Security

This chapter provides information to configure security parameters.

Authentication, authorization, and accounting

This chapter describes authentication, authorization, and accounting (AAA) used to monitor and control network access on 7210 SAS routers. Network security is based on a multi-step process. The first step, authentication, validates a username and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.

Another step, accounting, keeps track of the activity of a user who has accessed the network. The type of accounting information recorded can include a history of the commands executed, the amount of time spent in the session, the services accessed, and the data transfer size during the session. The accounting data can then be used to analyze trends, and also for billing and auditing purposes.

You can configure 7210 SAS routers to use local, Remote Authentication Dial In User Service (RADIUS), or Terminal Access Controller Access Control System Plus (TACACS+) security to validate users who attempt to access the router by console, Telnet, or FTP. You can select the authentication order which determines the authentication method to try first, second, and third.

The 7210 SAS supports the following security features:

  • RADIUS can be used for authentication, authorization, and accounting.

  • TACACS+ can be used for authentication, authorization, and accounting.

  • Local security can be implemented for authentication and authorization.

The following figure shows how end user access-requests are sent to a RADIUS server. After validating the usernames and passwords, the RADIUS server returns an access-accept message to the users on ALA-1 and ALA-2. The username and password from ALA-3 could not be authenticated, therefore access was denied.

Figure 1. RADIUS requests and responses

Authentication

Authentication validates a username and password combination when a user attempts to log in.

When a user attempts to log in through the console, Telnet, SSH, SCP, or FTP, the 7210 SAS client sends an access request to a RADIUS, TACACS+, or local database.

Transactions between the client and a RADIUS server are authenticated through the use of a shared secret. The secret is never transmitted over the network. User passwords are sent encrypted between the client and RADIUS server which prevents someone snooping on an insecure network to learn password information.

If the RADIUS server does not respond within a specified time, the router issues the access request to the next configured servers. Each RADIUS server must be configured identically to guarantee consistent results.

If any RADIUS server rejects the authentication request, it sends an access reject message to the router. In this case, no access request is issued to any other RADIUS servers. However, if other authentication methods such as TACACS+ and/or local are configured, then these methods are attempted. If no other authentication methods are configured, or all methods reject the authentication request, then access is denied.

For the RADIUS server selection, round-robin is used if multiple RADIUS servers are configured. Although, if the first alive server in the list cannot find a user-name, the router does not query the next server in the RADIUS server list and denies the access request. It may get authenticated on the next login attempt if the next selected RADIUS server has the appropriate user-name. Nokia recommends that the same user databases be maintained for RADIUS servers to avoid inconsistent behavior.

The user login is successful when the RADIUS server accepts the authentication request and responds to the router with an access accept message.

Implementing authentication without authorization for the 7210 SAS-Series routers does not require the configuration of VSAs (Vendor Specific Attributes) on the RADIUS server. However, users, user access permissions, and command authorization profiles must be configured on each router.

Any combination of the following authentication methods can be configured to control network access from a 7210 SAS-Series router.

Local authentication

Local authentication uses usernames and passwords to authenticate login attempts. The usernames and passwords are local to each router not to user profiles.

By default, local authentication is enabled. When one or more of the other security methods are enabled, local authentication is disabled. Local authentication is restored when the other authentication methods are disabled. Local authentication is attempted if the other authentication methods fail and local is included in the authentication order password parameters.

Locally, you can configure usernames and password management information. This is referred to as local authentication. Remote security servers such as RADIUS or TACACS+, are not enabled.

RADIUS authentication

Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize access to the requested system or service.

RADIUS allows you to maintain user profiles in a shared central database and provides better security, allowing a company to set up a policy that can be applied at a single administered network point.

RADIUS server selection

The RADIUS server selection algorithm is used by different applications:

  • RADIUS operator management

  • RADIUS authentication for Enhanced Subscriber Management

  • RADIUS accounting for Enhanced Subscriber Management

  • RADIUS PE-discovery

In all these applications, up to 5 RADIUS servers pools (per RADIUS policy, if used) can be configured.

The RADIUS server selection algorithm can work in 2 modes, either Direct mode or Round-Robin mode.

Direct mode

The first server is used as the primary server. If this server is unreachable, the next server, based on the server index, of the server pool is used. This continues until either all servers in the pool have been tried or an answer is received.

If a server is unreachable, it will not be used again by the RADIUS application for the next 30 seconds to allow the server to recover from its unreachable state. After 30 seconds the unreachable server is available again for the RADIUS application. If in these 30 seconds the RADIUS application receives a valid response for a previously sent RADIUS packet on that unreachable server, the server will be available for the RADIUS application again, immediately after reception of that response.

Round-Robin mode

The RADIUS application sends the next RADIUS packet to the next server in the server pool. The same server non-reachability behavior is valid as in the Direct mode.

Server reachability detection

A server is reachable, when the operational state UP, when a valid response is received within a timeout period which is configurable by the retry parameter on the RADIUS policy level.

A server is treated as not-reachable, when the operational state down, when the following occurs:

  • a timeout

    If a number of consecutive timeouts are encountered for a specific server. This number is configurable by the retry parameter on RADIUS policy level.

  • a send failed

    If a packet cannot be sent to the RADIUS server because the forwarding path toward the RADIUS server is broken (for example, the route is not available, the is interface shutdown, and so on), no retry mechanism is invoked and immediately, the next server in line is used.

A server that is down can only be used again by the RADIUS algorithm after 30 seconds, unless, during these 30 seconds a valid RADIUS reply is received for that server. Then, the server is immediately marked UP again.

The operational state of a server can also be ‟unknown” if the RADIUS application is not aware of the state of the RADIUS server (for example, if the server was previously down but no requests had been sent to the server, therefore, it is not certain yet whether the server is actually reachable).

Application-specific behavior
  • Operator Management

    The server access mode is fixed to Round-Robin (Direct cannot be configured for operator management). A health-check function is available for operator management, which can optionally be disabled. The health-check polls the server once every 10 seconds with an improbable username. If the server does not respond to this health-check, it will be marked down.

    If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.

  • RADIUS Authentication

    If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.

  • RADIUS Accounting

    The RADIUS accounting application will try to send all the concerned packets of a subscriber host to the same server. If that server is down, then the packet is sent to the next server and, from that moment on, the RADIUS application uses that server to send its packets for that subscriber host.

  • RADIUS PE-Discovery

    If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.

    The RADIUS PE-discovery application makes use of a 10 second time period instead of the generic 30 seconds and uses a fixed consecutive timeout value of 2 (see Server reachability detection).

    As long as the Session-Timeout (attribute in the RADIUS user file) is specified, it is used for the polling interval. Otherwise, the configured polling interval will be used (60 seconds by default).

TACACS+ authentication

Terminal Access Controller Access Control System, commonly referred to as TACACS is an authentication protocol that allows a remote access server to forward a user's log on password to an authentication server to determine whether access can be allowed to a specific system. TACACS is an encryption protocol and therefore less secure than the later Terminal Access Controller Access Control System Plus (TACACS+) and RADIUS protocols.

TACACS+ and RADIUS have largely replaced earlier protocols in the newer or recently updated networks. TACACS+ uses Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). TACACS+ is popular as TCP is thought to be a more reliable protocol. RADIUS combines authentication and authorization. TACACS+ separates these operations.

Password hashing

The 7210 SAS supports two algorithms for user password hashing: bcrypt, which is the default algorithm, and PBKDF2. The PBKDF2 algorithm can use SHA2 (SHA-256) for hashing.

The password hashing algorithm can be configured using the configure system security password hashing command. The configured algorithm hashes all user passwords.

When password hashing is configured, the following sequence of steps occurs at login:

  1. The node checks the stored password and notes its hash algorithm.

  2. The password entered by the user is hashed with the noted algorithm, and the node compares the hash with the stored user password hash.

  3. If the entered and stored passwords are the same, and if the hash algorithm of the stored user password is different than the hash algorithm of the system password, the user is prompted to enter a new password two times to ensure password match. The node stores this new password in the RAM (not in the system configuration file).

    To store the new password in the configuration file, an admin user must perform the admin save command. If the admin save command is not executed, on the next reboot the hash algorithm of the stored user password may be different than the system hash, and the user must go through this process again from step 2.

After an upgrade to a software load that supports PBKDF2, the default password continues to be stored using the bcrypt algorithm. The following example describes the procedure to change the algorithm. In this example, the algorithm is changed to PBKDF2, and ‟User_name” can be any user.

  1. User_name logs in and runs the hashing command to change the algorithm.

  2. To save the algorithm change, an admin user performs an admin save command.

  3. To store User_name’s password using PBKDF2, the admin user changes User_name’s password.

  4. From this point onward, any new user passwords or changes to existing user passwords are stored using PBKDF2.

Authorization

The OS support local, RADIUS, and TACACS+ authorization to control the actions of specific users by applying a profile based on username and password configurations when network access is granted. The profiles are configured locally as well as VSAs on the RADIUS server. See Vendor-specific attributes (VSAs).

When a user has been authenticated using RADIUS (or another method), the router can be configured to perform authorization. The RADIUS server can be used to:

  • download the user profile to the router

  • send the profile name that the node should apply to the router

Profiles consist of a suite of commands that the user is allowed or not allowed to execute. When a user issues a command, the authorization server looks at the command and the user information and compares it with the commands in the profile. If the user is authorized to issue the command, the command is executed. If the user is not authorized to issue the command, then the command is not executed.

Profiles must be created on each router and should be identical for consistent results. If the profile is not present, then access is denied.

Supported authorization configurations describes the following scenarios:

  • Remote (RADIUS) authorization cannot be performed if authentication is done locally (on the router).

  • The reverse scenario is supported if RADIUS authentication is successful and no authorization is configured for the user on the RADIUS server, then local (router) authorization is attempted, if configured in the authorization order.

When authorization is configured and profiles are downloaded to the router from the RADIUS server, the profiles are considered temporary configurations and are not saved when the user session terminates.

Table 1. Supported authorization configurations
User type RADIUS supplied profile

Configured user

Not Supported

RADIUS server configured user

Supported

TACACS+ server configured user

Not Supported

When using authorization, maintaining a user database on the router is not required. Usernames can be configured on the RADIUS server. Usernames are temporary and are not saved in the configuration when the user session terminates. Temporary user login names and their associated passwords are not saved as part of the configuration.

Local authorization

Local authorization uses user profiles and user access information after a user is authenticated. The profiles and user access information specifies the actions the user can and cannot perform.

By default, local authorization is enabled. Local authorization is disabled only when a different remote authorization method is configured (RADIUS authorization). Local authorization is restored when RADIUS authorization is disabled.

You must configure profile and user access information locally.

RADIUS authorization

RADIUS authorization grants or denies access permissions for a router. Permissions include the use of FTP, Telnet, SSH (SCP), and console access. When granting Telnet, SSH (SCP) and console access to the router, authorization can be used to limit what CLI commands the user is allowed to issue and which file systems the user is allowed or denied access.

TACACS+ authorization

Like RADIUS authorization, TACACS+ grants or denies access permissions for a router. The TACACS+ server sends a response based on the username and password.

TACACS+ separates the authentication, authorization, and accounting function. RADIUS combines the authentication and authorization functions.

Accounting

When enabled, RADIUS accounting sends command line accounting from the router to the RADIUS server. The router sends accounting records using UDP packets at port 1813 (decimal).

The router issues an accounting request packet for each event requiring the activity to be recorded by the RADIUS server. The RADIUS server acknowledges each accounting request by sending an accounting response after it has processed the accounting request. If no response is received in the time defined in the timeout parameter, the accounting request must be retransmitted until the configured retry count is exhausted. A trap is issued to alert the NMS (or trap receiver) that the server is unresponsive. The router issues the accounting request to the next configured RADIUS server (up to 5).

User passwords and authentication keys of any type are never transmitted as part of the accounting request.

RADIUS accounting

Accounting tracks user activity to a specified host. When RADIUS accounting is enabled, the server is responsible for receiving accounting requests and returning a response to the client indicating that it has successfully received the request. Each command issued on the router generates a record sent to the RADIUS server. The record identifies the user who issued the command and the timestamp.

Accounting can be configured independently from RADIUS authorization and RADIUS authentication.

TACACS+ accounting

The OS allows you to configure the type of accounting record packet that is to be sent to the TACACS+ server when specified events occur on the device. The accounting record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent. Start/stop messages are only sent for individual commands, not for the session.

When a user logs in to request access to the network using Telnet or SSH, or a user enters a command for which accounting parameters are configured, or a system event occurs, such as a reboot or a configuration file reload, the router checks the configuration to see if TACACS+ accounting is required for the particular event.

If TACACS+ accounting is required, then, depending on the accounting record type specified, sends a start packet to the TACACS+ accounting server which contains information about the event.

The TACACS+ accounting server acknowledges the start packet and records information about the event. When the event ends, the device sends a stop packet. The stop packet is acknowledged by the TACACS+ accounting server.

Security controls

You can configure routers to use RADIUS, TACACS+, and local authentication to validate users requesting access to the network. The order in which password authentication is processed among RADIUS, TACACS+ and local passwords can be specifically configured. That is, the authentication order can be configured to process authorization through TACACS+ first, then RADIUS for authentication and accounting. Local access can be specified next in the authentication order in the event that the RADIUS and TACACS+ servers are not operational.

The following table lists the types of security supported by each protocol.

Table 2. Security methods capabilities
Method Authentication Authorization Accounting 1

Local

Y

Y

N

TACACS+

Y

Y

Y

RADIUS

Y

Y

Y

When a server does not respond

A trap is issued if a RADIUS + server is unresponsive. An alarm is raised if RADIUS is enabled with at least one RADIUS server and no response is received to either accounting or user access requests from any server.

Periodic checks to determine whether the primary server is responsive again are not performed. If a server is down, it will not be contacted for 5 minutes. If a login is attempted after 5 minutes, then the server is contacted again. When a server does not respond with the health check feature enabled, the server status is checked every 30 seconds. Health check is enabled by default. When a service response is restored from at least one server, the alarm condition is cleared. Alarms are raised and cleared on the Nokia Fault Manager or other third party fault management servers.

The servers are accessed in order from lowest to highest specified index (from 1 to 5) for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received, implying a lower indexed server is not available. If a response from the server is received, no other server is queried.

Access request flow

In Security flow, the authentication process is defined in the config>system>security> password context. The authentication order is determined by specifying the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords. This example uses the authentication order of RADIUS, then TACACS+, and finally, local. An access request is sent to RADIUS server 1. One of two scenarios can occur. If there is no response from the server, the request is passed to the next RADIUS server with the next lowest index (RADIUS server 2) and so on, until the last RADIUS server is attempted (RADIUS server 5). If server 5 does not respond, the request is passed to the TACACS+ server 1. If there is no response from that server, the request is passed to the next TACACS+ server with the next lowest index (TACACS+ server 2) and so on.

If a request is sent to an active RADIUS server and the username and password is not recognized, access is denied and passed on to the next authentication option, in this case, the TACACS+ server. The process continues until the request is either accepted, denied, or each server is queried. Finally, if the request is denied by the active TACACS+ server, the local parameters are checked for username and password verification. This is the last chance for the access request to be accepted.

Figure 2. Security flow

Control and management traffic protection

7210 SAS platforms support an extensive set of configurable mechanisms to protect the CPU from being flooded with control or management traffic.

These protection mechanisms are a set of configurable hardware-based filters, classification, queuing, and rate-limiting functions that drop unwanted traffic before it reaches the control processor:

  • In-band traffic extracted from line cards to the control processing module (CPM) on chassis-based systems, or extracted from front-panel ports on fixed form-factor devices:

    • Line card or fixed form-factor platform features:

      • ACLs filters: IPv4, IPv6, and MAC

      • Distributed CPU protection (supported only on the 7210 SAS-R6 and 7210 SAS-R12)

    • CPM features:

      • Centralized CPU protection

  • Out-band and in-band traffic: management access filters

CPM Management Access Filters

CPM traffic is extracted from the data plane and sent to the CPM for processing. Packets from all network and access ports can be filtered using management access filters, which use CPU resources. Packets originating from a management Ethernet port can also be filtered using management access filters.

CPM protocols and ports

Nokia recommends using a strict CPM management access filter policy allowing traffic from trusted IP subnets for protocols and ports actively used in the router and to explicitly drop other traffic.

The following table identifies the protocols and TCP/UDP ports used per application on 7210 SAS platforms. The source port and destination port reflect the CPM management access filter entry configuration for traffic ingressing the router and sent to the CPM.

Table 3. Protocols and TCP/UDP ports used by applications on 7210 SAS platforms
TCP/UDP port number IP protocol Application description Protocols and ports available for in-band and out-of-band management on 7210 SAS platforms
Source Destination SAS-T (network mode) SAS-T (access-uplink mode) SAS-MXP SAS-R6 and SAS-R12 SAS-Sx/S 1/10GE SAS-Sx 10/100GE
In-band Out-of-band In-band Out-of-band In-band Out-of-band In-band Out-of-band In-band Out-of-band In-band Out-of-band
BFD application

3784

UDP

BFD control 1 hop BFD

3785

UDP

BFD echo

4784

UDP

BFD control multi-hop

6784

UDP

Micro-BFD

BGP application

179

TCP

BGP: server terminated TCP sessions

179

TCP

BGP: client responses for initiated TCP session

Cflowd application

1025 to 65535

UDP

DHCPv4 application

67

67

UDP

DHCPv4: relay agent to server; server to relay agent; relay agent to relay agent

68

67

UDP

DHCPv4: client to relay agent; client to server

67

68

UDP

DHCPv4: relay agent to server; relay agent to client

DHCPv6 application

546

547

UDP

DHCPv6: client to server; client to relay agent

547

546

UDP

DHCPv6: server to relay agent; relay agent to server; relay agent to relay agent

DNS application

53

UDP

DNS Client

FTP application

20

TCP

FTP server data and active FTP client

21

TCP

FTP server control

20

TCP

FTP client data

21

TCP

FTP client control

GRE application

N/A

N/A

GRE

GRE

ICMP application

N/A

N/A

ICMP

ICMP

IGMP application

N/A

N/A

IGMP

IGMP

LDP application

646

UDP

LDP hello adjacency

646

TCP

LDP/T-LDP: terminated TCP sessions

646

TCP

LDP/T-LDP: responses for initiated TCP sessions

MC-APS application

1025

UDP

Multi-chassis LAG

MCS application

45067

TCP

Multi-chassis synchronization: terminated TCP session

45067

TCP

Multi-chassis synchronization: responses for initiated TCP session

NETCONF application

830

TCP

NETCONF

NTP application

123

UDP

NTP server

123

UDP

NTP client

OAM application

3503

UDP

LSP ping

33408 to 33535

UDP

OAM traceroute

OSPF application

N/A

N/A

OSPF

OSPF

PCEP application

4189

TCP

Path Computation Element Protocol (PCEP)

PIM application

3232

UDP

PIM MDT

N/A

N/A

PIM

PIM

PTP application

319

UDP

1588 PTP event

320

UDP

1588 PTP general

RADIUS application

1812

UDP

Radius authentication

1813

UDP

Radius accounting

RIP application

520

UDP

RIP (only on SAS-Mxp)

RSVP application

N/A

N/A

RSVP

RSVP

SSH application

22

TCP

SSH server and terminated TCP session

22

TCP

SSH client and responses for initiated TCP sessions

SNMP application

161

UDP

SNMP server; SET and GET commands

TACACS application

49

TCP

TACACS client and responses for initiated TCP sessions

TELNET application

23

TCP

TELNET server

TWAMP application

862

TCP

TWAMP control: terminated TCP session

Any

UDP

TWAMP test

1 to 65535

UDP

TWAMP light (per router instance)

VRRP application

N/A

N/A

VRRP

VRRP

Management Access Filter

Management Access Filters (MAF) are software-based filters used to restrict traffic extracted from the data plane and restrict traffic from the management port to the CPU.

MAF packet match

Two different management-access-filter policies can be configured: ip-filter and ipv6-filter.

The following are the MAF packet match rules:

  • Each MAF policy is an ordered list of entries; therefore, entries must be sequenced correctly from the most to the least explicit.

  • If multiple match criteria are specified in a single MAF policy entry, all criteria must be met for the packet to be considered a match against that policy entry (logical AND).

  • Any match criteria not explicitly defined is ignored during a match.

  • A MAF filter policy entry defined without a match criteria is inactive.

  • A MAF filter policy entry with match criteria defined but no action configured inherits the default action defined at the management-access-filter level.

  • The management-access-filter default-action applies individually per IPv4 or IPv6 filter policies that are in a no shutdown state.

MAF IPv4/IPv6 filter entry match criteria

The following table lists the supported IPv4 and IPv6 match criteria.

Table 4. IPv4 and IPv6 match criteria

Criteria

Description

dst-port

Matches the specified port value against the destination port number of the UDP or TCP packet header.

flow-label

Matches the IPv6 flow label.

fragment

Matches fragmented or non-fragmented IP packet.

next-header

Matches the specified upper-layer protocol (such as TCP, UDP, or IGMPv6) against the next-header field of the IPv6 packet header. "*" can be used to specify a TCP or UDP upper-layer protocol match (logical OR). Next-header matching also allows matching on presence of a subset of IPv6 extension headers. See Management Access Filter commands for details about which extension header match is supported.

l4-source-port

Matches the specified port value against the L4 source port number of the UDP or TCP packet header.

protocol

Matches the specified protocol against the Protocol field in the IPv4 packet header (for example, TCP, UDP, or IGMP) of the outer IPv4. "*" can be used to specify TCP or UDP upper-layer protocol match (logical OR).

router

Matches the router instance that packets are ingressing from for this filter entry.

src-ip

Matches the specified source IPv4 or IPv6 address prefix and mask against the source IPv4 or IPv6 address field in the IP packet header.

src-port

Matches packets that are ingressing from this port.

MAF policy action

MAFs allow actions to permit or deny (or use the deny-host-unreachable response for IP filters) traffic.

MAF policy statistics and logging

The management access filter match count can be displayed using show commands. Logging is recorded in the system security logs.

CPU protection modes

The 7210 SAS provides several rate limiting mechanisms to protect the CPM/CFM processing resources of the router:

  • Centralized CPU Protection: a centralized rate-limiting function that operates on the CPM to limit traffic destined to the CPUs. The CPU protection mechanism is not user-configurable. It is supported on all 7210 SAS platforms.

    For historical reasons, the term ‟centralized CPU protection” is called ‟CPU protection” in this user guide.

  • Distributed CPU Protection (DCP): a control traffic rate-limiting protection mechanism for the CPM and CFM that operates on line cards. See DCP for more information about the DCP mechanism.

Centralized CPU protection

The CPU protection mechanism protects the CPU from a DoS attack by limiting the amount of ingress port traffic destined for the CPM to be processed by its CPU. On the 7210 SAS, a set of dedicated policers are used to limit the amount of traffic to the software-defined rate (the rate is not user-configurable) before the packets are queued to the CPU queues. A strict policy scheduler schedules packets from the CPU queues. A CPU queue traffic shaper, configured to a predefined rate by software, is used to limit the amount of traffic for a protocol or group of protocols using the CPU queue.

In most cases, access interfaces and network uplinks do not share the policers and CPU queues used to manage the amount of traffic sent to the CPM. Access interfaces (typically used to deliver customer services) use a dedicated set of policers and CPU queues; a separate set is used for network facing ports (that is, network ports, hybrid ports, and access-uplink ports). The policer rate and CPU queue rates used for CPU protection are not user-configurable.

DCP

DCP provides a powerful per-protocol-per-object rate-limiting function for control protocol traffic that is extracted from the datapath and sent to the CPM. See DCP applicability for a list of applicable objects. The DCP function is implemented on the router for granular control.

DCP provides the enforcement policers to configure policies that are applied to objects (for example, SAPs). An enforcement policer is an instance of a policer that is policing a flow of packets composed of a single protocol arriving on a single object (for example, SAP). Enforcement policers perform a configurable action, such as a discard, on packets that exceed the configured rate parameters. Static policers are the one type of enforcement policer supported on the 7210 SAS-R6 and 7210 SAS-R12, which are always instantiated if configured.

The following figure shows per-SAP per-protocol static rate limiting with DCP.

Figure 3. Per-SAP per-protocol static rate limiting with DCP
Note:

CPU policers and CPU queues on CPM and IMM are shown only for some protocols. on the 7210 SAS, all control traffic to the CPU is rate-limited using a policer per protocol or group of protocols. The CPU queues are further shaped to the system-defined rate. There are different policers and queues used for access ports and network ports to ensure that customer traffic does not affect critical network traffic. The rates for these CPU policers and queues are not configurable by the user.

DCP applicability

By default, the system does not associate a DCP policy with a SAP. The user must configure an explicit policy to enable DCP for a SAP for a supported protocol. Allocate resources for the DCP policy from the ingress internal TCAM resource pool by using the configure>system>resource-profile>ingress-internal-tcam>cpu-protection command. See the 7210  SAS-Mxp, R6, R12, S, Sx, T Basic System Configuration Guide for more information about this command.

The DCP functionality is not enabled on the service objects by default. Use the dist-cpu-protection command in the config>service context to enable the DCP functionality on service objects. The no form of the command disables the DCP functionality on service objects.

DCP policies can be applied to the following types of objects:

  • IES SAP

  • VPRN SAP

  • RVPLS SAP

For RVPLS, DCP rate-limits the packets arriving at the CPU, but for flooded traffic, ingress QoS or ACLs must be used.

Control packets that are extracted in an IES or a VPRN service, where the packets arrived into the node over a VPLS SAP (that is, R-VPLS scenario), will use the DCP policy and policer instances associated with the VPLS SAP. In this case, a DCP policy created for VPLS SAPs, for VPLSs that have a Layer 3 interface bound to them (R-VPLS), may have protocols such as ARP configured in the policy.

Log events, statistics, status and SNMP support

Log events are supported for DCP to warn against potential attacks or misconfigurations, and to tune DCP settings. DCP throttles the rate of DCP events to avoid event floods when multiple parallel attacks or problems occur in the system.

Most DCP log events can be enabled or disabled both individually at the DCP policy level (in the DCP policy configuration), and globally in the system (in log event control).

In the case where the DCP log event indicates a SAP that is an MSAP, the operator can identify the subscribers on a specific MSAP by using the show service active-subscriber command and filtering (‟| match”) on the MSAP string.

The DCP statistics and status is available via the following:

  • SNMP

    For detailed information, see the tables and NOTIFICATION-TYPE objects in the following MIBs where ‟Dcp” or ‟DCpuProt” occurs in the applicable object name:

    • TIMETRA-CHASSIS-MIB

    • TIMETRA-SAP-MIB

    • TIMETRA-VRTR-MIB

    • TIMETRA-SECURITY-MIB

  • CLI

    Use the show log event-control | match Dcp command to display the log events in the CLI.

    In the case where the DCP log event indicates a SAP that is an MSAP, the operator can identify the subscribers on a specific MSAP by using the show service active-subscriber command and filtering (‟| match”) on the MSAP string.

DCP policer resource management

CAM and meter resources from the CPU protection pool are allocated for the DCP policer by using the configure>system>resource-profile>ingress-internal-tcam>cpu-protection command. Resources from this pool (also called a slice) are also used to identify protocol packets that need to be rate-limited and have used a policer or meter to the configured rate before being queued to the CPU queues. Two CAM entries with a single policer is used for every protocol configured in the DCP policy. The 7210 SAS does not support sharing of a policer among protocols. All protocols configured to use a policer are allocated an independent instance of the policer and are policed to the configured rate. See the 7210  SAS-Mxp, R6, R12, S, Sx, T Basic System Configuration Guide for information about resource allocation using the cpu-protection CLI command.

Operational guidelines

This section describes the operational guidelines to leverage distributed CPU protection:

  • To completely block a set of specific protocols on a specific SAP, create a single static policer with a rate of 0 and map the protocols to that policer.

  • During normal operation, Nokia recommends that log events for state policers should be configured using the log-events command without the optional verbose keyword. Use the verbose keyword selectively during debugging, testing, tuning, and investigation.

  • Every protocol configured to use a policer is allocated an independent policer instance to rate-limit that protocol. A single policer cannot be shared across multiple protocols. For example, if a single policer is configured in the service and there are four protocols configured to use it, four policer instances are allocated (that is, eight CAM entries are used for identifying the protocol and four meters are allocated).

  • The rates enforced by centralized CPU protection are also enforced for protocols configured for DCP. That is, DCP allows users to enforce rates per service object to be below the system-defined rate of the centralized CPU protection. Therefore, it prevents customer traffic from affecting other customer traffic.

Vendor-specific attributes (VSAs)

The 7210 SAS supports the configuration of Nokia-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAs) and are described in RFC 2138. VSAs must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the format of their VSA. The attribute-specific field is dependent on the vendor's definition of that attribute. The Nokia defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527, the vendor ID number.

The PE-record entry is required to support the RADIUS Discovery for Layer 2 VPN feature. A PE-record is only relevant if the RADIUS Discovery feature is used, not for the standard RADIUS setup.

The following RADIUS vendor-specific attributes (VSAs) are supported by Nokia:

  • timetra-access <ftp> <console> <both>

    This is a mandatory command that must be configured. This command specifies if the user has FTP and /or console (serial port, Telnet, and SSH) access.

  • timetra-profile <profile-name>

    When configuring this VSA for a user, it is assumed that the user profiles are configured on the local router and the following applies for local and remote authentication:

The authentication-order parameters configured on the router must include the local keyword.

The username may or may not be configured on the router.

The user must be authenticated by the RADIUS server

Up to 8 valid profiles can exist on the router for a user. The sequence in which the profiles are specified is relevant. The most explicit matching criteria must be ordered first. The process stops when the first complete match is found.

If all the preceding conditions are not met, then access to the router is denied and a failed login event/trap is written to the security log:

  • timetra-default-action <permit-all|deny-all|none>

    This is a mandatory command that must be configured even if the timetra-cmd VSA is not used. This command specifies the default action when the user has entered a command and no entry configured in the timetra-cmd VSA for the user resulted in a match condition.

  • timetra-cmd <match-string>

    Configures a command or command subtree as the scope for the match condition.

    The command and all subordinate commands in subordinate command levels are specified.

    Configure from most specific to least specific. The system exits on the first match; subordinate levels cannot be modified with subsequent action commands. Subordinate level VSAs must be entered before this entry to be effective.

    All commands at and below the hierarchy level of the matched command are subject to the timetra-action VSA.

    Multiple match-strings can be entered in a single timetra-cmd VSA. Match strings must be semicolon (;) separated (maximum string length is 254 characters).

One or more timetra-cmd VSAs can be entered followed by a single timetra-action VSA:

  • timetra-action <deny|permit>

    Causes the permit or deny action to be applied to all match strings specified since the last timetra-action VSA.

  • timetra-home-directory <home-directory string>

    Specifies the home directory that applies for the FTP and CLI user. If this VSA is not configured, the home directory is Compact Flash slot 1 (cf1:).

  • timetra-restrict-to-home-directory <true|false>

    Specifies if user access is limited to their home directory (and directories and files subordinate to their home directory). If this VSA is not configured the user is allowed to access the entire file system.

  • timetra-login-exec <login-exec-string>

    Specifies the login exec file that is executed when the user login is successful. If this VSA is not configured no login exec file is applied.

If no VSAs are configured for a user, then the following applies:

  • The password authentication-order command on the router must include local.

  • The username must be configured on the router.

  • The user must be successfully be authenticated by the RADIUS server

  • A valid profile must exist on the router for this user.

If all of the preceding conditions are not met, then access to the router is denied and a failed login event/trap is written to the security log.

The complete list of TiMetra VSAs is available on a file included on the compact flash shipped with the image.

Sample user (VSA) configuration

The following example displays a user-specific VSA configuration. This configuration shows attributes for users named "ruser1" and "ruser2".

The following example shows that user "ruser1" is granted console access. The "ruser1" home directory is in compact flash slot 3 and is limited to the home directory. The default action permits all packets when matching conditions are not met. The timetra-cmd parameters allow or deny the user to use the tools;telnet;configure system security commands. Matching strings specified in the timetra-action command are denied for this user since the timetra-action is deny.

The user "ruser2" is granted FTP access.The default action denies all packets when matching conditions are not met. The timetra-cmd parameters allow the user to use the configure, show, and debug commands. Matching strings specified in the timetra-action command are permitted for this user.

users.timetra

ruser1 Auth-Type := System, Password == "ruser1"
Service-Type = Login-User,
Idle-Timeout = 600,
Timetra-Access = console,
Timetra-Home-Directory = cf1:
Timetra-Restrict-To-Home = true
Timetra-Default-Action = permit-all,
Timetra-Cmd  = "tools;telnet;configure system security",
Timetra-Action = deny

ruser2 Auth-Type := System, Password == "ruser2"
Service-Type = Login-User,
Idle-Timeout = 600,
Timetra-Access = ftp
Timetra-Default-Action = deny-all,
Timetra-Cmd  = "configure",
Timetra-Cmd  = "show",
Timetra-Action = permit,
Timetra-Cmd = "debug",
Timetra-Action = permit,

Other security features

This sections describes security features supported on the 7210 SAS.

Security algorithms

The following table lists the security algorithms supported per protocol.

Table 5. Security algorithm support per platform
Protocol Clear text MD5 HMAC-MD5 HMAC-SHA1-96 HMAC-SHA1 HMAC-SHA256 AES-128-CMAC-96

OSPF

IS-IS

RSVP

BGP

LDP

Secure Shell

Secure Shell Version 1 (SSH) is a protocol that provides a secure, encrypted Telnet-like connection to a router. A connection is always initiated by the client (the user). Authentication takes places by one of the configured authentication methods (local, RADIUS, or TACACS+). With authentication and encryption, SSH allows for a secure connection over an insecure network.

The 7210 SAS allows a user to configure Secure Shell (SSH) Version 2 (SSH2). SSH1 and SSH2 are different protocols and encrypt at different parts of the packets. SSH1 uses server as well as host keys to authenticate systems whereas SSH2 only uses host keys. SSH2 does not use the same networking implementation that SSH1 does and is considered a more secure, efficient, and portable version of SSH.

SSH runs on top of a transport layer (like TCP or IP), and provides authentication and encryption capabilities. SSH supports remote login to another computer over a network, remote command execution, and file relocation from one host to another.

The 7210 SAS has a global SSH server process to support inbound SSH and SCP sessions initiated by external SSH or SCP client applications. The SSH server supports SSHv1. Note that this server process is separate from the SSH and SCP client commands on the routers which initiate outbound SSH and SCP sessions.

Inbound SSH sessions are counted as inbound Telnet sessions for the purposes of the maximum number of inbound sessions specified by Login Control. Inbound SCP sessions are counted as inbound FTP sessions by Login Control.

When SSH server is enabled, an SSH security key is generated. The key is only valid until either the node is restarted or the SSH server is stopped and restarted (unless the preserve-key option is configured for SSH). The key size is non-configurable and set at 1024 bits. When the server is enabled, both inbound SSH and SCP sessions will be accepted provided the session is properly authenticated.

When the global SSH server process is disabled, no inbound SSH or SCP sessions will be accepted.

When using SCP to copy files from an external device to the file system, the SCP server will accept either forward slash (‟/”) or backslash (‟\”) characters to delimit directory and/or filenames. Similarly, the SCP client application can use either slash or backslash characters, but not all SCP clients treat backslash characters as equivalent to slash characters. In particular, UNIX systems will often interpret the backslash character as an ‟escape” character, which is not transmitted to the SCP server. For example, a destination directory specified as ‟cf1:\dir1\file1” will be transmitted to the SCP server as ‟cf1:dir1file1” where the backslash escape characters are stripped by the SCP client system before transmission. On systems where the client treats the backslash like an ‟escape” character, a double backslash ‟\\” or the forward slash ‟/” can be used to properly delimit directories and the filename.

SSH PKI authentication

The SSH server supports a public key authentication provided that the server has been previously configured to know the client's public key.

Using public key authentication, also known as Public Key Infrastructure (PKI), can be more secure than the existing username and password method because of the following:

  • A user typically reuses the same password with multiple servers. If the password is compromised, the user must reconfigure the password on all affected servers.

  • A password is not transmitted between the client and server using PKI. Instead the sensitive information (the private key) is kept on the client. Consequently, the password is less likely to be compromised.

The 7210 SAS supports server-side SSHv2 public key authentication, but does not include a key-generation utility.

PKI should be configured in the system-level configuration where one or more public keys may be bound to a username. This configuration does not affect any other system security or login functions.

PKI has preference over password or keyboard authentication. PKI is supported using only local authentication. PKI authentication is not supported on TACACS+ or RADIUS.

User public key generation

Before SSH can be used with PKI, the client must generate a public/private key pair. This is typically supported by the SSH client software. For example, PuTTY supports a utility called PuTTYGen that generates key pairs.

The 7210 SAS currently supports only Rivest, Shamir, and Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) user public keys.

If the SSH client software uses PuTTY, it must first generate a key pair using PuTTYGen. The client sets the key type to SSH-2 RSA and configures the number of bits to be used for the key. The client can also configure a passphrase to store the key locally in encrypted form. If the passphrase is configured, it acts as a password that the client must enter to use the private key. If a passphrase is not configured, the private key is stored in plain text locally.

Next, use the config>system>security>user>public-keys command to configure the public key for the client (the public key is obtained as part of the key pair). On the 7210 SAS, the user can program the public key using CLI commands (accessed through Telnet/SSH) or SNMP.

Note:

The preceding process to generate a key pair is an example only. This process is not executed on a 7210 SAS node, but on a third-party node acting as the SSH client or any other node.

MAC client and server list

The 7210 SAS supports a configurable client and server MAC list for SSHv2, which allows the user to add or remove Message Authentication Code (MAC) algorithms from the list. The user can program the strong Hashed Message Authentication Code (HMAC) algorithms on top of the configurable MAC list (for example, lowest index in the list) to be negotiated first between the client and server. The first algorithm in the list that is supported by both the client and the server is the one that is agreed upon.

There are two configurable MAC lists:

  • client list

  • server list

The default client and server MAC list includes all supported algorithms in the following preference order:

  1. mac 200 name hmac-sha2-512

  2. mac 210 name hmac-sha2-256

  3. mac 215 name hmac-sha1

  4. mac 220 name hmac-sha1-96

  5. mac 225 name hmac-md5

  6. mac 230 name hmac-ripemd160

  7. mac 235 name hmac-ripemd160-openssh-com

  8. mac 240 name hmac-md5-96

Note:

The configurable MAC list is only supported for SSHv2 and not for SSHv1. SSHv1 only supports 32-bit CRC.

Cipher client and server list

The 7210 SAS supports cipher client and server lists. The user can add or remove the desired SSH cipher client and server algorithms to be negotiated. The list is an index list with the lower index having higher preference in the SSH negotiation. The lowest index algorithm in the list is negotiated first in SSH connections and is on top of the negotiation list to the peer.

There is a separate cipher list for SSHv1 and SSHv2 for both client and server.

The default client cipher list for SSHv1 includes all supported algorithms in the following preference order:

  1. cipher 200 name 3des

  2. cipher 205 name blowfish

  3. cipher 210 name des

The default server cipher list for SSHv1 includes algorithms in the following preference order:

  1. cipher 200 name 3des

  2. cipher 205 name blowfish

The default server and client lists for SSHv2 include all supported algorithms in the following preference order:

  1. cipher 190 name aes256-ctr

  2. cipher 192 name aes192-ctr

  3. cipher 194 name aes128-ctr

  4. cipher 200 name aes128-cbc

  5. cipher 205 name 3des-cbc

  6. cipher 210 name blowfish-cbc

  7. cipher 215 name cast128-cbc

  8. cipher 220 name arcfour

  9. cipher 225 name aes192-cbc

  10. cipher 230 name aes256-cbc

  11. cipher 235 name rijndael-cbc

Use the following CLI syntax to configure the client and server cipher list.

configure system security ssh client-cipher-list  
  client-cipher-list protocol-version <version>
 <version>            : [1..2]
configure system security ssh client-cipher-list cipher  
  cipher <index> name <cipher-name>
  no cipher <index>
 <index>              : [1..255]
 <cipher-name>        : aes128-ctr|aes192-ctr|aes256-ctr|des|3des|blowfish|
                        3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes128-cbc|
                        aes192-cbc|aes256-cbc|rijndael-cbc
configure system security ssh server-cipher-list
  server-cipher-list protocol-version <version>
 <version>            : [1..2]
configure system security ssh server-cipher-list cipher
  no cipher <index>
  cipher <index> name <cipher-name>
 <index>              : [1..255]
 <cipher-name>        : aes128-ctr|aes192-ctr|aes256-ctr|des|3des|blowfish|
                        3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes128-cbc|
                        aes192-cbc|aes256-cbc|rijndael-cbc

KEX client and server list

The 7210 SAS supports key exchange (KEX) client and server lists. The user can add or remove the KEX client or server algorithms that the SSH application negotiates using an SSHv2 phase one handshake. The KEX list is an index list with the lower index having higher preference in the SSH negotiation. The lowest indexed algorithm in the list is negotiated first in SSH and is at the top of the negotiation list to the peer.

By default, the KEX list is empty and a hard-coded list that includes all supported algorithms in the following preference order is used:

  1. kex 200 name diffie-hellman-group16-sha512

  2. kex 210 name diffie-hellman-group14-sha256

  3. kex 215 name diffie-hellman-group14-sha1

  4. kex 220 name diffie-hellman-group-exchange-sha1

  5. kex 225 name diffie-hellman-group1-sha1

As soon as the user configures the KEX list, the 7210 SAS starts using the algorithms from the user-defined KEX list instead of the hard-coded list. To revert to the hard-coded list, the user must remove all configured KEX indexes until the list is empty.

Use the following CLI to configure the cipher or MAC server and client lists.

configure system security ssh server-kex-list kex
   kex <index> name <kex-name>
   no kex <index>

configure system security ssh client-kex-list kex
   kex <index> name <kex-name>
   no kex <index>

<index>              : [1..255]
<kex-name>           : diffie-hellman-group14-sha1| diffie-hellman-group14-sha256|
                       diffie-hellman-group16-sha512|diffie-hellman-group-exchange-
                       sha1| diffie-hellman-group1-sha1

Exponential login backoff

A malicious user may attempt to gain CLI access by means of a dictionary attack, in which a script is used to attempt automatic logins as an ‟admin” user and a dictionary list is used to test all possible passwords. By using the exponential-backoff feature in the config>system>login-control context, the 7210 SAS increases the delay between login attempts exponentially to mitigate attacks.

When a user attempts to log into a router using a Telnet or an SSH session, the system allows a limited number of attempts to enter the correct password. The interval between the unsuccessful attempts change after each try (1, 2, and 4 seconds). If user lockout is configured on the system, the user will be locked out when the number of unsuccessful attempts is exceeded.

However, if lockout is not configured, three password entry attempts are allowed in the first session after the first failure, at fixed 1, 2 and 4 second intervals, and then the session terminates. Users do not have an unlimited number of login attempts per session. After each failed password attempt, the wait period becomes longer until the maximum number of attempts is reached.

The 7210 SAS terminates after four unsuccessful attempts. A wait period is never longer than 4 seconds. The periods are fixed and restart in subsequent sessions.

The config system login-control [no] exponential-backoff command works in conjunction with the config system security password attempts command, which is also a system wide configuration.

*A:ALA-48>config>system# security password attempts
  - attempts <count> [time <minutes1>] [lockout <minutes2>]
  - no attempts

 <count>              : [1..64]
 <minutes1>           : [0..60]
 <minutes2>           : [0..1440]

Exponential backoff applies to any user and by any login method such as console, SSH and Telnet.

See Configuring login controls. The commands are described in Login, Telnet, SSH and FTP commands.

User lockout

When a user exceeds the maximum number of attempts allowed (the default is 3 attempts) during a specific period of time (the default is 5 minutes) the account used during those attempts will be locked out for a preconfigured lock-out period (the default is 10 minutes).

An security event log will be generated as soon as a user account has exceeded the number of allowed attempts and the show>system>security>user command can be used to display the total number of failed attempts per user.

The account will be automatically re-enabled as soon as the lock-out period has expired.

Encryption

Data Encryption Standard (DES) and Triple DES (3DES) are supported for encryption:

  • DES is a widely-used method of data encryption using a private (secret) key. Both the sender and the receiver must know and use the same private key.

  • 3DES is a more secure version of the DES protocol.

802.1x network access control

The 7210 SAS supports network access control of client devices (PCs, STBs, and so on) on an Ethernet network using the IEEE. 802.1x standard. 802.1x is known as Extensible Authentication Protocol (EAP) over a LAN network or EAPOL.

TCP Enhanced Authentication Option

The TCP Enhanced Authentication Option, currently covered in draft-bonica-tcp-auth-05.txt, Authentication for TCP-based Routing and Management Protocols, extends the previous MD5 authentication option to include the ability to change keys without tearing down the session, and allows for stronger authentication algorithms to be used.

The TCP Enhanced Authentication Option is a TCP extension that enhances security for BGP, LDP and other TCP-based protocols. This includes the ability to change keys in a BGP or LDP session seamlessly without tearing down the session. It is intended for applications where secure administrative access to both the end-points of the TCP connection is available.

TCP peers can use this extension to authenticate messages passed between one another. This strategy improves upon current practice, which is described in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option. Using this new strategy, TCP peers can update authentication keys during the lifetime of a TCP connection. TCP peers can also use stronger authentication algorithms to authenticate routing messages.

Packet formats

The following figure shows the packet format for the Enhanced Authentication Option.

Figure 4. Packet formats

Option Syntax:

  • Kind: 8 bits

    The Kind field identifies the TCP Enhanced Authentication Option. This value will be assigned by IANA.

  • Length: 8 bits

    The Length field specifies the length of the TCP Enhanced Authentication Option, in octets. This count includes two octets representing the Kind and Length fields.

    The valid range for this field is from 4 to 40 octets, inclusive.

    For all algorithms specified in this memo the value will be 16 octets.

  • T-Bit: 1 bit

    The T-bit specifies whether TCP Options were omitted from the TCP header for the purpose of MAC calculation. A value of 1 indicates that all TCP options other than the Extended Authentication Option were omitted. A value of 0 indicates that TCP options were included.

    The default value is 0.

  • K-Bit: 1 bit

    This bit is reserved for future enhancement. Its value MUST be equal to zero.

  • Alg ID: 6 bits

    The Alg ID field identifies the MAC algorithm.

  • Res: 2 bits

    These bits are reserved. They MUST be set to zero.

  • Key ID: 6 bits

    The Key ID field identifies the key that was used to generate the message digest.

  • Authentication Data: Variable length

    The Authentication Data field contains data that is used to authenticate the TCP segment. This data includes, but need not be restricted to, a MAC. The length and format of the Authentication Data Field can be derived from the Alg ID.

    The Authentication for TCP-based Routing and Management Protocols draft provides and overview of the TCP Enhanced Authentication Option. The details of this feature are described in draft-bonica-tcp-auth-04.txt.

Keychain

A keychain is a set of up to 64 keys, where each key is {A[i], K[i], V[i], S[i], T[i], S'[i], T'[i]} as described in draft-bonica-tcp-auth-05.txt, Authentication for TCP-based Routing and Management Protocols. They keys can be assigned to both sides of a LDP peer.The individual keys in a keychain have a begin- and end-time indicating when to use this key.

These fields map to the CLI tree as described in the following table.

Table 6. Keychain mapping
Field Definition CLI

i

The key identifier expressed as an integer (0...63)

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive> entry

config>system>security>keychain>direction>uni>send>entry

A[i]

Authentication algorithm to use with key[i]

config>system>security>keychain>direction>bi>entry with algorithm algorithm parameter.

config>system>security>keychain>direction>uni>receive> entry with algorithm algorithm parameter.

config>system>security>keychain>direction>uni>send>entry with algorithm algorithm parameter.

K[i]

Shared secret to use with key[i].

config>system>security>keychain>direction>uni>receive> entry with shared secret parameter

config>system>security>keychain>direction>uni>send>entry with shared secret parameter

config>system>security>keychain>direction>bi>entry with shared secret parameter

V[i]

A vector that determines whether the key[i] is to be used to generate MACs for inbound segments, outbound segments, or both.

config>system>security>keychain>direction

S[i]

Start time from which key[i] can be used by sending TCPs.

config>system>security>keychain>direction>bi>entry>begin-time

config>system>security>keychain>direction>uni>send>entry >begin-time

T[i]

End time after which key[i] cannot be used by sending TCPs.

Inferred by the begin-time of the next key (youngest key rule).

S'[i]

Start time from which key[i] can be used by receiving TCPs.

config>system>security>keychain>direction>bi>entry>begin-time

config>system>security>keychain>direction>bi>entry> tolerance

config>system>security>keychain>direction>uni>receive> entry>begin-time

config>system>security>keychain>direction>uni>receive> entry>tolerance

T'[i]

End time after which key[i] cannot be used by receiving TCPs

config>system>security>keychain>direction>uni>receive> entry>end-time

Configuration notes

This section describes security configuration guidelines and caveats.

General

  • If a RADIUS or a TACACS+ server is not configured, then password, profiles, and user access information must be configured on each router in the domain.

  • If a RADIUS authorization is enabled, then VSAs must be configured on the RADIUS server.

Configuring security with CLI

This section provides information to configure security using the command line interface.

Setting up security attributes

This section provides a brief overview of the tasks that must be performed to configure security and provides the CLI commands. The following table describes the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server.

Table 7. Security configuration requirements
Authentication Authorization Accounting

Local

Local

None

RADIUS

Local and RADIUS

RADIUS

TACACS+

Local

TACACS+

Configuring authentication

See the following sections to configure authentication:

Configuring authorization

See the following sections to configure authorization:

Configuring accounting

The following sections provide information about configuring accounting.

Security configurations

This section provides information to configure security and configuration examples of configuration tasks.

To implement security features, configure the following components:

  • management access filters

  • profiles

  • user access parameters

  • password management parameters

  • enable RADIUS and/or TACACS+:

    • one to five RADIUS and/or TACACS+ servers

    • RADIUS and/or TACACS+ parameters

The following are sample default values for security parameters.

A:ALA-1>config>system>security# info detail
----------------------------------------------
no hash-control
telnet-server
no telnet6-server
no ftp-server
management-access-filter
exit
profile "default"
default-action none
no li
entry 10
no description
match ‟exec”
action permit
...
password
authentication-order radius tacplus local
no aging
minimum-length 6
attempts 3 time 5 lockout 10
complexity
exit
user "admin"
password "./3kQWERTYn0Q6w" hash
access console
no home-directory
no restricted-to-home
console
no login-exec
no cannot-change-password
no new-password-at-login
member "administrative"
exit
exit
snmp
view iso subtree 1
mask ff type included
exit
...
access group snmp-ro security-model snmpv1 security-level no-auth-no
privacy read no-security notify no-security
access group snmp-ro security-model snmpv2c security-level no-auth-no
privacy read no-security notify no-security
access group snmp-rw security-model snmpv1 security-level no-auth-no
privacy read no-security write no-security notify no-security
access group snmp-rw security-model snmpv2c security-level no-auth-no
privacy read no-security write no-security notify no-security
access group snmp-rwa security-model snmpv1 security-level no-auth-no
privacy read iso write iso notify iso
access group snmp-rwa security-model snmpv2c security-level no auth-no
privacy read iso write iso notify iso
access group snmp-trap security-model snmpv1 security-level no-auth-no
privacy notify iso
access group snmp-trap security-model snmpv2c security-level no-auth-no
privacy notify iso
access group cli-readonly security-model snmpv2c security-level
no-auth-no-privacy read iso notify iso
access group cli-readwrite security-model snmpv2c security-level
no-auth-no-privacy read iso write iso notify iso
attempts 20 time 5 lockout 10
exit
no ssh

Security configuration procedures

The following sections provide information about configuring security components.

Configuring Management Access Filters

Creating and implementing management access filters is optional. Management access filters control all traffic going in to the CPM, including all routing protocols. They apply to packets from all ports. The filters can be used to restrict management of the 7210 SAS router by other nodes outside either specific (sub)networks or through designated ports. By default, there are no filters associated with security options. The management access filter and entries must be explicitly created on each router. These filters also apply to the management Ethernet port.

The 7210 SAS implementation exits the filter when the first match is found and execute the actions according to the specified action. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword CPM to be considered complete. Entries without the action keyword are considered incomplete and will be rendered inactive.

Use the following syntax to configure a management access filter. This example only accepts packets matching the criteria specified in entries 1 and 2. Non-matching packets are denied.

config>system
        security
            management-access-filter
                ip-filter
                ipv6-filter
                    default-action {permit|deny|deny-host-unreachable}
                    renum old-entry-number new-entry-number
                    no shutdown
                    entry entry-id
                        description description-string
                        src-port {port-id cpm|laglag-id}
                        src-ip {ip-prefix/mask | ip-prefix netmask}
                        protocol protocol-id
                        dst-port port [mask]
                        action {permit|deny|deny-host-unreachable}
                        log

Configuring password management parameters

Password management parameters consists of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts a user can enter a password.

Depending on the your authentication requirements, password parameters are configured locally.

Use the following syntax to configure password support.

config>system>security
        password
            admin-password password [hash|hash2]
            aging days
            attempts count [time minutes1] [lockout minutes2]
            authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
            complexity-rules 
                allow-user-name
                credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
                minimum-classes minimum
                minimum-length length
                repeated-characters count
                required [lowercase count] [uppercase count] [numeric count] [special-character count]
            hashing {bcrypt|sha2-pbkdf2}
            health-check [interval interval]
            history-size size
            minimum-age [days days] [hrs hours] [min minutes] [sec seconds]
            minimum-change distance
Password configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
password
authentication-order radius tacplus local
aging 365
minimum-length 8
attempts 5 time 5 lockout 20
exit
----------------------------------------------
A:ALA-1>config>system>security#

Configuring profiles

Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of sixteen user profiles can be defined. A user can participate in up to sixteen profiles. Depending on the the authorization requirements, passwords are configured locally or on the RADIUS server.

Use the following syntax to configure user profiles.

config>system>security
        profile user-profile-name 
            default-action {deny-all|permit-all|none}
            renum old-entry-number new-entry-number
            entry entry-id
                description description-string
                match command-string
                action {permit|deny}
User profile configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
            profile "ghost"
                default-action permit-all
                entry 1
                    match "configure"
                    action permit
                exit
                entry 2
                    match "show"
                exit
                entry 3
                    match "exit"
                exit
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

Configuring users

Configure access parameters for individual users. For user, define the login name for the user and, optionally, information that identifies the user. Use the following syntax to configure RADIUS support.

config>system>security
        user-template template-name
        user user-name
        access [ftp] [snmp] [console]
        console
        cannot-change-password
        login-exec url-prefix:source-url
        member user-profile-name [user-profile-name...(up to 8 max)]
        new-password-at-login
        home-directory url-prefix [directory][directory/directory ..]
        password [password] [hash|hash2]
        restricted-to-home
        snmp
        authentication {[none]|[[hash] {md5 key-1|sha key-1} privacy {none|des-key key-2}]}
        group group-name
User configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
            user "49ers"
                password "qQbnuzLd7H/VxGdUqdh7bE" hash2
                access console ftp snmp
                restricted-to-home
                console
                    member "default"
                    member "ghost"
                exit
            exit
...
--------------------------------------------
A:ALA-1>config>system>security#

Configuring keychains

Keychain configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
            keychain "abc"
                direction
                    bi
                        entry 1 key "ZcvSElJzJx/wBZ9biCtOVQJ9YZQvVU.S" hash2 alg
orithm aes-128-cmac-96
                            begin-time 2006/12/18 22:55:20
                        exit
                    exit
                exit
            exit
            keychain "basasd"
                direction
                    uni
                        receive
                            entry 1 key "Ee7xdKlYO2DOm7v3IJv/84LIu96R2fZh" hash2
 algorithm aes-128-cmac-96
                                tolerance forever
                            exit
                        exit
                    exit
                exit
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

Copying and overwriting users and profiles

You can copy a profile or user. You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified or an error occurs if the destination profile or username already exists.

User

Use the following CLI syntax to copy a user.

config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Command usage
  config>system>security# copy user testuser to testuserA
	MINOR: CLI User "testuserA" already exists - use overwrite flag.
	config>system>security#
	config>system>security# copy user testuser to testuserA overwrite
	config>system>security#
Copied user configuration output
A:ALA-12>config>system>security# info
----------------------------------------------
...
            user "testuser"
                password "F6XjryaATzM" hash
                access snmp
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
 none
                    group "testgroup"
                exit
            exit
            user "testuserA"
                password "" hash2
                access snmp
                console
                    new-password-at-login
                exit
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
 none
                    group "testgroup"
                exit
            exit
...
----------------------------------------------
A:ALA-12>config>system>security# info

The cannot-change-password flag is not replicated when a copy user command is performed. A new-password-at-login flag is created instead.

A:ALA-12>config>system>security>user# info
----------------------------------------------
password "F6XjryaATzM" hash
access snmp
console
cannot-change-password 
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
group "testgroup"
exit
----------------------------------------------
A:ALA-12>config>system>security>user# exit
A:ALA-12>config>system>security# user testuserA
A:ALA-12>config>system>security>user# info
----------------------------------------------
password "" hash2
access snmp
console
new-password-at-login
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
group "testgroup"
exit
----------------------------------------------
A:ALA-12>config>system>security>user#
Profile

Use the following CLI syntax to copy a profile.

config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Command usage
config>system>security# copy profile default to testuser
Copied profiles configuration output
A:ALA-49>config>system>security# info
----------------------------------------------
...
A:ALA-49>config>system>security# info detail
----------------------------------------------
...
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "testuser"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "administrative"
                default-action permit-all exit
...
----------------------------------------------
A:ALA-12>config>system>security#

Enabling SSH

Use the SSH command to configure the SSH server as SSH1, SSH2 or both. The default is SSH2 (SSH version 2). This command should only be enabled or disabled when the SSH server is disabled. This setting should not be changed while the SSH server is running since the actual change only takes place after SSH is disabled or enabled.

config>system>security
        ssh
            preserve-key
            no server-shutdown
            version ssh-version

The following is a sample SSH server configuration output as both SSH and SSH2 using a host-key.

A:sim1>config>system>security>ssh# info
----------------------------------------------
                preserve-key
                version 1-2
----------------------------------------------
A:sim1>config>system>security>ssh# 

RADIUS configurations

The following sections provide information about configuring RADIUS functionality.

Configuring RADIUS authentication

RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are radius and server server-index address ip-address secret key.

The system IP address must be configured in order for the RADIUS client to work.

The other commands are optional. The server command adds a RADIUS server and configures the RADIUS server IP address, index, and key values. The index determines the sequence in which the servers are queried for authentication requests.

On the local router, use the following syntax to configure RADIUS authentication.

config>system>security
    radius
    port port
    retry count
    server server-index address ip-address secret key
    timeout seconds
    no shutdown 
RADIUS authentication configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
...
----------------------------------------
A:ALA-1>config>system>security#

Configuring RADIUS authorization

In order for RADIUS authorization to function, RADIUS authentication must be enabled first. See Configuring RADIUS authentication.

In addition to the local configuration requirements, VSAs must be configured on the RADIUS server. See Vendor-specific attributes (VSAs).

On the local router, use the following syntax to configure RADIUS authorization.

config>system>security
    radius
    authorization
RADIUS authorization configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
            radius
                authorization
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

Configuring RADIUS accounting

Use the following syntax to configure RADIUS accounting on a local router.

config>system>security
        radius
            accounting
RADIUS accounting configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
           radius
               shutdown
               authorization
               accounting
               retry 5
               timeout 5
               server 1 address 10.10.10.103 secret "test1"
               server 2 address 10.10.0.1 secret "test2"
               server 3 address 10.10.0.2 secret "test3"
               server 4 address 10.10.0.3 secret "test4"
           exit
...
----------------------------------------------
A:ALA-1>config>system>security#

Configuring 802.1x RADIUS policies

Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured per Ethernet port. See the 7210 SAS-Mxp, R6, R12, S, Sx, T Interface Configuration Guide.

To configure generic parameters for 802.1x authentication, enter the following CLI syntax.

config>system>security
        dot1x
            radius-plcy policy-name 
                server server-index address ip-address secret key [port port]
                source-address ip-address
                no shutdown
802.1x configuration output

A:ALA-1>config>system>security# info
----------------------------------------------
            dot1x
                radius-plcy "dot1x_plcy" create
                   server 1 address 10.1.1.1 port 65535 secret "a"
                   server 2 address 10.1.1.2 port 6555 secret "a"
                   source-address 10.1.1.255
                no shutdown
...
----------------------------------------------
A:ALA-1>config>system#

TACACS+ configurations

Enabling TACACS+ authentication

To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network.

Use the following syntax to configure profiles.

config>system>security
    tacplus
        server server-index address ip-address secret key
        timeout seconds
        no shutdown 
TACACS+ authentication configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#

Configuring TACACS+ authorization

In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ authentication.

Use the following syntax to configure RADIUS authorization on the local router.

config>system>security
        tacplus
            authorization
            no shutdown
TACACS+ authorization configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus# 

Configuring TACACS+ accounting

Use the following syntax to configure TACACS+ accounting on a local router.

config>system>security
        tacplus
            accounting
TACACS+ accounting configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                accounting
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#

Configuring login controls

Configure login control parameters for console, Telnet, and FTP sessions.

Use the following syntax to configure login controls.

config>system 
        login-control
            exponential-backoff
            ftp
                inbound-max-sessions value
            telnet
                inbound-max-sessions value
                outbound-max-sessions value
            idle-timeout {minutes |disable}
            pre-login-message login-text-string [name]
            login-banner
            motd {url url-prefix: source-url|text motd-text-string}

Login control configuration output

A:ALA-1>config>system# info
----------------------------------------------
...
       login-control
           ftp
               inbound-max-sessions 5
           exit
           telnet
               inbound-max-sessions 7
               outbound-max-sessions 2
           exit
           idle-timeout 1440
           pre-login-
message "Property of Service Routing Inc. Unauthorized access prohibited."
           motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"
       exit
 no exponential-backoff
...
----------------------------------------------
A:ALA-1>config>system#

Security command reference

Command hierarchies

Configuration commands

Security commands
config
    - system 
        - security
            - copy {user source-user | profile source-profile} to destination [overwrite] 
            - dot1x
            - [no] ftp-server
            - hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]
            - no hash-control
            - [no] keychain keychain-name
            - management-access-filter
            - password
            - [no] profile user-profile-name
            - [no] radius
            - snmp
            - source-address 
                - application app [ip-int-name|ip-address]
                - no application app
                - application6 app [ipv6-address]
                - no application6 app
            - [no] telnet-server
            - ssh
            - [no] tacplus
            - [no] users user-name
            - user-template {tacplus_default | radius_default}
Management Access Filter commands
config
    - system 
        - security
            - [no] management-access-filter
                - [no] ip-filter
                    - default-action {permit | deny | deny-host-unreachable}
                    - [no] entry entry-id
                        - action {permit | deny | deny-host-unreachable}
                        - no action
                        - description description-string
                        - no description
                        - dst-port port [mask]
                        - no dst-port
                        - fragment {true | false}
                        - no fragment
                        - l4-src-port port [mask]
                        - no l4-src-port
                        - [no] log
                        - protocol protocol-id
                        - no protocol
                        - router router-instance
                        - no router
                        - src-ip {ip-prefix/mask | ip-prefix netmask}
                        - no src-ip
                        - src-port {port-id | lag lag-id}
                        - no src-port
                - [no]ipv6-filter
                    - default-action {permit | deny | deny-host-unreachable}
                    - [no] entry entry-id
                        - action {permit | deny | deny-host-unreachable}
                        - no action
                        - description description-string
                        - no description
                        - dst-port port [mask]
                        - no dst-port
                        - flow-label value
                        - no flow-label
                        - l4-src-port port [mask]
                        - no l4-src-port
                        - [no] log
                        - next-header next-header
                        - no next-header
                        - router router-instance
                        - no router
                        - src-ip {ip-prefix/prefix-length | ip-prefix netmask}
                        - no src-ip
                        - src-port {port-id | lag lag-id}
                        - no src-port
                - renum old-entry-number new-entry-number
                - [no] shutdown
Distributed CPU protection commands
config
    - system 
        - security
            - dist-cpu-protection
                - policy policy-name [create]
                - no policy policy-name
                    - description description-string
                    - no description
                    - protocol name [create]
                    - no protocol name
                        - enforcement {static policer-name}
                    - static-policer policer-name [create]
                    - no static-policer policer-name
                        - description description-string
                        - no description
                        - exceed-action {discard | none} 
                        - log-events [verbose]
                        - no log-events
                        - rate {kbps {kilobits-per-second | max} {[mbs size] [bytes | kilobytes]}
                        - no rate
Security password commands
config
    - system 
        - security
            - password
                - admin-password password [hash | hash2]
                - no admin-password
                - aging days
                - no aging
                - attempts count [time minutes1] [lockout minutes2]
                - no attempts
                - authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
                - no authentication-order
                - complexity-rules 
                    - [no] allow-user-name
                    - credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
                    - no credits
                    - minimum-classes minimum
                    - no minimum-classes
                    - minimum-length length
                    - no minimum-length
                    - repeated-characters count
                    - no repeated-characters 
                    - required [lowercase count] [uppercase count] [numeric count] [special-character count]
                    - no required
                - hashing {bcrypt | sha2-pbkdf2}
                - [no] health-check [interval interval]
                - history size
                - no history
                - minimum-age [days days] [hrs hours] [min minutes] [sec seconds]
                - no minimum-age
                - minimum-change distance
                - no minimum-change
SSH commands
config
    - system 
        - security
            - ssh
                - client-cipher-list protocol-version version
                    - cipher index name cipher-name
                    - no cipher index
                - client-mac-list 
                    - mac index name mac-name
                    - no mac index
                - client-kex-list 
                    - kex index name kex-name
                    - no kex index 
                - [no] preserve-key
                - server-cipher-list protocol-version version
                    - cipher index name cipher-name
                    - no cipher index
                - server-mac-list 
                    - mac index name mac-name
                    - no mac index
                - server-kex-list 
                    - kex index name kex-name 
                    - no kex index 
                - [no] server-shutdown
                - [no] version ssh-version
User commands
config
    - system 
        - security
            - [no] user user-name
                - [no] access [ftp] [snmp] [console] 
                - console
                    - [no] cannot-change-password
                    - login-exec url-prefix:source-url
                    - no login-exec
                    - [no] member user-profile-name [user-profile-name…(up to 8 max)]
                    - [no] new-password-at-login 
                - home-directory url-prefix [directory] [directory/directory…]
                - no home-directory 
                - password [password] [hash | hash2] 
                - public-keys
                    - ecdsa
                        - ecdsa-key ecdsa-public-key-id [create] 
                        - no ecdsa-key ecdsa-public-key-id
                            - description description-string
                            - no description
                            - key-value ecdsa-public-key-value
                            - no key-value 
                    - rsa
                        - rsa-key rsa-public-key-id [create] 
                        - no rsa-key rsa-public-key-id
                            - description description-string
                            - no description
                            - key-value rsa-public-key-value
                            - no key-value 
                - [no] restricted-to-home
                - snmp 
                    - authentication none
                    - authentication authentication authentication-protocol key-1 [privacy none] [hash | hash2]
                    - authentication authentication authentication-protocol key-1 privacy privacy-protocol key-2 [hash | hash2]
                    - no authentication
                    - group group-name
                    - no group
Keychain commands
config
    - system 
        - security
            - [no] keychain keychain-name
                - description description-string
                - no description
                - direction {uni | bi}
                    - bi
                        - entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                        - no entry entry-id
                            - begin-time date hours-minutes [UTC]
                            - begin-time {now| forever}
                            - no begin-time 
                            - [no] shutdown
                            - tolerance [seconds | forever]
                    - uni
                        - receive
                            - entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                            - no entry entry-id
                                - begin-time date hours-minutes [UTC] 
                                - begin-time {now| forever}
                                - no begin-time
                                - end-time date hours-minutes [UTC] 
                                - end-time {now| forever}
                                - no end-time
                                - [no] shutdown
                                - tolerance [seconds | forever]
                        - send
                            - entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                            - no entry entry-id 
                                - begin-time date hours-minutes [UTC] 
                                - begin-time {now| forever}
                                - no begin-time
                                - [no] shutdown
                - [no] shutdown
                - tcp-option-number
                    - receive option-number
                    - send option-number
Login control commands
config
    - system 
        - login-control
            - [no] exponential-backoff
            - ftp
                - inbound-max-sessions value
                - no inbound-max-sessions
            - idle-timeout {minutes | disable}
            - no idle-timeout
            - [no] login-banner
            - motd {url url-prefix: source-url | text motd-text-string}
            - no motd
            - pre-login-message login-text-string [name]
            - no pre-login-message
            - ssh
                - disable-graceful-shutdown
                - inbound-max-sessions
                - outbound-max-sessions
            - telnet
                - enable-graceful-shutdown
                - inbound-max-sessions value
                - no inbound-max-sessions
                - outbound-max-sessions value
                - no outbound-max-sessions

Debug commands

debug
    - router
        - radius
        - no radius
            - detail-level {low | medium | high}
            - no detail-level
            - packet-type [authentication] [accounting] [coa]
            - no packet-type
            - radius-attr type attribute-type [transaction]
            - radius-attr type attribute-type [transaction] {address | hex | integer | string} value attribute-value
            - radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type]
            - radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type] {address | hex | integer | string} value attribute-value
            - no radius-attr type attribute-type
            - no radius-attr type attribute-type {address | hex | integer | string} value attribute-value
            - no radius-attr vendor vendor-id type attribute-type
            - no radius-attr vendor vendor-id type attribute-type {address | hex | integer | string} value attribute-value
            - server-address ip-address
            - no server-address ip-address

Command descriptions

Configuration commands

General security commands
description
Syntax

description description-string

no description

Context

config>system>security>mgmt-access-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry

config>sys>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

config>system>security>user>public-keys>ecdsa>ecdsa-key

config>system>security>user>public-keys>rsa>rsa-key

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode

Description

This command creates a text description stored in the configuration file for a configuration context.

This command associates a text string with a configuration context to help identify the context in the configuration file.

The no form of this command removes the string.

Parameters
string

The description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

shutdown
Syntax

[no] shutdown

Context

config>system>security>mgmt-access-filter

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command puts an entity into the administratively enabled state.

Default

no shutdown

security
Syntax

security

Context

config>system

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure security settings.

Security commands manage user profiles and user membership. Security commands also manage user login registrations.

ftp-server
Syntax

[no] ftp-server

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables FTP servers running on the system.

FTP servers are disabled by default. At system startup, only SSH server are enabled.

The no form of this command disables FTP servers running on the system.

Default

no ftp-server

hash-control
Syntax

hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]

no hash-control

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables the system to encrypt all passwords, MD5 keys, and so on using specific algorithms.

Whenever the user executes a save or info command, the system will encrypt all passwords, MD5 keys, and so on for security reasons. At present, two algorithms exist.

The first algorithm is a simple, short key that can be copied and pasted in a different location when the user needs to configure the same password. However, because it is the same password and the hash key is limited to the password/key, even the casual observer will notice that it is the same key.

The second algorithm is a more complex key, and cannot be copied and pasted in different locations in the configuration file. In this case, if the same key or password is used repeatedly in different contexts, each encrypted (hashed) version will be different.

Default

all

Parameters
read-version {1 | 2 | all}

Both versions 1 and 2 will be accepted by the system. Otherwise, only the selected version will be accepted when reading configuration or exec files. The presence of incorrect hash versions will abort the script/startup.

write-version {1 | 2}

Select the hash version that will be used the next time the configuration file is saved (or an info command is executed). Be careful to save the read and write version correctly, so that the file can be properly processed after the next reboot or exec.

source-address
Syntax

source-address

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context specify the source address that should be used in all unsolicited packets sent by the application.

This feature only applies on in-band interfaces and does not apply on the out-band management interface. Packets going out the management interface will keep using that as the source IP address. That is, when the RADIUS server is reachable through both the management interface and a network interface, the management interface is used despite whatever is configured under the source-address statement.

application
Syntax

application app [ip-int-name | ip-address]

no application app

Context

config>system>security>source-address

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the application to use the source IPv4 address specified by the source-address command.

Parameters
app

Specifies the application name.

Values

telnet, ftp, ssh, radius, tacplus, snmptrap, syslog, ping, traceroute, dns, sntp, ntp, ptp

Note:

PTP is supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-S 1/10GE. Only applications supported on a platform can be used as a value with this command. Using an unsupported application value will not have the desired effect.

ip-int-name | ip-address

Specifies the name of the IP interface and IP address. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

application6
Syntax

application6 app [ipv6-address]

no application6 app

Context

config>system>security>source-address

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the application to use the source IPv6 address specified by the source address.

Parameters
app

Specifies the application name.

Values

dns | ftp | ping | radius | snmptrap | syslog | tacplus | telnet | traceroute

ipv6-address

Specifies the name of the IPv6 address.

Values

x:x:x:x:x:x:x:x (eight 16-bit pieces)

telnet-server
Syntax

[no] telnet-server

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables Telnet servers running on the system.

Telnet servers are off by default. At system startup, only SSH servers are enabled.

Telnet servers in networks limit a Telnet client to three login attempts. The Telnet server disconnects the Telnet client session after the third attempt.

The no form of this command disables Telnet servers running on the system.

Login, Telnet, SSH and FTP commands
exponential-backoff
Syntax

[no] exponential-backoff

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables the exponential backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password.

The no form of this command disables exponential backoff.

Default

no exponential-backoff

ftp
Syntax

ftp

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure FTP login control parameters.

idle-timeout
Syntax

idle-timeout {minutes | disable}

no idle-timeout

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the idle timeout for FTP, console, or Telnet sessions before the session is terminated by the system.

By default, an idle FTP, console, SSH, or Telnet session times out after 30 minutes of inactivity. This timer can be set per session.

The no form of this command reverts to the default value.

Default

idle-timeout 30

Parameters
minutes

Specifies the idle timeout in minutes. Allowed values are 1 to 1440. A value of 0 implies that the sessions never timeout.

Values

1 to 1440

disable

Keyword to specify that a session will never timeout. To re-enable idle timeout, enter the command without the disable option.

inbound-max-sessions
Syntax

inbound-max-sessions value

no inbound-max-sessions

Context

config>system>login-control>ftp

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the maximum number of concurrent inbound FTP sessions.

This value is the combined total of inbound and outbound sessions.

The no form of this command reverts to the default value.

Default

3

Parameters
value

Specifies the maximum number of concurrent FTP sessions on the node.

Values

0 to 5

inbound-max-sessions
Syntax

inbound-max-sessions value

no inbound-max-sessions

Context

config>system>login-control>telnet

config>system>login-control>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This parameter limits the number of inbound Telnet and SSH sessions. A maximum of 15 Telnet and SSH connections can be established to the router. The local serial port cannot be disabled.

The no form of this command reverts to the default value.

Default

5

Parameters
value

Specifies the maximum number of concurrent inbound Telnet sessions, expressed as an integer.

Values

0 to 7

login-banner
Syntax

[no] login-banner

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables or disables the display of a login banner. The login banner contains the 7210 SAS copyright and build date information for a console login attempt.

The no form of this command causes only the configured pre-login message and a generic login prompt to display.

login-control
Syntax

login-control

Context

config>system

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure the session control for the console, Telnet, and FTP.

motd
Syntax

motd {url url-prefix: source-url | text motd-text-string}

no motd

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command creates the message of the day displayed after a successful console login. Only one message can be configured.

The no form of this command removes the message.

Parameters
url url-prefix: source-url

When the message of the day is present as a text file, provide both url-prefix and the source-url of the file containing the message of the day. The URL prefix can be local or remote.

text motd-text-string

Specifies the text of the message of the day. The motd-text-string must be enclosed in double quotes. Multiple text strings are not appended to one another.

Some special characters can be used to format the message text. The ‟\n” character creates multi-line MOTDs and the ‟\r” character restarts at the beginning of the new line. For example, entering ‟\n\r” will start the string at the beginning of the new line, while entering ‟\n” will start the second line below the last character from the first line.

outbound-max-sessions
Syntax

outbound-max-sessions value

no outbound-max-sessions

Context

config>system>login-control>telnet

config>system>login-control>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This parameter limits the number of outbound Telnet and SSH sessions. A maximum of 15 Telnet and SSH connections can be established from the router. The local serial port cannot be disabled.

The no form of this command reverts to the default value.

Default

outbound-max-sessions 5

Parameters
value

Specifies the maximum number of concurrent outbound Telnet sessions, expressed as an integer.

Values

0 to 7

pre-login-message
Syntax

pre-login-message login-text-string [name]

no pre-login-message

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command creates a message displayed before console login attempts on the console via Telnet.

Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.

It is possible to add the name parameter to an existing message without affecting the current pre-login-message.

The no form of this command removes the message.

Parameters
login-text-string

The string can be up to 900 characters. Any printable, 7-bit ASCII characters can be used. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

name

Keyword to always display the configured system name first in the login message. To remove the name from the login message, the message must be cleared and a new message entered without the name.

ssh
Syntax

ssh

Context

config>system>security

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure the SSH parameters.

disable-graceful-shutdown
Syntax

[no] disable-graceful-shutdown

Context

config>system>login-control>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables graceful shutdown of SSH sessions.

The no form of this command disables graceful shutdown of SSH sessions.

client-cipher-list
Syntax

client-cipher-list protocol-version version

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the configuration of a list of allowed ciphers by the SSH client.

Parameters
version

Specifies the SSH version.

Values

1 — Specifies that the SSH server will only accept connections from clients that support SSH protocol version 1.

2 — Specifies that the SSH server will accept connections from clients that support SSH protocol version 2.

cipher
Syntax

cipher index name cipher-name

no cipher index

Context

config>system>security>ssh>client-cipher-list

config>system>security>ssh>server-cipher-list

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the configuration of a cipher. Client-ciphers are used when the 7210 SAS is acting as an SSH client. Server ciphers are used when the 7210 SAS is acting as an SSH server.

The no form of this command removes the index and cipher name from the configuration.

Default

no cipher index

Parameters
index

Specifies the index of the cipher in the list.

Values

1 to 255

cipher-name

Specifies the algorithm used when performing encryption or decryption.

Values

The following table lists the default ciphers used for SSHv1.

Table 8. SSHv1 default ciphers
Cipher index value Cipher name Cipher
Client Server

200

3des

205

blowfish

210

des

Values

The following table lists the default ciphers used for SSHv2.

Table 9. SSHv2 default ciphers
Cipher index value Cipher name Cipher
Client Server

190

aes256-ctr

192

aes192-ctr

194

aes128-ctr

200

aes128-cbc

205

3des-cbc

210

blowfish-cbc

215

cast128-cbc

220

arcfour

225

aes192-cbc

230

aes256-cbc

235

rijndael-cbc

client-mac-list
Syntax

client-mac-list

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure SSH MAC algorithms for the 7210 SAS acting as a client.

mac
Syntax

mac index name mac-name

no mac index

Context

config>system>security>ssh>client-mac-list

config>system>security>ssh>server-mac-list

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command allows the user to configure SSH MAC algorithms for the 7210 SAS acting as an SSH server or an SSH client.

The no form of this command removes the specified mac index.

Default

no mac index

Parameters
index

Specifies the index of the algorithm in the list.

Values

1 to 255

mac-name

Specifies the algorithm for calculating the message authentication code.

Values

The following table lists the default client and server algorithms used for SSHv2.

Table 10. SSHv2 default client and server algorithms
Cipher index value MAC name

200

hmac-sha2-512

210

hmac-sha2-256

215

hmac-sha1

220

hmac-sha1-96

225

hmac-md5

230

hmac-ripemd160

235

hmac-ripemd160-openssh-com

240

hmac-md5-96

client-kex-list
Syntax

client-kex-list

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure SSH KEX algorithms for the 7210 SAS in the client role.

By default, the SSH advertises a KEX list that contains the following algorithms:

  • diffie-hellman-group16-sha512

  • diffie-hellman-group14-sha256

  • diffie-hellman-group14-sha1

  • diffie-hellman-group-exchange-sha1

  • diffie-hellman-group1-sha1

kex
Syntax

kex index name kex-name

no kex index

Context

config>system>security>ssh>client-kex-list

config>system>security>ssh>server-kex-list

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures phase 1 SSHv2 KEX algorithms for the 7210 SAS in the SSH server or client role.

The no form of this command removes the specified KEX index. If all KEX indexes are removed, the default list is used.

Parameters
index

Specifies the index of the algorithm in the list. The lowest KEX index is negotiated first and the highest index, which is at the bottom of the KEX list, is negotiated last in the SSH negotiation.

Values

1 to 255

kex-name

Specifies the KEX algorithm for computing the shared secret key.

Values

diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

preserve-key
Syntax

[no] preserve-key

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the server to save private keys, public keys, and host key files. It is restored following a system reboot or an SSH server restart.

The no form of this command specifies that the keys will be held in memory by the SSH server and is not restored following a system reboot.

Default

no preserve-key

server-cipher-list
Syntax

server-cipher-list protocol-version version

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the configuration of the list of allowed ciphers by the SSH server.

Parameters
version

Specifies the SSH version.

Values

1 — Specifies that the SSH server only accepts connections from clients that support SSH protocol version 1

2 — Specifies that the SSH server accepts connections from clients supporting either SSH protocol version 2

server-kex-list
Syntax

server-kex-list

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure SSH KEX algorithms for the 7210 SAS in the SSH server role.

By default, the SSH advertises a KEX list that contains the following algorithms:

  • diffie-hellman-group16-sha512

  • diffie-hellman-group14-sha256

  • diffie-hellman-group14-sha1

  • diffie-hellman-group-exchange-sha1

  • diffie-hellman-group1-sha1

server-mac-list
Syntax

server-mac-list

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command allows the user to configure SSH MAC algorithms for the 7210 SAS acting as an SSH server.

server-shutdown
Syntax

[no] server-shutdown

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables the SSH servers running on the system. At system startup, only the SSH server is enabled.

version
Syntax

version ssh-version

no version

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the SSH protocol version that will be supported by the SSH server.

Default

version 2

Parameters
ssh-version

Specifies the SSH version.

Values

1 — Specifies that the SSH server will only accept connections from clients that support SSH protocol version 1.

2 — Specifies that the SSH server will accept connections from clients supporting either SSH protocol version 2.

1-2 — Specifies that the SSH server will accept connections from clients supporting either SSH protocol version 1, or SSH protocol version 2 or both.

telnet
Syntax

telnet

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure the Telnet login control parameters.

enable-graceful-shutdown
Syntax

[no] enable-graceful-shutdown

Context

config>system>login-control>telnet

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables graceful shutdown of Telnet sessions.

The no form of this command disables graceful shutdown of Telnet sessions.

Management Access Filter commands
management-access-filter
Syntax

[no] management-access-filter

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context edit management access filters and to reset match criteria.

Management access filters control all traffic in and out. They can be used to restrict management of the router by other nodes outside either specific networks or subnetworks or through designated ports.

Management filters, as opposed to other traffic filters, are enforced by system software.

The no form of this command removes management access filters from the configuration.

ip-filter
Syntax

[no] ip-filter

Context

config>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure management access IP filter parameters.

ipv6-filter
Syntax

[no] ipv6-filter

Context

config>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure management access IPv6 filter parameters.

default-action
Syntax

default-action {permit | deny | deny-host-unreachable}

Context

config>system>security>mgmt-access-filter>ip-filter config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables the default action for management access in the absence of a specific management access filter match.

The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.

Parameters
permit

Specifies that packets not matching the configured selection criteria in any of the filter entries will be permitted.

deny

Specifies that packets not matching the selection criteria be denied and that an ICMP host unreachable message will not be issued. .

deny-host-unreachable

Specifies that packets not matching the selection criteria be denied and a host unreachable message will be issued.

entry
Syntax

[no] entry entry-id

Context

config>system>security>mgmt-access-filter>ip-filter config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7210 SAS OS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.

The no form of this command removes the specified entry from the management access filter.

Parameters
entry-id

An entry ID uniquely identifies a match criteria and the corresponding action. Nokia recommends that entries be numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Values

1 to 9999

action
Syntax

action {permit | deny | deny-host-unreachable}

no action

Context

config>system>security>mgmt-access-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables the action associated with the management access filter match criteria entry.

The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.

If the packet does not meet any of the match criteria the configured default action is applied.

Parameters
permit

Specifies that packets matching the configured criteria will be permitted.

deny

Specifies that packets matching the configured selection criteria will be denied and that a ICMP host unreachable message will not be issued.

deny-host-unreachable

Specifies that packets matching the configured selection criteria will be denied and that a host unreachable message will not be issued.

dst-port
Syntax

[no] dst-port port [mask]

Context

config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a source TCP or UDP port number or port range for a management access filter match criterion.

The no form of this command removes the source port match criterion.

Parameters
port

Specifies the source TCP or UDP port number as match criteria.

Values

1 to 65535 (decimal)

mask

Specifies mask used to specify a range of source port numbers as the match criterion.

This 16-bit mask can be configured using the formats listed in the following table.

Table 11. 16-bit mask configurations
Format style Format syntax Example

Decimal

DDDDD

63488

Hexadecimal

0xHHHH

0xF800

Binary

0bBBBBBBBBBBBBBBBB

0b1111100000000000

To select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.

Default

65535 (exact match)

Values

1 to 65535 (decimal)

fragment
Syntax

[no] fragment {true | false}

Context

config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion.

Note:

An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the Layer 4 information.

The no form of this command removes the match criterion.

Default

no fragment

Parameters
true

Specifies to match on all fragmented IP packets. A match will occur for all packets that have either the MF (more fragment) bit set or have the Fragment Offset field of the IP header set to a non-zero value.

false

Specifies to match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and have the Fragment Offset field also set to zero.

l4-src-port
Syntax

[no] l4-src-port port [mask]

Context

config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a source TCP or UDP port number for an IP filter match criterion.

Note:

an entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the source port match criterion.

Default

no l4-src-port

Parameters
port

Specifies the source port number to be used as a match criteria expressed as a decimal integer.

Values

1 to 65535

mask

Specifies the mask in dotted-decimal notation

Values

1 to 65535 decimal hex or binary

flow-label
Syntax

flow-label value

no flow-label

Context

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non default quality of service or real-time service.

Parameters
value

Specifies the flow identifier in an IPv6 packet header that can be used to discriminate traffic flows, in accordance with RFC 3595, Textual Conventions for IPv6 Flow Label.

Values

0 to 1048575

log
Syntax

[no] log

Context

config>system>security>mgmt-access-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables match logging. When enabled, matches on this entry will cause the security event mafEntryMatch to be raised.

Default

no log

next-header
Syntax

next-header next-header

no next-header

Context

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the next header to match. The protocol type, such as TCP, UDP, or OSPF, is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), and UDP(17).

Parameters
next-header

Specifies the IP protocol field for IPv4 Management Access Filter (MAF), and the next header type to be used in the match criteria for this MAF entry for IPv6.

Values

next-header: 0 to 255, protocol numbers accepted in DHB keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

protocol
Syntax

[no] protocol protocol-id

Context

config>system>security>mgmt-access-filter>ip-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures an IP protocol type to be used as a management access filter match criterion.

The protocol type, such as TCP, UDP, and OSPF, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).

The no form this command removes the protocol from the match criteria.

Parameters
protocol

Specifies the protocol number for the match criterion.

Values

1 to 255 (decimal)

router
Syntax

router {router-instance}

no router

Context

config>system>security>mgmt-access-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a router name or service ID to be used as a management access filter match criterion.

The no form of this command removes the router name or service ID from the match criteria.

Default

base

Parameters
router-instance

Specifies the router name.

renum
Syntax

renum old-entry-number new-entry-number

Context

config>system>security>mgmt-access-filter>ip-filter config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command renumbers existing management access filter entries to re-sequence filter entries.

The system exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be renumbered differently from most to least explicit.

Parameters
old-entry-number

Specifies the entry number of the existing entry.

Values

1 to 9999

new-entry-number

Specifies the new entry number that will replace the old entry number.

Values

1 to 9999

src-port
Syntax

src-port {port-id | lag lag-id}

no src-port

Context

config>system>security>mgmt-access-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command restricts ingress management traffic to either the CPM Ethernet port or any other logical port (LAG or port) on the device.

When the source interface is configured, only management traffic arriving on those ports satisfy the match criteria.

The no form of this command reverts to the default value.

Default

any interface

Parameters
port-id

Specifies the port ID in the following format: slot[/mda]/port.

Syntax: port-id: slot/mda/port

src-ip
Syntax

[no] src-ip {ip-prefix/prefix-length | ip-prefix> netmask}

Context

config>system>security>mgmt-access-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a source IP address range to be used as a management access filter match criterion.

To match on the source IP address, specify the address and the associated mask (that is, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.

The no form of this command removes the source IP address match criterion.

Parameters
ip-prefix/prefix-length

Specifies the IP prefix used for IP match criteria in dotted-decimal notation. It can be IPv4 or an IPv6 prefix.

Values

ipv4-prefix: a.b.c.d

ipv4-prefix-length: 0 to 32 ipv6-prefix: x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d x: [0..FFFF]H d: [0..255]D ipv6-prefix-length: 0 to 128

netmask

Specifies the subnet mask in dotted-decimal notation.

Values

a.b.c.d (network bits all 1 and host bits all 0)

Distributed CPU protection commands
dist-cpu-protection
Syntax

dist-cpu-protection

Context

config>system>security

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

Commands in this context configure distributed CPU protection.

policy
Syntax

policy policy-name [create]

no policy policy-name

Context

config>sys>security>dist-cpu-protection

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command configures one of the maximum 16 distributed CPU protection policies. These policies can be applied to objects such as SAPs.

Parameters
policy-name

Specifies the policy name, up to 32 characters.

create

Creates a new policy instance.

description
Syntax

description description-string

no description

Context

config>system>security>dist-cpu-protection>policy

config>system>security>dist-cpu-protection>policy>static-policer

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command creates a text description stored in the configuration file for a configuration context.

This command associates a text string with a configuration context to help identify the context in the configuration file.

The no form of this command removes the string.

Default

no description

Parameters
string

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

protocol
Syntax

protocol name [create]

no protocol name

Context

config>sys>security>dist-cpu-protection>policy

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command creates the protocol for control in the policy.

For RVPLS, DCP rate-limits the packets arriving at the CPU, but for flooded traffic, ingress QoS or ACLs must be used.

When the no form of this command is used, the packets of the specified protocol are not enforced on the objects to which this DCP policy is assigned.

Parameters
names

Specifies the protocol name.

Values

arp, icmp, igmp, vrrp, ntp

create

Creates a new protocol instance.

enforcement
Syntax

enforcement {static policer-name}

Context

config>sys>security>dist-cpu-protection>policy>protocol

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command configures the enforcement method for the protocol. When the static keyword is used, the protocol is always enforced using a static policer. Multiple protocols can reference the same static policer. When multiple protocols are configured to reference the same policer, each protocol is assigned an independent instance of the policer. The policer is not shared among the multiple protocols that are referencing it.

Default

enforcement dynamic local-mon-bypass

Parameters
static

Specifies that the protocol is always enforced using a static policer.

policer-name

Specifies the name of the static policer, up to 32 characters.

static-policer
Syntax

static-policer policer-name [create]

static-policer policer-name

Context

config>sys>security>dist-cpu-protection>policy

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command configures a static enforcement policer that can be referenced by one or more protocols in the policy. When the policer name is referenced by a protocol, this policer is instantiated for each protocol and each object (for example, SAP) that is created and references this policy. If there is no policer resource available, the object is blocked from being created. Multiple protocols can use the same static policer. When multiple protocols reference the same policer, each protocol gets an independent instance of the policer. The policer is not shared among the multiple protocols that are referencing it.

Parameters
policer-name

Specifies the name of the policer, up to 32 characters.

create

Keyword to create a new static-policer instance.

exceed-action
Syntax

exceed-action {discard | none}

Context

config>sys>security>dist-cpu-protection>policy>static-policer

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command controls the action performed upon the extracted control packets when the configured policer rates are exceeded.

Default

exceed-action none

Parameters
discard

Keyword to discards packets that are non-conformant.

none

Keyword to send packets to the CPU instead of discarding them.

log-events
Syntax

log-events [verbose]

no log-events

Context

config>sys>security>dist-cpu-protection>policy>static-policer

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command controls the creation of log events related to static policer status and activity.

Default

log-events

Parameters
verbose

Keyword to send the same events as just log events. The optional keyword verbose includes events used during debugging, tuning, and investigation.

rate
Syntax

rate {kbps kilobits-per-second | max} {[mbs size] [bytes | kilobytes]}

no rate

Context

config>sys>security>dist-cpu-protection>policy>static-policer

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command configures the rate and burst tolerance for the policer in either a packet rate or a bit rate.

The hardware may not be able to rate limit to the exact configured parameters. In this case, the configured parameters are adapted to the closest supported rate. The actual (operational) parameters can be seen in CLI, for example, show service id 33 sap 1/1/3:33 dist-cpu-protection detail.

Default

rate kbps max mbs default

Parameters
kilobits-per-second

Specifies the kilobits per second.

Values

1 to 204800 | max (the max keyword disables the policer (always conformant))

size

Specifies the tolerance for the kbps rate.

Values

size-in-bytes: [512 to 65536]

size-in-kbytes: [1 to 64]

bytes | kilobytes

Specifies that the units of the mbs size parameter are either in bytes or kilobytes.

Password commands
admin-password
Syntax

admin-password password [hash | hash2]

no admin-password

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables the context (with administrative permissions) to configure a password that enables a user to become an administrator.

This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an administrative user.

This functionality can be enabled in two contexts:

config>system>security>password>admin-password

<global> enable-admin

Note:

See the description for the enable-admin command. If the admin-password command is configured in the config>system>security>password context, any user can enter the special administrative mode by entering the enable-admin command.

The enable-admin command is in the default profile. By default, all users are given access to this command.

When the enable-admin command is entered, the user is prompted for a password. If the password is correct, the user is given unrestricted access to all commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for this password are determined by the configuration in the complexity-rules context.

The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets.

Usernames and passwords in the FTP and TFTP URLs will not be sent to the authorization or accounting servers when the file>copy source-url dest-url command is executed.

For example:

file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile

In this example, the username 'test' and password 'secret' will not be sent to the AAA servers (or to any logs). They will be replaced with '****'.

Note:

The configure system security password hashing command affects the maximum number of characters that can be used to configure the password parameter.

The no form of this command removes the administrative password from the configuration.

Default

no admin-password

Parameters
password

Specifies the password, which enables a user to become a system administrator. The maximum length can be up to 56 characters if unhashed, 32 characters if the hash keyword is specified, and 54 characters if the hash2 keyword is specified, 60 characters if hashed with bcrypt, or 87 to 92 characters if hashed with sha2-pbkdf2.

hash

Specifies that the key is entered in an encrypted form. If the hash keyword is not configured, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form.

hash2

Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

enable-admin
Syntax

enable-admin

Context

<global>

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command is in the default profile. By default, all users are given access to this command.

Note:

See the description for the admin-password command. If the admin-password command is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the enable-admin command.

When the enable-admin command is entered, the user is prompted for a password. If the password is correct, the user is given unrestricted access to all commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password is determined by the configuration in the complexity-rules context.

There are two ways to verify that a user is in the enable-admin mode.

  • An administrator can enter the show users command know which users are in this mode.

  • Enter the enable-admin command again at the root prompt and an error message will be returned.

Output

The following output shows an example of an error message when the enable-admin command is entered at the prompt again and the user is already in the enable-admin mode.

Sample output

A:ALA-1# show users
===============================================================================
User Type From Login time Idle time
===============================================================================
admin Console -- 10AUG2006 13:55:24 0d 19:42:22
admin Telnet 10.20.30.93 09AUG2006 08:35:23 0d 00:00:00 A
-------------------------------------------------------------------------------
Number of users : 2
'A' indicates user is in admin mode
===============================================================================
A:ALA-1#
A:ALA-1# enable-admin
MINOR: CLI Already in admin mode.
A:ALA-1#
aging
Syntax

aging days

no aging

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval.

The no form of this command reverts to the default value.

Parameters
days

Specifies the maximum number of days the password is valid.

Values

1 to 500

attempts
Syntax

attempts count [time minutes1 [lockout minutes2]

no attempts

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame. The threshold for the number of login attempts can be configured by using the CLI parameter count. An SNMP trap is generated by the device when the number of login attempts exceeds the configured threshold. Generation of the trap can be suppressed using the config>log>event-control command.

By default, the device generates a trap when the login attempts exceed the configured threshold. The trap carries information about the user ID used for the login attempt. An SNMP trap will not be sent for every failed attempt.

If the threshold is exceeded, the user is locked out for a specified time period.

If multiple attempts commands are entered, each command overwrites the previously entered command.

The no form of this command reverts to the default values.

Default

attempts 3 time 5 lockout 10

Parameters
count

Specifies the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.

Values

1 to 64

Default

3

time minutes

Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.

Values

0 to 60

Default

5

lockout minutes

Specifies the lockout period, in minutes, where the user is not allowed to login. Allowed values are decimal integers.

Values

0 to 1440

Default

10

authentication-order
Syntax

authentication-order [method-1] [method-2] [method-3] [exit-on-reject]

no authentication-order

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the sequence in which password authentication, authorization, and accounting is attempted among RADIUS, TACACS+, and local passwords.

The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.

If all (operational) methods are attempted and no authentication for a particular login has been granted, an entry in the security log registers the failed attempt. The attempted login identification and originating IP address are logged with the a timestamp.

The no form of this command reverts to the default authentication sequence.

Default

authentication-order radius tacplus local

Parameters
method-1

Specifies the first password authentication method to attempt.

Values

radius, tacplus, local

Default

radius

method-2

Specifies the second password authentication method to attempt.

Values

radius, tacplus, local

Default

tacplus

method-3

Specifies the third password authentication method to attempt.

Values

radius, tacplus, local

Default

local

radius

Specifies the RADIUS authentication.

tacplus

Specifies the TACACS+ authentication.

local

Specifies the password authentication based on the local password database.

exit-on-reject

When enabled and if one of the AAA methods configured in the authentication order sends a reject, the next method in the order will not be tried. If the exit-on-reject keyword is not specified and one AAA method sends a reject, the next AAA method will be attempted. If in this process, all the AAA methods are exhausted, it will be considered as a reject.

A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting will only use the method that provided an affirmation authentication; only if that method is no longer readable or is removed from the configuration will other configured methods be attempted. If the local keyword is the first authentication, exit-on-reject is configured, and the user does not exist, the user will not be authenticated.

The user is authenticated locally, then other methods, if configured, will be used for authorization and accounting.

If the user is configured locally but without console access, login will be denied.

complexity-rules
Syntax

complexity-rules

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context define a list of rules for configurable password options.

allow-user-name
Syntax

[no] allow-user-name

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables the username to be used as part of the password.

The no form of this command does not allow the username to be used as part of the password.

credits
Syntax

credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]

no credits

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

The maximum credits given for usage of the different character classes in the local passwords.

The no form of this command reverts to the default value.

Default

no credits

Parameters
credits

Specifies the number of credits that can be used for each characters class.

Values

0 to 10

minimum-classes
Syntax

minimum-classes minimum

no minimum-classes

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command forces the use of at least the specified number of different character classes.

The no form of this command reverts to the default value.

Default

no minimum-classes

Parameters
minmum

Specifies the minimum number of classes to be configured.

Values

2 to 4

health-check
Syntax

[no] health-check [interval interval]

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies that RADIUS, TACACS+, and LDAP servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, a trap will be sent based on the server type.

The no form of this command disables the periodic monitoring of the RADIUS, TACACS+, and LDAP servers. In this case, the operational status for the active server will be up if the last access was successful.

Parameters
interval

Specifies the polling interval for RADIUS, TACACS+, and LDAP servers.

Values

6 to 1500

Default

30

history
Syntax

history size

no history

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures how many previous passwords a new password is matched against.

Default

no history

Parameters
size

Specifies how many previous passwords a new password is matched against.

Values

1 to 20

minimum-age
Syntax

minimum-age [days days] [hrs hours] [min minutes] [sec seconds]

no minimum-age

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the minimum required age of a password before it can be changed again.

The no form of this command removes the minimum password age requirement.

Default

no minimum-age

Parameters
days

Specifies the minimum number of days before a password can be changed again.

Values

0 to 1

hours

Specifies the minimum number of hours before a password can be changed again.

Values

0 to 23

minutes

Specifies the minimum number of minutes before a password can be changed again.

Values

0 to 59

seconds

Specifies the minimum number of seconds before a password can be changed again.

Values

0 to 59

minimum-change
Syntax

minimum-change length

no minimum-change

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the minimum number of characters required to be different in the new password from a previous password.

The no form of this command removes the unique character requirement.

Default

no min-change

Parameters
length

Specifies how many characters must be different in the new password from the old password.

Values

2 to 20

minimum-length
Syntax

minimum-length length

no minimum-length

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the minimum number of characters required for locally administered passwords and keys used with SNMPv3 user authentication and encryption. See the configure system security user snmp authentication command for more information about the use of keys with SNMPv3-based authentication and encryption algorithms.

If multiple minimum-length commands are entered, each new command overwrites the previously configured password length.

The no form of this command reverts to default value.

Default

minimum-length 6

Parameters
value

Specifies the minimum number of characters required for a locally administered password.

Values

6 to 50

repeated-characters
Syntax

repeated-characters count

no repeated-characters

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the number of times a character can be repeated consecutively.

The no form of this command reverts to the default value.

Default

no repeated-characters

Parameters
count

Specifies the minimum count of consecutively repeated characters.

Values

2 to 8

required
Syntax

required [lowercase count] [uppercase count] [numeric count] [special-character count]

no required

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the minimum number of different character classes required.

The no form of this command reverts to the default value.

Default

no required

Parameters
count

Specifies the minimum count of characters classes.

Values

0 to 10

hashing
Syntax

hashing {bcrypt | sha2-pbkdf2}

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the password hashing algorithm.

Parameters
bcrypt

Keyword to configure the bcrypt algorithm.

sha2-pbkdf2

Keyword to configure the PBKDF2 algorithm.

health-check
Syntax

[no] health-check [interval interval]

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies that RADIUS and TACACS+ servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, a trap will be sent based on the type of the server.

The no form of this command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server will be up if the last access was successful.

Default

health-check

Parameters
interval

Specifies the interval of the health check, in seconds.

Values

6 to 1500

password
Syntax

password

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure password management parameters.

public-keys
Syntax

public-keys

Context

config>system>security>user

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure public keys for SSH.

ecdsa
Syntax

ecdsa

Context

config>system>security>user>public-keys

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure ECDSA public keys.

ecdsa-key
Syntax

ecdsa-key ecdsa-public-key-id [create]

no ecdsa-key ecdsa-public-key-id

Context

config>system>security>user>public-keys>ecdsa

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.

The no form of this command removes the configured ECDSA public keys.

Default

no ecdsa-key

Parameters
create

Keyword to create an ECDSA key. The create keyword requirement can be enabled or disabled in the environment>create context.

key-id

Specifies the key identifier.

Values

1 to 32

key-value
Syntax

key-value public-key-value

no key-value

Context

config>system>security>user>public-keys>ecdsa>ecdsa-key

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a value for the ECDSA public key. The public key must be enclosed in quotation marks. The key is between 1 and 1024 bits.

The no form of this command removes the configured ECDSA public key value.

Default

no key-value

Parameters
ecdsa-public-key-value

Specifies the public key value, up to 255 characters.

rsa
Syntax

rsa

Context

config>system>security>user>public-keys

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure RSA public keys.

rsa-key
Syntax

rsa-key rsa-public-key-id [create]

no rsa-key rsa-public-key-id

Context

config>system>security>user>public-keys>rsa

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command creates an RSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.

The no form of this command removes the configured RSA public keys.

Default

no rsa-key

Parameters
create

Keyword to create the RSA key. The create keyword requirement can be enabled or disabled in the environment>create context.

key-id

Specifies the key identifier.

Values

1 to 32

key-value
Syntax

key-value rsa-public-key-value

no key-value

Context

config>system>security>user>public-keys>rsa>rsa-key

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a value for the RSA public key. The public key must be enclosed in quotation marks. The key is between 768 and 4096 bits.

The no form of this command removes the configured public key value.

Default

no key-value

Parameters
public-key-value

Specifies the public key value, up to 800 characters.

Profile management commands
action
Syntax

action {deny | permit}

Context

config>system>security>profile>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the action associated with the profile entry.

Parameters
deny

Specifies that commands matching the entry command match criteria are denied.

permit

Specifies that commands matching the entry command match criteria are permitted.

match
Syntax

match command-string

no match

Context

config>system>security>profile>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a command or command subtree.

Because the system exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated before this profile.

All commands below the hierarchy level of the matched command are denied.

The no form of this command removes a match condition.

Parameters
command-string

Specifies the CLI command or CLI tree level that is the scope of the profile entry.

copy
Syntax

copy {user source-user | profile source-profile} to destination [overwrite]

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command copies a profile or user from a source profile to a destination profile.

Parameters
source-user

Specifies the user, up to 32 characters, to copy from. The user must already exist.

source-profile

Specifies the profile, up to 32 characters, to copy from. The profile must already exist.

destination

Specifies the destination profile, up to 32 characters, to which the profile is copied.

overwrite

Specifies that the destination profile configuration will be overwritten with the copied source profile configuration. A profile will not be overwritten if the overwrite command is not specified.

default-action
Syntax

default-action {deny-all | permit-all | none}

Context

config>system>security>profile

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the default action to be applied when no match conditions are met.

Parameters
deny-all

Sets the default of the profile to deny access to all commands.

permit-all

Sets the default of the profile to permit access to all commands.

Note:

The permit-all keyword does not change access to security commands. Security commands are only and always available to members of the super-user profile.

none

Sets the default of the profile to no-action. This option is useful to assign multiple profiles to a user.

For example, if a user is a member of two profiles and the default action of the first profile is permit-all, the second profile will never be evaluated because the permit-all is executed first. Set the first profile default action to none and if no match conditions are met in the first profile, the second profile will be evaluated. If the default action of the last profile is none and no explicit match is found, the default deny-all takes effect.

description
Syntax

description description-string

no description

Context

config>system>security>profile>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command creates a text description stored in the configuration file for a configuration context.

The description command associates a text string with a configuration context to help identify the context in the configuration file.

The no form of this command removes the string from the context.

Parameters
description-string

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

entry
Syntax

[no] entry entry-id

Context

config>system>security>profile

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command is used to create a user profile entry.

More than one entry can be created with unique entry-id numbers. The 7210 SAS exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.

The no form of this command removes the specified entry from the user profile.

Parameters
entry-id

Specifies the entry ID. An entry ID uniquely identifies a user profile command match criteria and a corresponding action. If more than one entry is configured, the entry IDs should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entries.

Values

1 to 9999

profile
Syntax

[no] profile user-profile-name

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command creates user profiles for CLI command tree permissions.

Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.

When the profiles are created, the users command assigns users to one or more profiles. You can define up to 16 user profiles but a maximum of 8 profiles can be assigned to a user. The user-profile-name can consist of up to 32 alphanumeric characters.

The no form of this command deletes a user profile.

Default

user-profile default

Parameters
user-profile-name

Specifies the user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

renum
Syntax

renum old-entry-number new-entry-number

Context

config>system>security>profile

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command renumbers profile entries to resequence the entries.

Because the 7210 SAS exits when the first match is found and executes the actions according to the accompanying action command, renumbering is useful to rearrange the entries from most explicit to least explicit.

Parameters
old-entry-number

Specifies the entry number of an existing entry.

Values

1 to 9999

new-entry-number

Specifies the new entry number.

Values

1 to 9999

User management commands
access
Syntax

[no] access [ftp] [snmp] [console]

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command grants user permission for FTP, SNMP, console, or lawful intercept (LI) access.

If a user requires access to more than one application, multiple applications can be specified in a single command. Multiple commands are treated additively.

The no form of this command removes access for a specific application. The no access command denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied, for example, no access ftp denies FTP access.

Parameters
ftp

Specifies FTP permission.

snmp

Specifies SNMP permission. This keyword is only configurable in the config>system>security>user context.

console

Specifies console access (serial port or Telnet) permission.

authentication
Syntax

authentication none

authentication authentication-protocol key-1 [privacy none] [hash | hash2]

authentication authentication-protocol key-1 privacy privacy-protocol key-2 [hash | hash2]

no authentication

Context

config>system>security>user>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the authentication and encryption method that the device uses to validate the user. The SNMP authentication allows the device to validate the managing node that issues the SNMP message and detect message tampering.

The no form of this command reverts to the default value.

Default

authentication none

Parameters
authentication-protocol

Specifies the SNMP authentication protocol.

Values

hmac-md5-96 — Specifies the use of the HMAC-MD5-96 authentication protocol.

hmac-sha1-96 — Specifies the use of the HMAC-SHA-96 authentication protocol.

hmac-sha2-224 — Specifies the use of the HMAC-SHA-224 authentication protocol.

hmac-sha2-256 — Specifies the use of the HMAC-SHA-256 authentication protocol.

hmac-sha2-384 — Specifies the use of the HMAC-SHA-384 authentication protocol.

hmac-sha-512 — Specifies the use of the HMAC-SHA-512 authentication protocol.

privacy-protocol

Specifies the SNMP privacy protocol.

Values

none — Specifies that encryption should not be used.

cbc-des — Specifies the use of the CBC-DES privacy protocol.

cfb128-aes-128 — Specifies the use of the CFB128-AES-128 privacy protocol.

cfb128-aes-192 — Specifies the use of the CFB128-AES-192 privacy protocol.

cfb128-aes-256 — Specifies the use of the CFB128-AES-256 privacy protocol.

hash

Keyword to indicate the encryption mechanism used to store the authentication and privacy keys in an encrypted format in the configuration file. When hash is not specified, non-encrypted characters can be entered. When hash is specified, the key is expected to be decrypted using the hash mechanism. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 keyword specified.

hash2

Keyword to indicate the encryption mechanism used to store all specified keys in an encrypted format in the configuration file. For example, the hash2 encrypted variable cannot be copied and pasted to a different node. If the hash2 keyword is not specified, the key is assumed to be unencrypted in cleartext form. The hash2 keyword is the default mechanism used if hash is not specified. Therefore, the user does not need to specify hash2 explicitly while entering the key. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 keyword specified.

key-1

Specifies the key-1 value for SNMP packet encryption.

Values

localized-privacy-key — Key value generated by using the tools>perform>system>management-interface>snmp>generate-key command. When this key is stored in the configuration, it is stored in encrypted form using one of the mechanisms available (for example, hash or hash2) along with the keyword to indicate the mechanism used (for example, config>system>security>user “User1" snmp>privacy cbc-des e8482d1f66e057450afa6e hash).

hash-key — Key value obtained by using the hash mechanism to store the key in encrypted format in the configuration file. Initially the key value is generated by using the tools>perform>system>management-interface>snmp>generate-key command and further stored in the configuration using the hash mechanism.

hash2-key — Key value obtained by using the hash2 mechanism for encrypting the key. This value cannot be entered by the user. It is automatically generated using the hash2 mechanism, when the user does not explicitly specify the hash mechanism for encrypting the key, and stored in the configuration file.

key-2

Specifies the key-2 value for SNMP packet encryption.

Values

localized-privacy-key — Key value generated by using the tools>perform>system>management-interface>snmp>generate-key command. When this key is stored in the configuration, it is stored in encrypted form using one of the mechanisms available (for example, hash or hash2) along with the keyword to indicate the mechanism used (for example, config>system>security>user “User1" snmp>authentication hmac-md5-96 e8482d1f66e057a0be0e50afa6e hash).

hash-key — Key value obtained by using the hash mechanism to store the key in encrypted format in the configuration file. Initially, the key value is generated by using the tools>perform>system>management-interface>snmp>generate-key command and further stored in the configuration using the hash mechanism.

hash2-key — Key value obtained by using the hash2 mechanism for encrypting the key. This value cannot be entered by the user. It is automatically generated using the hash2 mechanism, when the user does not explicitly specify the hash mechanism for encrypting the key, and stored in the configuration file.

group
Syntax

group group-name

no group

Context

config>system>security>user>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command associates (or links) a user to a group name. The group name must be configured with the config>system>security>user>snmp>group command. The access command links the group with one or more views, security models, security levels, and read, write, and notify permissions

Parameters
group-name

Specifies the group name, up to 32 alphanumeric characters, that is associated with this user. A user can be associated with one group name per security model.

cannot-change-password
Syntax

[no] cannot-change-password

Context

config>system>security>user>console

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command allows a user to change their password for FTP and console login.

To disable a user password change privilege, use the cannot-change-password form of this command.

Note:

The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.

Default

no cannot-change-password

console
Syntax

console

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure user profile membership for the console (either Telnet or serial port user).

copy
Syntax

copy {user source-user | profile source-profile} to destination [overwrite]

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command copies a specific user configuration parameter to another (destination) user.

The password is set to a carriage return and a new password at login must be selected.

Parameters
source-user

Specifies the user, up to 32 characters, to copy. The user must already exist.

destination

Specifies the destination user or profile, up to 32 characters.

overwrite

Specifies that the destination user configuration will be overwritten with the copied source user configuration. A configuration will not be overwritten if the overwrite command is not specified.

home-directory
Syntax

home-directory url-prefix [directory] [directory/directory…]

no home-directory

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the local home directory for the user for both console and FTP access.

If the URL or the specified URL/directory structure is not present, a warning message is issued and the default is assumed.

The no form of this command removes the configured home directory.

Note:

If restricted-to-home has been configured, no file access is granted and no home directory is created. If restricted-to-home is not applied, the root becomes the user home directory.

Default

no home-directory

Parameters
local-url-prefix [directory] [directory/directory…]

Specifies the user local home directory URL prefix and directory structure, up to 190 characters.

profile
Syntax

profile user-profile-name

no profile

Context

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the profile for the user based on this template.

Parameters
user-profile-name

Specifies the user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

login-exec
Syntax

[no] login-exec url-prefix: source-url

Context

config>system>security>user>console

config>system>security>user-template>console

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a user login exec file, which executes whenever the user successfully logs in to a console session.

Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.

The no form of this command disables the login exec file for the user.

Parameters
url-prefix:source-url

Specifies either a local or remote URL, up to 200 characters, that identifies the exec file that will be executed after the user successfully logs in.

member
Syntax

member user-profile-name [user-profile-name…up to 8max]

no member user-profile-name

Context

config>system>security>user>console

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command gives the user access to a profile.

A user can participate in up to eight profiles.

The no form of this command deletes user access to a profile.

Default

default

Parameters
user-profile-name

Specifies the user profile name, up to 32 characters.

new-password-at-login
Syntax

[no] new-password-at-login

Context

config>system>security>user>console

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command forces the user to change a password at the next console login. The new password applies to FTP but the change can be enforced only by the console, SSH, or Telnet login.

The no form of this command does not force the user to change passwords.

Default

no new-password-at-login

password
Syntax

password [password] [hash | hash2]

Context

config>system>security>user

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the user password for console and FTP access.

The use of the hash keyword sets the initial password when the user is created or modifies the password of an existing user and specifies that the specific password was hashed using hashing algorithm version 1.

The password is stored in an encrypted format in the configuration file when specified. Passwords should be encased in double quotes (" ") at the time of the password creation. The double quote character (") is not accepted inside a password. It is interpreted as the start or stop delimiter of a string.

The use of the hash2 keyword specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.

For example:

config>system>security# user testuser1
config>system>security>user$ password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
config>system>security>user# exit

config>system>security# info
-------------------------------------
...
            user "testuser1"
                password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
            exit
...
-------------------------------------
config>system>security# 
Parameters
password

This is the password for the user that must be entered by this user during the login procedure. The minimum length of the password is determined by the minimum-length command. The maximum length is up to 20 characters if unhashed, 32 characters if hashed.

All password special characters (#, $, spaces, and so on) must be enclosed within double quotes.

For example:
config>system>security>user# password ‟south#bay?”

The question mark character (?) cannot be directly inserted as input during a telnet connection because the character is bound to the help command during a normal Telnet/console connection.

To insert a # or ? character, enter them inside a notepad or clipboard program, and cut and pasted them into the Telnet session in the password field that is encased in the double quotes as delimiters for the password.

If a password is entered without any parameters, a password length of zero is implied: (carriage return).

hash

Specifies that the specific password is already hashed using hashing algorithm version 1. A semantic check is performed on the specific password field to verify if it is a valid hash 1 key to store in the database.

hash2

Specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.

restricted-to-home
Syntax

[no] restricted-to-home

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command prevents users from navigating above their home directories for file access. A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.

If a home-directory is not configured or the home directory is not available, the user has no file access.

The no form of this command allows the user access to navigate to directories above their home directory.

Default

no restricted-to-home

snmp
Syntax

snmp

Context

config>system>security>user

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command creates the context to configure SNMP group membership for a specific user and defines encryption and authentication parameters.

All SNMPv3 users must be configured with the commands available in this CLI node.

The 7210 SAS always uses the configured SNMPv3 username as the security username.

user-template
Syntax

user-template {tacplus_default | radius_default}

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures default security user template parameters.

Parameters
tacplus_default

Specifies that the default TACACS+ user template is actively applied to the TACACS+ user.

radius_default

Specifies that the default RADIUS user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server.

users
Syntax

users

Context

show

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the context to edit the user configuration.

When creating a new user and entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that username, there will be no password required. The user can login to the system and <ENTER> at the password prompt; the user will be logged in.

Unless an administrator explicitly changes the password, it will be null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value will change.

user
Syntax

user user-name

Context

admin

config>system>security>user

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context edit the user configuration.

If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.

When creating a new user and entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that username, there will be no password required. The user can login to the system and <ENTER> at the password prompt; the user will be logged in.

Unless an administrator explicitly changes the password, it will be null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value will change.

The no form of this command deletes the user and all configuration data. Users cannot delete themselves.

Parameters
user-name

Specifies the name of the user, up to 16 characters.

RADIUS client commands
accounting
Syntax

[no] accounting

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables RADIUS accounting.

The no form of this command disables RADIUS accounting.

Default

no accounting

accounting-port
Syntax

accounting-port port

no accounting-port

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.

The no form of this command reverts to the default value.

Parameters
port

Specifies the UDP port number.

Values

1 to 65535

Default

1813

authorization
Syntax

[no] authorization

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures RADIUS authorization parameters for the system.

Default

no authorization

port
Syntax

port port

no port

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the TCP port number to contact the RADIUS server.

The no form of this command reverts to the default value.

Default

port 1812

Parameters
port

The TCP port number to contact the RADIUS server.

Values

1 to 65535

radius
Syntax

[no] radius

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure RADIUS authentication on the router.

Implement redundancy by configuring multiple server addresses for each router.

The no form of this command removes the RADIUS configuration.

retry
Syntax

retry count

no retry

Context

config>system>security>radius

config>system>security>dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.

The no form of this command reverts to the default value.

Default

retry 3

Parameters
count

Specifies the retry count.

Values

1 to 10

server
Syntax

server index address ip-address secret key [hash|hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]

no server index

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures a RADIUS server and its IP address, index, and key values.

Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.

The no form of this command removes the server from the configuration.

Parameters
index

Specifies the index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.

Values

1 to 5

address ip-address

Specifies the IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address: a.b.c.d (host bits must be 0) ipv6-address : x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d x: [0..FFFF]H d: [0..255]D

secret key

Specifies the secret key to access the RADIUS server. This secret key must match the password on the RADIUS server.

Values

20 characters maximum

hash

Specifies that the key is entered in an encrypted form. If the hash keyword is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

shutdown
Syntax

[no] shutdown

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command administratively disables the RADIUS protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command administratively enables the protocol, which is the default state.

Default

no shutdown

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of this command reverts to the default value.

Default

3 seconds

Parameters
seconds

Specifies the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer.

Values

1 to 90

use-default-template
Syntax

[no] use-default-template

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies whether the RADIUS user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server. When enabled, the RADIUS user template is actively applied if no VSAs are returned with the auth-accept from the RADIUS server.

The no form of this command disables the command.

TACACS+ client commands
server
Syntax

server index address ip-address secret key [hash | hash2] [port port]

no server index

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.

Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from lowest index to the highest index for authentication requests.

The no form of this command removes the server from the configuration.

Parameters
index

Specifies the index for the TACACS+ server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from the lowest index to the highest index.

Values

1 to 5

address ip-address

Specifies the IP address of the TACACS+ server. Two TACACS+ servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address : a.b.c.d (host bits must be 0)

ipv6-address: x:x:x:x:x:x:x:x (eight 16-bit pieces)
  • x:x:x:x:x:x:d.d.d.d
  • x: [0..FFFF]H
  • d: [0..255]D
secret key

Specifies the secret key to access the RADIUS server, up to 128 characters. This secret key must match the password on the RADIUS server.

hash

Specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

tacplus
Syntax

[no] tacplus

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command creates the context to configure TACACS+ authentication on the router.

Configure multiple server addresses for each router for redundancy.

The no form of this command removes the TACACS+ configuration.

accounting
Syntax

accounting [record-type {start-stop | stop-only}]

no accounting

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the type of accounting record packet to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.

Default

record-type stop-only

Parameters
record-type start-stop

Specifies that a TACACS+ start packet is sent whenever the user executes a command.

record-type stop-only

Specifies that a stop packet is sent whenever the command execution is complete.

authorization
Syntax

[no] authorization

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures TACACS+ authorization parameters for the system.

Default

no authorization

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the number of seconds the router waits for a response from a TACACS+ server.

The no form of this command reverts to the default value.

Default

timeout 3

Parameters
seconds

Specifies the number of seconds the router waits for a response from a TACACS+ server, expressed as a decimal integer.

Values

1 to 90

shutdown
Syntax

[no] shutdown

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command administratively enables the protocol which is the default state.

Default

no shutdown

use-default-template
Syntax

[no] use-default-template

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies whether or not the user template defined by this entry is to be actively applied to the TACACS+ user.

Generic 802.1x commands
dot1x
Syntax

[no] dot1x

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command creates the context to configure 802.1x network access control on the 7210 SAS.

The no form of this command removes the 802.1x configuration.

radius-plcy
Syntax

[no] radius-plcy name [create]

Context

config>system>security> dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure RADIUS server parameters for 802.1x network access control on the 7210 SAS.

Note:

The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the 7210 SAS as opposed to the RADIUS server configured under the config>system>radius context, which authenticates CLI login users who get access to the management plane of the 7210 SAS.

The no form of this command removes the RADIUS server configuration for 802.1x.

Parameters
name

Specifies the name of the RADIUS policy, up to 32 characters.

create

This keyword is mandatory to create a RADIUS policy.

retry
Syntax

retry count

no retry

Context

config>system>security> dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.

The no form of this command reverts to the default value.

Default

retry 3

Parameters
count

Specifies the retry count.

Values

1 to 10

server
Syntax

server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]

no server index

Context

config>system>security> dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command adds a Dot1x server and configures the Dot1x server IP address, index, and key values.

Up to five Dot1x servers can be configured at any one time. Dot1x servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other Dot1x servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.

The no form of this command removes the server from the configuration.

Parameters
server-index

Specifies the index for the Dot1x server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.

Values

1 to 5

address ip-address

Specifies the IP address of the Dot1x server. Two Dot1x servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

secret key

Specifies the secret key to access the Dot1x server. This secret key must match the password on the Dot1x server.

Values

secret-key - 20 characters maximum

Values

hash-key - 33 characters maximum

Values

hash2-key - 55 characters maximum

hash

Specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies that the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

acct-port acct-port

Specifies the UDP port number on which to contact the RADIUS server for accounting requests.

Values

1 to 65535

auth-port auth-port

Specifies a UDP port number to be used as a match criteria.

Values

1 to 65535

type server-type

Specifies the server type.

Values

authorization, accounting, combined

source-address
Syntax

source-address ip-address

no source-address

Context

config>system>security> dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the NAS IP address to be sent in the RADIUS packet.

The no form of this command reverts to the default value.

Default

By default the system IP address is used in the NAS field.

Parameters
ip-address

Specifies the IP prefix for the IP match criterion in dotted-decimal notation.

Values

a.b.c.d

shutdown
Syntax

[no] shutdown

Context

config>system>security>dot1x

config>system>security>dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command administratively disables the 802.1x protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within.

The no form of this command administratively enables the protocol, which is the default state.

Default

shutdown

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security> dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of this command reverts to the default value.

Default

timeout 3

Parameters
seconds

Specifies the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer.

Values

1 to 90

TCP Enhanced Authentication commands
keychain
Syntax

[no] keychain keychain-name

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure keychain parameters. A keychain must be configured on the system before it can be applied to a session.

The no form of this command removes the keychain nodal context and everything under it from the configuration. If the keychain to be removed is in use when the no keychain command is entered, the command will not be accepted and an error indicating that the keychain is in use will be printed.

Parameters
keychain-name

Specifies a keychain name, up to 32 characters, which identifies this particular keychain entry.

direction
Syntax

direction

Context

config>system>security>keychain

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the context to specify the data type that indicates the TCP stream direction to apply the keychain.

bi
Syntax

bi

Context

config>system>security>keychain>direction

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures keys for both send and receive stream directions.

uni
Syntax

uni

Context

config>system>security>keychain>direction

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures keys for send or receive stream directions.

receive
Syntax

receive

Context

config>system>security>keychain>direction>uni

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command enables the receive nodal context. Entries defined under this context are used to authenticate TCP segments that are being received by the router.

send
Syntax

send

Context

config>system>security>keychain>direction>uni

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the send nodal context to sign TCP segments that are being sent by the router to another device.

entry
Syntax

entry entry-id [key authentication-key | hash-key | hash2-key] [hash | hash2] algorithm algorithm

no entry entry-id

Context

config>system>security>keychain>direction>bi

config>system>security>keychain>direction>uni>receive

config>system>security>keychain>direction>uni>send

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command defines a particular key in the keychain. Entries are defined by an entry-id. A keychain must have valid entries for the TCP Enhanced Authentication mechanism to work.

The no form of this command removes the entry from the keychain. If the entry is the active entry for sending, this will cause a new active key to be selected (if one is available using the youngest key rule). If it is the only possible send key, the system will reject the command with an error indicating that the configured key is the only available send key.

If the key is one of the eligible keys for receiving, it will be removed. If the key is the only possible eligible key, the command will not be accepted, and an error message indicating that this is the only eligible key will be generated.

The no form of this command deletes the entry.

Parameters
entry-id

Specifies an entry that represents a key configuration to be applied to a keychain.

Values

0 to 63

key

Specifies a key ID which is used along with keychain-name and direction to uniquely identify this particular key entry.

authentication-key

Specifies the authentication-key that will be used by the encryption algorithm. The key is used to sign and authenticate a protocol packet.

The authentication-key can be any combination of letters or numbers.

Values

A key must be 160 bits for algorithm hmac-sha-1-96 and must be 128 bits for algorithm aes-128-cmac-96. If the key given with the entry command amounts to less than this number of bits, then it is padded internally with zero bits up to the correct length.

algorithm algorithm

Specifies an enumerated integer that indicates the encryption algorithm to be used by the key defined in the keychain.

Values

aes-128-cmac-96 — Specifies an algorithm based on the AES standard hmac-sha-1-96 — Specifies an algorithm based on SHA-1.

hash-key | hash2-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 for the hash-key and 96 characters for the hash2-key in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (‟ ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies that the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies that the key is entered in a more complex encrypted form.

begin-time
Syntax

begin-time [date] [hours-minutes] [UTC] [now] [forever]

Context

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the calendar date and time after which the key specified by the keychain authentication key is used to sign and authenticate the protocol stream.

If no date and time is set, the begin-time is represented by a date and time string with all nulls and the key is not valid by default.

Parameters
date hours-minutes

Specifies the date and time for the key to become active.

Values

date: YYYY/MM/DD hours-minutes: hh:mm[:ss]

UTC

Specifies that the date and time should be in UTC time rather than local time.

now

Specifies that the key should become active immediately.

forever

Specifies that the key should always be active.

end-time
Syntax

end-time [date] [hours-minutes] [UTC] [now] [forever]

Context

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream.

Default

forever

Parameters
date

Specifies the calendar date after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream in the YYYY/MM/DD format. When no year is specified the system assumes the current year.

hours-minutes

Specifies the time after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream in the hh:mm[:ss] format. Seconds are optional, and if not included, assumed to be 0.

UTC

Indicates that time is given with reference to Coordinated Universal Time in the input.

now

Specifies a time equal to the current system time.

forever

Specifies a time beyond the current epoch.

tolerance
Syntax

tolerance [seconds | forever]

Context

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the amount of time that an eligible receive key should overlap with the active send key or to never expire.

Parameters
seconds

Specifies the duration that an eligible receive key overlaps with the active send key, in seconds.

Values

0 to 4294967294

forever

Specifies that an eligible receive key overlaps with the active send key forever.

tcp-option-number
Syntax

tcp-option-number

Context

config>system>security>keychain

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

Commands in this context configure the TCP option number to be placed in the TCP packet header.

receive
Syntax

receive option-number

Context

config>system>security>keychain>tcp-option-number

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the TCP option number accepted in received TCP packets.

Default

receive 254

Parameters
option-number

Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header.

Values

253 | 254 | 253 and 254

send
Syntax

send option-number

Context

config>system>security>keychain>tcp-option-number

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command configures the TCP option number accepted in TCP packets sent.

Default

send 254

Parameters
option-number

Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header.

Values

253 | 254

dst-port
Syntax

dst-port [tcp/udp port-number] [mask]

no dst-port

Context

config>sys>sec>cpm>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command specifies the TCP/UDP port to match the destination port of the packet. An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet since only the first fragment contains the L4 information.

The no form of this command removes the destination port match criterion.

Parameters
dst-port-number

Specifies the destination port number to be used as a match criteria expressed as a decimal integer.

Values

0 to 65535 (accepted in decimal hex or binary)

mask

Specifies the 16 bit mask to be applied when matching the destination port.

lockout
Syntax

lockout all

lockout user user-name

Context

admin>clear

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command is used to clear a lockout for a specific user.

Parameters
user-name

Specifies the locked user name, up to 32 characters.

all

Clears lockouts for all users.

IPsec commands
ipsec
Syntax

ipsec

Context

config

Platforms

Supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode

Description

Commands in this context configure Internet Protocol security (IPsec) parameters. IPsec is a structure of open standards that uses cryptographic security services to ensure private, secure communications over IP networks.

static-sa
Syntax

static-sa sa-name [create]

no static-sa

Context

config>ipsec

Platforms

Supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode

Description

This command configures an IPsec static security association (SA).

The no form of this command removes the configuration.

Parameters
sa-name

Specifies the SA name, up to 32 characters.

create

Mandatory keyword to create an SA instance.

authentication
Syntax

authentication auth-algorithm ascii-key ascii-string

authentication auth-algorithm hex-key hex-string [hash | hash2]

no authentication

Context

config>ipsec>static-sa

Platforms

Supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode

Description

This command configures the authentication algorithm to use for an IPsec manual SA.

The no form of this command removes the configuration.

Default

no authentication

Parameters
auth-algorithm

Specifies the authentication algorithm.

Values

sha1 — The authentication protocol can be either HMAC-MD5-96 or HMAC-SHA-96.

md5 — The authentication protocol can either be HMAC-MD5-96 or HMAC-SHA-96.

ascii-string

Specifies the ASCII key, up to 16 characters for md5 and 20 characters for sha1.

The authentication key is stored an encrypted format. The minimum key length is configured using the config>system>security>password>minimum-length command.

The complexity of the key is configured using the commands in the config>system>security>password>complexity-rules context.

hex-string

Specifies the hexadecimal key, up to 32 hexadecimal nibbles for md5 and up to 40 hexadecimal nibbles for sha1.

hash

Keyword that stores all specified keys in encrypted format in the configuration file. The password must be entered in encrypted form when this keyword is configured. If this keyword is not configured, the key is assumed to be in a non-encrypted form.

hash2

Keyword to store the key in a more complex encrypted form. If this keyword is not used, the less encrypted hash form is assumed.

description
Syntax

description description-string

no description

Context

config>ipsec>static-sa

Platforms

Supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode

Description

This command creates a text description, which is stored in the configuration file, to help identify the content of the entity.

The no form of this command removes the string from the configuration.

Parameters
description-string

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. It the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed in double quotes.

direction
Syntax

direction ipsec-direction

no direction

Context

config>ipsec>static-sa

Platforms

Supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode

Description

This command configures the direction for an IPsec manual SA.

The no form of this command reverts to the default value.

Default

direction bidirectional

Parameters
ipsec-direction

Specifies the direction.

Values

inbound, outbound, bidirectional

protocol
Syntax

protocol ipsec-protocol

no protocol

Context

config>ipsec>static-sa

Platforms

Supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode

Description

This command configures the security protocol to use for an IPsec manual SA.

The no form of this command reverts to the default value.

Default

protocol esp

Parameters
ipsec-protocol

Specifies the security protocol.

Values

ah — Configures to Authentication Header Protocol.

esp — Configures the Encapsulation Security Payload Protocol.

spi
Syntax

spi spi

no spi

Context

config>ipsec>static-sa

Platforms

Supported on all 7210 SAS platforms as described in this document, except those operating in access-uplink mode

Description

This command configures the security parameter index (SPI) key value for an IPsec manual SA.

The no form of this command removes the configured SPI key value.

Parameters
spi

Specifies the SPI value.

Values

256 to 16383

Show commands

Security commands
access-group
Syntax

access-group [group-name]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command displays SNMP access group information.

Parameters
group-name

Displays information for the specified access group name, up to 32 characters.

Output

The following output is an example of SNMP access group information, and Output fields: access group describes the output fields.

Sample output
A:ALA-4# show system security access-group
===============================================================================
Access Groups                                                                  
===============================================================================
group name        security  security  read          write         notify       
                  model     level     view          view          view         
-------------------------------------------------------------------------------
snmp-ro           snmpv1    none      no-security                 no-security  
snmp-ro           snmpv2c   none      no-security                 no-security  
snmp-rw           snmpv1    none      no-security   no-security   no-security  
snmp-rw           snmpv2c   none      no-security   no-security   no-security  
snmp-rwa          snmpv1    none      iso           iso           iso          
snmp-rwa          snmpv2c   none      iso           iso           iso          
snmp-trap         snmpv1    none                                  iso          
snmp-trap         snmpv2c   none                                  iso          
===============================================================================
A:ALA-7#
Table 12. Output fields: access group
Label Description

Group name

Displays the access group name

Security model

Displays the security model required to access the views configured in this node

Security level

Specifies the required authentication and privacy levels to access the views configured in this node

Read view

Specifies the variable of the view to read the MIB objects

Write view

Specifies the variable of the view to configure the contents of the agent

Notify view

Specifies the variable of the view to send a trap about MIB objects

authentication
Syntax

authentication [statistics]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command displays system login authentication configuration and statistics.

Parameters
statistics

Appends login and accounting statistics to the display.

Output

The following output is an example of system login authentication information, and Output fields: security authentication describes the output fields.

Sample output
A:ALA-4# show system security authentication
===============================================================================
Authentication                  sequence : radius tacplus local
===============================================================================
server address   status  type    timeout(secs)  single connection  retry count
-------------------------------------------------------------------------------
10.10.10.103     up      radius  5              n/a                5
10.10.0.1        up      radius  5              n/a                5
10.10.0.2        up      radius  5              n/a                5
10.10.0.3        up      radius  5              n/a                5
-------------------------------------------------------------------------------
radius admin status  : down
tacplus admin status : up
health check         : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
A:ALA-4#


A:ALA-7>show>system>security# authentication statistics
===============================================================================
Authentication                  sequence : radius tacplus local
===============================================================================
server address   status  type    timeout(secs)  single connection  retry count
-------------------------------------------------------------------------------
10.10.10.103     up      radius  5              n/a                5
10.10.0.1        up      radius  5              n/a                5
10.10.0.2        up      radius  5              n/a                5
10.10.0.3        up      radius  5              n/a                5
-------------------------------------------------------------------------------
radius admin status  : down
tacplus admin status : up
health check         : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
Login Statistics
===============================================================================
server address      connection errors   accepted logins     rejected logins
-------------------------------------------------------------------------------
10.10.10.103        0                   0                   0
10.10.0.1           0                   0                   0
10.10.0.2           0                   0                   0
10.10.0.3           0                   0                   0
local               n/a                 1                   0
===============================================================================
Authorization Statistics (TACACS+)
===============================================================================
server address      connection errors   sent packets        rejected packets
-------------------------------------------------------------------------------
===============================================================================
Accounting Statistics
===============================================================================
server address      connection errors   sent packets        rejected packets
-------------------------------------------------------------------------------
10.10.10.103        0                   0                   0
10.10.0.1           0                   0                   0
10.10.0.2           0                   0                   0
10.10.0.3           0                   0                   0
===============================================================================
A:ALA-7#
Table 13. Output fields: security authentication
Label Description

Sequence

Displays the sequence in which authentication is processed

Server address

Displays the IP address of the RADIUS server

Status

Displays the current status of the RADIUS server

Type

Displays the authentication type

Timeout (secs)

Displays the number of seconds the router waits for a response from a RADIUS server

Single connection

Enabled — Specifies a single connection to the TACACS+ server and validates everything via that connection

Disabled — The TACACS+ protocol operation is disabled

Retry count

Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server

Connection errors

Displays the number of times a user has attempted to login irrespective of whether the login succeeded or failed

Accepted logins

Displays the number of times the user has successfully logged in

Rejected logins

Displays the number of unsuccessful login attempts

Sent packets

Displays the number of packets sent

Rejected packets

Displays the number of packets rejected

dist-cpu-protection
Syntax

cpu-protection

Context

show>system>security

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

Commands in this context display distributed CPU protection information.

policy
Syntax

policy [name] [association | detail]

Context

show>system>security>dist-cpu-protection

Platforms

7210 SAS-R6 and 7210 SAS-R12

Description

This command displays distributed CPU protection policy information.

Parameters
name

Displays distributed CPU protection policy information for the specified policy name, up to 32 characters.

association

Displays associations for the specified policy name.

detail

Displays detailed information for the specified policy name.

keychain
Syntax

keychain [key-chain] [detail]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command displays keychain information.

Parameters
key-chain

Specifies the keychain name to display.

detail

Displays detailed keychain information.

Output

The following output is an example of keychain information, and Output fields: keychain describes the output fields.

Sample output
*A:ALA-A# show system security keychain test
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send     : 254                    Admin state   : Up
TCP-Option number receive  : 254                    Oper state    : Up
===============================================================================
*A:ALA-A# 


*A:ALA-A#  show system security keychain test detail
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send     : 254                    Admin state   : Up
TCP-Option number receive  : 254                    Oper state    : Up
===============================================================================
Key entries for key chain: test
===============================================================================
Id               : 0
Direction        : send-receive         Algorithm        : hmac-sha-1-96
Admin State      : Up                   Valid            : Yes
Active           : Yes                  Tolerance        : 300
Begin Time       : 2007/02/15 18:28:37  Begin Time (UTC) : 2007/02/15 17:28:37
End Time         : N/A                  End Time (UTC)   : N/A
===============================================================================
Id               : 1
Direction        : send-receive         Algorithm        : aes-128-cmac-96
Admin State      : Up                   Valid            : Yes
Active           : No                   Tolerance        : 300
Begin Time       : 2007/02/15 18:27:57  Begin Time (UTC) : 2007/02/15 17:27:57
End Time         : 2007/02/15 18:28:13  End Time (UTC)   : 2007/02/15 17:28:13
===============================================================================
Id               : 2
Direction        : send-receive         Algorithm        : aes-128-cmac-96
Admin State      : Up                   Valid            : Yes
Active           : No                   Tolerance        : 500
Begin Time       : 2007/02/15 18:28:13  Begin Time (UTC) : 2007/02/15 17:28:13
End Time         : 2007/02/15 18:28:37  End Time (UTC)   : 2007/02/15 17:28:37
===============================================================================
*A:ALA-A# 
Table 14. Output fields: keychain
Label Description

TCP-Option number send

Displays the TCP option number to be inserted in the header of sent TCP packets

Admin state

Displays the administrative state of the keychain: up or down

TCP-Option number receive

Displays the TCP option number that will be accepted in the header of received TCP packets

Oper state

Displays the operational state of the keychain: up or down

Key entries for key chain: test

Id

Displays the ID of the key entry

Direction

Displays the stream direction on which keys will be applied for this entry: send, receive, or send-receive

Algorithm

Displays the encryption algorithm to be used by this key entry

Option

Indicates the configured IS-IS encoding standard (indicates ‟none” if the associated protocol is not IS-IS)

Admin State

Displays the administrative state of the key entry: up or down

Valid

Indicates if the receive key is valid

Active

Indicates if the transmit (sent) key is active

Tolerance

Displays the tolerance time configured for support of both currently active and new keys

Begin Time

Displays the time at which the new key is used to sign and/or authenticate protocol packets

Begin Time (UTC)

Displays the begin time in UTC time

End Time

Displays the time at which the key is no longer eligible to authenticate protocol packets

End Time (UTC)

Displays the end time in UTC time

management-access-filter
Syntax

management-access-filter

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command displays management access filter information for IP filters.

ip-filter
Syntax

ip-filter [entry entry-id]

Context

show>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command displays management access IP filters.

Parameters
entry-id

Displays information for the specified entry.

Values

1 to 9999

Output

The following output is an example of management access IP filter information, and Output fields: IP filter describes the output fields.

Sample output
*7210-SAS>show>system>security>management-access-filter# ip-filter entry 1

===============================================================================
IPv4 Management Access Filter
===============================================================================
filter type   : ip
Def. Action   : permit
Admin Status  : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry         : 1
Description   : (Not Specified)
Src IP        : undefined
Src interface : undefined
Dest port     : undefined
L4 Src port   : undefined
Fragment      : off
Protocol      : undefined
Router        : undefined
Action        : none
Log           : disabled
Matches       : 0
===============================================================================
*7210-SAS>show>system>security>management-access-filter# 

Table 15. Output fields: IP filter
Label Description

Def. action

Permit — Specifies that packets not matching the configured

selection criteria in any of the filter entries are permitted

Deny — Specifies that packets not matching the configured selection

criteria in any of the filter entries are denied and that a ICMP host

unreachable message will be issued

Deny-host-unreachble — Specifies that packets not matching

the configured selection criteria in the filter entries are denied.

Entry

Displays the entry ID in a policy or filter table

Description

Displays a text string describing the filter

Src IP

Displays the source IP address used for management access filter match criteria

Src Interface

Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry

Dest port

Displays the destination port

Match

Displays the number of times a management packet has matched this filter entry

Protocol

Displays the IP protocol to match

Action

Displays the action to take for packets that match this filter entry

Flow label

Displays the flow label value to match

Next-header

Displays the IPv6 next header value to match

L4 Src port

Displays the TCP/UDP source port number to match

Fragment

Indicates if the entry should match a fragment or not

Router

Displays the router Instance ID to match

Log

Indicates if packet matching this entry must be logged or not

On 7210 SAS platforms, logging is not supported

ipv6-filter
Syntax

ipv6-filter [entry entry-id]

Context

show>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command displays management access IPv6 filters.

Parameters
entry-id

Displays information for the specified entry.

Values

1 to 9999

Output

The following output is an example of management access IPv6 filter information, and Output fields: IPv6 filter describes the output fields.

Sample output
A:7210SAS# show system security management-access-filter ipv6-filter 

===============================================================================
IPv6 Management Access Filter
===============================================================================
filter type : ipv6
Def. Action : permit
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 1
Description : (Not Specified)
Src IP : undefined
Flow label : undefined
Src interface : 1/1/1
Dest port : undefined
L4 Src port : undefined
Next-header : undefined
Router : undefined
Action : permit
Log : disabled
Matches : 0
===============================================================================
*A:7210SAS# 
Table 16. Output fields: IPv6 filter
Label Description

Def. action

Permit — Specifies that packets not matching the configured

selection criteria in any of the filter entries are permitted

Deny — Specifies that packets not matching the configured selection

criteria in any of the filter entries are denied and that a ICMP host

unreachable message will be issued

Deny-host-unreachble — Specifies that packets not matching

the configured selection criteria in the filter entries are denied

Entry

Displays the entry ID in a policy or filter table

Description

Displays a text string describing the filter

Src IP

Displays the source IPv6 address used for management access filter match criteria

Src Interface

Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry

Dest port

Displays the destination port

Flow label

Displays the flow label value to match

Protocol

Displays the IPv6 protocol to match

Action

Displays the action to take for packets that match this filter entry

Next-header

Displays the IPv6 next header value to match

L4 Src port

Displays the TCP/UDP source port number to match

Router

Displays the router Instance ID to match

Log

Indicates if packet matching this entry must be logged or not

On 7210 SAS platforms, logging is not supported

password-options
Syntax

password-options

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command displays configured password options.

Output

The following output is an example of password option information, and Output fields: password options describes the output fields.

Sample output
A:ALA-7# show system security password-options
===============================================================================
Password Options                                                               
===============================================================================
Password aging in days                           : none                        
Number of invalid attempts permitted per login   : 3                           
Time in minutes per login attempt                : 5                           
Lockout period (when threshold breached)         : 10                          
Authentication order                             : radius tacplus local        
Configured complexity options                    :                             
Minimum password length                          : 6                           
===============================================================================
A:ALA-7#
Table 17. Output fields: password options
Label Description

Password aging in days

Displays the number of days a user password is valid before the user must change their password

Number of invalid attempts permitted per login

Displays the number of unsuccessful login attempts allowed for the specified time

Time in minutes per login attempt

Displays the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out

Lockout period (when threshold breached)

Displays the lockout period in minutes where the user is not allowed to login

Authentication order

Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords

Configured complexity options

Displays the complexity requirements of locally administered passwords, HMAC-MD5-96, HMAC-SHA-96 and DES-keys configured in the authentication section

Minimum password length

Displays the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the system security section

profile
Syntax

profile [user-profile-name]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document, including those configured in the access-uplink operating mode.

Description

This command displays user profile information.

If the user-profile-name is not specified, information for all profiles are displayed.

Parameters
user-profile-name

Displays information for the specified user profile name, up to 32 characters.

Output

The following output is an example of user profile information, and Output fields: profile describes the output fields.

Sample output
A:ALA-7# show system security profile administrative
=============================================================================== 
User Profile                                                                    
===========================================================================