Security
This chapter provides information to configure security parameters.
Authentication, authorization, and accounting
This chapter describes authentication, authorization, and accounting (AAA) used to monitor and control network access on 7210 SAS routers. Network security is based on a multi-step process. The first step, authentication, validates a user’s name and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.
Another step, accounting, keeps track of the activity of a user who has accessed the network. The type of accounting information recorded can include a history of the commands executed, the amount of time spent in the session, the services accessed, and the data transfer size during the session. The accounting data can then be used to analyze trends, and also for billing and auditing purposes.
You can configure 7210 SAS routers to use local, Remote Authentication Dial In User Service (RADIUS), or Terminal Access Controller Access Control System Plus (TACACS+) security to validate users who attempt to access the router by console, Telnet, or FTP. You can select the authentication order which determines the authentication method to try first, second, and third.
7210 SAS supports the following security features:
RADIUS can be used for authentication, authorization, and accounting.
TACACS+ can be used for authentication, authorization, and accounting.
Local security can be implemented for authentication and authorization.
The following figure shows end-user access requests sent to a RADIUS server. After validating the usernames and passwords, the RADIUS server returns an access-accept message to the users on ALA-1 and ALA-2. The username and password from ALA-3 could not be authenticated, therefore access is denied.
Authentication
Authentication validates a username and password combination when a user attempts to log in.
When a user attempts to log in through the console, Telnet, SSH, SCP, or FTP, the 7210 SAS client sends an access request to a RADIUS, TACACS+, or local database.
Transactions between the client and a RADIUS server are authenticated through the use of a shared secret. The secret is never transmitted over the network. User passwords are sent encrypted between the client and RADIUS server, which prevents someone snooping on an insecure network to learn password information.
If the RADIUS server does not respond within a specified time, the router issues the access request to the next configured servers. Each RADIUS server must be configured identically to guarantee consistent results.
If any RADIUS server rejects the authentication request, it sends an access reject message to the router. In this case, no access request is issued to any other RADIUS servers. However, if other authentication methods such as TACACS+ or local are configured, these methods are attempted. If no other authentication methods are configured, or all methods reject the authentication request, then access is denied.
For the RADIUS server selection, round-robin is used if multiple RADIUS servers are configured. Although, if the first alive server in the list cannot find a username, the router does not query the next server in the RADIUS server list and denies the access request. It may get authenticated on the next login attempt if the next selected RADIUS server has the appropriate username. It is recommended that the same user databases be maintained for RADIUS servers to avoid inconsistent behavior.
The user login is successful when the RADIUS server accepts the authentication request and responds to the router with an access accept message.
Implementing authentication without authorization for the 7210 SAS routers does not require the configuration of VSAS (Vendor Specific Attributes) on the RADIUS server. However, users, user access permissions, and command authorization profiles must be configured on each router.
Any combination of the following authentication methods can be configured to control network access from a 7210 SAS router.
Local authentication
Local authentication uses usernames and passwords to authenticate login attempts. The usernames and passwords are local to each router not to user profiles.
By default, local authentication is enabled. When one or more of the other security methods are enabled, local authentication is disabled. Local authentication is restored when the other authentication methods are disabled. Local authentication is attempted if the other authentication methods fail and local is included in the authentication order password parameters.
Locally, you can configure usernames and password management information. This is referred to as local authentication. Remote security servers such as RADIUS or TACACS+ are not enabled.
RADIUS authentication
Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize access to the requested system or service.
RADIUS allows you to maintain user profiles in a shared central database and provides better security, allowing a company to set up a policy that can be applied at a single administered network point.
RADIUS server selection
The RADIUS server selection algorithm is used by different applications:
RADIUS operator management
RADIUS authentication for Enhanced Subscriber Management
RADIUS accounting for Enhanced Subscriber Management
RADIUS PE-discovery
In all these applications, up to five RADIUS servers pools (per RADIUS policy, if used) can be configured.
The RADIUS server selection algorithm can work in two modes, either Direct mode or Round-robin mode.
Direct mode
The first server is used as the primary server. If this server is unreachable, the next server, based on the server index, of the server pool is used. This continues until either all servers in the pool have been tried or an answer is received.
If a server is unreachable, it is not used again by the RADIUS application for the next 30 seconds to allow the server to recover from its unreachable state. After 30 seconds, the unreachable server is available again for the RADIUS application. If, in these 30 seconds, the RADIUS application receives a valid response for a previously sent RADIUS packet on that unreachable server, the server is available for the RADIUS application again, immediately after reception of that response.
Round-robin mode
The RADIUS application sends the next RADIUS packet to the next server in the server pool. The same server non-reachability behavior is valid as in the Direct mode.
Server reachability detection
A server is reachable when the operational state is Up and a valid response is received within a timeout period that is configurable by the retry parameter on the RADIUS policy level.
A server is treated as not-reachable when the operational state is Down and the following occurs:
a timeout
If a number of consecutive timeouts are encountered for a specific server. This number is configurable by the retry parameter at the RADIUS policy level.
a send failed
If a packet cannot be sent to the RADIUS server because the forwarding path toward the RADIUS server is broken (for example, the route is not available or the interface is shut down), no retry mechanism is invoked and the next server in line is immediately used.
A server that is down can only be used again by the RADIUS algorithm after 30 seconds, unless during these 30 seconds, a valid RADIUS reply is received for that server. Then, the server is immediately marked Up again.
The operational state of a server can also be ‟unknown” if the RADIUS application is not aware of the state of the RADIUS server (for example, if the server was previously down but no requests have been sent to the server, it is not known yet whether the server is actually reachable).
Application-specific behavior
Operator management
The server access mode is fixed to Round-Robin (Direct cannot be configured for operator management). A health-check function is available for operator management, which can optionally be disabled. The health-check polls the server once every 10 seconds with an improbable user name. If the server does not respond to this health-check, it will be marked down.
If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.
RADIUS authentication
If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.
RADIUS accounting
The RADIUS accounting application tries to send all the concerned packets of a subscriber host to the same server. If that server is down, the packet is sent to the next server and, from that moment on, the RADIUS application uses that server to send its packets for that subscriber host.
RADIUS PE-discovery
If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.
The RADIUS PE-discovery application makes use of a 10 second time period instead of the generic 30 seconds and uses a fixed consecutive timeout value of 2 (see Server reachability detection).
As long as the Session-Timeout (attribute in the RADIUS user file) is specified, it is used for the polling interval. Otherwise, the configured polling interval is used (60 seconds by default).
TACACS+ authentication
Terminal Access Controller Access Control System, commonly referred to as TACACS is an authentication protocol that allows a remote access server to forward a user's log in password to an authentication server to determine whether access can be allowed to a specific system. TACACS is an encryption protocol and therefore less secure than the later Terminal Access Controller Access Control System Plus (TACACS+) and RADIUS protocols.
TACACS+ and RADIUS have largely replaced earlier protocols in the newer or recently updated networks. TACACS+ uses Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). TACACS+ is popular as TCP is thought to be a more reliable protocol. RADIUS combines authentication and authorization. TACACS+ separates these operations.
Password hashing
This feature is supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D.
The 7210 SAS supports two algorithms for user password hashing: bcrypt, which is the default algorithm, and PBKDF2. The PBKDF2 algorithm can use SHA2 (SHA-256) for hashing.
The password hashing algorithm can be configured using the configure system security password hashing command. The configured algorithm hashes all user passwords.
When password hashing is configured, the following sequence of steps occurs at login:
The node checks the stored password and notes its hash algorithm.
The password entered by the user is hashed with the noted algorithm, and the node compares the hash with the stored user password hash.
If the entered and stored passwords are the same, and if the hash algorithm of the stored user password is different from the hash algorithm of the system password, the user is prompted to enter a new password two times to ensure password match. The node stores this new password in the RAM (not in the system configuration file).
To store the new password in the configuration file, an admin user must perform the admin save command. If the admin save command is not executed, on the next reboot the hash algorithm of the stored user password may be different from the system hash, and the user must go through this process again from step 2.
After an upgrade to a software load that supports PBKDF2, the default password continues to be stored using the bcrypt algorithm. The following example describes the procedure to change the algorithm. In this example, the algorithm is changed to PBKDF2, and ‟User_name” can be any user:
User_name logs in and runs the hashing command to change the algorithm.
To save the algorithm change, an admin user performs an admin save command.
To store User_name’s password using PBKDF2, the admin user changes User_name’s password.
From this point onward, any new user passwords or changes to existing user passwords are stored using PBKDF2.
Authorization
The 7210 SAS supports local, RADIUS, and TACACS+ authorization to control the actions of specific users by applying a profile based on username and password configurations when network access is granted. The profiles are configured locally as well as VSAS on the RADIUS server. See Vendor-specific attributes (VSAS).
After a user is authenticated using RADIUS (or another method), the router can be configured to perform authorization. The RADIUS server can be used to:
download the user profile to the router
send the profile name that the node should apply to the router
Profiles consist of a suite of commands that the user is allowed or not allowed to execute. When a user issues a command, the authorization server looks at the command and the user information and compares it with the commands in the profile. If the user is authorized to issue the command, the command is executed. If the user is not authorized to issue the command, then the command is not executed.
Profiles must be created on each router and should be identical for consistent results. If the profile is not present, then access is denied.
Supported authorization configurations lists the following scenarios:
Remote (RADIUS) authorization cannot be performed if authentication is done locally (on the router).
The reverse scenario is supported if RADIUS authentication is successful and no authorization is configured for the user on the RADIUS server, then local (router) authorization is attempted, if configured in the authorization order.
When authorization is configured and profiles are downloaded to the router from the RADIUS server, the profiles are considered temporary configurations and are not saved when the user session terminates.
User type |
RADIUS supplied profile |
---|---|
Configured user |
Not Supported |
RADIUS server configured user |
Supported |
TACACS+ server configured user |
Not Supported |
When using authorization, maintaining a user database on the router is not required. Usernames can be configured on the RADIUS server. Usernames are temporary and are not saved in the configuration when the user session terminates. Temporary user login names and their associated passwords are not saved as part of the configuration.
Local authorization
Local authorization uses user profiles and user access information after a user is authenticated. The profiles and user access information specifies the actions the user can and cannot perform.
By default, local authorization is enabled. Local authorization is disabled only when a different remote authorization method is configured (RADIUS authorization). Local authorization is restored when RADIUS authorization is disabled.
You must configure profile and user access information locally.
RADIUS authorization
RADIUS authorization grants or denies access permissions for a router. Permissions include the use of FTP, Telnet, SSH (SCP), and console access. When granting Telnet, SSH (SCP) and console access to the router, authorization can be used to limit what CLI commands the user is allowed to issue and which file systems the user is allowed or denied access.
TACACS+ authorization
Like RADIUS authorization, TACACS+ grants or denies access permissions for a router. The TACACS+ server sends a response based on the username and password.
TACACS+ separates the authentication, authorization, and accounting function. RADIUS combines the authentication and authorization functions.
Accounting
When enabled, RADIUS accounting sends command line accounting from the router to the RADIUS server. The router sends accounting records using UDP packets at port 1813 (decimal).
The router issues an accounting request packet for each event requiring the activity to be recorded by the RADIUS server. The RADIUS server acknowledges each accounting request by sending an accounting response after it has processed the accounting request. If no response is received in the time defined in the timeout parameter, the accounting request must be retransmitted until the configured retry count is exhausted. A trap is issued to alert the NMS (or trap receiver) that the server is unresponsive. The router issues the accounting request to the next configured RADIUS server (up to five).
User passwords and authentication keys of any type are never transmitted as part of the accounting request.
RADIUS accounting
Accounting tracks user activity to a specified host. When RADIUS accounting is enabled, the server is responsible for receiving accounting requests and returning a response to the client indicating that it has successfully received the request. Each command issued on the router generates a record sent to the RADIUS server. The record identifies the user who issued the command and the time-stamp.
Accounting can be configured independently from RADIUS authorization and RADIUS authentication.
TACACS+ accounting
The 7210 SAS allows you to configure the type of accounting record packet that is to be sent to the TACACS+ server when specified events occur on the device. The accounting record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent. Start/stop messages are only sent for individual commands, not for the session.
When a user logs in to request access to the network using Telnet or SSH, or a user enters a command for which accounting parameters are configured, or a system event occurs, such as a reboot or a configuration file reload, the router checks the configuration to see if TACACS+ accounting is required for the particular event.
If TACACS+ accounting is required, then, depending on the accounting record type specified, sends a start packet to the TACACS+ accounting server which contains information about the event.
The TACACS+ accounting server acknowledges the start packet and records information about the event. When the event ends, the device sends a stop packet. The stop packet is acknowledged by the TACACS+ accounting server.
Security controls
You can configure routers to use RADIUS, TACACS+, and local authentication to validate users requesting access to the network. The order in which password authentication is processed among RADIUS, TACACS+ and local passwords can be specifically configured. For example, the authentication order can be configured to process authorization through TACACS+ first, then RADIUS for authentication and accounting. Local access can be specified next in the authentication order if that the RADIUS and TACACS+ servers are not operational.
The following table lists the types of security supported by each protocol.
Method |
Authentication |
Authorization |
Accounting 1 |
---|---|---|---|
Local |
Y |
Y |
N |
TACACS+ |
Y |
Y |
Y |
RADIUS |
Y |
Y |
Y |
When a server does not respond
A trap is issued if a RADIUS server is unresponsive. An alarm is raised if RADIUS is enabled with at least one RADIUS server and no response is received to either accounting or user access requests from any server.
Periodic checks to determine if the primary server is responsive again are not performed. If a server is down, it is not contacted for 5 minutes. If a login is attempted after 5 minutes, the server is contacted again. When a server does not respond with the health check feature enabled, the server’s status is checked every 30 seconds. Health check is enabled by default. When a service response is restored from at least one server, the alarm condition is cleared. Alarms are raised and cleared on the Nokia Fault Manager or other third party fault management servers.
The servers are accessed in order from lowest to highest specified index (from 1 to 5) for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received, implying a lower indexed server is not available. If a response from the server is received, no other server is queried.
Access request flow
In Security flow, the authentication process is defined in the config>system>security> password context. The authentication order is determined by specifying the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords. This example uses the authentication order of RADIUS, then TACACS+, and finally, local. An access request is sent to RADIUS server 1. One of two scenarios can occur. If there is no response from the server, the request is passed to the next RADIUS server with the next lowest index (RADIUS server 2) and so on, until the last RADIUS server is attempted (RADIUS server 5). If server 5 does not respond, the request is passed to the TACACS+ server 1. If there is no response from that server, the request is passed to the next TACACS+ server with the next lowest index (TACACS+ server 2) and so on.
If a request is sent to an active RADIUS server and the username and password is not recognized, access is denied and passed on to the next authentication option, in this case, the TACACS+ server. The process continues until the request is either accepted, denied, or each server is queried. Finally, if the request is denied by the active TACACS+ server, the local parameters are checked for username and password verification. This is the last chance for the access request to be accepted.
Control and management traffic protection
7210 SAS platforms support an extensive set of configurable mechanisms to protect the CPU from being flooded with control or management traffic.
The protection mechanisms are a set of configurable hardware-based filters, classification, queuing, and rate-limiting functions that drop unwanted traffic before it reaches the control processor.
In-band traffic extracted from the line cards to the control processing module (CPM) on chassis-based systems, or extracted from front-panel ports on fixed form-factor devices:
line card or fixed form-factor platform features:
ACLs filters - IPv4, IPv6, and MAC
anti-spoofing, uRPF (supported only on the 7210 SAS-K 3SFP+ 8C)
CPM features:
centralized CPU protection
out-of-band and in-band traffic:
management access filters
CPM management access filters
CPM traffic is extracted from the data plane and sent to the CPM for processing. Packets from all network and access ports can be filtered using management access filters, which use CPU resources. Packets originating from a management Ethernet port can also be filtered using management access filters.
CPM protocols and ports
Nokia recommends using a strict CPM management access filter that allows traffic from trusted IP subnets for protocols and ports actively used in the router and explicitly drops other traffic.
The following table identifies the protocols and TCP/UDP ports used per application on 7210 SAS platforms. The source port and destination port reflect the CPM management access filter entry configuration for traffic that is ingressing the router and is sent to the CPM.
Out-of-band management ports are not supported on the 7210 SAS platforms as described in this guide.
TCP/UDP port number |
IP protocol |
Application description |
Protocols and ports available for in-band and out-of-band management on 7210 SAS platforms |
|||||
---|---|---|---|---|---|---|---|---|
Source |
Destination |
SAS-D |
SAS-Dxp |
SAS-K 2F2C2T |
SAS-K 2F6C4T |
SAS-K 3SFP+ 8C |
||
In-band |
In-band |
In-band |
In-band |
In-band |
||||
BFD application |
||||||||
3784 |
UDP |
BFD control 1 hop BFD |
✓ |
✓ |
||||
3785 |
UDP |
BFD echo |
✓ |
✓ |
||||
4784 |
UDP |
BFD control multi-hop |
✓ |
✓ |
||||
BGP application |
||||||||
179 |
TCP |
BGP: server terminated TCP sessions |
✓ |
✓ |
||||
179 |
TCP |
BGP: client responses for initiated TCP session |
✓ |
✓ |
||||
DHCPv4 application |
||||||||
67 |
67 |
UDP |
DHCPv4: relay agent to server; server to relay agent; relay agent to relay agent |
✓ |
✓ |
✓ |
✓ |
✓ |
68 |
67 |
UDP |
DHCPv4: client to relay agent; client to server |
✓ |
✓ |
✓ |
✓ |
✓ |
67 |
68 |
UDP |
DHCPv4: relay agent to server; relay agent to client |
✓ |
✓ |
✓ |
✓ |
✓ |
DHCPv6 application |
||||||||
546 |
547 |
UDP |
DHCPv6: client to server; client to relay agent |
✓ |
✓ |
|||
547 |
546 |
UDP |
DHCPv6: server to relay agent; relay agent to server; relay agent to relay agent |
✓ |
✓ |
|||
DNS application |
||||||||
53 |
UDP |
DNS Client |
✓ |
✓ |
✓ |
✓ |
✓ |
|
FTP application |
||||||||
20 |
TCP |
FTP server data and active FTP client |
✓ |
✓ |
✓ |
✓ |
✓ |
|
21 |
TCP |
FTP server control |
✓ |
✓ |
✓ |
✓ |
✓ |
|
20 |
TCP |
FTP client data |
✓ |
✓ |
✓ |
v |
✓ |
|
21 |
TCP |
FTP client control |
✓ |
✓ |
✓ |
✓ |
✓ |
|
GRE application |
||||||||
N/A |
N/A |
GRE |
GRE |
✓ |
✓ |
|||
ICMP application |
||||||||
N/A |
N/A |
ICMP |
ICMP |
✓ |
✓ |
✓ |
✓ |
✓ |
IGMP application |
||||||||
N/A |
N/A |
IGMP |
IGMP |
✓ |
✓ |
✓ |
✓ |
✓ |
LDP application |
||||||||
646 |
UDP |
LDP hello adjacency |
✓ |
✓ |
||||
646 |
TCP |
LDP/T-LDP: terminated TCP sessions |
✓ |
✓ |
||||
646 |
TCP |
LDP/T-LDP: responses for initiated TCP sessions |
✓ |
✓ |
||||
MC-APS application |
||||||||
1025 |
UDP |
Multi-chassis LAG |
✓ |
✓ |
||||
MCS application |
||||||||
45067 |
TCP |
Multi-chassis synchronization: terminated TCP session |
✓ |
✓ |
||||
45067 |
TCP |
Multi-chassis synchronization: responses for initiated TCP session |
✓ |
✓ |
||||
NETCONF application |
||||||||
830 |
TCP |
NETCONF |
✓ |
✓ |
||||
NTP application |
||||||||
123 |
UDP |
NTP server |
✓ |
✓ |
✓ |
✓ |
✓ |
|
123 |
UDP |
NTP client |
✓ |
✓ |
✓ |
✓ |
✓ |
|
OAM application |
||||||||
3503 |
UDP |
LSP ping |
✓ |
✓ |
||||
33408 to 33535 |
UDP |
OAM traceroute |
✓ |
✓ |
||||
OSPF application |
||||||||
N/A |
N/A |
OSPF |
OSPF |
✓ |
✓ |
|||
PCEP application |
||||||||
4189 |
TCP |
Path Computation Element Protocol (PCEP) |
✓ |
✓ |
||||
PIM application |
||||||||
3232 |
UDP |
PIM MDT |
✓ |
✓ |
||||
N/A |
N/A |
PIM |
PIM |
✓ |
✓ |
|||
PTP application |
||||||||
319 |
UDP |
1588 PTP event |
✓ |
✓ |
✓ |
✓ |
✓ |
|
320 |
UDP |
1588 PTP general |
✓ |
✓ |
✓ |
✓ |
✓ |
|
RADIUS application |
||||||||
1812 |
UDP |
Radius authentication |
✓ |
✓ |
✓ |
✓ |
✓ |
|
1813 |
UDP |
Radius accounting |
✓ |
✓ |
✓ |
✓ |
✓ |
|
RSVP application |
||||||||
N/A |
N/A |
RSVP |
RSVP |
✓ |
✓ |
|||
SNMP application |
||||||||
161 |
UDP |
SNMP server; SET and GET commands |
✓ |
✓ |
✓ |
✓ |
✓ |
|
SSH application |
||||||||
22 |
TCP |
SSH server and terminated TCP session |
✓ |
✓ |
✓ |
✓ |
✓ |
|
22 |
TCP |
SSH client and responses for initiated TCP sessions |
✓ |
✓ |
✓ |
✓ |
✓ |
|
TACACS application |
||||||||
49 |
TCP |
TACACS client and responses for initiated TCP sessions |
✓ |
✓ |
✓ |
✓ |
✓ |
|
TELNET application |
||||||||
23 |
TCP |
TELNET server |
✓ |
✓ |
✓ |
✓ |
✓ |
|
TWAMP application |
||||||||
862 |
TCP |
TWAMP control: terminated TCP session |
✓ |
✓ |
✓ |
✓ |
✓ |
|
Any |
UDP |
TWAMP test |
✓ |
✓ |
✓ |
✓ |
✓ |
|
1 to 65535 |
UDP |
TWAMP light (per router instance) |
✓ |
✓ |
✓ |
✓ |
||
VRRP application |
||||||||
N/A |
N/A |
VRRP |
VRRP |
✓ |
✓ |
Management Access Filter
IPv6 Management Access Filters (MAFs) are not supported on the 7210 SAS-K 2F1C2T.
MAFs are software-based filters used to restrict traffic extracted from the data plane and restrict traffic from the management port to the CPU.
MAF packet match
Two different management-access-filter policies can be configured: ip-filter and ipv6-filter.
The following are the MAF packet match rules:
Each MAF policy is an ordered list of entries; therefore, entries must be sequenced correctly from the most to the least explicit.
If multiple match criteria are specified in a single MAF policy entry, all criteria must be met for the packet to be considered a match against that policy entry (logical AND).
Any match criteria not explicitly defined is ignored during a match.
A MAF filter policy entry defined without a match criteria is inactive.
A MAF filter policy entry with match criteria defined but no action configured inherits the default action defined at the management-access-filter level.
The management-access-filter default-action applies individually per IPv4 or IPv6 filter policies that are in a no shutdown state.
MAF IPv4/IPv6 filter entry match criteria
The following table lists the supported IPv4 and IPv6 match criteria.
Criteria |
Description |
---|---|
dst-port |
Matches the specified port value against the destination port number of the UDP or TCP packet header. |
flow-label |
Matches the IPv6 flow label. |
fragment |
Matches fragmented or non-fragmented IP packets. |
next-header |
Matches the specified upper-layer protocol (such as TCP, UDP, or IGMPv6) against the next-header field of the IPv6 packet header. "*" can be used to specify a TCP or UDP upper-layer protocol match (logical OR). Next-header matching also allows matching on presence of a subset of IPv6 extension headers. See Management Access Filter commands for details about which extension header match is supported. |
l4-source-port |
Matches the specified port value against the L4 source port number of the UDP or TCP packet header. |
protocol |
Matches the specified protocol against the Protocol field in the IPv4 packet header (for example, TCP, UDP, or IGMP) of the outer IPv4. "*" can be used to specify TCP or UDP upper-layer protocol match (logical OR). |
router |
Matches the router instance that packets are ingressing from for this filter entry. |
src-ip |
Matches the specified source IPv4 or IPv6 address prefix and mask against the source IPv4 or IPv6 address field in the IP packet header. |
src-port |
Matches the packets that are ingressing from this port. |
MAF policy action
MAFs allow actions to permit or deny (or use the deny-host-unreachable response for IP filters) traffic.
MAF policy statistics and logging
The management access filter match count can be displayed using show commands. Logging is recorded in the system security logs.
Centralized CPU protection
The 7210 SAS provides rate limiting mechanisms to protect the CPM/CFM processing resources of the router. Centralized CPU protection is a centralized rate-limiting function that operates on the CPM to limit traffic destined for the CPUs. The CPU protection mechanism is not user-configurable. It is supported on all 7210 SAS platforms. For historical reasons, the term ‟centralized CPU protection” is called ‟CPU protection” in this user guide.
When it is configured on a node, the CPU protection mechanism protects the CPU from a DoS attack by limiting the amount of ingress port traffic destined for the CPM to be processed by its CPU. On the 7210 SAS, a set of dedicated policers are used to limit the amount of traffic to the software-defined rate (the rate is not user-configurable) before the packets are queued to the CPU queues. A strict policy scheduler schedules packets from the CPU queues. A CPU queue traffic shaper, configured to a pre-defined rate by software, is used to limit the amount of traffic for a protocol or group of protocols using the CPU queue. In most cases, access interfaces and network uplinks do not share the policers and CPU queues used to manage the amount of traffic sent to the CPM. Access interfaces (typically used to deliver customer services) use a dedicated set of policers and CPU queues; a separate set is used for network facing ports (that is, network ports, hybrid ports, and access-uplink ports).
ETH-CFM ingress squelching
The 7210 SAS implements a mechanism to protect the CPU on extraction when a management port (MP) is configured. It is also important to protect the ETH-CFM architecture deployed in the service provider network. This protection mechanism varies from CPU protection. This model prevents the ETH-CFM frames at the service provider MD-levels from gaining access to the network even when extraction is not in place. ETH-CFM squelching drops all ETH-CFM packets at or below the configured MD-level. The ETH-CFM squelch feature is supported at ingress only.
ETH-CFM hierarchical model shows a typical ETH-CFM hierarchical model with a subscriber ME (6), test ME (5), EVC ME (4), and an operator ME (2). This model provides the necessary transparency at each level of the architecture. For security reasons, it may be necessary to prevent errant levels from entering the service provider network at the UNI or other untrusted interconnection points. Configuring squelching at level four on both UNI-N interconnection ensures that ETH-CFM packets matching the SAP delimited configuration silently discards ETH-CFM packets at ingress.
Squelching configuration uses a single MD-level (0 to 7) to silently drop all ETH-CFM packets matching the SAP delimited configuration at the specified MD-level. For example, if a squelch level is configured at MD-level 4, the configuration silently discards MD-levels 4, assuming there is a SAP match.
The operator can configure down MEPs and ingress MIPs that conflict with the squelched levels. This means that any existing MEP or MIP that is processing ingress CFM packets on a SAP is interrupted as soon as squelching is enabled. These MPs are unable to receive any ingress ETH-CFM frames because squelching is processed before ETH-CFM extraction.
CPU protection for ETH-CFM is still required in ETH-CFM hierarchical model because the subscriber ME (6) and the test ME (5) enter the network across an untrusted connection, the UNI. Squelching is processed first, followed by the CPU protection for ETH-CFM.
CPU protection is used to control access to the CPU resources when processing is required. Squelching is required when the operator is protecting the ETH-CFM architecture from external sources. The difference between the two protection mechanisms is described in the following table.
Description | CPU protection for ETH-CFM | ETH-CFM squelching |
---|---|---|
Ingress filtering |
Yes |
Yes |
Egress filtering |
Yes |
— |
Granularity |
All MPs configured on this node |
Level |
Rate |
System-defined rate (not user configurable) |
Silent drop |
Primary VLAN support |
Rate shared with all MPs |
Exposed to squelch |
Extraction |
Requires MEP or MIP to extract |
No MEP or MIP required |
show service service-id all
show service sap-using eth-cfm squelch-ingress-levels
show service sap-using squelch-ingress-levels
=========================================================================
ETH-CFM Squelching
=========================================================================
PortId SvcId Squelch Level
-------------------------------------------------------------------------
6/1/1:100.* 1 0 1 2 3 4 5 6 7
lag-1:100.* 1 0 1 2 3 4
6/1/1:200.* 2 0 1 2
lag-1:200.* 2 0 1 2 3 4 5
-------------------------------------------------------------------------
Number of SAPs: 4
-------------------------------------------------------------------------
Vendor-specific attributes (VSAS)
The 7210 SAS supports the configuration of Nokia-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAS) and are discussed in RFC 2138. VSAS must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the format of their VSA. The attribute-specific field is dependent on the vendor's definition of that attribute. The Nokia-defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527, the vendor ID number.
The PE-record entry is required to support the RADIUS Discovery for Layer 2 VPN feature. A PE-record is only relevant if the RADIUS Discovery feature is used, not for the standard RADIUS setup.
The following RADIUS vendor-specific attributes (VSAS) are supported by Nokia:
timetra-access ftp console both
This is a mandatory command that must be configured. This command specifies if the user has FTP and /or console (serial port, Telnet, and SSH) access.
timetra-profile profile-name
When configuring this VSA for a user, it is assumed that the user profiles are configured on the local router and the following applies for local and remote authentication:
The authentication-order parameters configured on the router must include the local keyword.
The username may or may not be configured on the router.
The user must be authenticated by the RADIUS server
Up to eight valid profiles can exist on the router for a user. The sequence in which the profiles are specified is relevant. The most explicit matching criteria must be ordered first. The process stops when the first complete match is found.
If all the above mentioned conditions are not met, then access to the router is denied and a failed login event/trap is written to the security log.
timetra-default-action permit-all | deny-all | none
This is a mandatory command that must be configured even if the timetra-cmd VSA is not used. This command specifies the default action when the user has entered a command and no entry configured in the timetra-cmd VSA for the user resulted in a match condition.
timetra-cmd match-string
Configures a command or command subtree as the scope for the match condition.
The command and all subordinate commands in subordinate command levels are specified.
Configure from most specific to least specific. The 7210 SAS implementation exits on the first match, subordinate levels cannot be modified with subsequent action commands. Subordinate level VSAS must be entered before this entry is effective.
All commands at and below the hierarchy level of the matched command are subject to the timetra-action VSA.
Multiple match-strings can be entered in a single timetra-cmd VSA. Match strings must be semicolon (;) separated (maximum string length is 254 characters).
One or more timetra-cmd VSAS can be entered followed by a single timetra-action VSA:
timetra-action deny | permit
Causes the permit or deny action to be applied to all match strings specified since the last timetra-action VSA.
timetra-home-directory home-directory string
Specifies the home directory that applies for the FTP and CLI user. If this VSA is not configured, the home directory is Compact Flash slot 1 (cf1:).
timetra-restrict-to-home-directory true | false
Specifies if user access is limited to their home directory (and directories and files subordinate to their home directory). If this VSA is not configured the user is allowed to access the entire file system.
timetra-login-exec login-exec-string
Specifies the login exec file that is executed when the user login is successful. If this VSA is not configured no login exec file is applied.
If no VSAS are configured for a user, the following applies:
The password authentication-order command on the router must include local.
The username must be configured on the router.
The user must be successfully be authenticated by the RADIUS server
A valid profile must exist on the router for this user.
If all conditions listed above are not met, then access to the router is denied and a failed login event/trap is written to the security log.
The complete list of TiMetra VSAS is available on a file included on the compact flash shipped with the image.
User (VSA) configuration example
The following example displays a user-specific VSA configuration. This configuration shows attributes for users named ruser1 and ruser2.
The following example shows that user ruser1 is granted console access. ruser1’s home directory is in compact flash slot 3 and is limited to the home directory. The default action allows all packets when matching conditions are not met. The timetra-cmd parameters allow or deny the user to use the tools>telnet>configure system security commands. Matching strings specified in the timetra-action command are denied for this user because the timetra-action is deny.
The user ruser2 is granted FTP access.The default action denies all packets when matching conditions are not met. The timetra-cmd parameters allow the user to use the configure, show, and debug commands. Matching strings specified in the timetra-action command are permitted for this user.
users.timetra
ruser1 Auth-Type := System, Password == "ruser1"
Service-Type = Login-User,
Idle-Timeout = 600,
Timetra-Access = console,
Timetra-Home-Directory = cf1:
Timetra-Restrict-To-Home = true
Timetra-Default-Action = permit-all,
Timetra-Cmd = "tools;telnet;configure system security",
Timetra-Action = deny
ruser2 Auth-Type := System, Password == "ruser2"
Service-Type = Login-User,
Idle-Timeout = 600,
Timetra-Access = ftp
Timetra-Default-Action = deny-all,
Timetra-Cmd = "configure",
Timetra-Cmd = "show",
Timetra-Action = permit,
Timetra-Cmd = "debug",
Timetra-Action = permit,
Other security features
This sections describes security features supported on the 7210 SAS.
Security algorithms
This section applies only to the 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.
The following table lists the security algorithms supported per protocol.
Protocol |
Clear text |
MD5 |
HMAC- MD5 |
HMAC- SHA1-96 |
HMAC- SHA1 |
HMAC- SHA256 |
AES-128- CMAC-96 |
---|---|---|---|---|---|---|---|
OSPF |
✓ |
✓ |
✓ |
✓ |
✓ |
||
IS-IS |
✓ |
✓ |
✓ |
✓ |
|||
RSVP |
✓ |
✓ |
✓ |
||||
BGP |
✓ |
✓ |
|||||
LDP |
✓ |
✓ |
✓ |
Secure Shell (SSH)
Secure Shell Version 1 (SSH) is a protocol that provides a secure, encrypted Telnet-like connection to a router. A connection is always initiated by the client (the user). Authentication takes places by one of the configured authentication methods (local, RADIUS, or TACACS+). With authentication and encryption, SSH allows for a secure connection over an insecure network.
The 7210 SAS supports Secure Shell (SSH) Version 2 (SSH2). SSH1 and SSH2 are different protocols and encrypt at different parts of the packets. SSH1 uses a server as well as host keys to authenticate systems whereas SSH2 only uses host keys. SSH2 does not use the same networking implementation that SSH1 does and is considered a more secure, efficient, and portable version of SSH.
SSH for IPv4 is supported on all platforms as described in this document.
SSH for IPv6 is supported on all platforms as described in this document, except the 7210 SAS-K 2F1C2T.
SSH runs on top of a transport layer (like TCP or IP), and provides authentication and encryption capabilities. SSH supports remote login to another computer over a network, remote command execution, and file relocation from one host to another.
The 7210 SAS has a global SSH server process to support inbound SSH and SCP sessions initiated by external SSH or SCP client applications. The SSH server supports SSHv1. Note that this server process is separate from the SSH and SCP client commands on the routers which initiate outbound SSH and SCP sessions.
Inbound SSH sessions are counted as inbound Telnet sessions for the purposes of the maximum number of inbound sessions specified by Login Control. Inbound SCP sessions are counted as inbound FTP sessions by Login Control.
When the SSH server is enabled, an SSH security key is generated. Unless the perserve-key command option is configured for SSH, the security key is only valid until the node is restarted or the SSH server is stopped and restarted. The key size is non-configurable and set to 2048 for SSHv2 RSA, and to 1024 for SSHv2 DSA and SSHv1 RSA. When the server is enabled, both inbound SSH and SCP sessions are accepted, as long as the session is properly authenticated.
When the global SSH server process is disabled, no inbound SSH or SCP sessions are accepted.
When using SCP to copy files from an external device to the file system, the SCP server accepts either forward slash (‟/”) or backslash (‟\”) characters to delimit directory and filenames. Similarly, the SCP client application can use either slash or backslash characters, but not all SCP clients treat backslash characters as equivalent to slash characters. In particular, UNIX systems often interpret the backslash character as an ‟escape” character which does not get transmitted to the SCP server. For example, a destination directory specified as ‟cf1:\dir1\file1” will be transmitted to the SCP server as ‟cf1:dir1file1” where the backslash escape characters are stripped by the SCP client system before transmission. On systems where the client treats the backslash like an ‟escape” character, a double backslash ‟\\” or the forward slash ‟/” can typically be used to properly delimit directories and the filename.
SSH PKI authentication
This feature is supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D.
The SSH server supports a public key authentication provided that the server has been previously configured to know the client's public key.
Using public key authentication, also known as Public Key Infrastructure (PKI), can be more secure than the existing username and password method because of the following:
A user typically reuses the same password with multiple servers. If the password is compromised, the user must reconfigure the password on all affected servers.
A password is not transmitted between the client and server using PKI. Instead the sensitive information (the private key) is kept on the client. Consequently, the password is less likely to be compromised.
The 7210 SAS supports server-side SSHv2 public key authentication, but does not include a key-generation utility.
PKI should be configured in the system-level configuration where one or more public keys may be bound to a username. This configuration does not affect any other system security or login functions.
PKI has preference over password or keyboard authentication. PKI is supported using only local authentication. PKI authentication is not supported on TACACS+ or RADIUS.
User public key generation
Before SSH can be used with PKI, the client must generate a public/private key pair. This is typically supported by the SSH client software. For example, PuTTY supports a utility called PuTTYGen that generates key pairs.
The 7210 SAS currently supports only Rivest, Shamir, and Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) user public keys.
If the SSH client software uses PuTTY, it must first generate a key pair using PuTTYGen. The client sets the key type to SSH-2 RSA and configures the number of bits to be used for the key. The client can also configure a passphrase to store the key locally in encrypted form. If the passphrase is configured, it acts as a password that the client must enter to use the private key. If a passphrase is not configured, the private key is stored in plain text locally.
Next, use the config>system>security>user>public-keys command to configure the public key for the client (the public key is obtained as part of the key pair). On the 7210 SAS, the user can program the public key using CLI commands (accessed through Telnet/SSH) or SNMP.
The preceding process to generate a key pair is an example only. This process is not executed on a 7210 SAS node, but on a third-party node acting as the SSH client or any other node.
MAC client and server list
The 7210 SAS supports a configurable client and server MAC list for SSHv2, which allows the user to add or remove Message Authentication Code (MAC) algorithms from the list. The user can program the strong Hashed Message Authentication Code (HMAC) algorithms on top of the configurable MAC list (for example, lowest index in the list) to be negotiated first between the client and server. The first algorithm in the list that is supported by both the client and the server is the one that is agreed upon.
There are two configurable MAC lists:
client list
server list
The default client and server MAC list includes all supported algorithms in the following preference order:
mac 200 name hmac-sha2-512
mac 210 name hmac-sha2-256
mac 215 name hmac-sha1
mac 220 name hmac-sha1-96
mac 225 name hmac-md5
mac 230 name hmac-ripemd160
mac 235 name hmac-ripemd160-openssh-com
mac 240 name hmac-md5-96
The configurable MAC list is only supported for SSHv2 and not for SSHv1. SSHv1 only supports 32-bit CRC.
Cipher client and server list
The 7210 SAS supports cipher client and server lists. The user can add or remove the required SSH cipher client and server algorithms to be negotiated. The list is an index list with the lower index having higher preference in the SSH negotiation. The lowest index algorithm in the list is negotiated first in SSH connections and is on top of the negotiation list to the peer.
There is a separate cipher list for SSHv1 and SSHv2 for both client and server.
The default client cipher list for SSHv1 includes all supported algorithms in the following preference order:
cipher 200 name 3des
cipher 205 name blowfish
cipher 210 name des
The default server cipher list for SSHv1 includes algorithms in the following preference order:
cipher 200 name 3des
cipher 205 name blowfish
The default server and client lists for SSHv2 include all supported algorithms in the following preference order:
cipher 190 name aes256-ctr
cipher 192 name aes192-ctr
cipher 194 name aes128-ctr
cipher 200 name aes128-cbc
cipher 205 name 3des-cbc
cipher 210 name blowfish-cbc
cipher 215 name cast128-cbc
cipher 220 name arcfour
cipher 225 name aes192-cbc
cipher 230 name aes256-cbc
cipher 235 name rijndael-cbc
Use the following CLI to configure the client and server cipher list.
configure system security ssh client-cipher-list
client-cipher-list protocol-version <version>
<version> : [1..2]
configure system security ssh client-cipher-list cipher
cipher <index> name <cipher-name>
no cipher <index>
<index> : [1..255]
<cipher-name> : aes128-ctr|aes192-ctr|aes256-ctr|des|3des|blowfish|
3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes128-cbc|
aes192-cbc|aes256-cbc|rijndael-cbc
configure system security ssh server-cipher-list
server-cipher-list protocol-version <version>
<version> : [1..2]
configure system security ssh server-cipher-list cipher
no cipher <index>
cipher <index> name <cipher-name>
<index> : [1..255]
<cipher-name> : aes128-ctr|aes192-ctr|aes256-ctr|des|3des|blowfish|
3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes128-cbc|
aes192-cbc|aes256-cbc|rijndael-cbc
KEX client and server list
This feature is supported on all 7210 SAS as described in this document, except the 7210 SAS-D.
The 7210 SAS supports key exchange (KEX) client and server lists. The user can add or remove the KEX client or server algorithms that the SSH application negotiates using an SSHv2 phase one handshake. The KEX list is an index list with the lower index having higher preference in the SSH negotiation. The lowest indexed algorithm in the list is negotiated first in SSH and is at the top of the negotiation list to the peer.
By default, the KEX list is empty and a hard-coded list that includes all supported algorithms in the following preference order is used:
kex 200 name diffie-hellman-group16-sha512
kex 210 name diffie-hellman-group14-sha256
kex 215 name diffie-hellman-group14-sha1
kex 220 name diffie-hellman-group-exchange-sha1
kex 225 name diffie-hellman-group1-sha1
As soon as the user configures the KEX list, the 7210 SAS starts using the algorithms from the user-defined KEX list instead of the hard-coded list. To revert to the hard-coded list, the user must remove all configured KEX indexes until the list is empty.
Use the following CLI to configure the cipher or MAC server and client lists.
configure system security ssh server-kex-list kex
kex <index> name <kex-name>
no kex <index>
configure system security ssh client-kex-list kex
kex <index> name <kex-name>
no kex <index>
<index> : [1..255]
<kex-name> : diffie-hellman-group14-sha1| diffie-hellman-group14-sha256|
diffie-hellman-group16-sha512|diffie-hellman-group-exchange-
sha1| diffie-hellman-group1-sha1
Exponential login back-off
A malicious user may attempt to gain CLI access by means of a dictionary attack, in which a script is used to attempt automatic logins as an ‟admin” user and a dictionary list is used to test all possible passwords. By using the exponential-backoff feature in the config>system>login-control context, the 7210 SAS increases the delay between login attempts exponentially to mitigate attacks.
When a user attempts to log into a router using a Telnet or an SSH session, the system allows a limited number of attempts to enter the correct password. The interval between the unsuccessful attempts change after each try (1, 2, and 4 seconds). If user lockout is configured on the system, the user is locked out when the number of unsuccessful attempts is exceeded.
However, if lockout is not configured, three password entry attempts are allowed in the first session after the first failure, at fixed 1, 2 and 4 second intervals, and then the session terminates. Users do not have an unlimited number of login attempts per session. After each failed password attempt, the wait period becomes longer until the maximum number of attempts is reached.
The 7210 SAS terminates after four unsuccessful attempts. A wait period is never longer than 4 seconds. The periods are fixed and restart in subsequent sessions.
The config system login-control [no] exponential-backoff command works in conjunction with the config system security password attempts command, which is also a system-wide configuration.
*A:ALA-48>config>system# security password attempts
- attempts <count> [time <minutes1>] [lockout <minutes2>]
- no attempts
<count> : [1..64]
<minutes1> : [0..60]
<minutes2> : [0..1440]
Exponential backoff applies to any user and by any login method, such as console, SSH, and Telnet.
See Configuring login controls for more information. The related commands are described in Login, Telnet, SSH and FTP commands.
User lockout
When a user exceeds the maximum number of attempts allowed (the default is three attempts) during a specific period of time (the default is 5 minutes) the account used during those attempts is locked out for a preconfigured lock-out period (the default is 10 minutes).
A security event log is generated as soon as a user account has exceeded the number of allowed attempts and the show>system>security>user command can be used to display the total number of failed attempts per user.
The account is automatically re-enabled as soon as the lock-out period has expired.
Encryption
Data Encryption Standard (DES) and Triple DES (3DES) are supported for encryption:
DES is a widely-used method of data encryption using a private (secret) key. Both the sender and the receiver must know and use the same private key.
3DES is a more secure version of the DES protocol.
802.1x network access control
The 7210 SAS supports network access control of client devices (PCs, STBs, and so on.) on an Ethernet network using the IEEE. 802.1x standard. 802.1x is known as Extensible Authentication Protocol (EAP) over a LAN network or EAPOL.
TCP Enhanced Authentication Option
The TCP Enhanced Authentication Option, currently covered in draft-bonica-tcp-auth-05.txt, "Authentication for TCP-based Routing and Management Protocols", extends the previous MD5 authentication option to include the ability to change keys without tearing down the session, and allows for stronger authentication algorithms to be used.
The TCP Enhanced Authentication Option is a TCP extension that enhances security for BGP, LDP and other TCP-based protocols. This includes the ability to change keys in a BGP or LDP session seamlessly without tearing down the session. It is intended for applications where secure administrative access to both the end-points of the TCP connection is normally available.
TCP peers can use this extension to authenticate messages passed between one another. This strategy improves upon current practice, which is described in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option. Using this new strategy, TCP peers can update authentication keys during the lifetime of a TCP connection. TCP peers can also use stronger authentication algorithms to authenticate routing messages.
Packet formats
The following figure shows the TCP Enhanced Authentication Option packet format.
Option Syntax
Kind: 8 bits
The Kind field identifies the TCP Enhanced Authentication Option. This value is assigned by IANA.
Length: 8 bits
The Length field specifies the length of the TCP Enhanced Authentication Option, in octets. This count includes two octets representing the Kind and Length fields.
The valid range for this field is from 4 to 40 octets, inclusive.
For all algorithms specified in this memo, the value is 16 octets.
T-Bit: 1 bit
The T-bit specifies whether TCP Options were omitted from the TCP header for the purpose of MAC calculation. A value of 1 indicates that all TCP options other than the Extended Authentication Option were omitted. A value of 0 indicates that TCP options were included.
The default value is 0.
K-Bit: 1 bit
This bit is reserved for future enhancement. Its value MUST be equal to zero.
Alg ID: 6 bits
The Alg ID field identifies the MAC algorithm.
Res: 2 bits
These bits are reserved. They MUST be set to zero.
Key ID: 6 bits
The Key ID field identifies the key that was used to generate the message digest.
Authentication Data: Variable length
The Authentication Data field contains data that is used to authenticate the TCP segment. This data includes, but need not be restricted to, a MAC. The length and format of the Authentication Data Field can be derived from the Alg ID.
The Authentication for TCP-based Routing and Management Protocols draft provides and overview of the TCP Enhanced Authentication Option. The details of this feature are described in draft-bonica-tcp-auth-04.txt.
Keychain
A keychain is a set of up to 64 keys, where each key is {A[i], K[i], V[i], S[i], T[i], S'[i], T'[i]} as described in draft-bonica-tcp-auth-05.txt, "Authentication for TCP-based Routing and Management Protocols". The keys can be assigned to both sides of an LDP peer.The individual keys in a keychain have a begin-time and end-time indicating when to use this key.
These fields map to the CLI tree as described in the following figure.
Field |
Definition |
CLI |
---|---|---|
i |
The key identifier expressed as an integer (0...63) |
config>system>security>keychain>direction>bi>entry config>system>security>keychain>direction>uni>receive>entry config>system>security>keychain>direction>uni>send>entry |
A[i] |
Authentication algorithm to use with key[i] |
config>system>security>keychain>direction>bi>entry with algorithm algorithm parameter. config>system>security>keychain>direction>uni>receive>entry with algorithm algorithm parameter. config>system>security>keychain>direction>uni>send>entry with algorithm algorithm parameter. |
K[i] |
Shared secret to use with key[i]. |
config>system>security>keychain>direction>uni>receive>entry with shared secret parameter config>system>security>keychain>direction>uni>send>entry with shared secret parameter config>system>security>keychain>direction>bi>entry with shared secret parameter |
V[i] |
A vector that determines whether the key[i] is to be used to generate MACs for inbound segments, outbound segments, or both. |
config>system>security>keychain>direction |
S[i] |
Start time from which key[i] can be used by sending TCPs. |
config>system>security>keychain>direction>bi>entry>begin-time config>system>security>keychain>direction>uni>send>entry >begin-time |
T[i] |
End time after which key[i] cannot be used by sending TCPs. |
Inferred by the begin-time of the next key (youngest key rule). |
S'[i] |
Start time from which key[i] can be used by receiving TCPs. |
config>system>security>keychain>direction>bi>entry>begin-time config>system>security>keychain>direction>bi>entry>tolerance config>system>security>keychain>direction>uni>receive>entry >begin-time config>system>security>keychain>direction>uni>receive>entry >tolerance |
T'[i] |
End time after which key[i] cannot be used by receiving TCPs |
config>system>security>keychain>direction>uni>receive>entry >end-time |
Configuration notes
This section describes security configuration restrictions.
General
If a RADIUS or a TACACS+ server is not configured, password, profiles, and user access information must be configured on each router in the domain.
If a RADIUS authorization is enabled, VSAS must be configured on the RADIUS server.
Configuring security with CLI
This section provides information to configure security using the command line interface.
Setting up security attributes
This section provides a brief overview of the tasks that must be performed to configure security and provides the CLI commands. The following table describes the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server.
Authentication |
Authorization |
Accounting |
---|---|---|
Local |
Local |
None |
RADIUS |
Local and RADIUS |
RADIUS |
TACACS+ |
Local |
TACACS+ |
Configuring authentication
See the following sections to configure authentication:
Local authentication
RADIUS authentication (only)
By default, authentication is enabled locally. Perform the following tasks to configure security on each participating router:
RADIUS authentication
To implement only RADIUS authentication, with authorization, perform the following tasks on each participating router:
TACACS+ authentication
To implement only TACACS+ authentication, perform the following tasks on each participating router:
Configuring authorization
See the following sections to configure authorization:
Local authorization
For local authorization, configure these tasks on each participating router:
RADIUS authorization (only)
For RADIUS authorization (without authentication), configure these tasks on each participating router:
For RADIUS authorization, VSAS must be configured on the RADIUS server. See Vendor-specific attributes (VSAS).
RADIUS authorization
For RADIUS authorization (with authentication), configure these tasks on each participating router:
For RADIUS authorization, VSAS must be configured on the RADIUS server. See Vendor-specific attributes (VSAS).
TACACS+ authorization (only)
For TACACS+ authorization (without authentication), configure these tasks on each participating router:
TACACS+ authorization
For TACACS+ authorization (with authentication), configure these tasks on each participating router:
Configuring accounting
See the following sections to configure accounting.
Local accounting is not implemented. For information about configuring accounting policies, see Configuring logging with CLI
Security configurations
This section provides information to configure security and configuration examples of configuration tasks.
To implement security features, configure the following components:
management access filters
profiles
user access parameters
password management parameters
enable RADIUS and/or TACACS+
one to five RADIUS and/or TACACS+ servers
RADIUS and/or TACACS+ parameters
Default values for security parameters
A:ALA-1>config>system>security# info detail
----------------------------------------------
no hash-control
telnet-server
no telnet6-server
no ftp-server
management-access-filter
exit
profile "default"
default-action none
no li
entry 10
no description
match ‟exec”
action permit
...
password
authentication-order radius tacplus local
no aging
minimum-length 6
attempts 3 time 5 lockout 10
complexity
exit
user "admin"
password "./3kQWERTYn0Q6w" hash
access console
no home-directory
no restricted-to-home
console
no login-exec
no cannot-change-password
no new-password-at-login
member "administrative"
exit
exit
snmp
view iso subtree 1
mask ff type included
exit
...
access group snmp-ro security-model snmpv1 security-level no-auth-no\
privacy read no-security notify no-security
access group snmp-ro security-model snmpv2c security-level no-auth-no
privacy read no-security notify no-security
access group snmp-rw security-model snmpv1 security-level no-auth-no
privacy read no-security write no-security notify no-security
access group snmp-rw security-model snmpv2c security-level no-auth-no
privacy read no-security write no-security notify no-security
access group snmp-rwa security-model snmpv1 security-level no-auth-no
privacy read iso write iso notify iso
access group snmp-rwa security-model snmpv2c security-level no auth-no
privacy read iso write iso notify iso
access group snmp-trap security-model snmpv1 security-level no-auth-no
privacy notify iso
access group snmp-trap security-model snmpv2c security-level no-auth-no
privacy notify iso
access group cli-readonly security-model snmpv2c security-level
no-auth-no-privacy read iso notify iso
access group cli-readwrite security-model snmpv2c security-level
no-auth-no-privacy read iso write iso notify iso
attempts 20 time 5 lockout 10
exit
no ssh
Security configuration procedures
Configuring Management Access Filters
Creating and implementing management access filters is optional. Management access filters control all traffic going in to the CPM, including all routing protocols. They apply to packets from all ports. The filters can be used to restrict management of the 7210 SAS router by other nodes outside either specific (sub)networks or through designated ports. By default, there are no filters associated with security options. The management access filter and entries must be explicitly created on each router. These filters also apply to the management Ethernet port.
The 7210 SAS implementation exits the filter when the first match is found and execute the actions according to the specified action. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the one keyword to be considered complete. Entries without the action keyword are considered incomplete and are rendered inactive.
Use the following syntax to configure a management access filter. This example only accepts packets matching the criteria specified in entries 1 and 2. Non-matching packets are denied.
config>system
security
management-access-filter
default-action {permit|deny|deny-host-unreachable}
renum old-entry-number new-entry-number
no shutdown
entry entry-id
description description-string
src-port {port-id cpm|laglag-id}
src-ip {ip-prefix/mask | ip-prefix netmask}
protocol protocol-id
dst-port port [mask]
action {permit|deny|deny-host-unreachable}
log
Configuring password management parameters
Password management parameters consists of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts a user can enter a password.
Depending on the your authentication requirements, password parameters are configured locally.
Use the following syntax to configure password support.
config>system>security
password
admin-password password [hash|hash2]
aging days
attempts count [time minutes1] [lockout minutes2]
authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
complexity-rules
allow-user-name
credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
minimum-classes minimum
minimum-length length
repeated-characters count
required [lowercase count] [uppercase count] [numeric count] [special-character count]
hashing {bcrypt|sha2-pbkdf2}
health-check [interval interval]
history-size size
minimum-age [days days] [hrs hours] [min minutes] [sec seconds]
minimum-change distance
Password configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
password
authentication-order radius tacplus local
aging 365
minimum-length 8
attempts 5 time 5 lockout 20
exit
----------------------------------------------
A:ALA-1>config>system>security#
Configuring profiles
Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of sixteen user profiles can be defined. A user can participate in up to sixteen profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.
Use the following syntax to configure user profiles.
config>system>security
profile user-profile-name
default-action {deny-all|permit-all|none}
renum old-entry-number new-entry-number
entry entry-id
description description-string
match command-string
action {permit|deny}
User profile output
A:ALA-1>config>system>security# info
----------------------------------------------
...
profile "ghost"
default-action permit-all
entry 1
match "configure"
action permit
exit
entry 2
match "show"
exit
entry 3
match "exit"
exit
exit
...
----------------------------------------------
A:ALA-1>config>system>security#
Configuring users
Configure access parameters for individual users. For user, define the login name for the user and, optionally, information that identifies the user. Use the following syntax to configure RADIUS support.
config>system>security
user-template template-name
user user-name
access [ftp] [snmp] [console]
console
cannot-change-password
login-exec url-prefix:source-url
member user-profile-name [user-profile-name...(up to 8 max)]
new-password-at-login
home-directory url-prefix [directory][directory/directory ..]
password [password] [hash|hash2]
restricted-to-home
snmp
authentication {[none]|[[hash] {md5 key-1|sha key-1} privacy {none|des-key key-2}]}
group group-name
User configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
user "49ers"
password "qQbnuzLd7H/VxGdUqdh7bE" hash2
access console ftp snmp
restricted-to-home
console
member "default"
member "ghost"
exit
exit
...
--------------------------------------------
A:ALA-1>config>system>security#
Configuring keychains
Keychain configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
keychain "abc"
direction
bi
entry 1 key "ZcvSElJzJx/wBZ9biCtOVQJ9YZQvVU.S" hash2 alg
orithm aes-128-cmac-96
begin-time 2006/12/18 22:55:20
exit
exit
exit
exit
keychain "baSASd"
direction
uni
receive
entry 1 key "Ee7xdKlYO2DOm7v3IJv/84LIu96R2fZh" hash2
algorithm aes-128-cmac-96
tolerance forever
exit
exit
exit
exit
exit
...
----------------------------------------------
A:ALA-1>config>system>security#
Copying and overwriting users and profiles
You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified or an error occurs if the destination profile or username already exists.
User
Use the following syntax to configure copied users.
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
config>system>security# copy user testuser to testuserA
MINOR: CLI User "testuserA" already exists - use overwrite flag.
config>system>security#
config>system>security# copy user testuser to testuserA overwrite
config>system>security#
Copied user configuration output
A:ALA-12>config>system>security# info
----------------------------------------------
...
user "testuser"
password "F6XjryaATzM" hash
access snmp
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
none
group "testgroup"
exit
exit
user "testuserA"
password "" hash2
access snmp
console
new-password-at-login
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
none
group "testgroup"
exit
exit
...
----------------------------------------------
A:ALA-12>config>system>security# info
The cannot-change-password flag is not replicated when a copy user command is performed. A new-password-at-login flag is created instead.
A:ALA-12>config>system>security>user# info
----------------------------------------------
password "F6XjryaATzM" hash
access snmp
console
cannot-change-password
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
group "testgroup"
exit
----------------------------------------------
A:ALA-12>config>system>security>user# exit
A:ALA-12>config>system>security# user testuserA
A:ALA-12>config>system>security>user# info
----------------------------------------------
password "" hash2
access snmp
console
new-password-at-login
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
group "testgroup"
exit
----------------------------------------------
A:ALA-12>config>system>security>user#
Profile
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
config>system>security# copy profile default to testuser
Copied profile output
A:ALA-49>config>system>security# info
----------------------------------------------
...
A:ALA-49>config>system>security# info detail
----------------------------------------------
...
profile "default"
default-action none
entry 10
no description
match "exec"
action permit
exit
entry 20
no description
match "exit"
action permit
exit
entry 30
no description
match "help"
action permit
exit
entry 40
no description
match "logout"
action permit
exit
entry 50
no description
match "password"
action permit
exit
entry 60
no description
match "show config"
action deny
exit
entry 70
no description
match "show"
action permit
exit
entry 80
no description
match "enable-admin"
action permit
exit
exit
profile "testuser"
default-action none
entry 10
no description
match "exec"
action permit
exit
entry 20
no description
match "exit"
action permit
exit
entry 30
no description
match "help"
action permit
exit
entry 40
no description
match "logout"
action permit
exit
entry 50
no description
match "password"
action permit
exit
entry 60
no description
match "show config"
action deny
exit
entry 70
no description
match "show"
action permit
exit
entry 80
no description
match "enable-admin"
action permit
exit
exit
profile "administrative"
default-action permit-all exit
...
----------------------------------------------
A:ALA-12>config>system>security#
Enabling SSH
Use the SSH command to configure the SSH server as SSH1, SSH2 or both. The default is SSH2 (SSH version 2). This command should only be enabled or disabled when the SSH server is disabled. This setting should not be changed while the SSH server is running because the actual change only takes place after SSH is disabled or enabled. Use the following syntax to configure SSH.
config>system>security
ssh
preserve-key
no server-shutdown
version ssh-version
The following is a sample SSH server configuration output as both SSH and SSH2 using a host-key.
A:sim1>config>system>security>ssh# info
----------------------------------------------
preserve-key
version 1-2
----------------------------------------------
A:sim1>config>system>security>ssh#
RADIUS configurations
Configuring RADIUS authentication
RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are radius and server server-index address ip-address secret key.
The system IP address must be configured in order for the RADIUS client to work. See ‟Configuring a System Interface” in the 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Router Configuration Guide.
The other commands are optional. The server command adds a RADIUS server and configures the RADIUS server’s IP address, index, and key values. The index determines the sequence in which the servers are queried for authentication requests.
On the local router, use the following syntax to configure RADIUS authentication.
config>system>security
radius
port port
retry count
server server-index address ip-address secret key
timeout seconds
no shutdown
RADIUS authentication configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
retry 5
timeout 5
server 1 address 10.10.10.103 secret "test1"
server 2 address 10.10.0.1 secret "test2"
server 3 address 10.10.0.2 secret "test3"
server 4 address 10.10.0.3 secret "test4"
...
----------------------------------------
A:ALA-1>config>system>security#
Configuring RADIUS authorization
In order for RADIUS authorization to function, RADIUS authentication must be enabled first. See Configuring RADIUS authentication.
In addition to the local configuration requirements, VSAS must be configured on the RADIUS server. See Vendor-specific attributes (VSAS).
On the local router, use the following syntax to configure RADIUS authorization.
config>system>security
radius
authorization
RADIUS authorization configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
radius
authorization
retry 5
timeout 5
server 1 address 10.10.10.103 secret "test1"
server 2 address 10.10.0.1 secret "test2"
server 3 address 10.10.0.2 secret "test3"
server 4 address 10.10.0.3 secret "test4"
exit
...
----------------------------------------------
A:ALA-1>config>system>security#
Configuring RADIUS accounting
On the local router, use the following syntax to configure RADIUS accounting:
config>system>security
radius
accounting
RADIUS accounting configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
radius
shutdown
authorization
accounting
retry 5
timeout 5
server 1 address 10.10.10.103 secret "test1"
server 2 address 10.10.0.1 secret "test2"
server 3 address 10.10.0.2 secret "test3"
server 4 address 10.10.0.3 secret "test4"
exit
...
----------------------------------------------
A:ALA-1>config>system>security#
Configuring 802.1x RADIUS policies
Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured per Ethernet port. See the 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Interface Configuration Guide.
To configure generic parameters for 802.1x authentication, enter the following syntax.
config>system>security
dot1x
radius-plcy policy-name
server server-index address ip-address secret key [port port]
source-address ip-address
no shutdown
802.1x configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
dot1x
radius-plcy "dot1x_plcy" create
server 1 address 10.1.1.1 port 65535 secret "a"
server 2 address 10.1.1.2 port 6555 secret "a"
source-address 10.1.1.255
no shutdown
...
----------------------------------------------
TACACS+ configurations
Enabling TACACS+ authentication
To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network.
Use the following syntax to configure profiles.
config>system>security
tacplus
server server-index address ip-address secret key
timeout seconds
no shutdown
TACACS+ authentication configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
timeout 5
server 1 address 10.10.0.5 secret "test1"
server 2 address 10.10.0.6 secret "test2"
server 3 address 10.10.0.7 secret "test3"
server 4 address 10.10.0.8 secret "test4"
server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#
Configuring TACACS+ authorization
In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ authentication.
On the local router, use the following syntax to configure RADIUS authorization.
config>system>security
tacplus
authorization
no shutdown
TACACS+ authorization configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
authorization
timeout 5
server 1 address 10.10.0.5 secret "test1"
server 2 address 10.10.0.6 secret "test2"
server 3 address 10.10.0.7 secret "test3"
server 4 address 10.10.0.8 secret "test4"
server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#
Configuring TACACS+ accounting
On the local router, use the following syntax to configure TACACS+ accounting.
config>system>security
tacplus
accounting
TACACS+ accounting configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
accounting
authorization
timeout 5
server 1 address 10.10.0.5 secret "test1"
server 2 address 10.10.0.6 secret "test2"
server 3 address 10.10.0.7 secret "test3"
server 4 address 10.10.0.8 secret "test4"
server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#
Configuring login controls
Configure login control parameters for console, Telnet, and FTP sessions.
Use the following syntax to configure login controls.
config>system
login-control
exponential-backoff
ftp
inbound-max-sessions value
telnet
inbound-max-sessions value
outbound-max-sessions value
idle-timeout {minutes |disable}
pre-login-message login-text-string [name]
login-banner
motd {url url-prefix: source-url|text motd-text-string}
Login control configuration output
A:ALA-1>config>system# info
----------------------------------------------
...
login-control
ftp
inbound-max-sessions 5
exit
telnet
inbound-max-sessions 7
outbound-max-sessions 2
exit
idle-timeout 1440
pre-login
message "Property of Service Routing Inc. Unauthorized access prohibited."
motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"
exit
no exponential-backoff
...
----------------------------------------------
A:ALA-1>config>system#
Security command reference
Command hierarchies
Configuration commands
Security commands
config
- system
- security
- copy {user source-user | profile source-profile} to destination [overwrite]
- dot1x
- [no] ftp-server
- hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]
- no hash-control
- [no] keychain keychain-name
- management-access-filter
- password
- [no] profile user-profile-name
- [no] radius
- snmp
- source-address
- application app [ip-int-name|ip-address]
- no application app
- ssh
- [no] tacplus
- [no] telnet-server
- [no] users user-name
- user-template {tacplus_default | radius_default}
Management Access Filter commands
IPv6 management access filters are supported on all platforms as described in this document, except the 7210 SAS-K 2F1C2T.
config
- system
- security
- [no] management-access-filter
- [no] ip-filter
- default-action {permit | deny | deny-host-unreachable}
- [no] entry entry-id
- action {permit | deny | deny-host-unreachable}
- no action
- description description-string
- no description
- dst-port port [mask]
- no dst-port
- fragment {true | false}
- no fragment
- l4-src-port port [mask]
- no l4-src-port
- [no] log
- protocol protocol-id
- no protocol
- router router-instance
- no router
- src-ip {ip-prefix/mask | ip-prefix netmask}
- no src-ip
- src-port {port-id | lag lag-id}
- no src-port
- [no]ipv6-filter
- default-action {permit | deny | deny-host-unreachable}
- [no] entry entry-id
- action {permit | deny | deny-host-unreachable}
- no action
- description description-string
- no description
- dst-port port [mask]
- no dst-port
- flow-label value
- no flow-label
- l4-src-port port [mask]
- no l4-src-port
- [no] log
- next-header next-header
- no next-header
- router router-instance
- no router
- src-ip {ip-prefix/prefix-length | ip-prefix netmask}
- no src-ip
- src-port {port-id | lag lag-id}
- no src-port
- renum old-entry-number new-entry-number
- [no] shutdown
Security password commands
config
- system
- security
- password
- admin-password password [hash | hash2]
- no admin-password
- aging days
- no aging
- attempts count [time minutes1] [lockout minutes2]
- no attempts
- authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
- no authentication-order
- complexity-rules
- [no] allow-user-name
- credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
- no credits
- minimum-classes minimum
- no minimum-classes
- minimum-length length
- no minimum-length
- repeated-characters count
- no repeated-characters
- required [lowercase count] [uppercase count] [numeric count] [special-character count]
- no required
- hashing {bcrypt | sha2-pbkdf2}
- [no] health-check [interval interval]
Profile commands
config
- system
- security
- [no] profile user-profile-name
- default-action {deny-all | permit-all | none}
- [no] entry entry-id
- action {deny | permit}
- description description-string
- no description
- match command-string
- no match
- renum old-entry-number new-entry-number
RADIUS commands
config
- system
- security
- [no] radius
- [no] accounting
- accounting-port port
- no accounting-port
- [no] authorization
- port port
- no port
- retry count
- no retry
- server server-index address ip-address secret key [hash | hash2]
- no server server-index
- [no] shutdown
- timeout seconds
- no timeout
- [no] use-default-template
SSH commands
config
- system
- security
- ssh
- client-cipher-list protocol-version version
- cipher index name cipher-name
- no cipher index
- client-mac-list
- mac index name mac-name
- no mac index
- client-kex-list
- kex index name kex-name
- no kex index
- [no] preserve-key
- server-cipher-list protocol-version version
- cipher index name cipher-name
- no cipher index
- server-kex-list
- kex index name kex-name
- no kex index
- server-mac-list
- mac index name mac-name
- no mac index
- [no] server-shutdown
- [no] version SSH-version
TACPLUS commands
config
- system
- security
- [no] tacplus
- accounting [record-type {start-stop | stop-only}]
- no accounting
- [no] authorization
- server server-index address ip-address secret key [hash | hash2] [port port]
- no server server-index
- [no] shutdown
- timeout seconds
- no timeout
- [no] use-default-template
User commands
config
- system
- security
- [no] users user-name
- [no] access [ftp] [snmp] [console]
- console
- [no] cannot-change-password
- login-exec url-prefix::source-url
- no login-exec
- member user-profile-name [user-profile-name…(up to 8 max)]
- no member user-profile-name
- [no] new-password-at-login
- home-directory url-prefix [directory] [directory/directory…]
- no home-directory
- password [password] [hash | hash2]
- public-keys
- ecdsa
- ecdsa-key ecdsa-public-key-id [create]
- no ecdsa-key ecdsa-public-key-id
- description description-string
- no description
- key-value ecdsa-public-key-value
- no key-value
- rsa
- rsa-key rsa-public-key-id [create]
- no rsa-key rsa-public-key-id
- description description-string
- no description
- key-value rsa-public-key-value
- no key-value
- [no] restricted-to-home
- snmp
- authentication none
- authentication authentication authentication-protocol key-1 [privacy none] [hash | hash2]
- authentication authentication authentication-protocol key-1 privacy privacy-protocol key-2 [hash | hash2]
- no authentication
- authentication none
- authentication {md5 key-1 | sha key-1} [privacy none] [hash]
- authentication {md5 key-1 | sha key-1} privacy privacy-level key-2 [hash]
- no authentication
- group group-name
- no group
User template commands
config
- system
- security
- user-template {tacplus_default | radius_default}
- [no] access [ftp] [console]
- console
- login-exec url-prefix:source-url
- no login-exec
- home-directory url-prefix [directory][directory/directory..]
- no home-directory
- [no] restricted-to-home
Dot1x commands
config
- system
- security
- dot1x
- radius-plcy name [create]
- retry count
- no retry
- server server-index address ip-address secret key [hash|hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]
- source-address ip-address
- [no] shutdown
- timeout seconds
- no timeout
- [no] shutdown
Keychain commands
config
- system
- security
- [no] keychain keychain-name
- description description-string
- no description
- direction {uni | bi}
- bi
- entry {null-key | entry-id key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm}
- no entry {null-key | entry-id}
- begin-time [date] [hours-minutes] [UTC] {now| forever}
- [no] shutdown
- tolerance [seconds | forever]
- uni
- receive
- entry {null-key | entry-id key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm}
- no entry {null-key | entry-id}
- begin-time [date] [hours-minutes] [UTC] {now| forever}
- end-time [date][hours-minutes] [UTC] {now| forever}
- [no] shutdown
- tolerance [seconds | forever]
- send
- entry entry-id key [authentication-key | hash-key | hash2-key] [hash | hash2] algorithm algorithm
- begin-time [date] [hours-minutes] [UTC] {now| forever}
- [no] shutdown
- [no] shutdown
- tcp-option-number
- receive option-number
- send option-number
Login control commands
config
- system
- login-control
- [no] exponential-backoff
- ftp
- inbound-max-sessions value
- no inbound-max-sessions
- idle-timeout {minutes | disable}
- no idle-timeout
- [no] login-banner
- motd {url url-prefix: source-url | text motd-text-string}
- no motd
- pre-login-message login-text-string [name]
- no pre-login-message
- ssh
- disable-graceful-shutdown
- inbound-max-sessions
- outbound-max-sessions
- telnet
- enable-graceful-shutdown
- inbound-max-sessions value
- no inbound-max-sessions
- outbound-max-sessions value
- no outbound-max-sessions
IPsec commands
config
- ipsec
- static-sa sa-name
- no static-sa
- authentication auth-algorithm ascii-key ascii-string
- authentication auth-algorithm hex-key hex-string [hash | hash2]
- no authentication
- description description-string
- no description
- direction ipsec-direction
- no direction
- protocol ipsec-protocol
- no protocol
- spi spi
- no spi
Show commands
Security commands
show
- system
- security
- access-group [group-name]
- authentication [statistics]
- keychain [key-chain] [detail]
- management-access-filter
- ip-filter [entry entry-id]
- ipv6-filter [entry entry-id]
- password-options
- profile [user-profile-name]
- source-address
- ssh
- user [user-id] [detail]
- view [view-name] [detail]
Login control commands
show
- users
Clear commands
Debug commands
debug
- router
- radius
- no radius
- detail-level {low | medium | high}
- no detail-level
- packet-type [authentication] [accounting] [coa]
- no packet-type
- radius-attr type attribute-type [transaction]
- radius-attr type attribute-type [transaction] {address | hex | integer | string} value attribute-value
- radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type]
- radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type] {address | hex | integer | string} value attribute-value
- no radius-attr type attribute-type
- no radius-attr type attribute-type {address | hex | integer | string} value attribute-value
- no radius-attr vendor vendor-id type attribute-type
- no radius-attr vendor vendor-id type attribute-type {address | hex | integer | string} value attribute-value
- server-address ip-address
- no server-address ip-address
Command descriptions
Configuration commands
General security commands
description
Syntax
description description-string
no description
Context
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
config>sys>security>keychain>direction>bi>entry
config>system>security>keychain>direction>uni>receive>entry
config>system>security>keychain>direction>uni>send>entry
config>system>security>user>public-keys>ecdsa>ecdsa-key
config>system>security>user>public-keys>rsa>rsa-key
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of this command removes the string.
Parameters
- string
-
Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
shutdown
Syntax
[no] shutdown
Context
config>system>security>mgmt-access-filter
config>system>security>keychain>direction>bi>entry
config>system>security>keychain>direction>uni>receive>entry
config>system>security>keychain>direction>uni>send>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command puts an entity into the administratively enabled state.
Default
no shutdown
security
Syntax
security
Context
config>system
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure security settings.
Security commands manage user profiles and user membership. Security commands also manage user login registrations.
ftp-server
Syntax
[no] ftp-server
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables FTP servers running on the system.
FTP servers are disabled by default. At system startup, only SSH servers are enabled.
The no form of this command disables FTP servers running on the system.
hash-control
Syntax
hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]
no hash-control
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
If the user executes a save or info command, the system encrypts all passwords, for example, MD5 keys, for security reasons. At present, two algorithms exist.
The first algorithm is a simple, short key that can be copied and pasted in a different location when the user wants to configure the same password. However, because it is the same password and the hash key is limited to the password/key, even the casual observer will notice that it is the same key.
The second algorithm is a more complex key, and cannot be copied and pasted in different locations in the configuration file. In this case, if the same key or password is used repeatedly in different contexts, each encrypted (hashed) version is different.
Default
hash-control read-version all
Parameters
- read-version {1 | 2 | all}
-
When the read-version is configured as ‟all,” both versions 1 and 2 are accepted by the system. Otherwise, only the selected version is accepted when reading configuration or exec files. The presence of incorrect hash versions aborts the script/startup.
- write-version {1 | 2}
-
Selects the hash version that is used the next time the configuration file is saved (or an info command is executed). Be careful to save the read and write version correctly, so that the file can be properly processed after the next reboot or exec.
source-address
Syntax
source-address
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the source address that should be used in all unsolicited packets sent by the application.
This feature only applies on in-band interfaces and does not apply on the out-band management interface. Packets going out the management interface will keep using that as the source IP address. That is, when the RADIUS server is reachable through both the management interface and a network interface, the management interface is used despite what is configured under the source-address statement.
application
Syntax
application app [ip-int-name | ip-address]
no application app
Context
config>system>security>source-address
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the application to use the source IP address specified by the source-address command.
Parameters
- app
-
Specifies the application name.
- ip-int-name | ip-address
-
Specifies the name of the IP interface and IP address. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
telnet-server
Syntax
[no] telnet-server
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables Telnet servers running on the system.
Telnet servers are off by default. At system startup, only SSH servers are enabled.
Telnet servers in networks limit Telnet clients to three attempts to login. The Telnet server disconnects the Telnet client session after three attempts.
The no form of this command disables Telnet servers running on the system.
Login, Telnet, SSH and FTP commands
exponential-backoff
Syntax
[no] exponential-backoff
Context
config>system>login-control
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the exponential backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password.
The no form of this command disables exponential backoff.
Default
no exponential-backoff
ftp
Syntax
ftp
Context
config>system>login-control
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure FTP login control parameters.
idle-timeout
Syntax
idle-timeout {minutes | disable}
no idle-timeout
Context
config>system>login-control
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the idle timeout for FTP, console, or Telnet sessions before the session is terminated by the system.
By default, an idle FTP, console, SSH, or Telnet session times out after 30 minutes of inactivity. This timer can be set per session.
The no form of this command reverts to the default value.
Default
idle-timeout 30
Parameters
- minutes
Specifies the idle timeout in minutes. Allowed values are 1 to 1440. A value of 0 implies that the sessions never timeout.
- disable
Keyword specifying that a session will never timeout. To re-enable idle timeout, enter the command without the disable option.
inbound-max-sessions
Syntax
inbound-max-sessions value
no inbound-max-sessions
Context
config>system>login-control>ftp
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the maximum number of concurrent inbound FTP sessions.
This value is the combined total of inbound and outbound sessions.
The no form of this command reverts to the default value.
Default
inbound-max-sessions 3
Parameters
- value
Specifies the maximum number of concurrent FTP sessions on the node.
inbound-max-sessions
Syntax
inbound-max-sessions value
no inbound-max-sessions
Context
config>system>login-control>telnet
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command limits the number of inbound Telnet and SSH sessions. A maximum of 15 Telnet and SSH connections can be established to the router. The local serial port cannot be disabled.
The no form of this command reverts to the default value.
Default
inbound-max-sessions 5
Parameters
- value
Specifies the maximum number of concurrent inbound Telnet sessions, expressed as an integer.
login-banner
Syntax
[no] login-banner
Context
config>system>login-control
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables or disables the display of a login banner. The login banner contains the 7210 SAS copyright and build date information for a console login attempt.
The no form of this command causes only the configured pre-login message and a generic login prompt to display.
login-control
Syntax
login-control
Context
config>system
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure the session control for the console, Telnet, and FTP.
motd
Syntax
motd {url url-prefix: source-url | text motd-text-string}
no motd
Context
config>system>login-control
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the message of the day displayed after a successful console login. Only one message can be configured.
The no form of this command removes the message.
Parameters
- url url-prefix: source-url
Specifies the URL prefix and source URL of the file containing the message of the day. When the message of the day is present as a text file, provide both url-prefix and the source-url of the file containing the message of the day. The URL prefix can be local or remote.
- text motd-text-string
Specifies the text of the message of the day. The motd-text-string must be enclosed in double quotes. Multiple text strings are not appended to one another.
Some special characters can be used to format the message text. The ‟\n” character creates multi-line MOTDs and the ‟\r” character restarts at the beginning of the new line. For example, entering ‟\n\r” starts the string at the beginning of the new line, while entering ‟\n” starts the second line following the last character from the first line.
outbound-max-sessions
Syntax
outbound-max-sessions value
no outbound-max-sessions
Context
config>system>login-control>telnet
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command limits the number of outbound Telnet and SSH sessions. A maximum of 15 Telnet and SSH connections can be established from the router. The local serial port cannot be disabled.
The no form of this command reverts to the default value.
Default
outbound-max-sessions 5
Parameters
- value
Specifies the maximum number of concurrent outbound Telnet sessions, expressed as an integer.
pre-login-message
Syntax
pre-login-message login-text-string [name]
no pre-login-message
Context
config>system>login-control
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a message displayed before console login attempts on the console using Telnet.
Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.
It is possible to add the name parameter to an existing message without affecting the current pre-login-messages.
The no form of this command removes the message.
Parameters
- login-text-string
Specifies a login text string, up to 900 characters. Any printable, 7-bit ASCII characters can be used. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
- name
When the keyword name is defined, the configured system name is always displayed first in the login message. To remove the name from the login message, the message must be cleared and a new message entered without the name.
ssh
Syntax
ssh
Context
config>system>login-control
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure SSH parameters.
disable-graceful-shutdown
Syntax
[no] disable-graceful-shutdown
Context
config>system>login-control>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables graceful shutdown of SSH sessions.
The no form of this command disables graceful shutdown of SSH sessions.
client-cipher-list
Syntax
client-cipher-list protocol-version version
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the configuration of a list of allowed ciphers by the SSH client.
Parameters
- version
Specifies the SSH version.
cipher
Syntax
cipher index name cipher-name
no cipher index
Context
config>system>security>ssh>client-cipher-list
config>system>security>ssh>server-cipher-list
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the configuration of a cipher. Client-ciphers are used when the 7210 SAS is acting as an SSH client. Server ciphers are used when the 7210 SAS is acting as an SSH server.
The no form of this command removes the index and cipher name from the configuration.
Default
no cipher index
Parameters
- index
Specifies the index of the cipher in the list.
- cipher-name
Specifies the algorithm used when performing encryption or decryption.
client-mac-list
Syntax
client-mac-list
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure SSH MAC algorithms for the 7210 SAS acting as a client.
mac
Syntax
mac index name mac-name
no mac index
Context
config>system>security>ssh>client-mac-list
config>system>security>ssh>server-mac-list
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command allows the user to configure SSH MAC algorithms for the 7210 SAS acting as an SSH server or an SSH client.
The no form of this command removes the specified mac index.
Default
no mac index
Parameters
- index
Specifies the index of the algorithm in the list.
- mac-name
Specifies the algorithm for calculating the message authentication code.
client-kex-list
Syntax
client-kex-list
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
Commands in this context configure SSH KEX algorithms for the 7210 SAS in the client role.
By default, the SSH advertises a KEX list that contains the following algorithms:
diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
kex
Syntax
kex index name kex-name
no kex index
Context
config>system>security>ssh>client-kex-list
config>system>security>ssh>server-kex-list
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
This command configures phase 1 SSHv2 KEX algorithms for the 7210 SAS in the SSH server or an SSH client role.
The no form of this command removes the specified KEX index. If all KEX indexes are removed, the default list is used.
Parameters
- index
Specifies the index of the algorithm in the list. The lowest KEX index is negotiated first and the highest index, which is at the bottom of the KEX list, is negotiated last in the SSH negotiation.
- kex-name
Specifies the KEX algorithm for computing the shared secret key.
preserve-key
Syntax
[no] preserve-key
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
After enabling this command, private keys, public keys, and host key files are saved by the server. They are restored following a system reboot or restart of the SSH server.
The no form of this command specifies that the keys are held in memory by the SSH server and are not restored following a system reboot.
Default
no preserve-key
server-cipher-list
Syntax
server-cipher-list protocol-version version
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the configuration of the list of allowed ciphers by the SSH server.
Parameters
- version
Specifies the SSH version.
server-kex-list
Syntax
server-kex-list
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
Commands in this context configure SSH KEX algorithms for the 7210 SAS in the SSH server role.
By default, the SSH advertises a KEX list that contains the following algorithms:
diffie-hellman-group16-sha512
diffie-hellman-group14-sha256
diffie-hellman-group14-sha1
diffie-hellman-group-exchange-sha1
diffie-hellman-group1-sha1
server-mac-list
Syntax
server-mac-list
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command allows the user to configure SSH MAC algorithms for the 7210 SAS acting as an SSH server.
server-shutdown
Syntax
[no] server-shutdown
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the SSH servers running on the system. By default, only the SSH server is enabled at startup.
version
Syntax
version ssh-version
no version
Context
config>system>security>ssh
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the SSH protocol version that is supported by the SSH server.
Default
version 2
Parameters
- ssh-version
Specifies the SSH version.
telnet
Syntax
telnet
Context
config>system>login-control
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure the Telnet login control parameters.
enable-graceful-shutdown
Syntax
[no] enable-graceful-shutdown
Context
config>system>login-control>telnet
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables graceful shutdown of Telnet sessions.
The no form of this command disables graceful shutdown of Telnet sessions.
Management Access Filter commands
management-access-filter
Syntax
[no] management-access-filter
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context edit management access filters and to reset match criteria.
Management access filters control all traffic in and out. They can be used to restrict management of the router by other nodes outside either specific subnetworks or through designated ports.
Management filters, as opposed to other traffic filters, are enforced by system software.
The no form of this command removes management access filters from the configuration.
ip-filter
Syntax
[no] ip-filter
Context
config>system>security>mgmt-access-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure management access IP filter parameters.
ipv6-filter
Syntax
[no] ipv6-filter
Context
config>system>security>mgmt-access-filter
Platforms
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T
Description
Commands in this context configure management access IPv6 filter parameters.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
default-action
Syntax
default-action {permit | deny | deny-host-unreachable}
Context
config>system>security>mgmt-access-filter>ip-filter
config>system>security>mgmt-access-filter>ipv6-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter context is not supported on the 7210 SAS-K 2F1C2T.
This command enables the default action for management access in the absence of a specific management access filter match.
The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
Parameters
- permit
Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted.
- deny
Specifies that packets not matching the selection criteria be denied and that an ICMP host unreachable message are not issued.
- deny-host-unreachable
Specifies that packets not matching the selection criteria are denied and a host unreachable message is issued.
entry
Syntax
[no] entry entry-id
Context
config>system>security>mgmt-access-filter>ip-filter
config>system>security>mgmt-access-filter>ipv6-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter context is not supported on the 7210 SAS-K 2F1C2T.
This command creates or edits a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7210 SAS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of this command removes the specified entry from the management access filter.
Parameters
- entry-id
Specifies an entry ID that uniquely identifies a match criteria and the corresponding action. Nokia recommends that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.
action
Syntax
action {permit | deny | deny-host-unreachable}
no action
Context
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command enables the context associated with the management access filter match criteria entry.
The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
If the packet does not meet any of the match criteria, the configured default action is applied.
Parameters
- permit
Specifies that packets matching the configured criteria are permitted.
- deny
Specifies that packets matching the configured selection criteria are denied and that a ICMP host unreachable message is issued.
- deny-host-unreachable
Specifies that packets matching the configured selection criteria are denied and that a host unreachable message is not issued.
dst-port
Syntax
[no] dst-port port [mask]
Context
config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command configures a source TCP or UDP port number or port range for a management access filter match criterion.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of this command removes the source port match criterion.
Parameters
- port
Specifies the source TCP or UDP port number as match criteria.
- mask
Specifies a range of source port numbers as the match criterion.
This 16-bit mask can be configured using the formats in the following table.
Table 12. Mask formats Format style
Format syntax
Example
Decimal
DDDDD
63488
Hexadecimal
0xHHHH
0xF800
Binary
0bBBBBBBBBBBBBBBBB
0b1111100000000000
To select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.
fragment
Syntax
[no] fragment {true | false}
Context
config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion.
An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the Layer 4 information.
The no form of this command removes the match criterion.
Default
no fragment
Parameters
- true
Specifies to match on all fragmented IP packets. A match occurs for all packets that have either the MF (more fragment) bit set or the Fragment Offset field of the IP header set to a non-zero value.
- false
Specifies to match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and the Fragment Offset field also set to zero.
l4-src-port
Syntax
[no] l4-src-port port [mask]
Context
config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command configures a source TCP or UDP port number for an IP filter match criterion. An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of this command removes the source port match criterion.
Default
no l4-src-port
Parameters
- port
Specifies the source port number to be used as a match criteria expressed as a decimal integer.
- mask
Specifies the mask in dotted decimal notation.
flow-label
Syntax
flow-label value
no flow-label
Context
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T
Description
This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non default quality of service or real-time service.
Parameters
- value
Specifies the flow identifier in an IPv6 packet header that can be used to discriminate traffic flows. For more information, see RFC 3595, Textual Conventions for IPv6 Flow Label.
log
Syntax
[no] log
Context
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command enables match logging. When enabled, matches on this entry cause the Security event mafEntryMatch to be raised.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
Default
no log
next-header
Syntax
next-header next-header
no next-header
Context
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T
Description
This command specifies the next header to match. The protocol type, such as TCP, UDP, OSPF, and OSPF3, is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17).
Parameters
- next-header
Specifies the IP protocol field for IPv6 MAF, and for IPv6 the next header type to be used in the match criteria for this MAF Entry.
protocol
Syntax
[no] protocol protocol-id
Context
config>system>security>mgmt-access-filter>ip-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures an IP protocol type to be used as a management access filter match criterion.
The protocol type, such as TCP, UDP, and OSPF, and OSPF3, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).
The no form of this command removes the protocol from the match criteria.
Parameters
- protocol
Specifies the protocol number for the match criterion.
router
Syntax
router {router-instance}
no router
Context
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
The command configures a router name or service ID to be used as a management access filter match criterion.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of this command removes the router name or service ID from the match criteria.
Default
router Base
Parameters
- router-instance
Specifies the router name.
renum
Syntax
renum old-entry-number new-entry-number
Context
config>system>security>mgmt-access-filter>ip-filter
config>system>security>mgmt-access-filter>ipv6-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command renumbers existing management access filter entries to resequence filter entries.
The system exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be re-numbered differently from most to least explicit.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
Parameters
- old-entry-number
Specifies the entry number of the existing entry.
- new-entry-number
Specifies the new entry number that will replace the old entry number.
src-port
Syntax
src-port {port-id | lag lag-id}
no src-port
Context
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command restricts ingress management traffic to either the CPM Ethernet port or any other logical port (LAG or port) on the device.
When the source interface is configured, only management traffic arriving on those ports satisfies the match criteria.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of the command reverts to the default value.
Parameters
- port-id
Specifies the port ID in the following format: slot[/mda]/port.
src-ip
Syntax
[no] src-ip {ip-prefix/prefix-length | ip-prefix netmask}
Context
config>system>security>mgmt-access-filter>ip-filter>entry
config>system>security>mgmt-access-filter>ipv6-filter>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.
This command configures a source IP address range to be used as a management access filter match criterion.
To match on the source IP address, specify the address and the associated mask (that is, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.
The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.
The no form of the command removes the source IP address match criterion.
Parameters
- ip-prefix/prefix-length
Specifies the IP prefix used for IP match criteria in dotted decimal notation. Can be IPv4 or an IPv6 prefix.
ipv4-prefix — a.b.c.d
ipv4-prefix-length — 0 to 32
ipv6-prefix — x:x:x:x:x:x:x:x (eight 16-bit pieces)
- x:x:x:x:x:x:d.d.d.d
- x: [0..FFFF]H
- d: [0..255]D
ipv6-prefix-length — 0 to 128 (7210 SAS-D, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C)
0 to 64 (7210 SAS-Dxp)
- netmask
Specifies the subnet mask in dotted decimal notation.
Password commands
admin-password
Syntax
admin-password password [hash | hash2]
no admin-password
Context
config>system>security>password
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the context (with admin permissions) to configure a password that enables a user to become an administrator.
This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.
This functionality can be enabled in two contexts:
config>system>security>password>admin-password
global enable-admin
See the description for enable-admin. If the admin-password command is configured in the config>system>security>password context, any user can enter the administrative mode by entering the enable-admin command.
The enable-admin command is in the default profile. By default, all users have access to this command.
After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is granted unrestricted access to all commands.
The minimum password length is determined by the minimum-length command. The complexity requirements for the password is determined by the configuration in the complexity-rules context.
The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets.
The usernames and passwords in the FTP and TFTP URLs are not sent to the authorization or accounting servers when the file>copy source-file-url dest-file-url command is executed.
For example:
file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile
In this example, the username 'test' and password 'secret' are not sent to the AAA servers (or to any logs). They are replaced with '****'.
The configure system security password hashing command affects the maximum number of characters that can be used to configure the password parameter.
The no form of this command removes the admin password from the configuration.
Default
no admin-password
Parameters
- password
Configures the password that enables a user to become a system administrator. The maximum length can be up to 56 characters if unhashed, 32 characters if the hash keyword is specified, and 54 characters if the hash2 keyword is specified, 60 characters if hashed with bcrypt, or 87 to 92 characters if hashed with sha2-pbkdf2.
- hash
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted.
- hash2
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
enable-admin
Syntax
enable-admin
Context
<global>
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context enter the administrative mode.
See the description for admin-password. If admin-password is configured in the config>system>security>password context, any user can enter the administrative mode by entering the enable-admin command.
The enable-admin command is in the default profile. By default, all users are granted access to this command.
After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is granted unrestricted access to all the commands.
The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the configuration in the complexity-rules context.
There are two ways to verify that a user is in the enable-admin mode:
The administrator can use the show users command to know which users are in this mode.
Enter the enable-admin command again at the root prompt and an error message is returned.
The following output is an example of user information.
A:ALA-1# show users
===============================================================================
User Type From Login time Idle time
===============================================================================
admin Console -- 10AUG2006 13:55:24 0d 19:42:22
admin Telnet 10.20.30.93 09AUG2006 08:35:23 0d 00:00:00 A
-------------------------------------------------------------------------------
Number of users : 2
'A' indicates user is in admin mode
===============================================================================
A:ALA-1#
A:ALA-1# enable-admin
MINOR: CLI Already in admin mode.
A:ALA-1#
aging
Syntax
aging days
no aging
Context
config>system>security>password
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval.
The no form of this command reverts to the default value.
Parameters
- days
Specifies the maximum number of days the password is valid.
attempts
Syntax
attempts count [time minutes1 [lockout minutes2]
no attempts
Context
config>system>security>password
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.
The threshold for the number of login attempts can be configured by using the CLI parameter count in the command. An SNMP trap is generated by the device when the number of login attempts exceeds the configured threshold. Generation of the trap can be suppressed using the config>log>event-control command. By default, the device generates a trap when the login attempts exceed the configured threshold. The trap carries information about the user ID used for the login attempt. An SNMP trap is not sent for every failed attempt. If the threshold is exceeded, the user is locked out for a specified time period.
If multiple attempts commands are entered, each command overwrites the previously entered command.
The no form of this command resets all values to default.
Default
attempts 3 time 5 lockout 10
Parameters
- count
Specifies the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.
- time minutes
Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.
- lockout minutes
Specifies the lockout period, in minutes, when the user is not allowed to login. Allowed values are decimal integers. When the user exceeds the attempted count times in the specified time, that user is locked out from any further login attempts for the configured time period.
authentication-order
Syntax
authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
no authentication-order
Context
config>system>security>password
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the sequence in which password authentication, authorization, and accounting is attempted among RADIUS, TACACS+, and local passwords.
The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been granted, an entry in the security log registers the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.
The preferred order for password authentication is:
RADIUS
TACACS+
local passwords
The no form of this command reverts to the default authentication sequence.
Default
authentication-order radius tacplus local
Parameters
- method-1
Specifies the first password authentication method to attempt.
- method-2
Specifies the second password authentication method to attempt.
- method-3
Specifies the third password authentication method to attempt.
- radius
Specifies RADIUS authentication.
- tacplus
Specifies TACACS+ authentication.
- local
Specifies password authentication based on the local password database.
- exit-on-reject
When enabled and if one of the AAA methods configured in the authentication order sends a reject, the next method in the order is not attempted. If the exit-on-reject keyword is not specified and if one AAA method sends a reject, the next AAA method is attempted. If in this process, all the AAA methods are exhausted, it is considered as a reject.
A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting only use the method that provided an affirmation authentication; only if that method is no longer readable or is removed from the configuration are other configured methods attempted. If the local keyword is the first authentication and:
exit-on-reject is configured and the user does not exist, the user is not authenticated.
The user is authenticated locally, then other methods, if configured, are used for authorization and accounting.
The user is configured locally but without console access, login is denied.
complexity-rules
Syntax
complexity-rules
Context
config>system>security>password
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command defines a list of rules for configurable password options.
allow-user-name
Syntax
[no] allow-user-name
Context
config>system>security>password>complexity-rules
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the username to be used as part of the password.
The no form of this command does not allow the username to be used as part of the password.
credits
Syntax
credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
no credits
Context
config>system>security>password>complexity-rules
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the maximum credits granted for usage of the different character classes in the local passwords.
The no form of this command reverts to the default value.
Default
no credits
Parameters
- credits
Specifies the number of credits that can be used for each character class.
minimum-classes
Syntax
minimum-classes minimum
no minimum-classes
Context
config>system>security>password>complexity-rules
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command forces the use of at least as many different character classes as specified.
The no form of this command resets to default.
Default
no minimum-classes
Parameters
- minimum
Specifies the minimum number of classes to be configured.
minimum-length
Syntax
minimum-length length
no minimum-length
Context
config>system>security>password>complexity-rule
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the minimum number of characters required for locally administered passwords and keys used with SNMPv3 user authentication and encryption. See the configure system security user snmp authentication command for more information about the use of keys with SNMPv3-based authentication and encryption algorithms.
If multiple minimum-length commands are entered, each new command overwrites the previously configured password length.
The no form of this command reverts to the default value.
Default
minimum-length 6
Parameters
- value
Specifies the minimum number of characters required for a locally administered password.
repeated-characters
Syntax
repeated-characters count
no repeated-characters
Context
config>system>security>password>complexity-rules
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the number of times a characters can be repeated consecutively.
The no form of this command resets to default.
Default
no repeated-characters
Parameters
- count
Specifies the minimum count of consecutively repeated characters.
required
Syntax
required [lowercase count] [uppercase count] [numeric count] [special-character count]
no required
Context
config>system>security>password>complexity-rules
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the minimum number of different character classes required.
The no form of this command reverts to the default value.
Default
no required
Parameters
- count
Specifies the minimum count of characters classes.
hashing
Syntax
hashing {bcrypt | sha2-pbkdf2}
Context
config>system>security>password
Platforms
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-D
Description
This command configures the password hashing algorithm.
Parameters
- bcrypt
Keyword to configure the bcrypt algorithm.
- sha2-pbkdf2
Keyword to configure the PBKDF2 algorithm.
health-check
Syntax
[no] health-check [interval interval]
Context
config>system>security>password
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies that RADIUS and TACACS+ servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, based on the type of the server, a trap is sent.
The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server is up if the last access was successful.
Default
health-check
Parameters
- interval
Specifies the interval of the health check in seconds.
password
Syntax
password
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure password management parameters.
public-keys
Syntax
public-keys
Context
config>system>security>user
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
Commands in this context configure public keys for SSH.
ecdsa
Syntax
ecdsa
Context
config>system>security>user>public-keys
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
Commands in this context configure ECDSA public keys.
ecdsa-key
Syntax
ecdsa-key ecdsa-public-key-id [create]
no ecdsa-key ecdsa-public-key-id
Context
config>system>security>user>public-keys>ecdsa
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
The no form of this command removes the configured ECDSA public keys.
Default
no ecdsa-key
Parameters
- create
Keyword to create an ECDSA key. The create keyword requirement can be enabled or disabled in the environment>create context.
- key-id
Specifies the key identifier.
key-value
Syntax
key-value public-key-value
no key-value
Context
config>system>security>user>public-keys>ecdsa>ecdsa-key
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
This command configures a value for the ECDSA public key. The public key must be enclosed in quotation marks. The key is between 1 and 1024 bits.
The no form of this command removes the configured ECDSA public key value.
Default
no key-value
Parameters
- ecdsa-public-key-value
Specifies the public key value, up to 255 characters.
rsa
Syntax
rsa
Context
config>system>security>user>public-keys
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
Commands in this context configure RSA public keys.
rsa-key
Syntax
rsa-key rsa-public-key-id [create]
no rsa-key rsa-public-key-id
Context
config>system>security>user>public-keys>rsa
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
This command creates an RSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.
The no form of this command removes the configured RSA public keys.
Default
no rsa-key
Parameters
- create
Keyword to create the RSA key. The create keyword requirement can be enabled or disabled in the environment>create context.
- key-id
Specifies the key identifier.
key-value
Syntax
key-value rsa-public-key-value
no key-value
Context
config>system>security>user>public-keys>rsa>rsa-key
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
This command configures a value for the RSA public key. The public key must be enclosed in quotation marks. The key is between 768 and 4096 bits.
The no form of this command removes the configured public key value.
Default
no key-value
Parameters
- public-key-value
Specifies the public key value, up to 800 characters.
Profile management commands
action
Syntax
action {deny | permit}
Context
config>system>security>profile user-profile-name>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the action associated with the profile entry.
Parameters
- deny
Specifies that commands matching the entry command match criteria are to be denied.
- permit
Specifies that commands matching the entry command match criteria are permitted.
match
Syntax
match command-string
no match
Context
config>system>security>profile user-profile-name>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a command or command subtree.
Because the 7210 SAS exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated before this profile.
All commands below the hierarchy level of the matched command are denied.
The no form of this command removes a match condition.
Parameters
- command-string
Specifies the CLI command or CLI tree level that is the scope of the profile entry.
copy
Syntax
copy {user source-user | profile source-profile} to destination [overwrite]
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command copies a profile or user from a source profile to a destination profile.
Parameters
- source-profile
Specifies the profile to copy, up to 32 characters. The profile must exist.
- dest-profile
Specifies the destination profile, up to 32 characters.
- overwrite
Specifies that the destination profile configuration is overwritten with the copied source profile configuration. A profile is not overwritten if the overwrite keyword is not specified.
default-action
Syntax
default-action {deny-all | permit-all | none}
Context
config>system>security>profile
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the default action to be applied when no match conditions are met.
Parameters
- deny-all
Sets the default of the profile to deny access to all commands.
- permit-all
Sets the default of the profile to allow access to all commands.
This keyword does not change access to security commands. Security commands are only and always available to members of the super-user profile.
- none
Sets the default of the profile to no-action. This option is useful to assign multiple profiles to a user.
For example, if a user is a member of two profiles and the default action of the first profile is permit-all, the second profile is never evaluated because the permit-all is executed first. Set the first profile default action to none and if no match conditions are met in the first profile, the second profile is evaluated. If the default action of the last profile is none and no explicit match is found, the default deny-all takes effect.
description
Syntax
description description-string
no description
Context
config>system>security>profile user-profile-name>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a text description stored in the configuration file for a configuration context.
The description command associates a text string with a configuration context to help identify the context in the configuration file.
The no form of this command removes the string from the context.
Parameters
- string
Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.
entry
Syntax
[no] entry entry-id
Context
config>system>security>profile
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command creates a user profile entry.
More than one entry can be created with unique entry-id numbers. The 7210 SAS exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.
An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.
The no form of this command removes the specified entry from the user profile.
Parameters
- entry-id
Specifies a unique user profile command match criteria and a corresponding action. If more than one entry is configured, the entry IDs should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entries.
profile
Syntax
[no] profile user-profile-name
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command creates user profiles for CLI command tree permissions.
Profiles are used to either deny or allow user console access to a hierarchical branch or to specific commands.
After the profiles are created, the users command assigns users to one or more profiles. You can define up to 16 user profiles, but a maximum of 8 profiles can be assigned to a user. The user-profile-name can consist of up to 32 alphanumeric characters.
The no form of this command deletes a user profile.
Default
user-profile default
Parameters
- user-profile-name
Specifies the user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.
renum
Syntax
renum old-entry-number new-entry-number
Context
config>system>security>profile user-profile-name
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command renumbers profile entries to re-sequence the entries.
Because the 7210 SAS exits when the first match is found and executes the actions according to accompanying action command, re-numbering is useful to rearrange the entries from most explicit to least explicit.
Parameters
- old-entry-number
Specifies the entry number of an existing entry.
- new-entry-number
Specifies the new entry number.
User management commands
access
Syntax
[no] access [ftp] [snmp] [console]
Context
config>system>security>user
config>system>security>user-template
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command grants a user permission for FTP, SNMP, console, or lawful intercept (LI) access.
If a user requires access to more than one application, multiple applications can be specified in a single command. Multiple commands are treated additively.
The no form of this command removes access for a specific application.
The no access command denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied, for example, no access FTP denies FTP access.
Parameters
- ftp
Specifies FTP permission.
- snmp
Specifies SNMP permission. This keyword is only configurable in the config>system>security>user context.
- console
Specifies console access (serial port or Telnet) permission.
authentication
Syntax
authentication none
authentication authentication-protocol key-1 [privacy none] [hash | hash2]
authentication authentication-protocol key-1 privacy privacy-protocol key-2 [hash | hash2]
no authentication
Context
config>system>security>user>snmp
Platforms
Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D
Description
This command configures the authentication and and encryption method that the device uses to validate the user. The SNMP authentication allows the device to validate the managing node that issues the SNMP message and detect message tampering.
The no form of this command reverts to the default value.
Default
authentication none
Parameters
- authentication-protocol
Specifies the SNMP authentication protocol.
- privacy-protocol
Specifies the SNMP privacy protocol.
- hash
-
Keyword to indicate the encryption mechanism used to store the authentication and privacy keys in an encrypted format in the configuration file. When hash is not specified, non-encrypted characters can be entered. When hash is specified, the key is expected to be decrypted using the hash mechanism. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 keyword specified.
- hash2
-
Keyword to indicate the encryption mechanism used to store all specified keys in an encrypted format in the configuration file. For example, the hash2 encrypted variable cannot be copied and pasted to a different node. If the hash2 keyword is not specified, the key is assumed to be unencrypted in cleartext form. The hash2 keyword is the default mechanism used if hash is not specified. Therefore, the user does not need to specify hash2 explicitly while entering the key. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 keyword specified.
- key-1
-
Specifies the key-1 value for SNMP packet encryption.
- key-2
-
Specifies the key-2 value for SNMP packet encryption.
authentication
Syntax
authentication none
authentication {md5 key-1 | sha key-1} [privacy none] [hash]
authentication {md5 key-1 | sha key-1} privacy privacy-level key-2 [hash]
no authentication
Context
config>system>security>user>snmp
Platforms
Supported on the 7210 SAS-D
Description
This command configures the authentication and encryption method for the user to be validated by the device. SNMP authentication allows the device to validate the managing node that issued the SNMP message and detect message tampering.
The user password is encrypted first by the MD5/SHA/DES algorithm. The output of the algorithm is always a fixed length string (key). Copy the password key and paste the output in the appropriate authentication command key parameter.
The no form of this command reverts to the default value.
Default
authentication none
Parameters
- none
-
Keyword to specify that authentication should not be used. If none is specified, privacy cannot be configured.
- hash
-
Keyword to store all specified keys in an encrypted format in the configuration file. The password must be entered in encrypted form when this keyword is used. When hash is not specified, non-encrypted characters can be entered.
- md5 key
-
Specifies the authentication protocol, which can be either HMAC-MD5-96 or HMAC-SHA-96.
The MD5 authentication key is stored in an encrypted format. The minimum key length is determined by the config system security password complexity-rules minimum-length minimum-length value. The maximum length is 16 octets (32 printable characters).
The complexity of the key is determined by the configuration in the complexity-rules context.
- sha key
-
The authentication protocol, which can be either HMAC-MD5-96 or HMACSHA-96.
The sha authentication key is stored in an encrypted format. The minimum key length is determined by the config system security password complexity-rules minimum-length value. The maximum length is 20 octets (40 printable characters).
The complexity of the key is determined by the configuration in the complexity-rules context.
- privacy none
-
Keyword to specify that SNMP packet encryption should not be performed.
- privacy-level
-
Specifies the privacy level.
group
Syntax
group group-name
no group
Context
config>system>security>user>snmp
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command associates (or links) a user to a group name. The group name must be configured with the config>system>security>user>snmp>group command. The access command links the group with one or more views, security models, security levels, and read, write, and notify permissions.
Parameters
- group-name
Specifies the group name, up to 32 characters, that is associated with this user. A user can be associated with one group name per security model.
cannot-change-password
Syntax
[no] cannot-change-password
Context
config>system>security>user>console
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command disables the user’s privilege to change their password for both FTP and console login.
The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.
The no form of this command enables the user privilege to change their password.
Default
no cannot-change-password
console
Syntax
console
Context
config>system>security>user
config>system>security>user-template
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure user profile membership for the console (either Telnet or serial port user).
copy
Syntax
copy {user source-user | profile source-profile} to destination [overwrite]
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command copies specific user configuration parameters to another (destination) user.
The password is set to a carriage return and a new password at login must be selected.
Parameters
- source-user
Specifies the user to copy, up to 32 characters. The user must already exist.
- dest-user
Specifies the destination user to which the profile is copied, up to 32 characters.
- overwrite
Specifies that the destination user configuration is overwritten with the copied source user configuration. A configuration is not overwritten if the overwrite command is not specified.
home-directory
Syntax
home-directory url-prefix [directory] [directory/directory…]
no home-directory
Context
config>system>security>user
config>system>security>user-template
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the local home directory for the user for both console and FTP access.
If the URL or the specified URL/directory structure is not present, a warning message is issued and the default is assumed.
If restrict-to-home is configured, no file access is granted and no home-directory is created. If restrict-to-home is not applied, the root becomes the user’s home-directory.
The no form of this command removes the configured home directory.
Default
no home-directory
Parameters
- local-url-prefix [directory] [directory/directory…]
Specifies the user’s local home directory URL prefix and directory structure, up to 190 characters in length.
profile
Syntax
profile user-profile-name
no profile
Context
config>system>security>user-template
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the profile for the user based on the specified template.
Parameters
- user-profile-name
Specifies the user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.
login-exec
Syntax
[no] login-exec url-prefix: source-url
Context
config>system>security>user>console
config>system>security>user-template>console
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures a user’s login exec file, which executes whenever the user successfully logs in to a console session.
Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.
The no form of this command disables the login exec file for the user.
Parameters
- url-prefix: source-url
Specifies either a local or remote URL, up to 200 characters, that identifies the exec file that is executed after the user successfully logs in.
member
Syntax
member user-profile-name [user-profile-name…up to 8max]
no member user-profile-name
Context
config>system>security>user>console
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command allows the user access to a profile.
A user can participate in up to eight profiles.
The no form of this command deletes user access to a profile.
Parameters
- user-profile-name
Specifies the user profile name, up to 32 characters.
new-password-at-login
Syntax
[no] new-password-at-login
Context
config>system>security>user>console
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command forces the user to change a password at the next console login. The new password applies to FTP but the change can be enforced only by the console, SSH, or Telnet login.
The no form of this command does not force the user to change passwords.
Default
no new-password-at-login
password
Syntax
password [password] [hash | hash2]
Context
config>system>security>user
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the user password for console and FTP access.
The use of the hash keyword sets the initial password when the user is created or modifies the password of an existing user and specifies that the specific password was hashed using hashing algorithm version 1.
The password is stored in an encrypted format in the configuration file when specified. Passwords should be encased in double quotes (" ") at the time of the password creation. The double quote character (") is not accepted inside a password. It is interpreted as the start or stop delimiter of a string.
The use of the hash2 keyword specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.
The following output is an example of user syntax.
config>system>security# user testuser1
config>system>security>user$ password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
config>system>security>user# exit
config>system>security# info
-------------------------------------
...
user "testuser1"
password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
exit
...
-------------------------------------
config>system>security#
Parameters
- password
Specifies the password that the user must be entered during the login procedure. The minimum length of the password is determined by the minimum-length command. The maximum length can be up to 20 characters if unhashed and 32 characters if hashed.
All password special characters (#, $, spaces, and so on) must be enclosed within double quotes.
For example: config>system>security>user# password ‟south#bay?”
The question mark character (?) cannot be directly inserted as input during a Telnet connection because the character is bound to the help command during a normal Telnet/console connection.
To insert a # or ? character, they must be entered inside a notepad or clipboard program and cut and pasted into the Telnet session in the password field that is encased in the double quotes as delimiters for the password.
If a password is entered without any parameters, a password length of zero is implied: (carriage return).
- hash
Specifies that the specific password is already hashed using hashing algorithm version 1. A semantic check is performed on the specific password field to verify if it is a valid hash 1 key to store in the database.
- hash2
Specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.
restricted-to-home
Syntax
[no] restricted-to-home
Context
config>system>security>user
config>system>security>user-template
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command prevents users from navigating above their home directories for file access. A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.
If a home-directory is not configured or the home directory is not available, the user has no file access.
The no form of this command allows the user access to navigate to directories above their home directory.
Default
no restricted-to-home
snmp
Syntax
snmp
Context
config>system>security>user
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure SNMP group membership for a specific user and defines encryption and authentication parameters.
All SNMPv3 users must be configured with the commands available in this CLI node.
The 7210 SAS always uses the configured SNMPv3 username as the security username.
user-template
Syntax
user-template {tacplus_default | radius_default}
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures default security user template parameters.
Parameters
- tacplus_default
Specifies that the default TACACS+ user template is actively applied to the TACACS+ user.
- radius_default
Specifies that the default RADIUS user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server.
users
Syntax
users
Context
show
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command creates a local user and a context to edit the user configuration.
When creating a new user and entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that username, no password is required. The user can log in to the system and <ENTER> at the password prompt. The user is logged in.
Unless an administrator explicitly changes the password, it is null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value changes.
user
Syntax
user user-name
Context
admin
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables a local user and a context to edit the user configuration.
If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
When creating a new user and entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that username, no password is required. The user can log in to the system and <ENTER> at the password prompt; the user is logged in.
Unless an administrator explicitly changes the password, it is null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value changes.
The no form of this command deletes the user and all configuration data. Users cannot delete themselves.
Parameters
- user-name
Specifies the name of the user, up to 16 characters.
RADIUS client commands
accounting
Syntax
[no] accounting
Context
config>system>security>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables RADIUS accounting.
The no form of this command disables RADIUS accounting.
Default
no accounting
accounting-port
Syntax
accounting-port port
no accounting-port
Context
config>system>security>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.
Parameters
- port
Specifies the UDP port number.
authorization
Syntax
[no] authorization
Context
config>system>security>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures RADIUS authorization parameters for the system.
Default
no authorization
port
Syntax
port port
no port
Context
config>system>security>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the TCP port number to contact the RADIUS server.
The no form of this command reverts to the default value.
Default
port 1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))
Parameters
- port
Specifies the TCP port number to contact the RADIUS server.
radius
Syntax
[no] radius
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure RADIUS authentication on the 7210 SAS router.
Implement redundancy by configuring multiple server addresses for each 7210 SAS series router.
The no form of this command removes the RADIUS configuration.
retry
Syntax
retry count
no retry
Context
config>system>security>radius
config>system>security>dot1x>radius-plcy
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of this command reverts to the default value.
Default
retry 3
Parameters
- count
Specifies the retry count.
server
Syntax
server index address ip-address secret key [hash|hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]
no server index
Context
config>system>security>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.
Up to five RADIUS servers can be configured at one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The 7210 SAS-K 2F1C2T does not support IPv6 addresses for RADIUS servers.
The no form of the command removes the server from the configuration.
Parameters
- index
Specifies the index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.
- address ip-address
Specifies the IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.
- secret key
Specifies the secret key, up to 20 characters, to access the RADIUS server. This secret key must match the password on the RADIUS server.
- hash
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
- hash2
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
shutdown
Syntax
[no] shutdown
Context
config>system>security>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command administratively disables the RADIUS protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command administratively enables the protocol.
Default
no shutdown
timeout
Syntax
timeout seconds
no timeout
Context
config>system>security>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of this command reverts to the default value.
Default
timeout 3
Parameters
- seconds
Specifies the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer.
use-default-template
Syntax
[no] use-default-template
Context
config>system>security>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies whether the RADIUS user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server. When enabled, the RADIUS user template is actively applied if no VSAs are returned with the auth-accept from the RADIUS server.
The no form of this command disables the command.
TACACS+ client commands
tacplus
Syntax
[no] tacplus
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure TACACS+ authentication on the router.
Configure multiple server addresses for each router for redundancy.
The no form of this command removes the TACACS+ configuration.
accounting
Syntax
accounting [record-type {start-stop | stop-only}]
no accounting
Context
config>system>security>tacplus
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.
Default
record-type stop-only
Parameters
- record-type start-stop
Specifies that a TACACS+ start packet is sent whenever the user executes a command.
- record-type stop-only
Specifies that a stop packet is sent whenever the command execution is complete.
authorization
Syntax
[no] authorization
Context
config>system>security>tacplus
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures TACACS+ authorization parameters for the system.
Default
no authorization
server
Syntax
server index address ip-address secret key [hash | hash2]
no server index
Context
config>system>security>tacplus
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.
Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from lowest index to the highest index for authentication requests.
The 7210 SAS-K 2F1C2T does not support IPv6 addresses for TACACS+ servers.
The no form of the command removes the server from the configuration.
Parameters
- index
Specifies the index for the TACACS+ server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from the lowest index to the highest index.
- address ip-address
Specifies the IP address of the TACACS+ server. Two TACACS+ servers cannot have the same IP address. An error message is generated if the server address is a duplicate.
- secret key
Specifies the secret key, up to 128 characters, to access the RADIUS server. This secret key must match the password on the RADIUS server.
- hash
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
- hash2
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
shutdown
Syntax
[no] shutdown
Context
config>system>security>tacplus
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command administratively enables the protocol.
Default
no shutdown
timeout
Syntax
timeout seconds
no timeout
Context
config>system>security>tacplus
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the number of seconds the router waits for a response from a TACACS+ server.
The no form of the command reverts to the default value.
Default
timeout 3
Parameters
- seconds
Specifies the number of seconds the router waits for a response from a TACACS+ server, expressed as a decimal integer.
shutdown
Syntax
[no] shutdown
Context
config>system>security>tacplus
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.
The no form of this command administratively enables the protocol which is the default state.
Default
no shutdown
use-default-template
Syntax
[no] use-default-template
Context
config>system>security>tacplus
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies whether the user template defined by this entry is to be actively applied to the TACACS+ user.
Generic 802.1x commands
dot1x
Syntax
[no] dot1x
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure 802.1x network access control on the 7210 SAS router.
The no form of this command removes the 802.1x configuration.
radius-plcy
Syntax
[no] radius-plcy name [create]
Context
config>system>security>dot1x
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures RADIUS server parameters for 802.1x network access control on the 7210 SAS router.
The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the 7210 SAS as opposed to the RADIUS server configured under the config>system>radius context which authenticates CLI login users who get access to the management plane of the 7210 SAS.
The no form of this command removes the RADIUS server configuration for 802.1x.
Parameters
- name
Specifies the name of the RADIUS policy, up to 32 characters.
- create
This keyword is mandatory to create a RADIUS policy.
retry
Syntax
retry count
no retry
Context
config>system>security>dot1x
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
The no form of this command reverts to the default value.
Default
retry 3
Parameters
- count
Specifies the retry count.
server
Syntax
server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]
no server index
Context
config>system>security> dot1x>radius-plcy
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command adds a dot1x server and configures the dot1x server IP address, index, and key values.
Up to five dot1x servers can be configured at any one time. Dot1x servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other dot1x servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.
The 7210 SAS-K 2F1C2T does not support IPv6 addresses for dot1x servers.
The no form of the command removes the server from the configuration.
Parameters
- server-index
Specifies the index for the dot1x server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.
- address ip-address
Specifies the IP address of the dot1x server. Two dot1x servers cannot have the same IP address. An error message is generated if the server address is a duplicate.
- secret key
Specifies the secret key, up to 128 characters, to access the dot1x server. This secret key must match the password on the dot1x server.
- hash
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
- hash2
Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
- acct-port acct-port
Specifies the UDP port number on which to contact the RADIUS server for accounting requests.
- auth-port auth-port
Specifies a UDP port number to be used as a match criteria.
- type server-type
Specifies the server type.
source-address
Syntax
source-address ip-address
no source-address
Context
config>system>security> dot1x>radius-plcy
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the NAS IP address to be sent in the RADIUS packet.
By default the System IP address is used in the NAS field.
The no form of the command reverts to the default value.
Parameters
- ip-address
Specifies the IP prefix for the IP match criterion in dotted decimal notation.
shutdown
Syntax
[no] shutdown
Context
config>system>security>dot1x
config>system>security>dot1x>radius-plcy
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command administratively disables the 802.1x protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.
The operational state of the entity is disabled as well as the operational state of any entities contained within.
The no form of the command administratively enables the protocol which is the default state.
Default
shutdown
timeout
Syntax
timeout seconds
no timeout
Context
config>system>security>dot1x>radius-plcy
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the number of seconds the router waits for a response from a RADIUS server.
The no form of the command reverts to the default value.
Default
timeout 3
Parameters
- seconds
Specifies the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer.
TCP Enhanced Authentication commands
keychain
Syntax
[no] keychain keychain-name
Context
config>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure keychain parameters. A keychain must be configured on the system before it can be applied to a session.
The no form of this command removes the keychain nodal context and everything under it from the configuration. If the keychain to be removed is in use when the no keychain command is entered, the command is not accepted and an error indicating that the keychain is in use is printed.
Parameters
- keychain-name
Specifies a keychain name, up to 32 characters, that identifies this particular keychain entry.
direction
Syntax
direction
Context
config>system>security>keychain
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the data type that indicates the TCP stream direction to apply the keychain.
bi
Syntax
bi
Context
config>system>security>keychain>direction
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures keys for both send and receive stream directions.
uni
Syntax
uni
Context
config>system>security>keychain>direction
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures keys for send or receive stream directions.
receive
Syntax
receive
Context
config>system>security>keychain>direction>uni
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables the receive nodal context. Entries defined under this context are used to authenticate TCP segments that are being received by the router.
send
Syntax
send
Context
config>system>security>keychain>direction>uni
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the send nodal context to sign TCP segments that are being sent by the router to another device.
entry
Syntax
entry entry-id key [authentication-key | hash-key | hash2-key] [hash | hash2] algorithm algorithm
no entry entry-id
Context
config>system>security>keychain>direction>bi
config>system>security>keychain>direction>uni>receive
config>system>security>keychain>direction>uni>send
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command defines a particular key in the keychain. Entries are defined by an entry-id. A keychain must have valid entries for the TCP enhanced authentication mechanism to work.
The no form of this command removes the entry from the keychain. If the entry is the active entry for sending, this causes a new active key to be selected (if one is available using the youngest key rule). If it is the only possible send key, the system rejects the command with an error indicating that the configured key is the only available send key.
If the key is one of the eligible keys for receiving, it is removed. If the key is the only possible eligible key, the command is not accepted, and an error message indicating that this is the only eligible key is displayed.
Parameters
- entry-id
Specifies an entry that represents a key configuration to be applied to a keychain.
- key
Specifies a key ID which is used along with keychain-name and direction to uniquely identify this particular key entry.
- authentication-key
Specifies the authentication-key that will be used by the encryption algorithm. The key is used to sign and authenticate a protocol packet.
The authentication-key can be any combination of letters or numbers.
- algorithm-algorithm
Specifies an enumerated integer that indicates the encryption algorithm to be used by the key defined in the keychain.
- hash-key | hash2-key
Specifies the hash key. The key can be any combination of ASCII characters up to 33 for the hash-key and 96 characters for the hash2-key in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (‟ ”).
This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.
- hash
Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.
- hash2
Specifies the key is entered in a more complex encrypted form.
begin-time
Syntax
begin-time [date] [hours-minutes] [UTC] [now] [forever]
Context
config>system>security>keychain>direction>bi>entry
config>system>security>keychain>direction>uni>receive>entry
config>system>security>keychain>direction>uni>send>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the calendar date and time after which the key specified by the keychain authentication key is used to sign and authenticate the protocol stream.
If no date and time is set, the begin-time is represented by a date and time string with all nulls and the key is not valid by default.
Parameters
- date hours-minutes
Specifies the date and time for the key to become active.
- now
Specifies that the key should become active immediately.
- forever
Specifies that the key should always be active.
end-time
Syntax
end-time [date] [hours-minutes] [UTC] [now] [forever]
Context
config>system>security>keychain>direction>uni>receive>entry
config>system>security>keychain>direction>uni>send>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign and authenticate the protocol stream.
Default
end-time forever
Parameters
- date
Specifies the calendar date after which the key specified by the authentication key is no longer eligible to sign and authenticate the protocol stream in the YYYY/MM/DD format. When no year is specified the system assumes the current year.
- hours-minutes
Specifies the time after which the key specified by the authentication key is no longer eligible to sign and authenticate the protocol stream in the hh:mm[:ss] format. Seconds are optional, and if not included, assumed to be 0.
- UTC
Indicates that time is specified with reference to Coordinated Universal Time in the input.
- now
Specifies a time equal to the current system time.
- forever
Specifies a time beyond the current epoch.
tolerance
Syntax
tolerance [seconds | forever]
Context
config>system>security>keychain>direction>bi>entry
config>system>security>keychain>direction>uni>receive>entry
config>system>security>keychain>direction>uni>send>entry
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the amount of time that an eligible receive key should overlap with the active send key or to never expire.
Parameters
- seconds
Specifies the duration that an eligible receive key overlaps with the active send key.
- forever
Specifies that an eligible receive key overlaps with the active send key forever.
tcp-option-number
Syntax
tcp-option-number
Context
config>system>security>keychain
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
Commands in this context configure the TCP option number to be placed in the TCP packet header.
receive
Syntax
receive option-number
Context
config>system>security>keychain>tcp-option-number
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the TCP option number accepted in TCP packets received.
Default
receive 254
Parameters
- option-number
Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header.
send
Syntax
send option-number
Context
config>system>security>keychain>tcp-option-number
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the TCP option number accepted in TCP packets sent.
Default
send 254
Parameters
- option-number
Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header.
dst-port
Syntax
dst-port [tcp/udp port-number] [mask]
no dst-port
Context
config>sys>sec>cpm>entry>match
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the TCP/UDP port to match the destination port of the packet. An entry containing L4 match criteria do not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.
The no form of this command removes the destination port match criterion.
Parameters
- dst-port-number
Specifies the destination port number to be used as a match criteria expressed as a decimal integer.
- mask
Specifies the 16 bit mask to be applied when matching the destination port.
lockout
Syntax
lockout all
lockout user user-name
Context
admin>clear
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command clears any lockouts for a specific user.
Parameters
- all
Specifies to clear the lockout for all users.
- user-name
Specifies the locked username, up to 32 characters.
IPsec commands
ipsec
Syntax
ipsec
Context
config
Platforms
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description
Commands in this context configure Internet Protocol security (IPsec) parameters. IPsec is a structure of open standards that uses cryptographic security services to ensure private, secure communications over IP networks.
static-sa
Syntax
static-sa sa-name [create]
no static-sa
Context
config>ipsec
Platforms
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description
This command configures an IPsec static security association (SA).
The no form of this command removes the configuration.
Parameters
- sa-name
Specifies the SA name, up to 32 characters.
- create
Mandatory keyword to create an SA instance.
authentication
Syntax
authentication auth-algorithm ascii-key ascii-string
authentication auth-algorithm hex-key hex-string [hash | hash2]
no authentication
Context
config>ipsec>static-sa
Platforms
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description
This command configures the authentication algorithm to use for an IPsec manual SA.
The no form of this command removes the configuration.
Default
no authentication
Parameters
- auth-algorithm
Specifies the authentication algorithm.
- ascii-string
Specifies the ASCII key, up to 16 characters for md5 and 20 characters for sha1.
The authentication key is stored an encrypted format. The minimum key length is configured using the config>system>security>password>minimum-length command.
The complexity of the key is configured using the commands in the config>system>security>password>complexity-rules context.
- hex-string
Specifies the hexadecimal key, up to 32 hexadecimal nibbles for md5 and up to 40 hexadecimal nibbles for sha1.
- hash
Keyword that stores all specified keys in encrypted format in the configuration file. The password must be entered in encrypted form when this keyword is configured. If this keyword is not configured, the key is assumed to be in a non-encrypted form.
- hash2
Keyword to store the key in a more complex encrypted form. If this keyword is not used, the less encrypted hash form is assumed.
description
Syntax
description description-string
no description
Context
config>ipsec>static-sa
Platforms
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description
This command creates a text description, which is stored in the configuration file, to help identify the content of the entity.The no form of this command removes the string from the configuration.
Parameters
- description-string
Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. It the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed in double quotes.
direction
Syntax
direction ipsec-direction
no direction
Context
config>ipsec>static-sa
Platforms
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description
This command configures the direction for an IPsec manual SA.
The no form of this command reverts to the default value.
Default
direction bidirectional
Parameters
- ipsec-direction
Specifies the direction.
protocol
Syntax
protocol ipsec-protocol
no protocol
Context
config>ipsec>static-sa
Platforms
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description
This command configures the security protocol to use for an IPsec manual SA.
The no form of this command reverts to the default value.
Default
protocol esp
Parameters
- ipsec-protocol
Specifies the security protocol.
spi
Syntax
spi spi
no spi
Context
config>ipsec>static-sa
Platforms
7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C
Description
This command configures the security parameter index (SPI) key value for an IPsec manual SA.
The no form of this command removes the configured SPI key value.
Parameters
- spi
Specifies the SPI value.
Show commands
Security commands
access-group
Syntax
access-group [group-name]
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays SNMP access group information.
Parameters
- group-name
Displays information for the specified access group.
Output
The following output is an example of SNMP access group information, and Output fields: access group describes the output fields.
Sample outputA:ALA-4# show system security access-group
===============================================================================
Access Groups
===============================================================================
group name security security read write notify
model level view view view
-------------------------------------------------------------------------------
snmp-ro snmpv1 none no-security no-security
snmp-ro snmpv2c none no-security no-security
snmp-rw snmpv1 none no-security no-security no-security
snmp-rw snmpv2c none no-security no-security no-security
snmp-rwa snmpv1 none iso iso iso
snmp-rwa snmpv2c none iso iso iso
snmp-trap snmpv1 none iso
snmp-trap snmpv2c none iso
===============================================================================
A:ALA-7#
Label |
Description |
---|---|
Group name |
Displays the access group name |
Security model |
Displays the security model required to access the views configured in this node |
Security level |
Specifies the required authentication and privacy levels to access the views configured in this node |
Read view |
Specifies the variable of the view to read the MIB objects |
Write view |
Specifies the variable of the view to configure the contents of the agent |
Notify view |
Specifies the variable of the view to send a trap about MIB objects |
authentication
Syntax
authentication [statistics]
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays system login authentication configuration and statistics.
Parameters
- statistics
Appends login and accounting statistics to the display.
Output
The following output is an example of system login authentication information, and Output fields: security authentication describes the output fields.
Sample outputA:ALA-4# show system security authentication
===============================================================================
Authentication sequence : radius tacplus local
===============================================================================
server address status type timeout(secs) single connection retry count
-------------------------------------------------------------------------------
10.10.10.103 up radius 5 n/a 5
10.10.0.1 up radius 5 n/a 5
10.10.0.2 up radius 5 n/a 5
10.10.0.3 up radius 5 n/a 5
-------------------------------------------------------------------------------
radius admin status : down
tacplus admin status : up
health check : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
A:ALA-4#
A:ALA-7>show>system>security# authentication statistics
===============================================================================
Authentication sequence : radius tacplus local
===============================================================================
server address status type timeout(secs) single connection retry count
-------------------------------------------------------------------------------
10.10.10.103 up radius 5 n/a 5
10.10.0.1 up radius 5 n/a 5
10.10.0.2 up radius 5 n/a 5
10.10.0.3 up radius 5 n/a 5
-------------------------------------------------------------------------------
radius admin status : down
tacplus admin status : up
health check : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
Login Statistics
===============================================================================
server address connection errors accepted logins rejected logins
-------------------------------------------------------------------------------
10.10.10.103 0 0 0
10.10.0.1 0 0 0
10.10.0.2 0 0 0
10.10.0.3 0 0 0
local n/a 1 0
===============================================================================
Authorization Statistics (TACACS+)
===============================================================================
server address connection errors sent packets rejected packets
-------------------------------------------------------------------------------
===============================================================================
Accounting Statistics
===============================================================================
server address connection errors sent packets rejected packets
-------------------------------------------------------------------------------
10.10.10.103 0 0 0
10.10.0.1 0 0 0
10.10.0.2 0 0 0
10.10.0.3 0 0 0
===============================================================================
A:ALA-7#
Label |
Description |
---|---|
Sequence |
Displays the sequence in which authentication is processed |
Server address |
Displays the IP address of the RADIUS server |
Status |
Displays the current status of the RADIUS server |
Type |
Displays the authentication type |
Timeout (secs) |
Displays the number of seconds the router waits for a response from a RADIUS server |
Single connection |
Enabled — Specifies a single connection to the TACACS+ server and validates everything via that connection. Disabled — Specifies the TACACS+ protocol operation is disabled. |
Retry count |
Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server |
Connection errors |
Displays the number of times a user has attempted to login irrespective of whether the login succeeded or failed |
Accepted logins |
Displays the number of times the user has successfully logged in |
Rejected logins |
Displays the number of unsuccessful login attempts |
Sent packets |
Displays the number of packets sent |
Rejected packets |
Displays the number of packets rejected |
keychain
Syntax
keychain [key-chain] [detail]
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays keychain information.
Parameters
- key-chain
Specifies the keychain name to display.
- detail
Displays detailed keychain information.
Output
The following output is an example of keychain information, and Output fields: keychain describes the output fields.
Sample output*A:ALA-A# show system security keychain test
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send : 254 Admin state : Up
TCP-Option number receive : 254 Oper state : Up
===============================================================================
*A:ALA-A#
*A:ALA-A# show system security keychain test detail
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send : 254 Admin state : Up
TCP-Option number receive : 254 Oper state : Up
===============================================================================
Key entries for key chain: test
===============================================================================
Id : 0
Direction : send-receive Algorithm : hmac-sha-1-96
Admin State : Up Valid : Yes
Active : Yes Tolerance : 300
Begin Time : 2007/02/15 18:28:37 Begin Time (UTC) : 2007/02/15 17:28:37
End Time : N/A End Time (UTC) : N/A
===============================================================================
Id : 1
Direction : send-receive Algorithm : aes-128-cmac-96
Admin State : Up Valid : Yes
Active : No Tolerance : 300
Begin Time : 2007/02/15 18:27:57 Begin Time (UTC) : 2007/02/15 17:27:57
End Time : 2007/02/15 18:28:13 End Time (UTC) : 2007/02/15 17:28:13
===============================================================================
Id : 2
Direction : send-receive Algorithm : aes-128-cmac-96
Admin State : Up Valid : Yes
Active : No Tolerance : 500
Begin Time : 2007/02/15 18:28:13 Begin Time (UTC) : 2007/02/15 17:28:13
End Time : 2007/02/15 18:28:37 End Time (UTC) : 2007/02/15 17:28:37
===============================================================================
*A:ALA-A#
Label |
Description |
---|---|
TCP-Option number send |
Displays the TCP option number to be inserted in the header of sent TCP packets |
Admin state |
Displays the administrative state of the keychain: up or down |
TCP-Option number receive |
Displays the TCP option number that is accepted in the header of received TCP packets |
Oper state |
Displays the operational state of the keychain: up or down |
Key entries for key chain: test |
|
Id |
Displays the ID of the key entry |
Direction |
Displays the stream direction on which keys are applied for this entry: send, receive, or send-receive |
Algorithm |
Displays the encryption algorithm to be used by this key entry |
Option |
Indicates the configured IS-IS encoding standard (indicates ‟none” if the associated protocol is not IS-IS) |
Admin State |
Displays the administrative state of the key entry: up or down |
Valid |
Indicates if the receive key is valid |
Active |
Indicates if the transmit (sent) key is active |
Tolerance |
Displays the tolerance time configured for support of both currently active and new keys |
Begin Time |
Displays the time at which the new key is used to sign and/or authenticate protocol packets |
Begin Time (UTC) |
Displays the begin time in UTC time |
End Time |
Displays the time at which the key is no longer eligible to authenticate protocol packets |
End Time (UTC) |
Displays the end time in UTC time |
management-access-filter
Syntax
management-access-filter
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays management access filter information for IP filters.
ip-filter
Syntax
ip-filter [entry entry-id]
Context
show>system>security>mgmt-access-filter
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays management-access IP filters.
Parameters
- entry-id
Displays information for the specified entry.
Output
The following output is an example of management access IP filter information, and Output fields: IP filter describes the output fields.
Sample output*7210-SAS>show>system>security>management-access-filter# ip-filter entry 1
===============================================================================
IPv4 Management Access Filter
===============================================================================
filter type : ip
Def. Action : permit
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 1
Description : (Not Specified)
Src IP : undefined
Src interface : undefined
Dest port : undefined
L4 Src port : undefined
Fragment : off
Protocol : undefined
Router : undefined
Action : none
Log : disabled
Matches : 0
===============================================================================
*7210-SAS>show>system>security>management-access-filter#
Label |
Description |
---|---|
Def. action |
Permit — Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted Deny — Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that an ICMP host unreachable message will be issued Deny-host-unreachable — Specifies that packets not matching the configured selection criteria in the filter entries are denied |
Entry |
Displays the entry ID in a policy or filter table |
Description |
Displays a text string describing the filter |
Src IP |
Displays the source IP address used for management access filter match criteria |
Src Interface |
Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry |
Dest port |
Displays the destination port |
Match |
Displays the number of times a management packet has matched this filter entry |
Protocol |
Displays the IP protocol to match |
Action |
Displays the action to take for packets that match this filter entry |
Flow label |
Displays the flow label value to match |
Next-header |
Displays the IPv6 next header value to match |
L4 Src port |
Displays the TCP/UDP source port number to match |
Fragment |
Indicates whether the entry should match a fragment |
Router |
Displays the router instance ID to match |
Log |
Indicates if packet matching this entry must be logged or not. On 7210 SAS, platforms logging is not supported. |
ipv6-filter
Syntax
ipv6-filter [entry entry-id]
Context
show>system>security>mgmt-access-filter
Platforms
Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T
Description
This command displays management-access IPv6 filters.
Parameters
- entry-id
Displays information for the specified entry.
Output
The following output is an example of management access IPV6 filter information, and Output fields: IPv6 filter describes the output fields.
Sample outputA:7210SAS# show system security management-access-filter ipv6-filter
===============================================================================
IPv6 Management Access Filter
===============================================================================
filter type : ipv6
Def. Action : permit
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 1
Description : (Not Specified)
Src IP : undefined
Flow label : undefined
Src interface : 1/1/1
Dest port : undefined
L4 Src port : undefined
Next-header : undefined
Router : undefined
Action : permit
Log : disabled
Matches : 0
===============================================================================
*A:7210SAS#
Label |
Description |
---|---|
Def. action |
Permit — Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted Deny — Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will be issued Deny-host-unreachable — Specifies that packets not matching the configured selection criteria in the filter entries are denied |
Entry |
Displays the entry ID in a policy or filter table |
Description |
Displays a text string describing the filter |
Src IP |
Displays the source IPv6 address used for management access filter match criteria |
Src Interface |
Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry |
Dest port |
Displays the destination port |
Flow label |
Displays the flow label value to match |
Protocol |
Displays the IPv6 protocol to match |
Action |
Displays the action to take for packets that match this filter entry |
Next-header |
Displays the IPv6 next header value to match |
L4 Src port |
Displays the TCP/UDP source port number to match |
Router |
Displays the router instance ID to match |
Log |
Indicates if packet matching this entry must be logged or not. On 7210 SAS platforms, logging is not supported. |
password-options
Syntax
password-options
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays configured password options.
Output
The following output is an example of configured password options information, and Output fields: password options describes the output fields.
Sample outputA:ALA-7# show system security password-options
===============================================================================
Password Options
===============================================================================
Password aging in days : none
Number of invalid attempts permitted per login : 3
Time in minutes per login attempt : 5
Lockout period (when threshold breached) : 10
Authentication order : radius tacplus local
Configured complexity options :
Minimum password length : 6
===============================================================================
A:ALA-7#
Label |
Description |
---|---|
Password aging in days |
Displays the number of days a user password is valid before the user must change their password |
Number of invalid attempts permitted per login |
Displays the number of unsuccessful login attempts allowed for the specified time |
Time in minutes per login attempt |
Displays the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out |
Lockout period (when threshold breached) |
Displays the lockout period in minutes where the user is not allowed to login |
Authentication order |
Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords |
Configured complexity options |
Displays the complexity requirements of locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the authentication section |
Minimum password length |
Displays the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the system security section |
profile
Syntax
profile [profile-name]
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays user profile information.
If the profile-name is not specified, then information for all profiles are displayed.
Parameters
- profile-name
Displays information for the specified user profile.
Output
The following output is an example of user profile information, and Output fields: security profile describes the output fields.
Sample outputA:ALA-7# show system security profile administrative
===============================================================================
User Profile
===============================================================================
User Profile : administrative
Def. Action : permit-all
-------------------------------------------------------------------------------
Entry : 10
Description :
Match Command: configure system security
Action : permit
-------------------------------------------------------------------------------
Entry : 20
Description :
Match Command: show system security
Action : permit
-------------------------------------------------------------------------------
No. of profiles:
===============================================================================
A:ALA-7#
Label |
Description |
---|---|
User Profile |
Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands |
Def. action |
Permit all — Permits access to all commands Deny — Denies access to all commands None — No action is taken |
Entry |
Displays the entry ID in a policy or filter table |
Description |
Displays the text string describing the entry |
Match Command |
Displays the command or subtree commands in subordinate command levels |
Action |
Permit all — Commands matching the entry command match criteria are permitted Deny — Commands not matching the entry command match criteria are not permitted |
No. of profiles |
Displays the total number of profiles listed |
source-address
Syntax
source-address
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays the source address configured for applications.
The 7210 SAS-K 2F1C2T does not support IPv6 source addresses.
Output
The following output is an example of source address information, and Output fields: source address describes the output fields.
Sample outputA:SR-7# show system security source-address
===============================================================================
Source-Address applications
===============================================================================
Application IP address/Interface Name Oper status
-------------------------------------------------------------------------------
telnet 10.20.1.7 Up
radius loopback1 Up
===============================================================================
A:SR-7#
Label |
Description |
---|---|
Application |
Displays the source-address application |
IP address Interface Name |
Displays the source address IP address or interface name |
Oper status |
Up — The source address is operationally up Down — The source address is operationally down |
ssh
Syntax
ssh
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays all SSH sessions as well as the SSH status and fingerprint.
Output
The following output is an example of SSH information, and Output fields: SSH describes the output fields.
Sample outputALA-7# show system security ssh
SSH is enabled
SSH preserve key: Enabled
SSH protocol version 1: Enabled
RSA host key finger print:c6:a9:57:cb:ee:ec:df:33:1a:cd:d2:ef:3f:b5:46:34
SSH protocol version 2: Enabled
DSA host key finger print:ab:ed:43:6a:75:90:d3:fc:42:59:17:8a:80:10:41:79
=======================================================
Connection Encryption Username
=======================================================
192.168.5.218 3des admin
-------------------------------------------------------
Number of SSH sessions : 1
=======================================================
ALA-7#
A:ALA-49>config>system>security# show system security ssh
SSH is disabled
A:ALA-49>config>system>security#
Label |
Description |
---|---|
SSH status |
SSH is enabled — Displays that SSH server is enabled SSH is disabled — Displays that SSH server is disabled |
SSH Preserve Key |
Enabled — Displays that preserve-key is enabled Disabled — Displays that preserve-key is disabled |
SSH protocol version 1 |
Enabled — Displays that SSH1 is enabled Disabled — Displays that SSH1 is disabled |
SSH protocol version 2 |
Enabled — Displays that SSH2 is enabled Disabled — Displays that SSH2 is disabled |
Key fingerprint |
Displays the key fingerprint, which is the server identity. Clients trying to connect to the server verify the server fingerprint. If the server fingerprint is not known, the client may not continue with the SSH session because the server may be spoofed. |
Connection |
Displays the IP address of the connected routers (remote client) |
Encryption |
des — Data encryption using a private (secret) key 3des — An encryption method that allows proprietary information to be transmitted over untrusted networks |
Username |
Displays the name of the user |
Number of SSH sessions |
Displays the total number of SSH sessions |
user
Syntax
user [user-id] [detail]
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays user registration information.
By default, if no command line options are specified, summary information for all users displays.
Parameters
- user-id
Displays information for the specified user, up to 32 characters.
- detail
Displays detailed user information to the summary output.
Output
The following output is an example of user registration information, and Output fields: security user describes the output fields.
Sample outputA:ALA-7# show system security user
===============================================================================
Users
===============================================================================
user id need user permissions password attempted failed local
new pwd console ftp snmp expires logins logins conf
-------------------------------------------------------------------------------
admin n y n n never 21 0 y
===============================================================================
A:ALA-7#
A:
ALA-7# show system security user detail
===============================================================================
Users
===============================================================================
user id need user permissions password attempted failed local
new pwd console ftp snmp expires logins logins conf
-------------------------------------------------------------------------------
admin n y n n never 21 0 y
===============================================================================
===============================================================================
User Configuration Detail
===============================================================================
user id : admin
-------------------------------------------------------------------------------
console parameters
-------------------------------------------------------------------------------
new pw required : no cannot change pw : no
home directory : cf1:\
restricted to home : no
login exec file :
profile : administrative
-------------------------------------------------------------------------------
snmp parameters
===============================================================================
A:ALA-7#
Label |
Description |
---|---|
User ID |
Displays the name of a system user |
Need new pwd |
Y — The user must change their password at the next login |
N — The user is not forced to change their password at the next login |
|
Cannot change pw |
Y — The user has the ability to change the login password |
N — The user does not have the ability to change the login password |
|
User permissions |
Console Y — The user is authorized for console access N — The user is not authorized for console access FTP Y — The user is authorized for FTP access N — The user is not authorized for FTP access SNMP Y — The user is authorized for SNMP access N — The user is not authorized for SNMP access |
Password expires |
Displays the number of days in which the user must change their login password |
Attempted logins |
Displays the number of times the user has attempted to log in regardless of whether the login succeeded or failed |
Failed logins |
Displays the number of unsuccessful login attempts |
Local conf |
Y — Password authentication is based on the local password database N — Password authentication is not based on the local password database |
Home directory |
Specifies the local home directory for the user for both console and FTP access |
Restricted to home |
Yes — The user is not allowed to navigate to a directory higher in the directory tree on the home directory device No — The user is allowed to navigate to a directory higher in the directory tree on the home directory device |
Login exec file |
Displays the user login exec file, which executes whenever the user successfully logs in to a console session |
view
Syntax
view [view-name] [detail]
Context
show>system>security
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays the SNMP MIB views.
Parameters
- view-name
Specifies the name of the view to display output, up to 32 characters. If no view name is specified, the complete list of views displays.
- detail
Displays detailed view information.
Output
The following output is an example of SNMP MIB view information, and Output fields: security view describes the output fields.
Sample outputA:ALA-48# show system security view
===============================================================================
Views
===============================================================================
view name oid tree mask permission
-------------------------------------------------------------------------------
iso 1 included
read1 1.1.1.1 11111111 included
write1 2.2.2.2 11111111 included
testview 1 11111111 included
testview 1.3.6.1.2 11111111 excluded
mgmt-view 1.3.6.1.2.1.2 included
mgmt-view 1.3.6.1.2.1.4 included
mgmt-view 1.3.6.1.2.1.5 included
mgmt-view 1.3.6.1.2.1.6 included
mgmt-view 1.3.6.1.2.1.7 included
mgmt-view 1.3.6.1.2.1.31 included
mgmt-view 1.3.6.1.2.1.77 included
mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.7 included
mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.11 included
no-security 1 included
no-security 1.3.6.1.6.3 excluded
no-security 1.3.6.1.6.3.10.2.1 included
no-security 1.3.6.1.6.3.11.2.1 included
no-security 1.3.6.1.6.3.15.1.1 included
on-security 2 00000000 included
-------------------------------------------------------------------------------
No. of Views:
===============================================================================
A:ALA-48#
Label |
Description |
---|---|
view name |
Displays the name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree. |
oid tree |
Displays the object identifier of the ASN.1 subtree |
mask |
Displays the bit mask that defines a family of view subtrees |
permission |
Indicates whether each view is included or excluded |
No. of Views |
Displays the total number of views |
Login control
users
Syntax
users
Context
show
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command displays console user login and connection information.
Output
The following output is an example of console user login and connection information, and Output fields: users describes the output fields.
Sample outputA:ALA-7# show users
===============================================================================
User Type From Login time Idle time
===============================================================================
testuser Console -- 21FEB2007 04:58:55 0d 00:00:00 A
-------------------------------------------------------------------------------
Number of users : 1
'A' indicates user is in admin mode
===============================================================================
A:ALA-7#
Label |
Description |
---|---|
User |
Displays the username |
Type |
Displays the access type that the user is authorized |
From |
Displays the originating IP address |
Login time |
Displays the time the user logged in |
Idle time |
Displays the amount of idle time for a specific login |
Number of users |
Displays the total number of users logged in |
Debug commands
radius
Syntax
radius
no radius
Context
debug>router
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command enables debugging for RADIUS connections.
The no form of this command disables RADIUS debugging.
Default
no radius
detail-level
Syntax
detail-level {low | medium | high}
no detail-level
Context
debug>router>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command configures the RADIUS debugging output detail level.
The no form of this command reverts to the default value.
Default
detail-level medium
Parameters
- low
Specifies that the output include the packet type, server address, length, and RADIUS server policy name.
- medium
Specifies that the output include the RADIUS attributes in the packets, in addition to all information included in low detail output.
- high
Specifies that the output include hexadecimal packet dumps, in addition to all information included in medium and low detail output.
packet-type
Syntax
packet-type [authentication] [accounting] [coa]
no packet-type
Context
debug>router>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the RADIUS packet types to include in the RADIUS debugging output.
The no form of this command reverts to the default values.
Default
packet-type authentication accounting coa
Parameters
- authentication
Specifies that RADIUS authentication packets should be included.
- accounting
Specifies that RADIUS accounting packets should be included.
- coa
Specifies that RADIUS change-of-authorization packets should be included.
radius-attr
Syntax
radius-attr type attribute-type [transaction]
radius-attr type attribute-type [transaction] {address | hex | integer | string} value attribute-value
radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type]
radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type] {address | hex | integer | string} value attribute-value
no radius-attr type attribute-type
no radius-attr type attribute-type {address | hex | integer | string} value attribute-value
no radius-attr vendor vendor-id type attribute-type
no radius-attr vendor vendor-id type attribute-type {address | hex | integer | string} value attribute-value
Context
debug>router>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the RADIUS attributes to include in medium or high detail RADIUS debugging output.
The no form of this command disables the inclusion of the specified attributes.
Parameters
- address
Specifies that the attribute-value is an IPv4 or IPv6 address, prefix, or subnet.
- attribute-type
Specifies the RADIUS attribute type.
- attribute-value
Specifies the value of the RADIUS attribute.
- encoding-type
Specifies the size of the vendor-type and vendor-length in bytes. The information is configured in the format xy, where x is the size of the vendor-type and y is the size of the vendor-length.
- hex
Specifies that the attribute-value is a binary string in hexadecimal format.
- integer
Specifies that the attribute-value is an integer.
- string
Specifies that the attribute-value is an ASCII string.
- transaction
Specifies that the system outputs both request and response packets in the same session, even if the response packet does not include the filtered attributes.
- vendor-id
Specifies the vendor ID for the vendor-specific attributes.
server-address
Syntax
server-address ip-address
no server-address ip-address
Context
debug>router>radius
Platforms
Supported on all 7210 SAS platforms as described in this document
Description
This command specifies the RADIUS server information to include in the RADIUS debugging output.
The no form of this command removes the specified RADIUS server from the RADIUS debugging output.
Parameters
- ip-address
Specifies the IPv4 or IPv6 address of the RADIUS server.