control>telnet

Description

This command enables graceful shutdown of Telnet sessions.

When graceful shutdown is enabled, Telnet sends a FIN message and waits for an acknowledgment before terminating the TCP connection.

The no form of the command disables graceful shutdown of Telnet sessions.

Default

no enable-graceful-shutdown

inbound-max-sessions
Syntax

inbound-max-sessions value

no inbound-max-sessions

Context

config>system>login-control>telnet

Description

This command limits the number of inbound Telnet sessions. Each 7705 SAR router is limited to a total of 15 inbound Telnet sessions (IPv4 and IPv6).

The no form of the command reverts to the default value.

Default

5

Parameters
value

the maximum number of concurrent inbound Telnet sessions, expressed as an integer

Values

0 to 15

outbound-max-sessions
Syntax

outbound-max-sessions value

no outbound-max-sessions

Context

config>system>login-control>telnet

Description

This command limits the number of outbound Telnet sessions. Each 7705 SAR router is limited to a total of 15 outbound Telnet sessions (IPv4 and IPv6).

The no form of the command reverts to the default value.

Default

5

Parameters
value

the maximum number of concurrent outbound Telnet sessions, expressed as an integer

Values

0 to 15

ttl-security
Syntax

ttl-security min-ttl-value

no ttl-security

Context

config>system>login-control>telnet

config>system>login-control>ssh

Description

This command configures TTL security parameters for incoming packets. When the feature is enabled, SSH or Telnet connections will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer.

The no form of the command disables TTL security.

Default

no ttl-security

Parameters
min-ttl-value

specifies the minimum TTL value for an incoming packet

Values

1 to 255

Show commands

Security show commands
Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.
access-group
Syntax

access-group [group-name]

Context

show>system>security

Description

This command displays SNMP access group information.

Parameters
group-name

displays information for the specified access group

Output

The following output is an example of system security access group information, and System security access group field descriptions describes the fields.

Output example
A:ALU-4# show system security access-group
===============================================================================
Access Groups                                                                  
===============================================================================
group name        security  security  read          write         notify       
                  model     level     view          view          view         
-------------------------------------------------------------------------------
snmp-ro           snmpv1    none      no-security                 no-security  
snmp-ro           snmpv2c   none      no-security                 no-security  
snmp-rw           snmpv1    none      no-security   no-security   no-security  
snmp-rw           snmpv2c   none      no-security   no-security   no-security  
snmp-rwa          snmpv1    none      iso           iso           iso          
snmp-rwa          snmpv2c   none      iso           iso           iso          
snmp-trap         snmpv1    none                                  iso          
snmp-trap         snmpv2c   none                                  iso          
===============================================================================
A:ALU-7#
Table 13. System security access group field descriptions

Label

Description

Group name

The access group name

Security model

The security model required to access the views configured in this node

Security level

Specifies the required authentication and privacy levels to access the views configured in this node

Read view

Specifies the variable of the view to read the MIB objects

Write view

Specifies the variable of the view to configure the contents of the agent

Notify view

Specifies the variable of the view to send a trap about MIB objects

authentication
Syntax

authentication [statistics]

Context

show>system>security

Description

This command displays system login authentication configuration and statistics.

Parameters
statistics

appends login and accounting statistics to the display

Output

The following output is an example of system security authentication information, and System security authentication field descriptions describes the fields.

Output example
A:ALU-4# show system security authentication
===============================================================================
Authentication                  sequence : radius tacplus local
===============================================================================
type                               status  timeout      retry
   server address                          (secs)       count
-------------------------------------------------------------------------------
radius
   10.10.10.103                    up       5             5
radius
   10.10.0.1                       up       5             5
radius
   10.10.0.2                       up       5             5
tacplus
   10.10.0.9(49)                   down     5            n/a
-------------------------------------------------------------------------------
radius admin status  : up
tacplus admin status : down
health check         : enabled (interval 30)
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
A:ALU-4#
A:ALU-7>show>system>security# authentication statistics
===============================================================================
Authentication                  sequence : radius tacplus local
===============================================================================
type                               status  timeout        retry
   server address                          (secs)         count
-------------------------------------------------------------------------------
radius
   10.10.10.103                    up        5             5
radius
   10.10.0.1                       up        5             5
radius
   10.10.0.2                       up        5             5
tacplus
   10.10.0.9(49)                   down      5            n/a
-------------------------------------------------------------------------------
radius admin status  : up
tacplus admin status : down
health check         : enabled (interval 30)
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
Login Statistics
===============================================================================
server address                                      conn    accepted   rejected 
                                                    errors  logins     logins
-------------------------------------------------------------------------------
10.10.10.103                                        0       0          0
10.10.0.1                                           0       0          0
10.10.0.2                                           0       0          0
10.10.0.9                                           0       0          0
local                                               n/a     1          0
===============================================================================
Authorization Statistics (TACACS+)
===============================================================================
server address                                      conn    sent       rejected 
                                                    errors  pkts       pkts
-------------------------------------------------------------------------------
10.10.0.9                                           0       0          0
===============================================================================
Accounting Statistics
===============================================================================
server address                                      conn    sent       rejected 
                                                    errors  pkts       pkts
-------------------------------------------------------------------------------
10.10.10.103                                        0       0          0
10.10.0.1                                           0       0          0
10.10.0.2                                           0       0          0
===============================================================================
A:ALU-7#
Table 14. System security authentication field descriptions

Label

Description

Sequence

The sequence in which authentication is processed

Server address

The IP address of the RADIUS server

Status

The current status of the RADIUS server

Type

The authentication type

Timeout (secs)

The number of seconds the router waits for a response from a RADIUS server

Retry count

The number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server

Connection errors

The number of times a user has attempted to log in irrespective of whether the login succeeded or failed

Accepted logins

The number of times the user has successfully logged in

Rejected logins

The number of unsuccessful login attempts

Sent packets

The number of packets sent

Rejected packets

The number of packets rejected

communities
Syntax

communities

Context

show>system>security

Description

This command displays SNMP communities and characteristics.

Output

The following output is an example of community information, and Communities field descriptions describes the fields.

Output example
A:ALU-48# show system security communities
=============================================================================
Communities
=============================================================================
community           access  view                version   group name
-----------------------------------------------------------------------------
cli-readonly        r       iso                 v2c       cli-readonly
cli-readwrite       rw      iso                 v2c       cli-readwrite
public              r       no-security         v1 v2c    snmp-ro
-----------------------------------------------------------------------------
No. of Communities: 3
=============================================================================
A:ALU-48#
Table 15. Communities field descriptions

Label

Description

Community

The community string name for SNMPv1 and SNMPv2c access only

Access

r: The community string allows read-only access

rw: The community string allows read-write access

rwa: The community string allows read-write access

mgmt: The unique SNMP community string assigned to the management router

View

The view name

Version

The SNMP version

Group Name

The access group name

No of Communities

The total number of configured community strings

cpm-filter
Syntax

cpm-filter ip-filter [entry entry-id]

cpm-filter ipv6-filter [entry entry-id]

Context

show>system>security

Description

This command displays information for CPM (CSM) filters.

If an entry number is not specified, all entries are displayed.

Parameters
entry-id

displays information for the specified CPM filter entry

Values

1 to 9999

Default

all filter entries

Output

The following output is an example of CPM filter information, and CPM filter field descriptions describes the fields.

Output example
A:ALU-35# show system security cpm-filter ip-filter 
===============================================================================
CPM IP Filters
===============================================================================
Entry-Id  Dropped   Forwarded Description                                      
-------------------------------------------------------------------------------
2         0         0         CPM filter #2                      
3         25880     0         CPM filter #3                       
4         25880     0         CPM filter #4                      
5         25882     0         CPM filter #5                      
6         25926     0         CPM filter #6                       
7         25926     0         CPM filter #7                       
8         25944     0         CPM filter #8                       
9         25950     0         CPM filter #9                       
10        25968     0         CPM filter #10                       
11        25984     0         CPM filter #11                      
12        26000     0         CPM filter #12                       
13        26018     0         CPM filter #13                       
14        26034     0         CPM filter #14                       
15        26050     0         CPM filter #15           
===============================================================================
A:ALU-35# 
A:ALU-35# show system security cpm-filter ip-filter entry 2
===============================================================================
CPM IP Filter Entry
===============================================================================
Entry Id           : 2                                                       
Description : CPM filter #2
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id             : 101                                                      
Src. IP            : 10.4.101.2/32      Src. Port          : 0                 
Dest. IP           : 10.4.101.1/32      Dest. Port         : 0                 
Protocol           : tcp                Dscp               : ef                
ICMP Type          : Undefined          ICMP Code          : Undefined         
Fragment           : True               Option-present     : Off               
IP-Option          : n/a                Multiple Option    : True              
TCP-syn            : Off                TCP-ack            : True              
Match action       : Drop  
Dropped pkts       : 0                  Forwarded pkts     : 0             
===============================================================================
A:ALU-35#
A:ALU-35# show system security cpm-filter ipv6-filter entry 101
===============================================================================
CPM IPv6 Filter Entry
===============================================================================
Entry Id : 1
Description : CPM-Filter 11::101:2 #101
-------------------------------------------------------------------------------
Filter Entry Match Criteria :
-------------------------------------------------------------------------------
Log Id : n/a
Src. IP : 11::101:2       Src. Port : 0
Dest. IP : 11::101:1      Dest. Port : 0
next-header : none Dscp : Undefined
ICMP Type : Undefined     ICMP Code : Undefined
TCP-syn : Off             TCP-ack : Off
Match action : Drop
Dropped pkts : 25880      Forwarded pkts : 0
===============================================================================
Table 16. CPM filter field descriptions

Label

Description

CPM IP (or IPv6) Filter Entry

Entry-id

Displays information for the specified CPM filter entry

Dropped

The number of dropped events

Forwarded

The number of forwarded events

Description

The CPM filter description

Filter Entry Match Criteria

Log Id

The log ID where matched packets will be logged

Src. IP

The source IP address

Dest. IP

The destination IP address

Protocol

The Protocol field in the IP header (IPv4 filters only)

next-header

The next header ID. Undefined indicates no next header is specified. (IPv6 filters only)

ICMP Type

The ICMP type field in the ICMP header

Fragment

The 3-bit fragment flags or 13-bit fragment offset field (IPv4 filters only)

IP-Option

The IP option setting (IPv4 filters only)

TCP-syn

The SYN flag in the TCP header

Match action

When the criteria matches, displays drop or forward packet

Dropped pkts

The number of matched dropped packets

Src. Port

The source port number (range)

Dest. Port

The destination port number (range)

Dscp

The DSCP field in the IP header

ICMP Code

The ICMP code field in the ICMP header

Option-present

The option present setting (IPv4 filters only)

Multiple Option

The multiple option setting (IPv4 filters only)

TCP-ack

The ACK flag in the TCP header

Match action

When the criteria matches, displays drop or forward packet

Next Hop

If match action is forward, indicates destination of the matched packet

Forwarded pkts

Indicates number of matched forwarded packets

keychain
Syntax

keychain [keychain] [detail]

Context

show>system>security

Description

This command displays information about keychains.

If a keychain name is not specified, all keychains are displayed.

Parameters
keychain

displays information for the specified keychain

detail

displays detailed keychain information

Output

The following output is an example of keychain information, and Keychain field descriptions describes the fields.

Output example
===============================================================================
Key chain:ospf-md5
===============================================================================
Description                : MD5 keychain for OSPF interfaces
TCP-Option number send     : 254                    Admin state   : Up
TCP-Option number receive  : 254                    Oper state    : Up
Used by                    : None
Expired                    : No
===============================================================================
*A:ALU-35#
A:ALU-35# show system security keychain ospf-md5 detail
===============================================================================
Key entries for key chain: ospf-md5
===============================================================================
Id               : 0                    Direction        : send-receive
Algorithm        : message-digest       Option           : none
Admin State      : Up                   RX Valid         : No
TX Active        : No                   Tolerance        : 300
Begin Time       : 2016/06/01 01:01:00  Begin Time (UTC) : 2016/06/01 01:01:00
End Time         : 2016/09/01 01:01:00  End Time (UTC)   : 2016/09/01 01:01:00
===============================================================================
Id               : 1                    Direction        : send-receive
Algorithm        : message-digest       Option           : none
Admin State      : Up                   RX Valid         : Yes
TX Active        : Yes                  Tolerance        : 600
Begin Time       : 2016/09/01 01:01:00  Begin Time (UTC) : 2016/09/01 01:01:00
End Time         : Forever              End Time (UTC)   : Forever
===============================================================================
*A:Sar18 Dut-B#
Table 17. Keychain field descriptions

Label

Description

Key chain: name

Description

The text string description for the keychain

TCP-Option number send

The TCP option number to be inserted in the header of sent TCP packets

Admin state

The administrative state of the keychain: up or down

TCP-Option number receive

The TCP option number that will be accepted in the header of received TCP packets

Oper state

The operational state of the keychain: up or down

Used by

The protocols associated with this keychain

Expired

Indicates whether the keychain has expired

Key entries for key chain: name

Id

The ID of the key entry

Direction

The stream direction on which keys will be applied for this entry: send, receive, or send-receive

Algorithm

The encryption algorithm to be used by this key entry

Option

Indicates the configured IS-IS encoding standard (indicates ‟none” if the associated protocol is not IS-IS)

Admin State

The administrative state of the key entry: up or down

RX Valid

Indicates if the receive key is valid

TX Active

Indicates if the transmit (sent) key is active

Tolerance

The tolerance time configured for support of both currently active and new keys

Begin Time

The time at which the new key is used to sign and/or authenticate protocol packets

Begin Time (UTC)

The begin time in UTC time

End Time

The time at which the key is no longer eligible to authenticate protocol packets

End Time (UTC)

The end time in UTC time

management-access-filter
Syntax

management-access-filter ip-filter [entry entry-id]

management-access-filter ipv6-filter [entry entry-id]

Context

show>system>security

Description

This command displays management access control filter information.

If no specific entry number is specified, all entries are displayed.

Parameters
entry-id

displays information for the specified management access filter entry

Values

1 to 9999

Default

All filter entries

Output

The following output is an example of management access filter information, and Management access filter field descriptions describes the fields.

Output example
A:ALU-7# show system security management-access-filter ip-filter entry 1
=============================================================================
IPv4 Management Access Filters                                                    
=============================================================================
                                                                             
filter type:  : ip
Def. Action   : permit
Admin Status  : enabled (no shutdown)
-----------------------------------------------------------------------------
Entry         : 1
Description   : test description
Src IP        : 10.10.10.104
Src interface : undefined
Dest port     : 10.10.10.103
Protocol      : 6
Router        : undefined
Action        : permit
Log           : disabled
Matches       : 0
=============================================================================
A:ALU-7# 
A:ALU-7# show system security management-access-filter ipv6-filter entry 2
=============================================================================
IPv6 Management Access Filter
=============================================================================
filter type   : ipv6
Def. Action   : permit
Admin Status  : enabled (no shutdown)
-----------------------------------------------------------------------------
Entry         : 1
Src IP        : 2001::1/128
Flow label    : undefined
Src interface : undefined
Dest port     : undefined
Next-header   : undefined
Router        : undefined
Action        : permit
Log           : enabled
Matches       : 0
=============================================================================
A:ALU-7#
Table 18. Management access filter field descriptions

Label

Description

IPv4 (or IPv6) Management Access Filters

filter type

The management access filter type

Def. Action

Permit: Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted

Deny: Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will be issued

Deny-host-unreachable: Specifies that packets not matching the configured selection criteria in the filter entries are denied

Admin Status

Up: indicates that the management access filter is administratively enabled

Down: indicates that the management access filter is administratively disabled

Entry

The entry ID in a policy or filter table

Description

A text string describing the filter

Src IP

The source IP address used for management access filter match criteria

Flow label

The flow label to match (IPv6 filters only)

Src interface

The interface name for the next hop to which the packet should be forwarded if it hits this filter entry

Dest port

The destination port

Next-header

The next header ID to match. Undefined indicates no next header is specified. (IPv6 filters only)

Protocol

The IP protocol to match (IPv4 filters only)

Action

The action to take for packets that match this filter entry

Matches

The number of times a management packet has matched this filter entry

password-options
Syntax

password-options

Context

show>system>security

Description

This command displays configured password options.

Output

The following output is an example of password options information, and Password options field descriptions describes the fields.

Output example
A:7705:Dut-A# show system security password-options
===============================================================================
Password Options
===============================================================================
Password aging in days                           : none
Time required between password changes           : 0d 00:10:00
Number of invalid attempts permitted per login   : 3
Time in minutes per login attempt                : 5
Lockout period (when threshold breached)         : 10
Authentication order                             : radius tacplus local
User password history length                     : disabled
Password hashing                                 : bcrypt
Accepted password length                         : 6..56 characters
Credits for each character class                 : none
Number of required characters per class          : none
Minimum number of required character classes     : 0
Required distance with previous password         : 5
Allow consecutively repeating a character        : always
Allow passwords containing username              : no
Palindrome allowed                               : no
===============================================================================
A:7705:Dut-A#
Table 19. Password options field descriptions

Label

Description

Password aging in days

The number of days a user password is valid before the user must change their password

Time required between password changes

The time interval required before a password can be changed

Number of invalid attempts permitted per login

The number of unsuccessful login attempts allowed for the specified time

Time in minutes per login attempt

The period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out

Lockout period (when threshold breached)

The lockout period, in minutes, during which the user is not allowed to log in

Authentication order

The sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords

User password history length

The number of recent passwords stored in the history file to compare against new passwords. If a new password matches any of the passwords in the history file, it is rejected

Password hashing

The password hashing type, either bcrypt, sha2-pbkdf2, or sha3-pbkdf2

Accepted password length

The minimum and maximum password length

Credits for each character class

The maximum number of credits given for each character class

Number of required characters per class

The minimum number of characters for each character classes that is required in a password: uppercase, lowercase, numeric, or special character

Minimum number of required character classes

The number of different character classes that is required in a password: uppercase, lowercase, numeric, or special character

Required distance with previous password

The minimum number of characters required to be different in the new password from the old password.

Allow consecutively repeating a character

The number of times the same character is allowed to be repeated consecutively in a new command

Allow passwords containing username

Displays whether the username is allowed as part of the password

Palindrome allowed

Displays whether palindromes are allowed as part of the password

profile
Syntax

profile user-profile-name

Context

show>system>security

Description

This command displays user profile information.

If the user-profile-name is not specified, then information for all profiles is displayed.

Parameters
user-profile-name

displays information for the specified user profile

Output

The following output is an example of user profile information, and User profile field descriptions describes the fields.

Output example
A:ALU-7# show system security profile administrative
=============================================================================== 
User Profile                                                                    
=============================================================================== 
User Profile : administrative                                                   
Def. Action  : permit-all
LI           : no                                                     
------------------------------------------------------------------------------- 
Entry        : 10                                                               
Description  :                                                                  
Match Command: configure system security                                        
Action       : permit                                                           
------------------------------------------------------------------------------- 
Entry        : 20                                                               
Description  :                                                                  
Match Command: show system security                                             
Action       : permit                                                           
-------------------------------------------------------------------------------
No. of profiles: 1
===============================================================================
A:ALU-7#
Table 20. User profile field descriptions

Label

Description

User Profile

The profile name used to deny or permit user console access to a hierarchical branch or to specific commands

Def. action

Permit all: Permits access to all commands

Deny: Denies access to all commands

None: No action is taken

Entry

The entry ID in a policy or filter table

Description

Displays the text string describing the entry

Match Command

Displays the command or subtree commands in subordinate command levels

Action

Permit all: Commands matching the entry command match criteria are permitted

Deny: Commands not matching the entry command match criteria are not permitted

No. of profiles

The total number of profiles listed

source-address
Syntax

source-address

Context

show>system>security

Description

This command displays the source address configured for applications.

Output

The following output is an example of source address information, and Source address field descriptions describes the fields.

Output example
A:ALU-1# show system security source-address
===============================================================================
Source-Address applications
===============================================================================
Application         IP address/Interface Name                    Oper status
-------------------------------------------------------------------------------
telnet              10.20.1.7                                    Up
radius              loopback1                                    Up
===============================================================================
A:ALU-1#
Table 21. Source address field descriptions

Label

Description

Application

The source-address application

IP address: Interface Name

The source address IP address or interface name

Oper status

Up: The source address is operationally up

Down: The source address is operationally down

ssh
Syntax

ssh

Context

show>system>security

Description

This command displays all the SSH sessions as well as the SSH status and fingerprint. The type of SSH application (CLI, SCP, or SFTP) is indicated for each SSH connection.

Output

The following output is an example of SSH information for an SSH server, and SSH field descriptions describes the fields.

Output example
*A:7705:Dut-C# show system security ssh
 
===============================================================================
SSH Server
===============================================================================
Administrative State      : Enabled
Operational State         : Up
Preserve Key              : Disabled
Key-re-exchange           : 60 minutes / 1024 MB
 
SSH Protocol Version 2    : Enabled
DSA Host Key Fingerprint  : MD5:0a:89:df:09:d8:8c:c4:0d:6c:dc:42:28:79:f9:a1:cf
                            SHA256:VY42oECtkK3Qy+H+FMKShDzjqGKFlo/cxCdfemVNfwE
RSA Host Key Fingerprint  : MD5:8f:cf:0e:5e:48:1b:5d:ce:1a:fb:f6:15:57:1b:82:ac
                            SHA256:DEf9VOKmUz0rxRxhxoCmWs2E+Ny9ryVCADdornzCk/I
-------------------------------------------------------------------------------
Connection                                            ConnectionID
   Username                                           ConnectionStatus
   RouterInstance                                     Key-re-exchange
   Version   KEX
             Cipher
             MAC
   SessionID                  ChannelID   ServerName  ChannelStatus
-------------------------------------------------------------------------------
192.168.192.29                                        14
   admin                                              connected
   management                                         60 minutes / 1024 MB
   SSHv2     diffie-hellman-group-exchange-sha1
             aes128-ctr
             hmac-sha1
   16                         0           cli         connected
   17                         1           cli         connected
   18                         2           cli         connected
-------------------------------------------------------------------------------
192.168.192.29                                        17
   admin                                              connected
   management                                         60 minutes / 1024 MB
   SSHv2     diffie-hellman-group-exchange-sha1
             aes128-ctr
             hmac-sha1
   21                         0           sftp        connected
-------------------------------------------------------------------------------
Number of SSH connections : 2
Number of SSH sessions    : 4
===============================================================================
*A:7705
Table 22. SSH field descriptions

Label

Description

Administrative State

The administrative state of the SSH server: enabled or disabled

Operational State

The operational state of the SSH server: up or down

Preserve Key

The preserve-key configuration: enabled or disabled

Key-re-exchange

The maximum number of minutes elapsed or maximum number of megabytes transmitted before a key re-exchange is initiated

SSH Protocol Version 2

The SSHv2 configuration: enabled or disabled

DSA Host Key Fingerprint

RSA Host Key Fingerprint

The key fingerprint is the digital signal algorithm (DSA) or Rivest, Shamir, and Adleman (RSA) host server’s identity. Clients trying to connect to the server verify the server fingerprint. If the server fingerprint is not known, the client will get a warning message that the server may be spoofed and they will not be allowed to log in until the administrator fixes the issue. The MD5 and SHA 256 versions of the keys are supported.

Connection

The IP address of the connected routers (remote client)

ConnectionID The SSH connection identifier
Username The name of the user
ConnectionStatus The status of the SSH connection: connected or disconnected
RouterInstance The router instance used to establish the connection, either management or base
Key-re-exchange

The number of minutes or the number of megabytes transmitted after which a key re-exchange should occur for this connection

Version

SSHv2

KEX

The KEX algorithm used by the SSH session

Cipher

The cipher used by the SSH session

MAC

The MAC algorithm used by the SSH session

SessionID The identifier for the session
ChannelID The identifier for the channel
ServerName The name of the server. For an SSH session, the value is cli. For an SFTP session, the value is sftp.

ChannelStatus

The status of the channel: connected or disconnected

Number of SSH connections

The total number of SSH connections

Number of SSH sessions The total number of SSH sessions
cert-profile
Syntax

cert-profile name association

cert-profile [name]

cert-profile name entry 1..8

Context

show>system>security>tls

Description

This command displays information about TLS certificate profiles.

Parameters
name

the name of a certificate profile for which to display information

association
displays TLS client profiles that are associated with the certificate profile
1..8
Values

1 to 8

Output

The following outputs are examples of client certificate profile information.

Output example
*A:7705# show system security tls cert-profile 

===============================================================================
Certificate Profile 
===============================================================================
Certificate Profile Name          AdminState  OperState  OperFlags
-------------------------------------------------------------------------------
certProfile1                      up          up         
===============================================================================
A:7705# show system security tls cert-profile "certProfile1" 

===============================================================================
Certificate Profile Entry "certProfile1"
===============================================================================
Id  Certificate File Name     Key File Name             Status Flags
-------------------------------------------------------------------------------
1   sarcert1                  sarkey1                   
===============================================================================
*A:7705# show system security tls cert-profile "certProfile1" entry 1 

===============================================================================
TLS Certificate Profile: "certProfile1" Entry: 1 Detail
===============================================================================
Certificate File : sarcert1
Key File         : sarkey1
Status Flags     : (Not Specified)
===============================================================================
*A:7705# show system security tls cert-profile "certProfile1" association 

===============================================================================
TLS Client Profiles using cert-profile "certProfile1"
===============================================================================
TLS Client Profile Name
-------------------------------------------------------------------------------
tlsClientProfile
-------------------------------------------------------------------------------
Number of TLS Client Profile entries: 1
===============================================================================
client-tls-profile
Syntax

client-tls-profile [client-tls-profile]

client-tls-profile client-tls-profile association

client-tls-profile client-tls-profile [connections]

Context

show>system>security>tls

Description

This command displays TLS client profile information.

Parameters
client-tls-profile

the name of the client TLS profile

association
displays TLS certificate profiles that are associated with the TLS client profile
connections
displays active TLS connections using the TLS client profile
Output

The following outputs are examples of TLS client profile information.

Output example
*A:7705# show system security tls client-tls-profile "tlsClientProfile" 

===============================================================================
Client Profile Entry "tlsClientProfile"
===============================================================================
Cipher List Name             : tlsClientCipherList
Certificate Profile Name     : certProfile1
Trust Anchor Profile Name    : trustAnchorProfile1
===============================================================================
A:7705:Dut-A# show system security tls client-tls-profile "tlsClientProfile" connections 

===============================================================================
Active TLS connections using client-tls-profile "tlsClientProfile"
===============================================================================
     Cipher                       Client Signature       Server Signature
       Matched Trust Anchor         Server IP            
-------------------------------------------------------------------------------
Pcep
1    AES_128_CCM_8_SHA256         RSASSA-PSS-SHA256      RSASSA-PSS-SHA256
       rootCA                       10.20.1.4:4189       
-------------------------------------------------------------------------------
Number of TLS connections: 1
===============================================================================
trust-anchor-profile
Syntax

trust-anchor-profile trust-anchor-profile association

trust-anchor-profile [trust-anchor-profile]

Context

show>system>security>tls

Description

This command displays information about TLS client profiles that are using the specified TLS trust anchor profile.

Parameters
trust-anchor-profile

specifies the trust anchor profile, up to 32 characters

association

displays TLS profiles that are associated with the trust anchor profile

Output

The following outputs are examples of trust anchor profile information.

Output example
*A:7705# show system security tls trust-anchor-profile
===============================================================================
Trust Anchor Profile Information
===============================================================================
Name                                           CA Profiles Down
-------------------------------------------------------------------------------
trustAnchorProfile1                            0
===============================================================================
*A:7705# show system security tls trust-anchor-profile "trustAnchorProfile1"
===============================================================================
CA-profile List for Trust Anchor "trustAnchorProfile1"
===============================================================================
CA Profile Name                                AdminState     OperState
-------------------------------------------------------------------------------
rootCA                                         up             up
===============================================================================
*A:7705:Dut-A# show system security tls trust-anchor-profile "trustAnchorProfile1" association
===============================================================================
TLS Client Profiles using trust-anchor-profile trustAnchorProfile1
===============================================================================
TLS Client Profile Name
-------------------------------------------------------------------------------
tlsClientProfile
-------------------------------------------------------------------------------
Number of TLS Client Profile entries: 1
===============================================================================
user
Syntax

user [user-id] [detail]

user [user-id] lockout

Context

show>system>security

Description

This command displays user registration and security information. You can clear lockouts for users with the lockout command.

If no command line options are specified, summary information for all users displays.

Parameters
user-id

displays information for the specified user

Default

all users

detail

displays detailed user information to the summary output

lockout

displays information about users that are currently locked out for too many failed login attempts

Output

The following output is an example of user information, and User field descriptions describes the fields.

Note: Bluetooth (bt), gRPC (gc), LI (li), and NETCONF (nc) are not supported on the 7705 SAR and appear as "--" in the show system security user detail command output.
Output example
*A:7705:Dut-C>config>system>security# show system security user "test" detail
 
===============================================================================
Users
===============================================================================
User ID      New Access                           Password Login   Failed Local
             Pwd Permissions                      Expires  Attempt Logins Conf
-------------------------------------------------------------------------------
test         n   -- -- -- -- -- -- -- -- sc --    never    0       0      y
-------------------------------------------------------------------------------
Number of users : 1
Permissions: (bt) Bluetooth, (cc) Console port CLI, (fp) FTP, (gc) gRPC,
             (li) LI, (nc) NETCONF, (sp) SCP/SFTP, (sn) SNMP, (sc) SSH CLI,
             (tc) Telnet CLI
===============================================================================
 
===============================================================================
User Configuration Detail
===============================================================================
===============================================================================
user id            : test
-------------------------------------------------------------------------------
console parameters
-------------------------------------------------------------------------------
new pw required    : no                 cannot change pw   : no
home directory     :
restricted to home : yes
save when restrict*: yes
login exec file    :
profile            : default
locked-out         : no
-------------------------------------------------------------------------------
snmp parameters
-------------------------------------------------------------------------------
===============================================================================
* indicates that the corresponding row element may have been truncated.
*A:7705:Dut-C>config>system>security#
ALU-7# show system security user lockout
===============================================================================
Currently Failed Login Attempts
===============================================================================
User ID        Remaining Login attempts      Remaining Lockout Time (min:sec)
-------------------------------------------------------------------------------
jason123               N/A                                  9:56
-------------------------------------------------------------------------------
Number of users : 1
===============================================================================
Table 23. User field descriptions

Label

Description

Users

User ID

The name of a system user

New Pwd

Indicates whether the user must change their password at the next login: y or n

Access Permissions

bt

Indicates whether the user is authorized for Bluetooth access (not supported on the 7705 SAR and always displays "--")

cc

Indicates whether the user is authorized for console port CLI access

fp

Indicates whether the user is authorized for FTP access

gc

Indicates whether the user is authorized for gRPC access (not supported on the 7705 SAR and always displays "--")

li

Indicates whether the user is authorized for lawful intercept (LI) access (not supported on the 7705 SAR and always displays "--")

nc

Indicates whether the user is authorized for NETCONF access (not supported on the 7705 SAR and always displays "--")

sp

Indicates whether the user is authorized for SCP/SFTP access

sn

Indicates whether the user is authorized for SNMP access

sc

Indicates whether the user is authorized for SSH CLI access

tc

Indicates whether the user is authorized for Telnet CLI access

Password Expires

The number of days the user has left before they must change their login password

Login Attempt

The number of times the user has attempted to log in regardless of whether the login succeeded or failed

Failed Logins

The number of unsuccessful login attempts

Local Conf

Indicates whether password authentication is based on the local password database: y or n

Number of users

The total number of listed users

User Configuration Detail

console parameters

new pw required

Indicates whether the user must change their password at the next login: yes or no

cannot change pw

Indicates whether the user is prevented from changing their password: yes or no

home directory

The local home directory for the user for both console and FTP access

restricted to home

Indicates whether the user is restricted from navigating to a directory higher in the directory tree on the home directory device: yes or no

save when restricted Indicates whether configuration save operations are allowed when the user is restricted to home: yes or no

login exec file

The user’s login exec file, which executes whenever the user successfully logs in to a console session

profile

The security profiles associated with the user

locked-out

Indicates whether the user is locked out, and if they are locked out, how much time remains before the user can attempt to log in to the node again

snmp parameters

auth protocol

The SNMPv3 authentication protocol

auth key

The SNMPv3 authentication key

privacy protocol

The SNMPv3 privacy protocol

privacy key

The SNMPv3 privacy key

group

The group to which the protocols apply

Currently Failed Login Attempts

Remaining Login attempts

The number of login attempts remaining before the user is locked out

Remaining Lockout Time (min:sec)

The time remaining before the lockout time expires and the user can attempt another login

With the support of PKI on the 7705 SAR as an SSH server, the authentication process can be done via PKI or password. SSH clients usually authenticate via PKI and password if PKI is configured on the client. In this case, PKI takes precedence over password authentication in most clients.

All client authentications are logged and displayed in the show>system>security>user detail output. The following table shows the rules where pass and fail attempts are logged.

Table 24. Pass/fail login attempts

Authentication order

Client (for example, PuTTY)

Server (for example, 7705 SAR)

CLI show system security attempts

Private key programmed

Public key configured

Password configured

Login attempts

Failed logins

1. Public key

2. Password

Yes

Yes

N/A

Increment

Yes

Yes (if no match between client and server, go to password)

Yes

Increment

Yes

No

Yes

Increment

No

N/A

Yes

Increment

No

N/A

No

Increment

1. Public key (only)

Yes

Yes

N/A

Increment

Yes

Yes (if no match between client and server, go to password)

N/A

Increment

Yes

No

N/A

Increment

No

N/A

N/A

Increment

view
Syntax

view [view-name] [detail] [capabilities]

Context

show>system>security

Description

This command displays one or all views and permissions in the MIB-OID tree.

Parameters
view-name

specifies the name of the view to display. If no view name is specified, the complete list of views displays.

detail

displays detailed view information

Output

The following output is an example of view information, and View field descriptions describes the fields.

Output example
A:ALU-48# show system security view
===============================================================================
Views
===============================================================================
view name         oid tree                        mask              permission
-------------------------------------------------------------------------------
iso               1                                                 included
read1             1.1.1.1                         11111111          included
write1            2.2.2.2                         11111111          included
testview          1                               11111111          included
testview          1.3.6.1.2                       11111111          excluded
mgmt-view         1.3.6.1.2.1.2                                     included
mgmt-view         1.3.6.1.2.1.4                                     included
mgmt-view         1.3.6.1.2.1.5                                     included
mgmt-view         1.3.6.1.2.1.6                                     included
mgmt-view         1.3.6.1.2.1.31                                    included
mgmt-view         1.3.6.1.2.1.77                                    included
mgmt-view         1.3.6.1.4.1.6527.3.1.2.3.7                        included
mgmt-view         1.3.6.1.4.1.6527.3.1.2.3.11                       included
vprn-view         1.3.6.1.2.1.2                                     included
vprn-view         1.3.6.1.2.1.4                                     included
vprn-view         1.3.6.1.2.1.5                                     included
vprn-view         1.3.6.1.2.1.6                                     included
vprn-view         1.3.6.1.2.1.7                                     included
vprn-view         1.3.6.1.2.1.23                                    included
vprn-view         1.3.6.1.2.1.31                                    included
vprn-view         1.3.6.1.2.1.77                                    included
vprn-view         1.3.6.1.4.1.6527.3.1.2.3.7                        included
vprn-view         1.3.6.1.4.1.6527.3.1.2.3.11                       included
vprn-view         1.3.6.1.4.1.6527.3.1.2.20.1                       included
no-security       1                                                 included
no-security       1.3.6.1.6.3                                       excluded
no-security       1.3.6.1.6.3.10.2.1                                included
no-security       1.3.6.1.6.3.11.2.1                                included
no-security       1.3.6.1.6.3.15.1.1                                included
on-security       2                               00000000          included
-------------------------------------------------------------------------------
No. of Views: 30
===============================================================================
A:ALU-48#
Table 25. View field descriptions

Label

Description

view name

The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree

oid tree

The object identifier of the ASN.1 subtree

mask

The bit mask that defines a family of view subtrees

permission

Indicates whether each view is included or excluded

No. of Views

The total number of views

Login control show commands
Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration.
users
Syntax

users

Context

show

Description

This command displays console user login and connection information.

Output

The following output is an example of user login information, and Users field descriptions describes the fields.

Output example
*A:7705:Dut-C# show users
===============================================================================
Username                                           Type
    From
    Router instance
    Connection ID                                  Login time
        Session ID             SSH Channel ID          Idle time
===============================================================================
                                                   Console
    --
    --
    6                                                    --
        6                      --                      0d 07:11:00  --
-------------------------------------------------------------------------------
admin                                              Telnet
    192.168.192.29
    management
    16                                             28SEP2023 21:03:11
       #20                     --                      0d 00:00:00  --
-------------------------------------------------------------------------------
admin                                              Telnet
    192.168.192.30
    management
    12                                             28SEP2023 16:58:33
        14                     --                      0d 04:40:43  --
-------------------------------------------------------------------------------
admin                                              SSHv2
    192.168.192.29
    management
    14                                             28SEP2023 20:29:54
        16                     0                       0d 00:00:25  --
        17                     1                       0d 00:17:59  --
        18                     2                       0d 01:17:08  --
-------------------------------------------------------------------------------
admin                                              SSHv2
    192.168.192.29
    management
    17                                                   --
        21                     0                       0d 00:11:18  --
-------------------------------------------------------------------------------
admin                                              FTP
    192.168.192.29
    management
    18                                             28SEP2023 21:46:59
        22                     --                      0d 00:00:04  --
-------------------------------------------------------------------------------
Number of users: 5
Number of sessions: 7
'#' indicates the current active session
===============================================================================
*A:7705:Dut-C#
Table 26. Users field descriptions

Label

Description

Username

The name of the user

Type

The type of connection: console, Telnet, FTP, SFTP, SSH, or MCT

The console session is always displayed but does not count against the number of sessions unless a user is logged in at the console. If no one is logged in at the console, the Username field is blank.

From

The originating IP address

Router instance The routing instance used to establish the connection, either management or base
Connection ID The identifier for the connection

Login time

The time the user logged in

Session ID The identifier for the session
SSH Channel ID The SSH channel identifier

Idle time

The amount of idle time for a specific login

Number of users

The total number of users logged in

Number of sessions The total number of sessions across all FTP, SFTP, SSH, Telnet, and MCT connections

Clear commands

lockout
Syntax

lockout all

lockout user user-name

Context

admin>clear

Description

This command clears a security lockout for a specific user, or for all users, after they have been locked out for failing too many login attempts.

Parameters
all

clears lockouts for all users

name

specifies a username

password-history
Syntax

password-history all

password-history user user-name

Context

admin>clear

Description

This command clears old passwords for a specific user or for all users.

Parameters
all

clears password history for all users

name

specifies a username

statistics
Syntax

statistics [interface ip-int-name | ip-address]

Context

clear>router>authentication

Description

This command clears authentication statistics.

Parameters
ip-int-name

clears the authentication statistics for the specified interface name. If the string contains special characters (such as #, $, or spaces), the entire string must be enclosed within double quotes.

ip-address

clears the authentication statistics for the specified IP address

Monitor commands

cpm-filter
Syntax

cpm-filter

Context

monitor

Description

This command displays monitor command output for CPM filters.

management-access-filter
Syntax

management-access-filter

Context

monitor

Description

This command enables the context to monitor management access filters.

ip
Syntax

ip entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>cpm-filter

monitor>management-access-filter

Description

This command enables IP filter monitoring. The statistical information for the specified IP filter entry is displayed at the configured interval until the configured count is reached.

The first screen displays the current statistics related to the specified IP filter. The subsequent statistical information listed for each interval is displayed as a delta to the previous screen output.

When the keyword rate is specified, the rate per second for each statistic is displayed instead of the delta.

Monitor commands are similar to show commands, but only statistical information is displayed. Monitor commands display the selected statistics according to the configured number of times at the interval specified.

Parameters
entry-id

displays information for the specified filter entry ID

Values

1 to 120 (CPM filter)

1 to 9999 (management access filter)

seconds

configures the interval for each display in seconds

Values

3 to 60

Default

10

repeat

configures how many times the command is repeated

Values

1 to 999

Default

10

absolute

displays raw statistics, without processing. No calculations are performed on the delta or rate statistics.

rate

displays the rate per second for each statistic instead of the delta

ipv6
Syntax

ipv6 entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>cpm-filter

monitor>management-access-filter

Description

This command enables IPv6 filter monitoring. The statistical information for the specified IPv6 filter entry is displayed at the configured interval until the configured count is reached.

The first screen displays the current statistics related to the specified IPv6 filter. The subsequent statistical information listed for each interval is displayed as a delta to the previous screen output.

When the keyword rate is specified, the rate per second for each statistic is displayed instead of the delta.

Monitor commands are similar to show commands, but only statistical information is displayed. Monitor commands display the selected statistics according to the configured number of times at the interval specified.

Parameters
entry-id

displays information for the specified filter entry ID

Values

1 to 120 (CPM filter)

1 to 9999 (management access filter)

seconds

configures the interval for each display in seconds

Values

3 to 60

Default

10

repeat

configures how many times the command is repeated

Values

1 to 999

Default

10

absolute

displays raw statistics, without processing. No calculations are performed on the delta or rate statistics.

rate

displays the rate per second for each statistic instead of the delta

mac
Syntax

mac entry entry-id [interval seconds] [repeat repeat] [absolute | rate]

Context

monitor>cpm-filter

monitor>management-access-filter

Description

This command enables MAC filter monitoring. The statistical information for the specified MAC filter entry is displayed at the configured interval until the configured count is reached.

The first screen displays the current statistics related to the specified MAC filter. The subsequent statistical information listed for each interval is displayed as a delta to the previous screen output.

When the keyword rate is specified, the rate per second for each statistic is displayed instead of the delta.

Monitor commands are similar to show commands, but only statistical information is displayed. Monitor commands display the selected statistics according to the configured number of times at the interval specified.

Parameters
entry-id

displays information for the specified filter entry ID

Values

1 to 120 (CPM filter)

1 to 9999 (management access filter)

seconds

configures the interval for each display in seconds

Values

3 to 60

Default

10

repeat

configures how many times the command is repeated

Values

1 to 999

Default

10

absolute

displays raw statistics, without processing. No calculations are performed on the delta or rate statistics.

rate

displays the rate per second for each statistic instead of the delta

Debug commands

radius
Syntax

radius [detail] [hex]

no radius

Context

debug

Description

This command enables debugging for RADIUS connections.

The no form of the command disables the debugging.

Parameters
detail

displays detailed output

hex

displays the packet dump in hexadecimal format