Security

This chapter provides information to configure security parameters.

Authentication, authorization, and accounting

This chapter describes authentication, authorization, and accounting (AAA) used to monitor and control network access on 7210 SAS routers. Network security is based on a multi-step process. The first step, authentication, validates a user’s name and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.

Another step, accounting, keeps track of the activity of a user who has accessed the network. The type of accounting information recorded can include a history of the commands executed, the amount of time spent in the session, the services accessed, and the data transfer size during the session. The accounting data can then be used to analyze trends, and also for billing and auditing purposes.

You can configure 7210 SAS routers to use local, Remote Authentication Dial In User Service (RADIUS), or Terminal Access Controller Access Control System Plus (TACACS+) security to validate users who attempt to access the router by console, Telnet, or FTP. You can select the authentication order which determines the authentication method to try first, second, and third.

7210 SAS supports the following security features:

  • RADIUS can be used for authentication, authorization, and accounting.

  • TACACS+ can be used for authentication, authorization, and accounting.

  • Local security can be implemented for authentication and authorization.

The following figure shows end-user access requests sent to a RADIUS server. After validating the usernames and passwords, the RADIUS server returns an access-accept message to the users on ALA-1 and ALA-2. The username and password from ALA-3 could not be authenticated, therefore access is denied.

Figure 1. RADIUS requests and responses

Authentication

Authentication validates a username and password combination when a user attempts to log in.

When a user attempts to log in through the console, Telnet, SSH, SCP, or FTP, the 7210 SAS client sends an access request to a RADIUS, TACACS+, or local database.

Transactions between the client and a RADIUS server are authenticated through the use of a shared secret. The secret is never transmitted over the network. User passwords are sent encrypted between the client and RADIUS server, which prevents someone snooping on an insecure network to learn password information.

If the RADIUS server does not respond within a specified time, the router issues the access request to the next configured servers. Each RADIUS server must be configured identically to guarantee consistent results.

If any RADIUS server rejects the authentication request, it sends an access reject message to the router. In this case, no access request is issued to any other RADIUS servers. However, if other authentication methods such as TACACS+ or local are configured, these methods are attempted. If no other authentication methods are configured, or all methods reject the authentication request, then access is denied.

For the RADIUS server selection, round-robin is used if multiple RADIUS servers are configured. Although, if the first alive server in the list cannot find a username, the router does not query the next server in the RADIUS server list and denies the access request. It may get authenticated on the next login attempt if the next selected RADIUS server has the appropriate username. It is recommended that the same user databases be maintained for RADIUS servers to avoid inconsistent behavior.

The user login is successful when the RADIUS server accepts the authentication request and responds to the router with an access accept message.

Implementing authentication without authorization for the 7210 SAS routers does not require the configuration of VSAS (Vendor Specific Attributes) on the RADIUS server. However, users, user access permissions, and command authorization profiles must be configured on each router.

Any combination of the following authentication methods can be configured to control network access from a 7210 SAS router.

Local authentication

Local authentication uses usernames and passwords to authenticate login attempts. The usernames and passwords are local to each router not to user profiles.

By default, local authentication is enabled. When one or more of the other security methods are enabled, local authentication is disabled. Local authentication is restored when the other authentication methods are disabled. Local authentication is attempted if the other authentication methods fail and local is included in the authentication order password parameters.

Locally, you can configure usernames and password management information. This is referred to as local authentication. Remote security servers such as RADIUS or TACACS+ are not enabled.

RADIUS authentication

Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize access to the requested system or service.

RADIUS allows you to maintain user profiles in a shared central database and provides better security, allowing a company to set up a policy that can be applied at a single administered network point.

RADIUS server selection

The RADIUS server selection algorithm is used by different applications:

  • RADIUS operator management

  • RADIUS authentication for Enhanced Subscriber Management

  • RADIUS accounting for Enhanced Subscriber Management

  • RADIUS PE-discovery

In all these applications, up to five RADIUS servers pools (per RADIUS policy, if used) can be configured.

The RADIUS server selection algorithm can work in two modes, either Direct mode or Round-robin mode.

Direct mode

The first server is used as the primary server. If this server is unreachable, the next server, based on the server index, of the server pool is used. This continues until either all servers in the pool have been tried or an answer is received.

If a server is unreachable, it is not used again by the RADIUS application for the next 30 seconds to allow the server to recover from its unreachable state. After 30 seconds, the unreachable server is available again for the RADIUS application. If, in these 30 seconds, the RADIUS application receives a valid response for a previously sent RADIUS packet on that unreachable server, the server is available for the RADIUS application again, immediately after reception of that response.

Round-robin mode

The RADIUS application sends the next RADIUS packet to the next server in the server pool. The same server non-reachability behavior is valid as in the Direct mode.

Server reachability detection

A server is reachable when the operational state is Up and a valid response is received within a timeout period that is configurable by the retry parameter on the RADIUS policy level.

A server is treated as not-reachable when the operational state is Down and the following occurs:

  • a timeout

    If a number of consecutive timeouts are encountered for a specific server. This number is configurable by the retry parameter at the RADIUS policy level.

  • a send failed

    If a packet cannot be sent to the RADIUS server because the forwarding path toward the RADIUS server is broken (for example, the route is not available or the interface is shut down), no retry mechanism is invoked and the next server in line is immediately used.

A server that is down can only be used again by the RADIUS algorithm after 30 seconds, unless during these 30 seconds, a valid RADIUS reply is received for that server. Then, the server is immediately marked Up again.

The operational state of a server can also be ‟unknown” if the RADIUS application is not aware of the state of the RADIUS server (for example, if the server was previously down but no requests have been sent to the server, it is not known yet whether the server is actually reachable).

Application-specific behavior
Operator management

The server access mode is fixed to Round-Robin (Direct cannot be configured for operator management). A health-check function is available for operator management, which can optionally be disabled. The health-check polls the server once every 10 seconds with an improbable user name. If the server does not respond to this health-check, it will be marked down.

If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.

RADIUS authentication

If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.

RADIUS accounting

The RADIUS accounting application tries to send all the concerned packets of a subscriber host to the same server. If that server is down, the packet is sent to the next server and, from that moment on, the RADIUS application uses that server to send its packets for that subscriber host.

RADIUS PE-discovery

If the first server in the list cannot find a user, the next server in the RADIUS server list is not queried and access is denied. If multiple RADIUS servers are used, it is assumed they all have the same user database.

The RADIUS PE-discovery application makes use of a 10 second time period instead of the generic 30 seconds and uses a fixed consecutive timeout value of 2 (see Server reachability detection).

As long as the Session-Timeout (attribute in the RADIUS user file) is specified, it is used for the polling interval. Otherwise, the configured polling interval is used (60 seconds by default).

TACACS+ authentication

Terminal Access Controller Access Control System, commonly referred to as TACACS is an authentication protocol that allows a remote access server to forward a user's log in password to an authentication server to determine whether access can be allowed to a specific system. TACACS is an encryption protocol and therefore less secure than the later Terminal Access Controller Access Control System Plus (TACACS+) and RADIUS protocols.

TACACS+ and RADIUS have largely replaced earlier protocols in the newer or recently updated networks. TACACS+ uses Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). TACACS+ is popular as TCP is thought to be a more reliable protocol. RADIUS combines authentication and authorization. TACACS+ separates these operations.

Password hashing

Note:

This feature is supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D.

The 7210 SAS supports two algorithms for user password hashing: bcrypt, which is the default algorithm, and PBKDF2. The PBKDF2 algorithm can use SHA2 (SHA-256) for hashing.

The password hashing algorithm can be configured using the configure system security password hashing command. The configured algorithm hashes all user passwords.

When password hashing is configured, the following sequence of steps occurs at login:

  1. The node checks the stored password and notes its hash algorithm.

  2. The password entered by the user is hashed with the noted algorithm, and the node compares the hash with the stored user password hash.

  3. If the entered and stored passwords are the same, and if the hash algorithm of the stored user password is different from the hash algorithm of the system password, the user is prompted to enter a new password two times to ensure password match. The node stores this new password in the RAM (not in the system configuration file).

    To store the new password in the configuration file, an admin user must perform the admin save command. If the admin save command is not executed, on the next reboot the hash algorithm of the stored user password may be different from the system hash, and the user must go through this process again from step 2.

After an upgrade to a software load that supports PBKDF2, the default password continues to be stored using the bcrypt algorithm. The following example describes the procedure to change the algorithm. In this example, the algorithm is changed to PBKDF2, and ‟User_name” can be any user:

  1. User_name logs in and runs the hashing command to change the algorithm.

  2. To save the algorithm change, an admin user performs an admin save command.

  3. To store User_name’s password using PBKDF2, the admin user changes User_name’s password.

  4. From this point onward, any new user passwords or changes to existing user passwords are stored using PBKDF2.

Authorization

The 7210 SAS supports local, RADIUS, and TACACS+ authorization to control the actions of specific users by applying a profile based on username and password configurations when network access is granted. The profiles are configured locally as well as VSAS on the RADIUS server. See Vendor-specific attributes (VSAS).

After a user is authenticated using RADIUS (or another method), the router can be configured to perform authorization. The RADIUS server can be used to:

  • download the user profile to the router

  • send the profile name that the node should apply to the router

Profiles consist of a suite of commands that the user is allowed or not allowed to execute. When a user issues a command, the authorization server looks at the command and the user information and compares it with the commands in the profile. If the user is authorized to issue the command, the command is executed. If the user is not authorized to issue the command, then the command is not executed.

Profiles must be created on each router and should be identical for consistent results. If the profile is not present, then access is denied.

Supported authorization configurations lists the following scenarios:

  • Remote (RADIUS) authorization cannot be performed if authentication is done locally (on the router).

  • The reverse scenario is supported if RADIUS authentication is successful and no authorization is configured for the user on the RADIUS server, then local (router) authorization is attempted, if configured in the authorization order.

When authorization is configured and profiles are downloaded to the router from the RADIUS server, the profiles are considered temporary configurations and are not saved when the user session terminates.

Table 1. Supported authorization configurations

User type

RADIUS supplied profile

Configured user

Not Supported

RADIUS server configured user

Supported

TACACS+ server configured user

Not Supported

When using authorization, maintaining a user database on the router is not required. Usernames can be configured on the RADIUS server. Usernames are temporary and are not saved in the configuration when the user session terminates. Temporary user login names and their associated passwords are not saved as part of the configuration.

Local authorization

Local authorization uses user profiles and user access information after a user is authenticated. The profiles and user access information specifies the actions the user can and cannot perform.

By default, local authorization is enabled. Local authorization is disabled only when a different remote authorization method is configured (RADIUS authorization). Local authorization is restored when RADIUS authorization is disabled.

You must configure profile and user access information locally.

RADIUS authorization

RADIUS authorization grants or denies access permissions for a router. Permissions include the use of FTP, Telnet, SSH (SCP), and console access. When granting Telnet, SSH (SCP) and console access to the router, authorization can be used to limit what CLI commands the user is allowed to issue and which file systems the user is allowed or denied access.

TACACS+ authorization

Like RADIUS authorization, TACACS+ grants or denies access permissions for a router. The TACACS+ server sends a response based on the username and password.

TACACS+ separates the authentication, authorization, and accounting function. RADIUS combines the authentication and authorization functions.

Accounting

When enabled, RADIUS accounting sends command line accounting from the router to the RADIUS server. The router sends accounting records using UDP packets at port 1813 (decimal).

The router issues an accounting request packet for each event requiring the activity to be recorded by the RADIUS server. The RADIUS server acknowledges each accounting request by sending an accounting response after it has processed the accounting request. If no response is received in the time defined in the timeout parameter, the accounting request must be retransmitted until the configured retry count is exhausted. A trap is issued to alert the NMS (or trap receiver) that the server is unresponsive. The router issues the accounting request to the next configured RADIUS server (up to five).

User passwords and authentication keys of any type are never transmitted as part of the accounting request.

RADIUS accounting

Accounting tracks user activity to a specified host. When RADIUS accounting is enabled, the server is responsible for receiving accounting requests and returning a response to the client indicating that it has successfully received the request. Each command issued on the router generates a record sent to the RADIUS server. The record identifies the user who issued the command and the time-stamp.

Accounting can be configured independently from RADIUS authorization and RADIUS authentication.

TACACS+ accounting

The 7210 SAS allows you to configure the type of accounting record packet that is to be sent to the TACACS+ server when specified events occur on the device. The accounting record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent. Start/stop messages are only sent for individual commands, not for the session.

When a user logs in to request access to the network using Telnet or SSH, or a user enters a command for which accounting parameters are configured, or a system event occurs, such as a reboot or a configuration file reload, the router checks the configuration to see if TACACS+ accounting is required for the particular event.

If TACACS+ accounting is required, then, depending on the accounting record type specified, sends a start packet to the TACACS+ accounting server which contains information about the event.

The TACACS+ accounting server acknowledges the start packet and records information about the event. When the event ends, the device sends a stop packet. The stop packet is acknowledged by the TACACS+ accounting server.

Security controls

You can configure routers to use RADIUS, TACACS+, and local authentication to validate users requesting access to the network. The order in which password authentication is processed among RADIUS, TACACS+ and local passwords can be specifically configured. For example, the authentication order can be configured to process authorization through TACACS+ first, then RADIUS for authentication and accounting. Local access can be specified next in the authentication order if that the RADIUS and TACACS+ servers are not operational.

The following table lists the types of security supported by each protocol.

Table 2. Security methods capabilities

Method

Authentication

Authorization

Accounting 1

Local

Y

Y

N

TACACS+

Y

Y

Y

RADIUS

Y

Y

Y

When a server does not respond

A trap is issued if a RADIUS server is unresponsive. An alarm is raised if RADIUS is enabled with at least one RADIUS server and no response is received to either accounting or user access requests from any server.

Periodic checks to determine if the primary server is responsive again are not performed. If a server is down, it is not contacted for 5 minutes. If a login is attempted after 5 minutes, the server is contacted again. When a server does not respond with the health check feature enabled, the server’s status is checked every 30 seconds. Health check is enabled by default. When a service response is restored from at least one server, the alarm condition is cleared. Alarms are raised and cleared on the Nokia Fault Manager or other third party fault management servers.

The servers are accessed in order from lowest to highest specified index (from 1 to 5) for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received, implying a lower indexed server is not available. If a response from the server is received, no other server is queried.

Access request flow

In Security flow, the authentication process is defined in the config>system>security> password context. The authentication order is determined by specifying the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords. This example uses the authentication order of RADIUS, then TACACS+, and finally, local. An access request is sent to RADIUS server 1. One of two scenarios can occur. If there is no response from the server, the request is passed to the next RADIUS server with the next lowest index (RADIUS server 2) and so on, until the last RADIUS server is attempted (RADIUS server 5). If server 5 does not respond, the request is passed to the TACACS+ server 1. If there is no response from that server, the request is passed to the next TACACS+ server with the next lowest index (TACACS+ server 2) and so on.

If a request is sent to an active RADIUS server and the username and password is not recognized, access is denied and passed on to the next authentication option, in this case, the TACACS+ server. The process continues until the request is either accepted, denied, or each server is queried. Finally, if the request is denied by the active TACACS+ server, the local parameters are checked for username and password verification. This is the last chance for the access request to be accepted.

Figure 2. Security flow

Control and management traffic protection

7210 SAS platforms support an extensive set of configurable mechanisms to protect the CPU from being flooded with control or management traffic.

The protection mechanisms are a set of configurable hardware-based filters, classification, queuing, and rate-limiting functions that drop unwanted traffic before it reaches the control processor.

  • In-band traffic extracted from the line cards to the control processing module (CPM) on chassis-based systems, or extracted from front-panel ports on fixed form-factor devices:

    • line card or fixed form-factor platform features:

      • ACLs filters - IPv4, IPv6, and MAC

      • anti-spoofing, uRPF (supported only on the 7210 SAS-K 3SFP+ 8C)

    • CPM features:

      • centralized CPU protection

  • out-of-band and in-band traffic:

    • management access filters

CPM management access filters

CPM traffic is extracted from the data plane and sent to the CPM for processing. Packets from all network and access ports can be filtered using management access filters, which use CPU resources. Packets originating from a management Ethernet port can also be filtered using management access filters.

CPM protocols and ports

Nokia recommends using a strict CPM management access filter that allows traffic from trusted IP subnets for protocols and ports actively used in the router and explicitly drops other traffic.

The following table identifies the protocols and TCP/UDP ports used per application on 7210 SAS platforms. The source port and destination port reflect the CPM management access filter entry configuration for traffic that is ingressing the router and is sent to the CPM.

Note:

Out-of-band management ports are not supported on the 7210 SAS platforms as described in this guide.

Table 3. Protocols and TCP/UDP ports used by applications on 7210 SAS platforms

TCP/UDP port number

IP protocol

Application description

Protocols and ports available for in-band and out-of-band management on 7210 SAS platforms

Source

Destination

SAS-D

SAS-Dxp

SAS-K 2F2C2T

SAS-K 2F6C4T

SAS-K 3SFP+ 8C

In-band

In-band

In-band

In-band

In-band

BFD application

3784

UDP

BFD control 1 hop BFD

3785

UDP

BFD echo

4784

UDP

BFD control multi-hop

BGP application

179

TCP

BGP: server terminated TCP sessions

179

TCP

BGP: client responses for initiated TCP session

DHCPv4 application

67

67

UDP

DHCPv4: relay agent to server; server to relay agent; relay agent to relay agent

68

67

UDP

DHCPv4: client to relay agent; client to server

67

68

UDP

DHCPv4: relay agent to server; relay agent to client

DHCPv6 application

546

547

UDP

DHCPv6: client to server; client to relay agent

547

546

UDP

DHCPv6: server to relay agent; relay agent to server; relay agent to relay agent

DNS application

53

UDP

DNS Client

FTP application

20

TCP

FTP server data and active FTP client

21

TCP

FTP server control

20

TCP

FTP client data

v

21

TCP

FTP client control

GRE application

N/A

N/A

GRE

GRE

ICMP application

N/A

N/A

ICMP

ICMP

IGMP application

N/A

N/A

IGMP

IGMP

LDP application

646

UDP

LDP hello adjacency

646

TCP

LDP/T-LDP: terminated TCP sessions

646

TCP

LDP/T-LDP: responses for initiated TCP sessions

MC-APS application

1025

UDP

Multi-chassis LAG

MCS application

45067

TCP

Multi-chassis synchronization: terminated TCP session

45067

TCP

Multi-chassis synchronization: responses for initiated TCP session

NETCONF application

830

TCP

NETCONF

NTP application

123

UDP

NTP server

123

UDP

NTP client

OAM application

3503

UDP

LSP ping

33408 to 33535

UDP

OAM traceroute

OSPF application

N/A

N/A

OSPF

OSPF

PCEP application

4189

TCP

Path Computation Element Protocol (PCEP)

PIM application

3232

UDP

PIM MDT

N/A

N/A

PIM

PIM

PTP application

319

UDP

1588 PTP event

320

UDP

1588 PTP general

RADIUS application

1812

UDP

Radius authentication

1813

UDP

Radius accounting

RSVP application

N/A

N/A

RSVP

RSVP

SNMP application

161

UDP

SNMP server; SET and GET commands

SSH application

22

TCP

SSH server and terminated TCP session

22

TCP

SSH client and responses for initiated TCP sessions

TACACS application

49

TCP

TACACS client and responses for initiated TCP sessions

TELNET application

23

TCP

TELNET server

TWAMP application

862

TCP

TWAMP control: terminated TCP session

Any

UDP

TWAMP test

1 to 65535

UDP

TWAMP light (per router instance)

VRRP application

N/A

N/A

VRRP

VRRP

Management Access Filter

Note:

IPv6 Management Access Filters (MAFs) are not supported on the 7210 SAS-K 2F1C2T.

MAFs are software-based filters used to restrict traffic extracted from the data plane and restrict traffic from the management port to the CPU.

MAF packet match

Two different management-access-filter policies can be configured: ip-filter and ipv6-filter.

The following are the MAF packet match rules:

  • Each MAF policy is an ordered list of entries; therefore, entries must be sequenced correctly from the most to the least explicit.

  • If multiple match criteria are specified in a single MAF policy entry, all criteria must be met for the packet to be considered a match against that policy entry (logical AND).

  • Any match criteria not explicitly defined is ignored during a match.

  • A MAF filter policy entry defined without a match criteria is inactive.

  • A MAF filter policy entry with match criteria defined but no action configured inherits the default action defined at the management-access-filter level.

  • The management-access-filter default-action applies individually per IPv4 or IPv6 filter policies that are in a no shutdown state.

MAF IPv4/IPv6 filter entry match criteria

The following table lists the supported IPv4 and IPv6 match criteria.

Table 4. IPv4 and IPv6 match criteria

Criteria

Description

dst-port

Matches the specified port value against the destination port number of the UDP or TCP packet header.

flow-label

Matches the IPv6 flow label.

fragment

Matches fragmented or non-fragmented IP packets.

next-header

Matches the specified upper-layer protocol (such as TCP, UDP, or IGMPv6) against the next-header field of the IPv6 packet header. "*" can be used to specify a TCP or UDP upper-layer protocol match (logical OR). Next-header matching also allows matching on presence of a subset of IPv6 extension headers. See Management Access Filter commands for details about which extension header match is supported.

l4-source-port

Matches the specified port value against the L4 source port number of the UDP or TCP packet header.

protocol

Matches the specified protocol against the Protocol field in the IPv4 packet header (for example, TCP, UDP, or IGMP) of the outer IPv4. "*" can be used to specify TCP or UDP upper-layer protocol match (logical OR).

router

Matches the router instance that packets are ingressing from for this filter entry.

src-ip

Matches the specified source IPv4 or IPv6 address prefix and mask against the source IPv4 or IPv6 address field in the IP packet header.

src-port

Matches the packets that are ingressing from this port.

MAF policy action

MAFs allow actions to permit or deny (or use the deny-host-unreachable response for IP filters) traffic.

MAF policy statistics and logging

The management access filter match count can be displayed using show commands. Logging is recorded in the system security logs.

Centralized CPU protection

The 7210 SAS provides rate limiting mechanisms to protect the CPM/CFM processing resources of the router. Centralized CPU protection is a centralized rate-limiting function that operates on the CPM to limit traffic destined for the CPUs. The CPU protection mechanism is not user-configurable. It is supported on all 7210 SAS platforms. For historical reasons, the term ‟centralized CPU protection” is called ‟CPU protection” in this user guide.

When it is configured on a node, the CPU protection mechanism protects the CPU from a DoS attack by limiting the amount of ingress port traffic destined for the CPM to be processed by its CPU. On the 7210 SAS, a set of dedicated policers are used to limit the amount of traffic to the software-defined rate (the rate is not user-configurable) before the packets are queued to the CPU queues. A strict policy scheduler schedules packets from the CPU queues. A CPU queue traffic shaper, configured to a pre-defined rate by software, is used to limit the amount of traffic for a protocol or group of protocols using the CPU queue. In most cases, access interfaces and network uplinks do not share the policers and CPU queues used to manage the amount of traffic sent to the CPM. Access interfaces (typically used to deliver customer services) use a dedicated set of policers and CPU queues; a separate set is used for network facing ports (that is, network ports, hybrid ports, and access-uplink ports).

ETH-CFM ingress squelching

Note: ETH-CFM squelching is only user configurable on the 7210 SAS-Dxp. On the 7210 SAS-K platforms, CFM packets are dropped by default when received on the passive side of the UP MEP that has a level less than or equal to the level of the configured MEP.

The 7210 SAS implements a mechanism to protect the CPU on extraction when a management port (MP) is configured. It is also important to protect the ETH-CFM architecture deployed in the service provider network. This protection mechanism varies from CPU protection. This model prevents the ETH-CFM frames at the service provider MD-levels from gaining access to the network even when extraction is not in place. ETH-CFM squelching drops all ETH-CFM packets at or below the configured MD-level. The ETH-CFM squelch feature is supported at ingress only.

ETH-CFM hierarchical model shows a typical ETH-CFM hierarchical model with a subscriber ME (6), test ME (5), EVC ME (4), and an operator ME (2). This model provides the necessary transparency at each level of the architecture. For security reasons, it may be necessary to prevent errant levels from entering the service provider network at the UNI or other untrusted interconnection points. Configuring squelching at level four on both UNI-N interconnection ensures that ETH-CFM packets matching the SAP delimited configuration silently discards ETH-CFM packets at ingress.

Figure 3. ETH-CFM hierarchical model

Squelching configuration uses a single MD-level (0 to 7) to silently drop all ETH-CFM packets matching the SAP delimited configuration at the specified MD-level. For example, if a squelch level is configured at MD-level 4, the configuration silently discards MD-levels 4, assuming there is a SAP match.

Caution: Use extreme caution when deploying this feature.

The operator can configure down MEPs and ingress MIPs that conflict with the squelched levels. This means that any existing MEP or MIP that is processing ingress CFM packets on a SAP is interrupted as soon as squelching is enabled. These MPs are unable to receive any ingress ETH-CFM frames because squelching is processed before ETH-CFM extraction.

CPU protection for ETH-CFM is still required in ETH-CFM hierarchical model because the subscriber ME (6) and the test ME (5) enter the network across an untrusted connection, the UNI. Squelching is processed first, followed by the CPU protection for ETH-CFM.

Note: The dot1q-range SAP on the7210 SAS-Dxp supports primary VLANs on up MEPs. This support is subject to the ETH-CFM squelch function.

CPU protection is used to control access to the CPU resources when processing is required. Squelching is required when the operator is protecting the ETH-CFM architecture from external sources. The difference between the two protection mechanisms is described in the following table.

Note: CPU protection is not user configurable on 7210 SAS platforms.
Table 5. CPU protection and squelching
Description CPU protection for ETH-CFM ETH-CFM squelching

Ingress filtering

Yes

Yes

Egress filtering

Yes

Granularity

All MPs configured on this node

Level

Rate

System-defined rate (not user configurable)

Silent drop

Primary VLAN support

Rate shared with all MPs

Exposed to squelch

Extraction

Requires MEP or MIP to extract

No MEP or MIP required

Use the following commands to display squelching information.
show service service-id all
show service sap-using eth-cfm squelch-ingress-levels

show service sap-using squelch-ingress-levels

=========================================================================
ETH-CFM Squelching
=========================================================================
PortId             SvcId      Squelch Level
-------------------------------------------------------------------------
6/1/1:100.*        1          0 1 2 3 4 5 6 7
lag-1:100.*        1          0 1 2 3 4 
6/1/1:200.*        2          0 1 2 
lag-1:200.*        2          0 1 2 3 4 5 
-------------------------------------------------------------------------
Number of SAPs: 4
------------------------------------------------------------------------- 

Vendor-specific attributes (VSAS)

The 7210 SAS supports the configuration of Nokia-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAS) and are discussed in RFC 2138. VSAS must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the format of their VSA. The attribute-specific field is dependent on the vendor's definition of that attribute. The Nokia-defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527, the vendor ID number.

The PE-record entry is required to support the RADIUS Discovery for Layer 2 VPN feature. A PE-record is only relevant if the RADIUS Discovery feature is used, not for the standard RADIUS setup.

The following RADIUS vendor-specific attributes (VSAS) are supported by Nokia:

  • timetra-access ftp console both

    This is a mandatory command that must be configured. This command specifies if the user has FTP and /or console (serial port, Telnet, and SSH) access.

  • timetra-profile profile-name

    When configuring this VSA for a user, it is assumed that the user profiles are configured on the local router and the following applies for local and remote authentication:

    • The authentication-order parameters configured on the router must include the local keyword.

    • The username may or may not be configured on the router.

    • The user must be authenticated by the RADIUS server

Up to eight valid profiles can exist on the router for a user. The sequence in which the profiles are specified is relevant. The most explicit matching criteria must be ordered first. The process stops when the first complete match is found.

If all the above mentioned conditions are not met, then access to the router is denied and a failed login event/trap is written to the security log.

  • timetra-default-action permit-all | deny-all | none

    This is a mandatory command that must be configured even if the timetra-cmd VSA is not used. This command specifies the default action when the user has entered a command and no entry configured in the timetra-cmd VSA for the user resulted in a match condition.

  • timetra-cmd match-string

    Configures a command or command subtree as the scope for the match condition.

  • The command and all subordinate commands in subordinate command levels are specified.

  • Configure from most specific to least specific. The 7210 SAS implementation exits on the first match, subordinate levels cannot be modified with subsequent action commands. Subordinate level VSAS must be entered before this entry is effective.

  • All commands at and below the hierarchy level of the matched command are subject to the timetra-action VSA.

  • Multiple match-strings can be entered in a single timetra-cmd VSA. Match strings must be semicolon (;) separated (maximum string length is 254 characters).

One or more timetra-cmd VSAS can be entered followed by a single timetra-action VSA:

  • timetra-action deny | permit

    Causes the permit or deny action to be applied to all match strings specified since the last timetra-action VSA.

  • timetra-home-directory home-directory string

    Specifies the home directory that applies for the FTP and CLI user. If this VSA is not configured, the home directory is Compact Flash slot 1 (cf1:).

  • timetra-restrict-to-home-directory true | false

    Specifies if user access is limited to their home directory (and directories and files subordinate to their home directory). If this VSA is not configured the user is allowed to access the entire file system.

  • timetra-login-exec login-exec-string

    Specifies the login exec file that is executed when the user login is successful. If this VSA is not configured no login exec file is applied.

If no VSAS are configured for a user, the following applies:

  • The password authentication-order command on the router must include local.

  • The username must be configured on the router.

  • The user must be successfully be authenticated by the RADIUS server

  • A valid profile must exist on the router for this user.

If all conditions listed above are not met, then access to the router is denied and a failed login event/trap is written to the security log.

The complete list of TiMetra VSAS is available on a file included on the compact flash shipped with the image.

User (VSA) configuration example

The following example displays a user-specific VSA configuration. This configuration shows attributes for users named ruser1 and ruser2.

The following example shows that user ruser1 is granted console access. ruser1’s home directory is in compact flash slot 3 and is limited to the home directory. The default action allows all packets when matching conditions are not met. The timetra-cmd parameters allow or deny the user to use the tools>telnet>configure system security commands. Matching strings specified in the timetra-action command are denied for this user because the timetra-action is deny.

The user ruser2 is granted FTP access.The default action denies all packets when matching conditions are not met. The timetra-cmd parameters allow the user to use the configure, show, and debug commands. Matching strings specified in the timetra-action command are permitted for this user.

users.timetra

ruser1 Auth-Type := System, Password == "ruser1"
Service-Type = Login-User,
Idle-Timeout = 600,
Timetra-Access = console,
Timetra-Home-Directory = cf1:
Timetra-Restrict-To-Home = true
Timetra-Default-Action = permit-all,
Timetra-Cmd  = "tools;telnet;configure system security",
Timetra-Action = deny

ruser2 Auth-Type := System, Password == "ruser2"
Service-Type = Login-User,
Idle-Timeout = 600,
Timetra-Access = ftp
Timetra-Default-Action = deny-all,
Timetra-Cmd  = "configure",
Timetra-Cmd  = "show",
Timetra-Action = permit,
Timetra-Cmd = "debug",
Timetra-Action = permit,

Other security features

This sections describes security features supported on the 7210 SAS.

Security algorithms

Note:

This section applies only to the 7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C.

The following table lists the security algorithms supported per protocol.

Table 6. Security algorithm support per protocol

Protocol

Clear

text

MD5

HMAC-

MD5

HMAC-

SHA1-96

HMAC-

SHA1

HMAC-

SHA256

AES-128-

CMAC-96

OSPF

IS-IS

RSVP

BGP

LDP

Secure Shell (SSH)

Secure Shell Version 1 (SSH) is a protocol that provides a secure, encrypted Telnet-like connection to a router. A connection is always initiated by the client (the user). Authentication takes places by one of the configured authentication methods (local, RADIUS, or TACACS+). With authentication and encryption, SSH allows for a secure connection over an insecure network.

The 7210 SAS supports Secure Shell (SSH) Version 2 (SSH2). SSH1 and SSH2 are different protocols and encrypt at different parts of the packets. SSH1 uses a server as well as host keys to authenticate systems whereas SSH2 only uses host keys. SSH2 does not use the same networking implementation that SSH1 does and is considered a more secure, efficient, and portable version of SSH.

Note:

  • SSH for IPv4 is supported on all platforms as described in this document.

  • SSH for IPv6 is supported on all platforms as described in this document, except the 7210 SAS-K 2F1C2T.

SSH runs on top of a transport layer (like TCP or IP), and provides authentication and encryption capabilities. SSH supports remote login to another computer over a network, remote command execution, and file relocation from one host to another.

The 7210 SAS has a global SSH server process to support inbound SSH and SCP sessions initiated by external SSH or SCP client applications. The SSH server supports SSHv1. Note that this server process is separate from the SSH and SCP client commands on the routers which initiate outbound SSH and SCP sessions.

Inbound SSH sessions are counted as inbound Telnet sessions for the purposes of the maximum number of inbound sessions specified by Login Control. Inbound SCP sessions are counted as inbound FTP sessions by Login Control.

When the SSH server is enabled, an SSH security key is generated. Unless the perserve-key command option is configured for SSH, the security key is only valid until the node is restarted or the SSH server is stopped and restarted. The key size is non-configurable and set to 2048 for SSHv2 RSA, and to 1024 for SSHv2 DSA and SSHv1 RSA. When the server is enabled, both inbound SSH and SCP sessions are accepted, as long as the session is properly authenticated.

When the global SSH server process is disabled, no inbound SSH or SCP sessions are accepted.

When using SCP to copy files from an external device to the file system, the SCP server accepts either forward slash (‟/”) or backslash (‟\”) characters to delimit directory and filenames. Similarly, the SCP client application can use either slash or backslash characters, but not all SCP clients treat backslash characters as equivalent to slash characters. In particular, UNIX systems often interpret the backslash character as an ‟escape” character which does not get transmitted to the SCP server. For example, a destination directory specified as ‟cf1:\dir1\file1” will be transmitted to the SCP server as ‟cf1:dir1file1” where the backslash escape characters are stripped by the SCP client system before transmission. On systems where the client treats the backslash like an ‟escape” character, a double backslash ‟\\” or the forward slash ‟/” can typically be used to properly delimit directories and the filename.

SSH PKI authentication

Note:

This feature is supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D.

The SSH server supports a public key authentication provided that the server has been previously configured to know the client's public key.

Using public key authentication, also known as Public Key Infrastructure (PKI), can be more secure than the existing username and password method because of the following:

  • A user typically reuses the same password with multiple servers. If the password is compromised, the user must reconfigure the password on all affected servers.

  • A password is not transmitted between the client and server using PKI. Instead the sensitive information (the private key) is kept on the client. Consequently, the password is less likely to be compromised.

The 7210 SAS supports server-side SSHv2 public key authentication, but does not include a key-generation utility.

PKI should be configured in the system-level configuration where one or more public keys may be bound to a username. This configuration does not affect any other system security or login functions.

PKI has preference over password or keyboard authentication. PKI is supported using only local authentication. PKI authentication is not supported on TACACS+ or RADIUS.

User public key generation

Before SSH can be used with PKI, the client must generate a public/private key pair. This is typically supported by the SSH client software. For example, PuTTY supports a utility called PuTTYGen that generates key pairs.

The 7210 SAS currently supports only Rivest, Shamir, and Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) user public keys.

If the SSH client software uses PuTTY, it must first generate a key pair using PuTTYGen. The client sets the key type to SSH-2 RSA and configures the number of bits to be used for the key. The client can also configure a passphrase to store the key locally in encrypted form. If the passphrase is configured, it acts as a password that the client must enter to use the private key. If a passphrase is not configured, the private key is stored in plain text locally.

Next, use the config>system>security>user>public-keys command to configure the public key for the client (the public key is obtained as part of the key pair). On the 7210 SAS, the user can program the public key using CLI commands (accessed through Telnet/SSH) or SNMP.

Note:

The preceding process to generate a key pair is an example only. This process is not executed on a 7210 SAS node, but on a third-party node acting as the SSH client or any other node.

MAC client and server list

The 7210 SAS supports a configurable client and server MAC list for SSHv2, which allows the user to add or remove Message Authentication Code (MAC) algorithms from the list. The user can program the strong Hashed Message Authentication Code (HMAC) algorithms on top of the configurable MAC list (for example, lowest index in the list) to be negotiated first between the client and server. The first algorithm in the list that is supported by both the client and the server is the one that is agreed upon.

There are two configurable MAC lists:

  • client list

  • server list

The default client and server MAC list includes all supported algorithms in the following preference order:

  1. mac 200 name hmac-sha2-512

  2. mac 210 name hmac-sha2-256

  3. mac 215 name hmac-sha1

  4. mac 220 name hmac-sha1-96

  5. mac 225 name hmac-md5

  6. mac 230 name hmac-ripemd160

  7. mac 235 name hmac-ripemd160-openssh-com

  8. mac 240 name hmac-md5-96

Note:

The configurable MAC list is only supported for SSHv2 and not for SSHv1. SSHv1 only supports 32-bit CRC.

Cipher client and server list

The 7210 SAS supports cipher client and server lists. The user can add or remove the required SSH cipher client and server algorithms to be negotiated. The list is an index list with the lower index having higher preference in the SSH negotiation. The lowest index algorithm in the list is negotiated first in SSH connections and is on top of the negotiation list to the peer.

There is a separate cipher list for SSHv1 and SSHv2 for both client and server.

The default client cipher list for SSHv1 includes all supported algorithms in the following preference order:

  1. cipher 200 name 3des

  2. cipher 205 name blowfish

  3. cipher 210 name des

The default server cipher list for SSHv1 includes algorithms in the following preference order:

  1. cipher 200 name 3des

  2. cipher 205 name blowfish

The default server and client lists for SSHv2 include all supported algorithms in the following preference order:

  1. cipher 190 name aes256-ctr

  2. cipher 192 name aes192-ctr

  3. cipher 194 name aes128-ctr

  4. cipher 200 name aes128-cbc

  5. cipher 205 name 3des-cbc

  6. cipher 210 name blowfish-cbc

  7. cipher 215 name cast128-cbc

  8. cipher 220 name arcfour

  9. cipher 225 name aes192-cbc

  10. cipher 230 name aes256-cbc

  11. cipher 235 name rijndael-cbc

Use the following CLI to configure the client and server cipher list.

configure system security ssh client-cipher-list  
  client-cipher-list protocol-version <version>
 <version>            : [1..2]
configure system security ssh client-cipher-list cipher  
  cipher <index> name <cipher-name>
  no cipher <index>
 <index>              : [1..255]
 <cipher-name>        : aes128-ctr|aes192-ctr|aes256-ctr|des|3des|blowfish|
                        3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes128-cbc|
                        aes192-cbc|aes256-cbc|rijndael-cbc
configure system security ssh server-cipher-list
  server-cipher-list protocol-version <version>
 <version>            : [1..2]
configure system security ssh server-cipher-list cipher
  no cipher <index>
  cipher <index> name <cipher-name>
 <index>              : [1..255]
 <cipher-name>        : aes128-ctr|aes192-ctr|aes256-ctr|des|3des|blowfish|
                        3des-cbc|blowfish-cbc|cast128-cbc|arcfour|aes128-cbc|
                        aes192-cbc|aes256-cbc|rijndael-cbc

KEX client and server list

Note:

This feature is supported on all 7210 SAS as described in this document, except the 7210 SAS-D.

The 7210 SAS supports key exchange (KEX) client and server lists. The user can add or remove the KEX client or server algorithms that the SSH application negotiates using an SSHv2 phase one handshake. The KEX list is an index list with the lower index having higher preference in the SSH negotiation. The lowest indexed algorithm in the list is negotiated first in SSH and is at the top of the negotiation list to the peer.

By default, the KEX list is empty and a hard-coded list that includes all supported algorithms in the following preference order is used:

  1. kex 200 name diffie-hellman-group16-sha512

  2. kex 210 name diffie-hellman-group14-sha256

  3. kex 215 name diffie-hellman-group14-sha1

  4. kex 220 name diffie-hellman-group-exchange-sha1

  5. kex 225 name diffie-hellman-group1-sha1

As soon as the user configures the KEX list, the 7210 SAS starts using the algorithms from the user-defined KEX list instead of the hard-coded list. To revert to the hard-coded list, the user must remove all configured KEX indexes until the list is empty.

Use the following CLI to configure the cipher or MAC server and client lists.

configure system security ssh server-kex-list kex
   kex <index> name <kex-name>
   no kex <index>

configure system security ssh client-kex-list kex
   kex <index> name <kex-name>
   no kex <index>

<index>              : [1..255]
<kex-name>           : diffie-hellman-group14-sha1| diffie-hellman-group14-sha256|
                       diffie-hellman-group16-sha512|diffie-hellman-group-exchange-
                       sha1| diffie-hellman-group1-sha1

Exponential login back-off

A malicious user may attempt to gain CLI access by means of a dictionary attack, in which a script is used to attempt automatic logins as an ‟admin” user and a dictionary list is used to test all possible passwords. By using the exponential-backoff feature in the config>system>login-control context, the 7210 SAS increases the delay between login attempts exponentially to mitigate attacks.

When a user attempts to log into a router using a Telnet or an SSH session, the system allows a limited number of attempts to enter the correct password. The interval between the unsuccessful attempts change after each try (1, 2, and 4 seconds). If user lockout is configured on the system, the user is locked out when the number of unsuccessful attempts is exceeded.

However, if lockout is not configured, three password entry attempts are allowed in the first session after the first failure, at fixed 1, 2 and 4 second intervals, and then the session terminates. Users do not have an unlimited number of login attempts per session. After each failed password attempt, the wait period becomes longer until the maximum number of attempts is reached.

The 7210 SAS terminates after four unsuccessful attempts. A wait period is never longer than 4 seconds. The periods are fixed and restart in subsequent sessions.

The config system login-control [no] exponential-backoff command works in conjunction with the config system security password attempts command, which is also a system-wide configuration.

*A:ALA-48>config>system# security password attempts
  - attempts <count> [time <minutes1>] [lockout <minutes2>]
  - no attempts

 <count>              : [1..64]
 <minutes1>           : [0..60]
 <minutes2>           : [0..1440]

Exponential backoff applies to any user and by any login method, such as console, SSH, and Telnet.

See Configuring login controls for more information. The related commands are described in Login, Telnet, SSH and FTP commands.

User lockout

When a user exceeds the maximum number of attempts allowed (the default is three attempts) during a specific period of time (the default is 5 minutes) the account used during those attempts is locked out for a preconfigured lock-out period (the default is 10 minutes).

A security event log is generated as soon as a user account has exceeded the number of allowed attempts and the show>system>security>user command can be used to display the total number of failed attempts per user.

The account is automatically re-enabled as soon as the lock-out period has expired.

Encryption

Data Encryption Standard (DES) and Triple DES (3DES) are supported for encryption:

  • DES is a widely-used method of data encryption using a private (secret) key. Both the sender and the receiver must know and use the same private key.

  • 3DES is a more secure version of the DES protocol.

802.1x network access control

The 7210 SAS supports network access control of client devices (PCs, STBs, and so on.) on an Ethernet network using the IEEE. 802.1x standard. 802.1x is known as Extensible Authentication Protocol (EAP) over a LAN network or EAPOL.

TCP Enhanced Authentication Option

The TCP Enhanced Authentication Option, currently covered in draft-bonica-tcp-auth-05.txt, "Authentication for TCP-based Routing and Management Protocols", extends the previous MD5 authentication option to include the ability to change keys without tearing down the session, and allows for stronger authentication algorithms to be used.

The TCP Enhanced Authentication Option is a TCP extension that enhances security for BGP, LDP and other TCP-based protocols. This includes the ability to change keys in a BGP or LDP session seamlessly without tearing down the session. It is intended for applications where secure administrative access to both the end-points of the TCP connection is normally available.

TCP peers can use this extension to authenticate messages passed between one another. This strategy improves upon current practice, which is described in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option. Using this new strategy, TCP peers can update authentication keys during the lifetime of a TCP connection. TCP peers can also use stronger authentication algorithms to authenticate routing messages.

Packet formats

The following figure shows the TCP Enhanced Authentication Option packet format.

Figure 4. Packet format

Option Syntax

  • Kind: 8 bits

    The Kind field identifies the TCP Enhanced Authentication Option. This value is assigned by IANA.

  • Length: 8 bits

    The Length field specifies the length of the TCP Enhanced Authentication Option, in octets. This count includes two octets representing the Kind and Length fields.

    The valid range for this field is from 4 to 40 octets, inclusive.

    For all algorithms specified in this memo, the value is 16 octets.

  • T-Bit: 1 bit

    The T-bit specifies whether TCP Options were omitted from the TCP header for the purpose of MAC calculation. A value of 1 indicates that all TCP options other than the Extended Authentication Option were omitted. A value of 0 indicates that TCP options were included.

    The default value is 0.

  • K-Bit: 1 bit

    This bit is reserved for future enhancement. Its value MUST be equal to zero.

  • Alg ID: 6 bits

    The Alg ID field identifies the MAC algorithm.

  • Res: 2 bits

    These bits are reserved. They MUST be set to zero.

  • Key ID: 6 bits

    The Key ID field identifies the key that was used to generate the message digest.

  • Authentication Data: Variable length

    The Authentication Data field contains data that is used to authenticate the TCP segment. This data includes, but need not be restricted to, a MAC. The length and format of the Authentication Data Field can be derived from the Alg ID.

    The Authentication for TCP-based Routing and Management Protocols draft provides and overview of the TCP Enhanced Authentication Option. The details of this feature are described in draft-bonica-tcp-auth-04.txt.

Keychain

A keychain is a set of up to 64 keys, where each key is {A[i], K[i], V[i], S[i], T[i], S'[i], T'[i]} as described in draft-bonica-tcp-auth-05.txt, "Authentication for TCP-based Routing and Management Protocols". The keys can be assigned to both sides of an LDP peer.The individual keys in a keychain have a begin-time and end-time indicating when to use this key.

These fields map to the CLI tree as described in the following figure.

Table 7. Keychain mapping

Field

Definition

CLI

i

The key identifier expressed as an integer (0...63)

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

A[i]

Authentication algorithm to use with key[i]

config>system>security>keychain>direction>bi>entry with algorithm algorithm parameter.

config>system>security>keychain>direction>uni>receive>entry with algorithm algorithm parameter.

config>system>security>keychain>direction>uni>send>entry with algorithm algorithm parameter.

K[i]

Shared secret to use with key[i].

config>system>security>keychain>direction>uni>receive>entry with shared secret parameter

config>system>security>keychain>direction>uni>send>entry with shared secret parameter

config>system>security>keychain>direction>bi>entry with shared secret parameter

V[i]

A vector that determines whether the key[i] is to be used to generate MACs for inbound segments, outbound segments, or both.

config>system>security>keychain>direction

S[i]

Start time from which key[i] can be used by sending TCPs.

config>system>security>keychain>direction>bi>entry>begin-time

config>system>security>keychain>direction>uni>send>entry >begin-time

T[i]

End time after which key[i] cannot be used by sending TCPs.

Inferred by the begin-time of the next key (youngest key rule).

S'[i]

Start time from which key[i] can be used by receiving TCPs.

config>system>security>keychain>direction>bi>entry>begin-time

config>system>security>keychain>direction>bi>entry>tolerance

config>system>security>keychain>direction>uni>receive>entry >begin-time

config>system>security>keychain>direction>uni>receive>entry >tolerance

T'[i]

End time after which key[i] cannot be used by receiving TCPs

config>system>security>keychain>direction>uni>receive>entry >end-time

Configuration notes

This section describes security configuration restrictions.

General

  • If a RADIUS or a TACACS+ server is not configured, password, profiles, and user access information must be configured on each router in the domain.

  • If a RADIUS authorization is enabled, VSAS must be configured on the RADIUS server.

Configuring security with CLI

This section provides information to configure security using the command line interface.

Setting up security attributes

This section provides a brief overview of the tasks that must be performed to configure security and provides the CLI commands. The following table describes the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server.

Table 8. Security configuration requirements

Authentication

Authorization

Accounting

Local

Local

None

RADIUS

Local and RADIUS

RADIUS

TACACS+

Local

TACACS+

Configuring authentication

See the following sections to configure authentication:

Configuring authorization

See the following sections to configure authorization:

Security configurations

This section provides information to configure security and configuration examples of configuration tasks.

To implement security features, configure the following components:

  • management access filters

  • profiles

  • user access parameters

  • password management parameters

  • enable RADIUS and/or TACACS+

    • one to five RADIUS and/or TACACS+ servers

    • RADIUS and/or TACACS+ parameters

Default values for security parameters

A:ALA-1>config>system>security# info detail
----------------------------------------------
no hash-control
telnet-server
no telnet6-server
no ftp-server
management-access-filter
exit
profile "default"
default-action none
no li
entry 10
no description
match ‟exec”
action permit
...
password
authentication-order radius tacplus local
no aging
minimum-length 6
attempts 3 time 5 lockout 10
complexity
exit
user "admin"
password "./3kQWERTYn0Q6w" hash
access console
no home-directory
no restricted-to-home
console
no login-exec
no cannot-change-password
no new-password-at-login
member "administrative"
exit
exit
snmp
view iso subtree 1
mask ff type included
exit
...
access group snmp-ro security-model snmpv1 security-level no-auth-no\
privacy read no-security notify no-security
access group snmp-ro security-model snmpv2c security-level no-auth-no
privacy read no-security notify no-security
access group snmp-rw security-model snmpv1 security-level no-auth-no
privacy read no-security write no-security notify no-security
access group snmp-rw security-model snmpv2c security-level no-auth-no
privacy read no-security write no-security notify no-security
access group snmp-rwa security-model snmpv1 security-level no-auth-no
privacy read iso write iso notify iso
access group snmp-rwa security-model snmpv2c security-level no auth-no
privacy read iso write iso notify iso
access group snmp-trap security-model snmpv1 security-level no-auth-no
privacy notify iso
access group snmp-trap security-model snmpv2c security-level no-auth-no
privacy notify iso
access group cli-readonly security-model snmpv2c security-level
no-auth-no-privacy read iso notify iso
access group cli-readwrite security-model snmpv2c security-level
no-auth-no-privacy read iso write iso notify iso
attempts 20 time 5 lockout 10
exit
no ssh

Security configuration procedures

Configuring Management Access Filters

Creating and implementing management access filters is optional. Management access filters control all traffic going in to the CPM, including all routing protocols. They apply to packets from all ports. The filters can be used to restrict management of the 7210 SAS router by other nodes outside either specific (sub)networks or through designated ports. By default, there are no filters associated with security options. The management access filter and entries must be explicitly created on each router. These filters also apply to the management Ethernet port.

The 7210 SAS implementation exits the filter when the first match is found and execute the actions according to the specified action. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the one keyword to be considered complete. Entries without the action keyword are considered incomplete and are rendered inactive.

Use the following syntax to configure a management access filter. This example only accepts packets matching the criteria specified in entries 1 and 2. Non-matching packets are denied.

config>system
        security
            management-access-filter
                default-action {permit|deny|deny-host-unreachable}
                renum old-entry-number new-entry-number
                no shutdown
                entry entry-id
                    description description-string
                    src-port {port-id cpm|laglag-id}
                    src-ip {ip-prefix/mask | ip-prefix netmask}
                    protocol protocol-id
                    dst-port port [mask]
                    action {permit|deny|deny-host-unreachable}
                    log

Configuring password management parameters

Password management parameters consists of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts a user can enter a password.

Depending on the your authentication requirements, password parameters are configured locally.

Use the following syntax to configure password support.

config>system>security
        password
            admin-password password [hash|hash2]
            aging days
            attempts count [time minutes1] [lockout minutes2]
            authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
            complexity-rules 
                allow-user-name
                credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
                minimum-classes minimum
                minimum-length length
                repeated-characters count
                required [lowercase count] [uppercase count] [numeric count] [special-character count]
            hashing {bcrypt|sha2-pbkdf2}
            health-check [interval interval]
            history-size size
            minimum-age [days days] [hrs hours] [min minutes] [sec seconds]
            minimum-change distance
Password configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
password
authentication-order radius tacplus local
aging 365
minimum-length 8
attempts 5 time 5 lockout 20
exit
----------------------------------------------
A:ALA-1>config>system>security#

Configuring profiles

Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of sixteen user profiles can be defined. A user can participate in up to sixteen profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.

Use the following syntax to configure user profiles.

config>system>security
        profile user-profile-name 
            default-action {deny-all|permit-all|none}
            renum old-entry-number new-entry-number
            entry entry-id
                description description-string
                match command-string
                action {permit|deny}
User profile output
A:ALA-1>config>system>security# info
----------------------------------------------
...
            profile "ghost"
                default-action permit-all
                entry 1
                    match "configure"
                    action permit
                exit
                entry 2
                    match "show"
                exit
                entry 3
                    match "exit"
                exit
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

Configuring users

Configure access parameters for individual users. For user, define the login name for the user and, optionally, information that identifies the user. Use the following syntax to configure RADIUS support.

config>system>security
        user-template template-name
        user user-name
        access [ftp] [snmp] [console]
        console
        cannot-change-password
        login-exec url-prefix:source-url
        member user-profile-name [user-profile-name...(up to 8 max)]
        new-password-at-login
        home-directory url-prefix [directory][directory/directory ..]
        password [password] [hash|hash2]
        restricted-to-home
        snmp
        authentication {[none]|[[hash] {md5 key-1|sha key-1} privacy {none|des-key key-2}]}
        group group-name
User configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
            user "49ers"
                password "qQbnuzLd7H/VxGdUqdh7bE" hash2
                access console ftp snmp
                restricted-to-home
                console
                    member "default"
                    member "ghost"
                exit
            exit
...
--------------------------------------------
A:ALA-1>config>system>security#

Configuring keychains

Keychain configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
            keychain "abc"
                direction
                    bi
                        entry 1 key "ZcvSElJzJx/wBZ9biCtOVQJ9YZQvVU.S" hash2 alg
orithm aes-128-cmac-96
                            begin-time 2006/12/18 22:55:20
                        exit
                    exit
                exit
            exit
            keychain "baSASd"
                direction
                    uni
                        receive
                            entry 1 key "Ee7xdKlYO2DOm7v3IJv/84LIu96R2fZh" hash2
 algorithm aes-128-cmac-96
                                tolerance forever
                            exit
                        exit
                    exit
                exit
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

Copying and overwriting users and profiles

You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified or an error occurs if the destination profile or username already exists.

User

Use the following syntax to configure copied users.

config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
config>system>security# copy user testuser to testuserA
    	MINOR: CLI User "testuserA" already exists - use overwrite flag.
    	config>system>security#
    config>system>security# copy user testuser to testuserA overwrite
    	config>system>security#
Copied user configuration output
A:ALA-12>config>system>security# info
----------------------------------------------
...
            user "testuser"
                password "F6XjryaATzM" hash
                access snmp
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
none
                    group "testgroup"
                exit
            exit
            user "testuserA"
                password "" hash2
                access snmp
                console
                    new-password-at-login
                exit
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy
 none
                    group "testgroup"
                exit
            exit
...
----------------------------------------------
A:ALA-12>config>system>security# info

The cannot-change-password flag is not replicated when a copy user command is performed. A new-password-at-login flag is created instead.

A:ALA-12>config>system>security>user# info
----------------------------------------------
password "F6XjryaATzM" hash
access snmp
console
cannot-change-password 
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
group "testgroup"
exit
----------------------------------------------
A:ALA-12>config>system>security>user# exit
A:ALA-12>config>system>security# user testuserA
A:ALA-12>config>system>security>user# info
----------------------------------------------
password "" hash2
access snmp
console
new-password-at-login
exit
snmp
authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
group "testgroup"
exit
----------------------------------------------
A:ALA-12>config>system>security>user#
Profile
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
config>system>security# copy profile default to testuser
Copied profile output
A:ALA-49>config>system>security# info
----------------------------------------------
...
A:ALA-49>config>system>security# info detail
----------------------------------------------
...
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "testuser"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "administrative"
                default-action permit-all exit
...
----------------------------------------------
A:ALA-12>config>system>security#

Enabling SSH

Use the SSH command to configure the SSH server as SSH1, SSH2 or both. The default is SSH2 (SSH version 2). This command should only be enabled or disabled when the SSH server is disabled. This setting should not be changed while the SSH server is running because the actual change only takes place after SSH is disabled or enabled. Use the following syntax to configure SSH.

config>system>security
        ssh
            preserve-key
            no server-shutdown
            version ssh-version

The following is a sample SSH server configuration output as both SSH and SSH2 using a host-key.

A:sim1>config>system>security>ssh# info
----------------------------------------------
                preserve-key
                version 1-2
----------------------------------------------
A:sim1>config>system>security>ssh# 

RADIUS configurations

Configuring RADIUS authentication

RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are radius and server server-index address ip-address secret key.

The system IP address must be configured in order for the RADIUS client to work. See ‟Configuring a System Interface” in the 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Router Configuration Guide.

The other commands are optional. The server command adds a RADIUS server and configures the RADIUS server’s IP address, index, and key values. The index determines the sequence in which the servers are queried for authentication requests.

On the local router, use the following syntax to configure RADIUS authentication.

config>system>security
        radius
            port port
            retry count
            server server-index address ip-address secret key
            timeout seconds
            no shutdown 
RADIUS authentication configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
...
----------------------------------------
A:ALA-1>config>system>security#

Configuring RADIUS authorization

In order for RADIUS authorization to function, RADIUS authentication must be enabled first. See Configuring RADIUS authentication.

In addition to the local configuration requirements, VSAS must be configured on the RADIUS server. See Vendor-specific attributes (VSAS).

On the local router, use the following syntax to configure RADIUS authorization.

config>system>security
        radius
            authorization
RADIUS authorization configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
            radius
                authorization
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
            exit
...
----------------------------------------------
A:ALA-1>config>system>security#

Configuring RADIUS accounting

On the local router, use the following syntax to configure RADIUS accounting:

config>system>security
        radius
            accounting
RADIUS accounting configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
...
           radius
               shutdown
               authorization
               accounting
               retry 5
               timeout 5
               server 1 address 10.10.10.103 secret "test1"
               server 2 address 10.10.0.1 secret "test2"
               server 3 address 10.10.0.2 secret "test3"
               server 4 address 10.10.0.3 secret "test4"
           exit
...
----------------------------------------------
A:ALA-1>config>system>security#

Configuring 802.1x RADIUS policies

Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured per Ethernet port. See the 7210 SAS-D, Dxp, K 2F1C2T, K 2F6C4T, K 3SFP+ 8C Interface Configuration Guide.

To configure generic parameters for 802.1x authentication, enter the following syntax.

config>system>security
        dot1x
            radius-plcy policy-name 
                server server-index address ip-address secret key [port port]
                source-address ip-address
                no shutdown
802.1x configuration output
A:ALA-1>config>system>security# info
----------------------------------------------
            dot1x
                radius-plcy "dot1x_plcy" create
                   server 1 address 10.1.1.1 port 65535 secret "a"
                   server 2 address 10.1.1.2 port 6555 secret "a"
                   source-address 10.1.1.255
                no shutdown
...
----------------------------------------------

TACACS+ configurations

Enabling TACACS+ authentication

To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network.

Use the following syntax to configure profiles.

config>system>security
        tacplus
            server server-index address ip-address secret key
            timeout seconds
            no shutdown 
TACACS+ authentication configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#

Configuring TACACS+ authorization

In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ authentication.

On the local router, use the following syntax to configure RADIUS authorization.

config>system>security
        tacplus
            authorization
            no shutdown
TACACS+ authorization configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus# 

Configuring TACACS+ accounting

On the local router, use the following syntax to configure TACACS+ accounting.

config>system>security
        tacplus
            accounting
TACACS+ accounting configuration output
A:ALA-1>config>system>security>tacplus# info
----------------------------------------------
                accounting
                authorization
                timeout 5
                server 1 address 10.10.0.5 secret "test1"
                server 2 address 10.10.0.6 secret "test2"
                server 3 address 10.10.0.7 secret "test3"
                server 4 address 10.10.0.8 secret "test4"
                server 5 address 10.10.0.9 secret "test5"
----------------------------------------------
A:ALA-1>config>system>security>tacplus#

Configuring login controls

Configure login control parameters for console, Telnet, and FTP sessions.

Use the following syntax to configure login controls.

config>system 
        login-control
            exponential-backoff
            ftp
                inbound-max-sessions value
            telnet
                inbound-max-sessions value
                outbound-max-sessions value
            idle-timeout {minutes |disable}
            pre-login-message login-text-string [name]
            login-banner
            motd {url url-prefix: source-url|text motd-text-string}

Login control configuration output

A:ALA-1>config>system# info
----------------------------------------------
...
       login-control
           ftp
               inbound-max-sessions 5
           exit
           telnet
               inbound-max-sessions 7
               outbound-max-sessions 2
           exit
           idle-timeout 1440
           pre-login
message "Property of Service Routing Inc. Unauthorized access prohibited."
           motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"
       exit
 no exponential-backoff
...
----------------------------------------------
A:ALA-1>config>system#

Security command reference

Command hierarchies

Configuration commands

Security commands
config
    - system 
        - security
            - copy {user source-user | profile source-profile} to destination [overwrite] 
            - dot1x
            - [no] ftp-server
            - hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]
            - no hash-control
            - [no] keychain keychain-name
            - management-access-filter
            - password
            - [no] profile user-profile-name
            - [no] radius
            - snmp
            - source-address 
                - application app [ip-int-name|ip-address]
                - no application app
            - ssh
            - [no] tacplus
            - [no] telnet-server
            - [no] users user-name
            - user-template {tacplus_default | radius_default}
Management Access Filter commands
Note:

IPv6 management access filters are supported on all platforms as described in this document, except the 7210 SAS-K 2F1C2T.

config
    - system 
        - security
            - [no] management-access-filter
                - [no] ip-filter
                    - default-action {permit | deny | deny-host-unreachable}
                    - [no] entry entry-id
                        - action {permit | deny | deny-host-unreachable}
                        - no action
                        - description description-string
                        - no description
                        - dst-port port [mask]
                        - no dst-port
                        - fragment {true | false}
                        - no fragment
                        - l4-src-port port [mask]
                        - no l4-src-port
                        - [no] log
                        - protocol protocol-id
                        - no protocol
                        - router router-instance
                        - no router
                        - src-ip {ip-prefix/mask | ip-prefix netmask}
                        - no src-ip
                        - src-port {port-id | lag lag-id}
                        - no src-port
                - [no]ipv6-filter
                    - default-action {permit | deny | deny-host-unreachable}
                    - [no] entry entry-id
                        - action {permit | deny | deny-host-unreachable}
                        - no action
                        - description description-string
                        - no description
                        - dst-port port [mask]
                        - no dst-port
                        - flow-label value
                        - no flow-label
                        - l4-src-port port [mask]
                        - no l4-src-port
                        - [no] log
                        - next-header next-header
                        - no next-header
                        - router router-instance
                        - no router
                        - src-ip {ip-prefix/prefix-length | ip-prefix netmask}
                        - no src-ip
                        - src-port {port-id | lag lag-id}
                        - no src-port
                - renum old-entry-number new-entry-number
                - [no] shutdown
Security password commands
config
    - system 
        - security
            - password
                - admin-password password [hash | hash2]
                - no admin-password
                - aging days
                - no aging
                - attempts count [time minutes1] [lockout minutes2]
                - no attempts
                - authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
                - no authentication-order
                - complexity-rules 
                    - [no] allow-user-name
                    - credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]
                    - no credits
                    - minimum-classes minimum
                    - no minimum-classes
                    - minimum-length length
                    - no minimum-length
                    - repeated-characters count
                    - no repeated-characters
                    - required [lowercase count] [uppercase count] [numeric count] [special-character count]
                    - no required
                - hashing {bcrypt | sha2-pbkdf2}
                - [no] health-check [interval interval]
SSH commands
config
    - system 
        - security
            - ssh
                - client-cipher-list protocol-version version
                    - cipher index name cipher-name
                    - no cipher index
                - client-mac-list 
                    - mac index name mac-name
                    - no mac index
                - client-kex-list 
                    - kex index name kex-name
                    - no kex index 
                - [no] preserve-key
                - server-cipher-list protocol-version version
                    - cipher index name cipher-name
                    - no cipher index
                - server-kex-list 
                    - kex index name kex-name 
                    - no kex index 
                - server-mac-list 
                    - mac index name mac-name
                    - no mac index
                - [no] server-shutdown
                - [no] version SSH-version
User commands
config
    - system 
        - security
            - [no] users user-name
                - [no] access [ftp] [snmp] [console] 
                - console
                    - [no] cannot-change-password
                    - login-exec url-prefix::source-url
                    - no login-exec
                    - member user-profile-name [user-profile-name…(up to 8 max)]
                    - no member user-profile-name
                    - [no] new-password-at-login 
                - home-directory url-prefix [directory] [directory/directory…]
                - no home-directory 
                - password [password] [hash | hash2] 
                - public-keys
                    - ecdsa
                        - ecdsa-key ecdsa-public-key-id [create] 
                        - no ecdsa-key ecdsa-public-key-id
                            - description description-string
                            - no description
                            - key-value ecdsa-public-key-value
                            - no key-value 
                    - rsa
                        - rsa-key rsa-public-key-id [create] 
                        - no rsa-key rsa-public-key-id
                            - description description-string
                            - no description
                            - key-value rsa-public-key-value
                            - no key-value 
                - [no] restricted-to-home
                - [no] save-when-restricted
                - snmp 
                    - authentication none
                    - authentication authentication authentication-protocol key-1 [privacy none] [hash | hash2] 
                    - authentication authentication authentication-protocol key-1 privacy privacy-protocol key-2 [hash | hash2]
                    - no authentication
                    - authentication none
                    - authentication {md5 key-1 | sha key-1} [privacy none] [hash]
                    - authentication {md5 key-1 | sha key-1} privacy privacy-level key-2 [hash]
                    - no authentication
                    - group group-name
                    - no group
Keychain commands
config
    - system 
        - security
            - [no] keychain keychain-name
                - description description-string
                - no description
                - direction {uni | bi}
                    - bi
                        - entry {null-key | entry-id key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm}
                        - no entry {null-key | entry-id}
                            - begin-time [date] [hours-minutes] [UTC] {now| forever}
                            - [no] shutdown
                            - tolerance [seconds | forever]
                    - uni
                        - receive
                            - entry {null-key | entry-id key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm}
                            - no entry {null-key | entry-id}
                            - begin-time [date] [hours-minutes] [UTC] {now| forever}
                            - end-time [date][hours-minutes] [UTC] {now| forever}
                            - [no] shutdown
                            - tolerance [seconds | forever]
                        - send
                            - entry entry-id key [authentication-key | hash-key | hash2-key] [hash | hash2] algorithm algorithm
                            - begin-time [date] [hours-minutes] [UTC] {now| forever}
                            - [no] shutdown
                - [no] shutdown
                - tcp-option-number
                    - receive option-number
                    - send option-number
Login control commands
config
    - system 
        - login-control
            - [no] exponential-backoff
            - ftp
                - inbound-max-sessions value
                - no inbound-max-sessions
            - idle-timeout {minutes | disable}
            - no idle-timeout
            - [no] login-banner
            - motd {url url-prefix: source-url | text motd-text-string}
            - no motd
            - pre-login-message login-text-string [name]
            - no pre-login-message
            - ssh
                - disable-graceful-shutdown
                - inbound-max-sessions
                - outbound-max-sessions
            - telnet
                - enable-graceful-shutdown
                - inbound-max-sessions value
                - no inbound-max-sessions
                - outbound-max-sessions value
                - no outbound-max-sessions

Debug commands

debug
    - router
        - radius
        - no radius
            - detail-level {low | medium | high}
            - no detail-level
            - packet-type [authentication] [accounting] [coa]
            - no packet-type
            - radius-attr type attribute-type [transaction]
            - radius-attr type attribute-type [transaction] {address | hex | integer | string} value attribute-value
            - radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type]
            - radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type] {address | hex | integer | string} value attribute-value
            - no radius-attr type attribute-type
            - no radius-attr type attribute-type {address | hex | integer | string} value attribute-value
            - no radius-attr vendor vendor-id type attribute-type
            - no radius-attr vendor vendor-id type attribute-type {address | hex | integer | string} value attribute-value
            - server-address ip-address
            - no server-address ip-address

Command descriptions

Configuration commands

General security commands
description
Syntax

description description-string

no description

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

config>sys>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

config>system>security>user>public-keys>ecdsa>ecdsa-key

config>system>security>user>public-keys>rsa>rsa-key

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command associates a text string with a configuration context to help identify the context in the configuration file.

The no form of this command removes the string.

Parameters
string

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

shutdown
Syntax

[no] shutdown

Context

config>system>security>mgmt-access-filter

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

The shutdown command administratively disables the entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. Many entities must be explicitly enabled using the no shutdown command. The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command puts an entity into the administratively enabled state.

Default

no shutdown

security
Syntax

security

Context

config>system

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure security settings.

Security commands manage user profiles and user membership. Security commands also manage user login registrations.

ftp-server
Syntax

[no] ftp-server

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables FTP servers running on the system.

FTP servers are disabled by default. At system startup, only SSH servers are enabled.

The no form of this command disables FTP servers running on the system.

hash-control
Syntax

hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]

no hash-control

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

If the user executes a save or info command, the system encrypts all passwords, for example, MD5 keys, for security reasons. At present, two algorithms exist.

The first algorithm is a simple, short key that can be copied and pasted in a different location when the user wants to configure the same password. However, because it is the same password and the hash key is limited to the password/key, even the casual observer will notice that it is the same key.

The second algorithm is a more complex key, and cannot be copied and pasted in different locations in the configuration file. In this case, if the same key or password is used repeatedly in different contexts, each encrypted (hashed) version is different.

Default

hash-control read-version all

Parameters
read-version {1 | 2 | all}

When the read-version is configured as ‟all,” both versions 1 and 2 are accepted by the system. Otherwise, only the selected version is accepted when reading configuration or exec files. The presence of incorrect hash versions aborts the script/startup.

write-version {1 | 2}

Selects the hash version that is used the next time the configuration file is saved (or an info command is executed). Be careful to save the read and write version correctly, so that the file can be properly processed after the next reboot or exec.

source-address
Syntax

source-address

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the source address that should be used in all unsolicited packets sent by the application.

This feature only applies on in-band interfaces and does not apply on the out-band management interface. Packets going out the management interface will keep using that as the source IP address. That is, when the RADIUS server is reachable through both the management interface and a network interface, the management interface is used despite what is configured under the source-address statement.

application
Syntax

application app [ip-int-name | ip-address]

no application app

Context

config>system>security>source-address

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the application to use the source IP address specified by the source-address command.

Parameters
app

Specifies the application name.

Values

telnet, ftp, ssh, radius, tacplus, snmptrap, syslog, ping, traceroute, dns, sntp, ntp

Note:

PTP is not supported on all platforms. Only the applications supported on the platform can be used as a value with this command. Using an unsupported application value does not have the needed effect.

ip-int-name | ip-address

Specifies the name of the IP interface and IP address. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

telnet-server
Syntax

[no] telnet-server

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables Telnet servers running on the system.

Telnet servers are off by default. At system startup, only SSH servers are enabled.

Telnet servers in networks limit Telnet clients to three attempts to login. The Telnet server disconnects the Telnet client session after three attempts.

The no form of this command disables Telnet servers running on the system.

Login, Telnet, SSH and FTP commands
exponential-backoff
Syntax

[no] exponential-backoff

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the exponential backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password.

The no form of this command disables exponential backoff.

Default

no exponential-backoff

ftp
Syntax

ftp

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure FTP login control parameters.

idle-timeout
Syntax

idle-timeout {minutes | disable}

no idle-timeout

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the idle timeout for FTP, console, or Telnet sessions before the session is terminated by the system.

By default, an idle FTP, console, SSH, or Telnet session times out after 30 minutes of inactivity. This timer can be set per session.

The no form of this command reverts to the default value.

Default

idle-timeout 30

Parameters
minutes

Specifies the idle timeout in minutes. Allowed values are 1 to 1440. A value of 0 implies that the sessions never timeout.

Values

1 to 1440

disable

Keyword specifying that a session will never timeout. To re-enable idle timeout, enter the command without the disable option.

inbound-max-sessions
Syntax

inbound-max-sessions value

no inbound-max-sessions

Context

config>system>login-control>ftp

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the maximum number of concurrent inbound FTP sessions.

This value is the combined total of inbound and outbound sessions.

The no form of this command reverts to the default value.

Default

inbound-max-sessions 3

Parameters
value

Specifies the maximum number of concurrent FTP sessions on the node.

Values

0 to 5

inbound-max-sessions
Syntax

inbound-max-sessions value

no inbound-max-sessions

Context

config>system>login-control>telnet

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command limits the number of inbound Telnet and SSH sessions. A maximum of 15 Telnet and SSH connections can be established to the router. The local serial port cannot be disabled.

The no form of this command reverts to the default value.

Default

inbound-max-sessions 5

Parameters
value

Specifies the maximum number of concurrent inbound Telnet sessions, expressed as an integer.

Values

0 to 7

login-banner
Syntax

[no] login-banner

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables or disables the display of a login banner. The login banner contains the 7210 SAS copyright and build date information for a console login attempt.

The no form of this command causes only the configured pre-login message and a generic login prompt to display.

login-control
Syntax

login-control

Context

config>system

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure the session control for the console, Telnet, and FTP.

motd
Syntax

motd {url url-prefix: source-url | text motd-text-string}

no motd

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the message of the day displayed after a successful console login. Only one message can be configured.

The no form of this command removes the message.

Parameters
url url-prefix: source-url

Specifies the URL prefix and source URL of the file containing the message of the day. When the message of the day is present as a text file, provide both url-prefix and the source-url of the file containing the message of the day. The URL prefix can be local or remote.

text motd-text-string

Specifies the text of the message of the day. The motd-text-string must be enclosed in double quotes. Multiple text strings are not appended to one another.

Some special characters can be used to format the message text. The ‟\n” character creates multi-line MOTDs and the ‟\r” character restarts at the beginning of the new line. For example, entering ‟\n\r” starts the string at the beginning of the new line, while entering ‟\n” starts the second line following the last character from the first line.

outbound-max-sessions
Syntax

outbound-max-sessions value

no outbound-max-sessions

Context

config>system>login-control>telnet

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command limits the number of outbound Telnet and SSH sessions. A maximum of 15 Telnet and SSH connections can be established from the router. The local serial port cannot be disabled.

The no form of this command reverts to the default value.

Default

outbound-max-sessions 5

Parameters
value

Specifies the maximum number of concurrent outbound Telnet sessions, expressed as an integer.

Values

0 to 7

pre-login-message
Syntax

pre-login-message login-text-string [name]

no pre-login-message

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a message displayed before console login attempts on the console using Telnet.

Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.

It is possible to add the name parameter to an existing message without affecting the current pre-login-messages.

The no form of this command removes the message.

Parameters
login-text-string

Specifies a login text string, up to 900 characters. Any printable, 7-bit ASCII characters can be used. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

name

When the keyword name is defined, the configured system name is always displayed first in the login message. To remove the name from the login message, the message must be cleared and a new message entered without the name.

ssh
Syntax

ssh

Context

config>system>login-control

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure SSH parameters.

disable-graceful-shutdown
Syntax

[no] disable-graceful-shutdown

Context

config>system>login-control>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables graceful shutdown of SSH sessions.

The no form of this command disables graceful shutdown of SSH sessions.

client-cipher-list
Syntax

client-cipher-list protocol-version version

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the configuration of a list of allowed ciphers by the SSH client.

Parameters
version

Specifies the SSH version.

Values

1 — Specifies that the SSH server only accepts connections from clients that support SSH protocol version 1.

2 — Specifies that the SSH server accepts connections from clients that support SSH protocol version 2.

cipher
Syntax

cipher index name cipher-name

no cipher index

Context

config>system>security>ssh>client-cipher-list

config>system>security>ssh>server-cipher-list

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the configuration of a cipher. Client-ciphers are used when the 7210 SAS is acting as an SSH client. Server ciphers are used when the 7210 SAS is acting as an SSH server.

The no form of this command removes the index and cipher name from the configuration.

Default

no cipher index

Parameters
index

Specifies the index of the cipher in the list.

Values

1 to 255

cipher-name

Specifies the algorithm used when performing encryption or decryption.

Values

The following table lists the default ciphers used for SSHv1.

Table 9. SSHv1 default ciphers

Cipher index value

Cipher name

Cipher

Client

Server

200

3des

205

blowfish

210

des

Values

The following table lists the default ciphers used for SSHv2.

Table 10. SSHv2 default ciphers

Cipher index value

Cipher name

Cipher

Client

Server

190

aes256-ctr

192

aes192-ctr

194

aes128-ctr

200

aes128-cbc

205

3des-cbc

210

blowfish-cbc

215

cast128-cbc

220

arcfour

225

aes192-cbc

230

aes256-cbc

235

rijndael-cbc

client-mac-list
Syntax

client-mac-list

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure SSH MAC algorithms for the 7210 SAS acting as a client.

mac
Syntax

mac index name mac-name

no mac index

Context

config>system>security>ssh>client-mac-list

config>system>security>ssh>server-mac-list

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command allows the user to configure SSH MAC algorithms for the 7210 SAS acting as an SSH server or an SSH client.

The no form of this command removes the specified mac index.

Default

no mac index

Parameters
index

Specifies the index of the algorithm in the list.

Values

1 to 255

mac-name

Specifies the algorithm for calculating the message authentication code.

Values

The following table lists the default client and server algorithms used for SSHv2.

Table 11. SSHv2 default client and server algorithms

Cipher Index Value

MAC Name

200

hmac-sha2-512

210

hmac-sha2-256

215

hmac-sha1

220

hmac-sha1-96

225

hmac-md5

230

hmac-ripemd160

235

hmac-ripemd160-openssh-com

240

hmac-md5-96

client-kex-list
Syntax

client-kex-list

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

Commands in this context configure SSH KEX algorithms for the 7210 SAS in the client role.

By default, the SSH advertises a KEX list that contains the following algorithms:

  • diffie-hellman-group16-sha512

  • diffie-hellman-group14-sha256

  • diffie-hellman-group14-sha1

  • diffie-hellman-group-exchange-sha1

  • diffie-hellman-group1-sha1

kex
Syntax

kex index name kex-name

no kex index

Context

config>system>security>ssh>client-kex-list

config>system>security>ssh>server-kex-list

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

This command configures phase 1 SSHv2 KEX algorithms for the 7210 SAS in the SSH server or an SSH client role.

The no form of this command removes the specified KEX index. If all KEX indexes are removed, the default list is used.

Parameters
index

Specifies the index of the algorithm in the list. The lowest KEX index is negotiated first and the highest index, which is at the bottom of the KEX list, is negotiated last in the SSH negotiation.

Values

1 to 255

kex-name

Specifies the KEX algorithm for computing the shared secret key.

Values

diffie-hellman-group16-sha512, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

preserve-key
Syntax

[no] preserve-key

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

After enabling this command, private keys, public keys, and host key files are saved by the server. They are restored following a system reboot or restart of the SSH server.

The no form of this command specifies that the keys are held in memory by the SSH server and are not restored following a system reboot.

Default

no preserve-key

server-cipher-list
Syntax

server-cipher-list protocol-version version

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the configuration of the list of allowed ciphers by the SSH server.

Parameters
version

Specifies the SSH version.

Values

1 — Specifies that the SSH server only accepts connections from clients that support SSH protocol version 1.

2 — Specifies that the SSH server accepts connections from clients supporting either SSH protocol version 2.

server-kex-list
Syntax

server-kex-list

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

Commands in this context configure SSH KEX algorithms for the 7210 SAS in the SSH server role.

By default, the SSH advertises a KEX list that contains the following algorithms:

  • diffie-hellman-group16-sha512

  • diffie-hellman-group14-sha256

  • diffie-hellman-group14-sha1

  • diffie-hellman-group-exchange-sha1

  • diffie-hellman-group1-sha1

server-mac-list
Syntax

server-mac-list

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command allows the user to configure SSH MAC algorithms for the 7210 SAS acting as an SSH server.

server-shutdown
Syntax

[no] server-shutdown

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the SSH servers running on the system. By default, only the SSH server is enabled at startup.

version
Syntax

version ssh-version

no version

Context

config>system>security>ssh

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the SSH protocol version that is supported by the SSH server.

Default

version 2

Parameters
ssh-version

Specifies the SSH version.

Values

1 — Specifies that the SSH server only accepts connections from clients that support SSH protocol version 1.

2 — Specifies that the SSH server accepts connections from clients supporting either SSH protocol version 2.

1-2 — Specifies that the SSH server accepts connections from clients supporting either SSH protocol version 1, or SSH protocol version 2 or both.

telnet
Syntax

telnet

Context

config>system>login-control

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure the Telnet login control parameters.

enable-graceful-shutdown
Syntax

[no] enable-graceful-shutdown

Context

config>system>login-control>telnet

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables graceful shutdown of Telnet sessions.

The no form of this command disables graceful shutdown of Telnet sessions.

Management Access Filter commands
management-access-filter
Syntax

[no] management-access-filter

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context edit management access filters and to reset match criteria.

Management access filters control all traffic in and out. They can be used to restrict management of the router by other nodes outside either specific subnetworks or through designated ports.

Management filters, as opposed to other traffic filters, are enforced by system software.

The no form of this command removes management access filters from the configuration.

ip-filter
Syntax

[no] ip-filter

Context

config>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure management access IP filter parameters.

ipv6-filter
Syntax

[no] ipv6-filter

Context

config>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T

Description

Commands in this context configure management access IPv6 filter parameters.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

default-action
Syntax

default-action {permit | deny | deny-host-unreachable}

Context

config>system>security>mgmt-access-filter>ip-filter

config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter context is not supported on the 7210 SAS-K 2F1C2T.

This command enables the default action for management access in the absence of a specific management access filter match.

The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters. Whenever management access filters are configured, the default-action must be defined.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

Parameters
permit

Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted.

deny

Specifies that packets not matching the selection criteria be denied and that an ICMP host unreachable message are not issued.

deny-host-unreachable

Specifies that packets not matching the selection criteria are denied and a host unreachable message is issued.

entry
Syntax

[no] entry entry-id

Context

config>system>security>mgmt-access-filter>ip-filter

config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter context is not supported on the 7210 SAS-K 2F1C2T.

This command creates or edits a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7210 SAS exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of this command removes the specified entry from the management access filter.

Parameters
entry-id

Specifies an entry ID that uniquely identifies a match criteria and the corresponding action. Nokia recommends that entries are numbered in staggered increments. This allows users to insert a new entry in an existing policy without having to renumber the existing entries.

Values

1 to 9999

action
Syntax

action {permit | deny | deny-host-unreachable}

no action

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command enables the context associated with the management access filter match criteria entry.

The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

If the packet does not meet any of the match criteria, the configured default action is applied.

Parameters
permit

Specifies that packets matching the configured criteria are permitted.

deny

Specifies that packets matching the configured selection criteria are denied and that a ICMP host unreachable message is issued.

deny-host-unreachable

Specifies that packets matching the configured selection criteria are denied and that a host unreachable message is not issued.

dst-port
Syntax

[no] dst-port port [mask]

Context

config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command configures a source TCP or UDP port number or port range for a management access filter match criterion.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of this command removes the source port match criterion.

Parameters
port

Specifies the source TCP or UDP port number as match criteria.

Values

1 to 65535 (decimal)

mask

Specifies a range of source port numbers as the match criterion.

This 16-bit mask can be configured using the formats in the following table.

Table 12. Mask formats

Format style

Format syntax

Example

Decimal

DDDDD

63488

Hexadecimal

0xHHHH

0xF800

Binary

0bBBBBBBBBBBBBBBBB

0b1111100000000000

To select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.

Default

65535 (exact match)

Values

1 to 65535 (decimal)

fragment
Syntax

[no] fragment {true | false}

Context

config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies fragmented or non-fragmented IP packets as an IP filter match criterion.

An entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the Layer 4 information.

The no form of this command removes the match criterion.

Default

no fragment

Parameters
true

Specifies to match on all fragmented IP packets. A match occurs for all packets that have either the MF (more fragment) bit set or the Fragment Offset field of the IP header set to a non-zero value.

false

Specifies to match on all non-fragmented IP packets. Non-fragmented IP packets are packets that have the MF bit set to zero and the Fragment Offset field also set to zero.

l4-src-port
Syntax

[no] l4-src-port port [mask]

Context

config>system>security>mgmt-access-filter>ip-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command configures a source TCP or UDP port number for an IP filter match criterion. An entry containing L4 match criteria will not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of this command removes the source port match criterion.

Default

no l4-src-port

Parameters
port

Specifies the source port number to be used as a match criteria expressed as a decimal integer.

Values

1 to 65535

mask

Specifies the mask in dotted decimal notation.

Values

1 to 65535, decimal hex or binary

flow-label
Syntax

flow-label value

no flow-label

Context

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T

Description

This command configures flow label match conditions. Flow labeling enables the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non default quality of service or real-time service.

Parameters
value

Specifies the flow identifier in an IPv6 packet header that can be used to discriminate traffic flows. For more information, see RFC 3595, Textual Conventions for IPv6 Flow Label.

Values

0 to 1048575

log
Syntax

[no] log

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command enables match logging. When enabled, matches on this entry cause the Security event mafEntryMatch to be raised.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

Default

no log

next-header
Syntax

next-header next-header

no next-header

Context

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T

Description

This command specifies the next header to match. The protocol type, such as TCP, UDP, OSPF, and OSPF3, is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), TCP(6), UDP(17).

Parameters
next-header

Specifies the IP protocol field for IPv6 MAF, and for IPv6 the next header type to be used in the match criteria for this MAF Entry.

Values

next-header: 0 to 255, protocol numbers accepted in DHB

keywords: none, crtp, crudp, egp, eigrp, encap, ether-ip, gre, icmp, idrp, igmp, igp, ip, ipv6, ipv6-icmp, ipv6-no-nxt, isis, iso-ip, l2tp, ospf-igp, pim, pnni, ptp, rdp, rsvp, stp, tcp, udp, vrrp

protocol
Syntax

[no] protocol protocol-id

Context

config>system>security>mgmt-access-filter>ip-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures an IP protocol type to be used as a management access filter match criterion.

The protocol type, such as TCP, UDP, and OSPF, and OSPF3, is identified by its respective protocol number. Well-known protocol numbers include ICMP (1), TCP (6), and UDP (17).

The no form of this command removes the protocol from the match criteria.

Parameters
protocol

Specifies the protocol number for the match criterion.

Values

1 to 255 (decimal)

router
Syntax

router {router-instance}

no router

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

The command configures a router name or service ID to be used as a management access filter match criterion.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of this command removes the router name or service ID from the match criteria.

Default

router Base

Parameters
router-instance

Specifies the router name.

Values

Base, management

renum
Syntax

renum old-entry-number new-entry-number

Context

config>system>security>mgmt-access-filter>ip-filter

config>system>security>mgmt-access-filter>ipv6-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command renumbers existing management access filter entries to resequence filter entries.

The system exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be re-numbered differently from most to least explicit.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

Parameters
old-entry-number

Specifies the entry number of the existing entry.

Values

1 to 9999

new-entry-number

Specifies the new entry number that will replace the old entry number.

Values

1 to 9999

src-port
Syntax

src-port {port-id | lag lag-id}

no src-port

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command restricts ingress management traffic to either the CPM Ethernet port or any other logical port (LAG or port) on the device.

When the source interface is configured, only management traffic arriving on those ports satisfies the match criteria.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of the command reverts to the default value.

Parameters
port-id

Specifies the port ID in the following format: slot[/mda]/port.

src-ip
Syntax

[no] src-ip {ip-prefix/prefix-length | ip-prefix netmask}

Context

config>system>security>mgmt-access-filter>ip-filter>entry

config>system>security>mgmt-access-filter>ipv6-filter>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description
Note:

The config>system>security>mgmt-access-filter>ipv6-filter>entry context is not supported on the 7210 SAS-K 2F1C2T.

This command configures a source IP address range to be used as a management access filter match criterion.

To match on the source IP address, specify the address and the associated mask (that is, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used.

The 7210 SAS-K 2F1C2T does not support IPv6 access management filters.

The no form of the command removes the source IP address match criterion.

Parameters
ip-prefix/prefix-length

Specifies the IP prefix used for IP match criteria in dotted decimal notation. Can be IPv4 or an IPv6 prefix.

ipv4-prefix — a.b.c.d

ipv4-prefix-length — 0 to 32

ipv6-prefix — x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d
  • x: [0..FFFF]H
  • d: [0..255]D

ipv6-prefix-length — 0 to 128 (7210 SAS-D, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C)

0 to 64 (7210 SAS-Dxp)

netmask

Specifies the subnet mask in dotted decimal notation.

Values

a.b.c.d (network bits all 1 and host bits all 0)

Password commands
admin-password
Syntax

admin-password password [hash | hash2]

no admin-password

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the context (with admin permissions) to configure a password that enables a user to become an administrator.

This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.

This functionality can be enabled in two contexts:

  • config>system>security>password>admin-password

  • global enable-admin

Note:

See the description for enable-admin. If the admin-password command is configured in the config>system>security>password context, any user can enter the administrative mode by entering the enable-admin command.

The enable-admin command is in the default profile. By default, all users have access to this command.

After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is granted unrestricted access to all commands.

The minimum password length is determined by the minimum-length command. The complexity requirements for the password is determined by the configuration in the complexity-rules context.

The password argument of this command is not sent to the servers. This is consistent with other commands that configure secrets.

The usernames and passwords in the FTP and TFTP URLs are not sent to the authorization or accounting servers when the file>copy source-file-url dest-file-url command is executed.

For example:

file copy ftp://test:secret@131.12.31.79/test/srcfile cf1:\destfile

In this example, the username 'test' and password 'secret' are not sent to the AAA servers (or to any logs). They are replaced with '****'.

Note:

The configure system security password hashing command affects the maximum number of characters that can be used to configure the password parameter.

The no form of this command removes the admin password from the configuration.

Default

no admin-password

Parameters
password

Configures the password that enables a user to become a system administrator. The maximum length can be up to 56 characters if unhashed, 32 characters if the hash keyword is specified, and 54 characters if the hash2 keyword is specified, 60 characters if hashed with bcrypt, or 87 to 92 characters if hashed with sha2-pbkdf2.

hash

Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted.

hash2

Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

enable-admin
Syntax

enable-admin

Context

<global>

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context enter the administrative mode.

Note:

See the description for admin-password. If admin-password is configured in the config>system>security>password context, any user can enter the administrative mode by entering the enable-admin command.

The enable-admin command is in the default profile. By default, all users are granted access to this command.

After the enable-admin command is entered, the user is prompted for a password. If the password matches, the user is granted unrestricted access to all the commands.

The minimum length of the password is determined by the minimum-length command. The complexity requirements for the password are determined by the configuration in the complexity-rules context.

There are two ways to verify that a user is in the enable-admin mode:

  • The administrator can use the show users command to know which users are in this mode.

  • Enter the enable-admin command again at the root prompt and an error message is returned.

The following output is an example of user information.

A:ALA-1# show users
===============================================================================
User Type From Login time Idle time
===============================================================================
admin Console -- 10AUG2006 13:55:24 0d 19:42:22
admin Telnet 10.20.30.93 09AUG2006 08:35:23 0d 00:00:00 A
-------------------------------------------------------------------------------
Number of users : 2
'A' indicates user is in admin mode
===============================================================================
A:ALA-1#
A:ALA-1# enable-admin
MINOR: CLI Already in admin mode.
A:ALA-1#
aging
Syntax

aging days

no aging

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval.

The no form of this command reverts to the default value.

Parameters
days

Specifies the maximum number of days the password is valid.

Values

1 to 500

attempts
Syntax

attempts count [time minutes1 [lockout minutes2]

no attempts

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a threshold value of unsuccessful login attempts allowed in a specified time frame.

The threshold for the number of login attempts can be configured by using the CLI parameter count in the command. An SNMP trap is generated by the device when the number of login attempts exceeds the configured threshold. Generation of the trap can be suppressed using the config>log>event-control command. By default, the device generates a trap when the login attempts exceed the configured threshold. The trap carries information about the user ID used for the login attempt. An SNMP trap is not sent for every failed attempt. If the threshold is exceeded, the user is locked out for a specified time period.

If multiple attempts commands are entered, each command overwrites the previously entered command.

The no form of this command resets all values to default.

Default

attempts 3 time 5 lockout 10

Parameters
count

Specifies the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.

Values

1 to 64

time minutes

Specifies the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out.

Values

0 to 60

lockout minutes

Specifies the lockout period, in minutes, when the user is not allowed to login. Allowed values are decimal integers. When the user exceeds the attempted count times in the specified time, that user is locked out from any further login attempts for the configured time period.

Values

0 to 1440

Default

10

authentication-order
Syntax

authentication-order [method-1] [method-2] [method-3] [exit-on-reject]

no authentication-order

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the sequence in which password authentication, authorization, and accounting is attempted among RADIUS, TACACS+, and local passwords.

The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational. Specifying options that are not available delays user authentication.

If all (operational) methods are attempted and no authentication for a particular login has been granted, an entry in the security log registers the failed attempt. Both the attempted login identification and originating IP address are logged with a timestamp.

The preferred order for password authentication is:

  1. RADIUS

  2. TACACS+

  3. local passwords

The no form of this command reverts to the default authentication sequence.

Default

authentication-order radius tacplus local

Parameters
method-1

Specifies the first password authentication method to attempt.

Default

radius

Values

radius, tacplus, local

method-2

Specifies the second password authentication method to attempt.

Default

tacplus

Values

radius, tacplus, local

method-3

Specifies the third password authentication method to attempt.

Default

local

Values

radius, tacplus, local

radius

Specifies RADIUS authentication.

tacplus

Specifies TACACS+ authentication.

local

Specifies password authentication based on the local password database.

exit-on-reject

When enabled and if one of the AAA methods configured in the authentication order sends a reject, the next method in the order is not attempted. If the exit-on-reject keyword is not specified and if one AAA method sends a reject, the next AAA method is attempted. If in this process, all the AAA methods are exhausted, it is considered as a reject.

A rejection is distinct from an unreachable authentication server. When the exit-on-reject keyword is specified, authorization and accounting only use the method that provided an affirmation authentication; only if that method is no longer readable or is removed from the configuration are other configured methods attempted. If the local keyword is the first authentication and:

  • exit-on-reject is configured and the user does not exist, the user is not authenticated.

  • The user is authenticated locally, then other methods, if configured, are used for authorization and accounting.

  • The user is configured locally but without console access, login is denied.

complexity-rules
Syntax

complexity-rules

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command defines a list of rules for configurable password options.

allow-user-name
Syntax

[no] allow-user-name

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the username to be used as part of the password.

The no form of this command does not allow the username to be used as part of the password.

credits
Syntax

credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits]

no credits

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the maximum credits granted for usage of the different character classes in the local passwords.

The no form of this command reverts to the default value.

Default

no credits

Parameters
credits

Specifies the number of credits that can be used for each character class.

Values

0 to 10

minimum-classes
Syntax

minimum-classes minimum

no minimum-classes

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command forces the use of at least as many different character classes as specified.

The no form of this command resets to default.

Default

no minimum-classes

Parameters
minimum

Specifies the minimum number of classes to be configured.

Values

2 to 4

minimum-length
Syntax

minimum-length length

no minimum-length

Context

config>system>security>password>complexity-rule

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the minimum number of characters required for locally administered passwords and keys used with SNMPv3 user authentication and encryption. See the configure system security user snmp authentication command for more information about the use of keys with SNMPv3-based authentication and encryption algorithms.

If multiple minimum-length commands are entered, each new command overwrites the previously configured password length.

The no form of this command reverts to the default value.

Default

minimum-length 6

Parameters
value

Specifies the minimum number of characters required for a locally administered password.

Values

6 to 50

repeated-characters
Syntax

repeated-characters count

no repeated-characters

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the number of times a characters can be repeated consecutively.

The no form of this command resets to default.

Default

no repeated-characters

Parameters
count

Specifies the minimum count of consecutively repeated characters.

Values

2 to 8

required
Syntax

required [lowercase count] [uppercase count] [numeric count] [special-character count]

no required

Context

config>system>security>password>complexity-rules

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the minimum number of different character classes required.

The no form of this command reverts to the default value.

Default

no required

Parameters
count

Specifies the minimum count of characters classes.

Values

0 to 10

hashing
Syntax

hashing {bcrypt | sha2-pbkdf2}

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-D

Description

This command configures the password hashing algorithm.

Parameters
bcrypt

Keyword to configure the bcrypt algorithm.

sha2-pbkdf2

Keyword to configure the PBKDF2 algorithm.

health-check
Syntax

[no] health-check [interval interval]

Context

config>system>security>password

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies that RADIUS and TACACS+ servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured have 3 seconds of idle time. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, based on the type of the server, a trap is sent.

The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server is up if the last access was successful.

Default

health-check

Parameters
interval

Specifies the interval of the health check in seconds.

Values

6 to 1500

password
Syntax

password

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure password management parameters.

public-keys
Syntax

public-keys

Context

config>system>security>user

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

Commands in this context configure public keys for SSH.

ecdsa
Syntax

ecdsa

Context

config>system>security>user>public-keys

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

Commands in this context configure ECDSA public keys.

ecdsa-key
Syntax

ecdsa-key ecdsa-public-key-id [create]

no ecdsa-key ecdsa-public-key-id

Context

config>system>security>user>public-keys>ecdsa

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

This command creates an ECDSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.

The no form of this command removes the configured ECDSA public keys.

Default

no ecdsa-key

Parameters
create

Keyword to create an ECDSA key. The create keyword requirement can be enabled or disabled in the environment>create context.

key-id

Specifies the key identifier.

Values

1 to 32

key-value
Syntax

key-value public-key-value

no key-value

Context

config>system>security>user>public-keys>ecdsa>ecdsa-key

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

This command configures a value for the ECDSA public key. The public key must be enclosed in quotation marks. The key is between 1 and 1024 bits.

The no form of this command removes the configured ECDSA public key value.

Default

no key-value

Parameters
ecdsa-public-key-value

Specifies the public key value, up to 255 characters.

rsa
Syntax

rsa

Context

config>system>security>user>public-keys

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

Commands in this context configure RSA public keys.

rsa-key
Syntax

rsa-key rsa-public-key-id [create]

no rsa-key rsa-public-key-id

Context

config>system>security>user>public-keys>rsa

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

This command creates an RSA public key and associates it with the username. Multiple public keys can be associated with the user. The key ID is used to identify these keys for the user.

The no form of this command removes the configured RSA public keys.

Default

no rsa-key

Parameters
create

Keyword to create the RSA key. The create keyword requirement can be enabled or disabled in the environment>create context.

key-id

Specifies the key identifier.

Values

1 to 32

key-value
Syntax

key-value rsa-public-key-value

no key-value

Context

config>system>security>user>public-keys>rsa>rsa-key

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

This command configures a value for the RSA public key. The public key must be enclosed in quotation marks. The key is between 768 and 4096 bits.

The no form of this command removes the configured public key value.

Default

no key-value

Parameters
public-key-value

Specifies the public key value, up to 800 characters.

Profile management commands
action
Syntax

action {deny | permit}

Context

config>system>security>profile user-profile-name>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the action associated with the profile entry.

Parameters
deny

Specifies that commands matching the entry command match criteria are to be denied.

permit

Specifies that commands matching the entry command match criteria are permitted.

match
Syntax

match command-string

no match

Context

config>system>security>profile user-profile-name>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a command or command subtree.

Because the 7210 SAS exits when the first match is found, subordinate levels cannot be modified with subsequent action commands. More specific action commands should be entered with a lower entry number or in a profile that is evaluated before this profile.

All commands below the hierarchy level of the matched command are denied.

The no form of this command removes a match condition.

Parameters
command-string

Specifies the CLI command or CLI tree level that is the scope of the profile entry.

copy
Syntax

copy {user source-user | profile source-profile} to destination [overwrite]

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command copies a profile or user from a source profile to a destination profile.

Parameters
source-profile

Specifies the profile to copy, up to 32 characters. The profile must exist.

dest-profile

Specifies the destination profile, up to 32 characters.

overwrite

Specifies that the destination profile configuration is overwritten with the copied source profile configuration. A profile is not overwritten if the overwrite keyword is not specified.

default-action
Syntax

default-action {deny-all | permit-all | none}

Context

config>system>security>profile

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the default action to be applied when no match conditions are met.

Parameters
deny-all

Sets the default of the profile to deny access to all commands.

permit-all

Sets the default of the profile to allow access to all commands.

This keyword does not change access to security commands. Security commands are only and always available to members of the super-user profile.

none

Sets the default of the profile to no-action. This option is useful to assign multiple profiles to a user.

For example, if a user is a member of two profiles and the default action of the first profile is permit-all, the second profile is never evaluated because the permit-all is executed first. Set the first profile default action to none and if no match conditions are met in the first profile, the second profile is evaluated. If the default action of the last profile is none and no explicit match is found, the default deny-all takes effect.

description
Syntax

description description-string

no description

Context

config>system>security>profile user-profile-name>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a text description stored in the configuration file for a configuration context.

The description command associates a text string with a configuration context to help identify the context in the configuration file.

The no form of this command removes the string from the context.

Parameters
string

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed within double quotes.

entry
Syntax

[no] entry entry-id

Context

config>system>security>profile

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command creates a user profile entry.

More than one entry can be created with unique entry-id numbers. The 7210 SAS exits when the first match is found and executes the actions according to the accompanying action command. Entries should be sequenced from most explicit to least explicit.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action for it to be considered complete.

The no form of this command removes the specified entry from the user profile.

Parameters
entry-id

Specifies a unique user profile command match criteria and a corresponding action. If more than one entry is configured, the entry IDs should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entries.

Values

1 to 9999

profile
Syntax

[no] profile user-profile-name

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command creates user profiles for CLI command tree permissions.

Profiles are used to either deny or allow user console access to a hierarchical branch or to specific commands.

After the profiles are created, the users command assigns users to one or more profiles. You can define up to 16 user profiles, but a maximum of 8 profiles can be assigned to a user. The user-profile-name can consist of up to 32 alphanumeric characters.

The no form of this command deletes a user profile.

Default

user-profile default

Parameters
user-profile-name

Specifies the user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

renum
Syntax

renum old-entry-number new-entry-number

Context

config>system>security>profile user-profile-name

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command renumbers profile entries to re-sequence the entries.

Because the 7210 SAS exits when the first match is found and executes the actions according to accompanying action command, re-numbering is useful to rearrange the entries from most explicit to least explicit.

Parameters
old-entry-number

Specifies the entry number of an existing entry.

Values

1 to 9999

new-entry-number

Specifies the new entry number.

Values

1 to 9999

User management commands
access
Syntax

[no] access [ftp] [snmp] [console]

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command grants a user permission for FTP, SNMP, console, or lawful intercept (LI) access.

If a user requires access to more than one application, multiple applications can be specified in a single command. Multiple commands are treated additively.

The no form of this command removes access for a specific application.

The no access command denies permission for all management access methods. To deny a single access method, enter the no form of the command followed by the method to be denied, for example, no access FTP denies FTP access.

Parameters
ftp

Specifies FTP permission.

snmp

Specifies SNMP permission. This keyword is only configurable in the config>system>security>user context.

console

Specifies console access (serial port or Telnet) permission.

authentication
Syntax

authentication none

authentication authentication-protocol key-1 [privacy none] [hash | hash2]

authentication authentication-protocol key-1 privacy privacy-protocol key-2 [hash | hash2]

no authentication

Context

config>system>security>user>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

This command configures the authentication and and encryption method that the device uses to validate the user. The SNMP authentication allows the device to validate the managing node that issues the SNMP message and detect message tampering.

The no form of this command reverts to the default value.

Default

authentication none

Parameters
authentication-protocol

Specifies the SNMP authentication protocol.

Values

hmac-md5-96 — Specifies use of the HMAC-MD5-96 authentication protocol.

hmac-sha1-96 — Specifies use of the HMAC-SHA-96 authentication protocol.

hmac-sha2-224 — Specifies use of the HMAC-SHA-224 authentication protocol.

hmac-sha2-256 — Specifies use of the HMAC-SHA-256 authentication protocol.

hmac-sha2-384 — Specifies use of the HMAC-SHA-384 authentication protocol.

hmac-sha-512 — Specifies use of the HMAC-SHA-512 authentication protocol.

privacy-protocol

Specifies the SNMP privacy protocol.

Values

none — Specifies that encryption should not be used.

cbc-des — Specifies the use of the CBC-DES privacy protocol.

cfb128-aes-128 — Specifies the use of the CFB128-AES-128 privacy protocol.

cfb128-aes-192 — Specifies the use of the CFB128-AES-192 privacy protocol.

cfb128-aes-256 — Specifies the use of the CFB128-AES-256 privacy protocol.

hash

Keyword to indicate the encryption mechanism used to store the authentication and privacy keys in an encrypted format in the configuration file. When hash is not specified, non-encrypted characters can be entered. When hash is specified, the key is expected to be decrypted using the hash mechanism. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 keyword specified.

hash2

Keyword to indicate the encryption mechanism used to store all specified keys in an encrypted format in the configuration file. For example, the hash2 encrypted variable cannot be copied and pasted to a different node. If the hash2 keyword is not specified, the key is assumed to be unencrypted in cleartext form. The hash2 keyword is the default mechanism used if hash is not specified. Therefore, the user does not need to specify hash2 explicitly while entering the key. For security, all keys are stored in encrypted form in the configuration file with the hash or hash2 keyword specified.

key-1

Specifies the key-1 value for SNMP packet encryption.

Values

localized-privacy-key — Key value generated by using the tools>perform>system>management-interface>snmp>generate-key command. When this key is stored in the configuration, it is stored in encrypted form using one of the mechanisms available (for example, hash or hash2) along with the keyword to indicate the mechanism used (for example, config>system>security>user “User1" snmp>privacy cbc-des e8482d1f66e057450afa6e hash).

hash-key — Key value obtained by using the hash mechanism to store the key in encrypted format in the configuration file. Initially the key value is generated by using the tools>perform>system>management-interface>snmp>generate-key command and further stored in the configuration using the hash mechanism.

hash2-key — Key value obtained by using the hash2 mechanism for encrypting the key. This value cannot be entered by the user. It is automatically generated using the hash2 mechanism, when the user does not explicitly specify the hash mechanism for encrypting the key, and stored in the configuration file.

key-2

Specifies the key-2 value for SNMP packet encryption.

Values

localized-privacy-key — Key value generated by using the tools>perform>system>management-interface>snmp>generate-key command. When this key is stored in the configuration, it is stored in encrypted form using one of the mechanisms available (for example, hash or hash2) along with the keyword to indicate the mechanism used (for example, config>system>security>user “User1" snmp>authentication hmac-md5-96 e8482d1f66e057a0be0e50afa6e hash).

hash-key — Key value obtained by using the hash mechanism to store the key in encrypted format in the configuration file. Initially, the key value is generated by using the tools>perform>system>management-interface>snmp>generate-key command and further stored in the configuration using the hash mechanism.

hash2-key — Key value obtained by using the hash2 mechanism for encrypting the key. This value cannot be entered by the user. It is automatically generated using the hash2 mechanism, when the user does not explicitly specify the hash mechanism for encrypting the key, and stored in the configuration file.

authentication
Syntax

authentication none

authentication {md5 key-1 | sha key-1} [privacy none] [hash]

authentication {md5 key-1 | sha key-1} privacy privacy-level key-2 [hash]

no authentication

Context

config>system>security>user>snmp

Platforms

Supported on the 7210 SAS-D

Description

This command configures the authentication and encryption method for the user to be validated by the device. SNMP authentication allows the device to validate the managing node that issued the SNMP message and detect message tampering.

The user password is encrypted first by the MD5/SHA/DES algorithm. The output of the algorithm is always a fixed length string (key). Copy the password key and paste the output in the appropriate authentication command key parameter.

The no form of this command reverts to the default value.

Default

authentication none

Parameters
none

Keyword to specify that authentication should not be used. If none is specified, privacy cannot be configured.

hash

Keyword to store all specified keys in an encrypted format in the configuration file. The password must be entered in encrypted form when this keyword is used. When hash is not specified, non-encrypted characters can be entered.

md5 key

Specifies the authentication protocol, which can be either HMAC-MD5-96 or HMAC-SHA-96.

The MD5 authentication key is stored in an encrypted format. The minimum key length is determined by the config system security password complexity-rules minimum-length minimum-length value. The maximum length is 16 octets (32 printable characters).

The complexity of the key is determined by the configuration in the complexity-rules context.

sha key

The authentication protocol, which can be either HMAC-MD5-96 or HMACSHA-96.

The sha authentication key is stored in an encrypted format. The minimum key length is determined by the config system security password complexity-rules minimum-length value. The maximum length is 20 octets (40 printable characters).

The complexity of the key is determined by the configuration in the complexity-rules context.

privacy none

Keyword to specify that SNMP packet encryption should not be performed.

privacy-level

Specifies the privacy level.

Values

des-key, aes-128-cfb-key

group
Syntax

group group-name

no group

Context

config>system>security>user>snmp

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command associates (or links) a user to a group name. The group name must be configured with the config>system>security>user>snmp>group command. The access command links the group with one or more views, security models, security levels, and read, write, and notify permissions.

Parameters
group-name

Specifies the group name, up to 32 characters, that is associated with this user. A user can be associated with one group name per security model.

cannot-change-password
Syntax

[no] cannot-change-password

Context

config>system>security>user>console

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command disables the user’s privilege to change their password for both FTP and console login.

The cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead.

The no form of this command enables the user privilege to change their password.

Default

no cannot-change-password

console
Syntax

console

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure user profile membership for the console (either Telnet or serial port user).

copy
Syntax

copy {user source-user | profile source-profile} to destination [overwrite]

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command copies specific user configuration parameters to another (destination) user.

The password is set to a carriage return and a new password at login must be selected.

Parameters
source-user

Specifies the user to copy, up to 32 characters. The user must already exist.

dest-user

Specifies the destination user to which the profile is copied, up to 32 characters.

overwrite

Specifies that the destination user configuration is overwritten with the copied source user configuration. A configuration is not overwritten if the overwrite command is not specified.

home-directory
Syntax

home-directory url-prefix [directory] [directory/directory…]

no home-directory

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the local home directory for the user for both console and FTP access.

If the URL or the specified URL/directory structure is not present, a warning message is issued and the default is assumed.

Note:

If restrict-to-home is configured, no file access is granted and no home-directory is created. If restrict-to-home is not applied, the root becomes the user’s home-directory.

The no form of this command removes the configured home directory.

Default

no home-directory

Parameters
local-url-prefix [directory] [directory/directory…]

Specifies the user’s local home directory URL prefix and directory structure, up to 190 characters in length.

profile
Syntax

profile user-profile-name

no profile

Context

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the profile for the user based on the specified template.

Parameters
user-profile-name

Specifies the user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.

login-exec
Syntax

[no] login-exec url-prefix: source-url

Context

config>system>security>user>console

config>system>security>user-template>console

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures a user’s login exec file, which executes whenever the user successfully logs in to a console session.

Only one exec file can be configured. If multiple login-exec commands are entered for the same user, each subsequent entry overwrites the previous entry.

The no form of this command disables the login exec file for the user.

Parameters
url-prefix: source-url

Specifies either a local or remote URL, up to 200 characters, that identifies the exec file that is executed after the user successfully logs in.

member
Syntax

member user-profile-name [user-profile-name…up to 8max]

no member user-profile-name

Context

config>system>security>user>console

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command allows the user access to a profile.

A user can participate in up to eight profiles.

The no form of this command deletes user access to a profile.

Parameters
user-profile-name

Specifies the user profile name, up to 32 characters.

new-password-at-login
Syntax

[no] new-password-at-login

Context

config>system>security>user>console

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command forces the user to change a password at the next console login. The new password applies to FTP but the change can be enforced only by the console, SSH, or Telnet login.

The no form of this command does not force the user to change passwords.

Default

no new-password-at-login

password
Syntax

password [password] [hash | hash2]

Context

config>system>security>user

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the user password for console and FTP access.

The use of the hash keyword sets the initial password when the user is created or modifies the password of an existing user and specifies that the specific password was hashed using hashing algorithm version 1.

The password is stored in an encrypted format in the configuration file when specified. Passwords should be encased in double quotes (" ") at the time of the password creation. The double quote character (") is not accepted inside a password. It is interpreted as the start or stop delimiter of a string.

The use of the hash2 keyword specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.

The following output is an example of user syntax.

config>system>security# user testuser1
config>system>security>user$ password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
config>system>security>user# exit

config>system>security# info
-------------------------------------
...
            user "testuser1"
                password "zx/Uhcn6ReMOZ3BVrWcvk." hash2
            exit
...
-------------------------------------
config>system>security# 
Parameters
password

Specifies the password that the user must be entered during the login procedure. The minimum length of the password is determined by the minimum-length command. The maximum length can be up to 20 characters if unhashed and 32 characters if hashed.

All password special characters (#, $, spaces, and so on) must be enclosed within double quotes.

For example: config>system>security>user# password ‟south#bay?”

The question mark character (?) cannot be directly inserted as input during a Telnet connection because the character is bound to the help command during a normal Telnet/console connection.

To insert a # or ? character, they must be entered inside a notepad or clipboard program and cut and pasted into the Telnet session in the password field that is encased in the double quotes as delimiters for the password.

If a password is entered without any parameters, a password length of zero is implied: (carriage return).

hash

Specifies that the specific password is already hashed using hashing algorithm version 1. A semantic check is performed on the specific password field to verify if it is a valid hash 1 key to store in the database.

hash2

Specifies that the specific password is already hashed using hashing algorithm version 2. A semantic check is performed on the specific password field to verify if it is a valid hash 2 key to store in the database.

restricted-to-home
Syntax

[no] restricted-to-home

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command prevents users from navigating above their home directories for file access. A user is not allowed to navigate to a directory higher in the directory tree on the home directory device. The user is allowed to create and access subdirectories below their home directory.

If a home-directory is not configured or the home directory is not available, the user has no file access.

The no form of this command allows the user access to navigate to directories above their home directory.

Default

no restricted-to-home

save-when-restricted
Syntax

[no] save-when-restricted

Context

config>system>security>user

config>system>security>user-template

Platforms

Supported on all 7210 SAS platforms as described in this document, except the 7210 SAS-D

Description

This command specifies whether the system allows all configuration save operations (such as admin save) using any management interface (such as CLI and NETCONF) even if restricted-to-home is enabled.

The no form of this command disables all configuration save operations using any management interface even if restricted-to-home is enabled.

Default

no save-when-restricted

snmp
Syntax

snmp

Context

config>system>security>user

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure SNMP group membership for a specific user and defines encryption and authentication parameters.

All SNMPv3 users must be configured with the commands available in this CLI node.

The 7210 SAS always uses the configured SNMPv3 username as the security username.

user-template
Syntax

user-template {tacplus_default | radius_default}

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures default security user template parameters.

Parameters
tacplus_default

Specifies that the default TACACS+ user template is actively applied to the TACACS+ user.

radius_default

Specifies that the default RADIUS user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server.

users
Syntax

users

Context

show

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command creates a local user and a context to edit the user configuration.

When creating a new user and entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that username, no password is required. The user can log in to the system and <ENTER> at the password prompt. The user is logged in.

Unless an administrator explicitly changes the password, it is null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value changes.

user
Syntax

user user-name

Context

admin

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables a local user and a context to edit the user configuration.

If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.

When creating a new user and entering the info command, the system displays a password in the output. This is expected behavior in the hash2 scenario. However, when using that username, no password is required. The user can log in to the system and <ENTER> at the password prompt; the user is logged in.

Unless an administrator explicitly changes the password, it is null. The hashed value displayed uses the username and null password field, so when the username is changed, the displayed hashed value changes.

The no form of this command deletes the user and all configuration data. Users cannot delete themselves.

Parameters
user-name

Specifies the name of the user, up to 16 characters.

RADIUS client commands
accounting
Syntax

[no] accounting

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables RADIUS accounting.

The no form of this command disables RADIUS accounting.

Default

no accounting

accounting-port
Syntax

accounting-port port

no accounting-port

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.

Parameters
port

Specifies the UDP port number.

Values

1 to 65535

Default

1813

authorization
Syntax

[no] authorization

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures RADIUS authorization parameters for the system.

Default

no authorization

port
Syntax

port port

no port

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the TCP port number to contact the RADIUS server.

The no form of this command reverts to the default value.

Default

port 1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS))

Parameters
port

Specifies the TCP port number to contact the RADIUS server.

Values

1 to 65535

radius
Syntax

[no] radius

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure RADIUS authentication on the 7210 SAS router.

Implement redundancy by configuring multiple server addresses for each 7210 SAS series router.

The no form of this command removes the RADIUS configuration.

retry
Syntax

retry count

no retry

Context

config>system>security>radius

config>system>security>dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.

The no form of this command reverts to the default value.

Default

retry 3

Parameters
count

Specifies the retry count.

Values

1 to 10

server
Syntax

server index address ip-address secret key [hash|hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]

no server index

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values.

Up to five RADIUS servers can be configured at one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other RADIUS servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.

The 7210 SAS-K 2F1C2T does not support IPv6 addresses for RADIUS servers.

The no form of the command removes the server from the configuration.

Parameters
index

Specifies the index for the RADIUS server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.

Values

1 to 5

address ip-address

Specifies the IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address — a.b.c.d (host bits must be 0)

ipv6-address — x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d
  • x — [0..FFFF]H
  • d — [0..255]D
secret key

Specifies the secret key, up to 20 characters, to access the RADIUS server. This secret key must match the password on the RADIUS server.

hash

Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

shutdown
Syntax

[no] shutdown

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command administratively disables the RADIUS protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command administratively enables the protocol.

Default

no shutdown

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of this command reverts to the default value.

Default

timeout 3

Parameters
seconds

Specifies the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer.

Values

1 to 90

use-default-template
Syntax

[no] use-default-template

Context

config>system>security>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies whether the RADIUS user template is actively applied to the RADIUS user if no VSAs are returned with the auth-accept from the RADIUS server. When enabled, the RADIUS user template is actively applied if no VSAs are returned with the auth-accept from the RADIUS server.

The no form of this command disables the command.

TACACS+ client commands
tacplus
Syntax

[no] tacplus

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure TACACS+ authentication on the router.

Configure multiple server addresses for each router for redundancy.

The no form of this command removes the TACACS+ configuration.

accounting
Syntax

accounting [record-type {start-stop | stop-only}]

no accounting

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.

Default

record-type stop-only

Parameters
record-type start-stop

Specifies that a TACACS+ start packet is sent whenever the user executes a command.

record-type stop-only

Specifies that a stop packet is sent whenever the command execution is complete.

authorization
Syntax

[no] authorization

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures TACACS+ authorization parameters for the system.

Default

no authorization

server
Syntax

server index address ip-address secret key [hash | hash2]

no server index

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.

Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from lowest index to the highest index for authentication requests.

The 7210 SAS-K 2F1C2T does not support IPv6 addresses for TACACS+ servers.

The no form of the command removes the server from the configuration.

Parameters
index

Specifies the index for the TACACS+ server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from the lowest index to the highest index.

Values

1 to 5

address ip-address

Specifies the IP address of the TACACS+ server. Two TACACS+ servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address — a.b.c.d (host bits must be 0)

ipv6-address — x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:x:x:d.d.d.d
  • x — [0..FFFF]H
  • d — [0..255]D
secret key

Specifies the secret key, up to 128 characters, to access the RADIUS server. This secret key must match the password on the RADIUS server.

hash

Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

shutdown
Syntax

[no] shutdown

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command administratively enables the protocol.

Default

no shutdown

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the number of seconds the router waits for a response from a TACACS+ server.

The no form of the command reverts to the default value.

Default

timeout 3

Parameters
seconds

Specifies the number of seconds the router waits for a response from a TACACS+ server, expressed as a decimal integer.

Values

1 to 90

shutdown
Syntax

[no] shutdown

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command administratively enables the protocol which is the default state.

Default

no shutdown

use-default-template
Syntax

[no] use-default-template

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies whether the user template defined by this entry is to be actively applied to the TACACS+ user.

Generic 802.1x commands
dot1x
Syntax

[no] dot1x

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure 802.1x network access control on the 7210 SAS router.

The no form of this command removes the 802.1x configuration.

radius-plcy
Syntax

[no] radius-plcy name [create]

Context

config>system>security>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures RADIUS server parameters for 802.1x network access control on the 7210 SAS router.

Note:

The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the 7210 SAS as opposed to the RADIUS server configured under the config>system>radius context which authenticates CLI login users who get access to the management plane of the 7210 SAS.

The no form of this command removes the RADIUS server configuration for 802.1x.

Parameters
name

Specifies the name of the RADIUS policy, up to 32 characters.

create

This keyword is mandatory to create a RADIUS policy.

retry
Syntax

retry count

no retry

Context

config>system>security>dot1x

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.

The no form of this command reverts to the default value.

Default

retry 3

Parameters
count

Specifies the retry count.

Values

1 to 10

server
Syntax

server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]

no server index

Context

config>system>security> dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command adds a dot1x server and configures the dot1x server IP address, index, and key values.

Up to five dot1x servers can be configured at any one time. Dot1x servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available). If a response from a server is received, no other dot1x servers are queried. It is assumed that there are multiple identical servers configured as backups and that the servers do not have redundant data.

The 7210 SAS-K 2F1C2T does not support IPv6 addresses for dot1x servers.

The no form of the command removes the server from the configuration.

Parameters
server-index

Specifies the index for the dot1x server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from lowest to highest index.

Values

1 to 5

address ip-address

Specifies the IP address of the dot1x server. Two dot1x servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

secret key

Specifies the secret key, up to 128 characters, to access the dot1x server. This secret key must match the password on the dot1x server.

hash

Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

acct-port acct-port

Specifies the UDP port number on which to contact the RADIUS server for accounting requests.

auth-port auth-port

Specifies a UDP port number to be used as a match criteria.

Values

1 to 65535

type server-type

Specifies the server type.

Values

authorization, accounting, combined

source-address
Syntax

source-address ip-address

no source-address

Context

config>system>security> dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the NAS IP address to be sent in the RADIUS packet.

By default the System IP address is used in the NAS field.

The no form of the command reverts to the default value.

Parameters
ip-address

Specifies the IP prefix for the IP match criterion in dotted decimal notation.

Values

a.b.c.d

shutdown
Syntax

[no] shutdown

Context

config>system>security>dot1x

config>system>security>dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command administratively disables the 802.1x protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within.

The no form of the command administratively enables the protocol which is the default state.

Default

shutdown

timeout
Syntax

timeout seconds

no timeout

Context

config>system>security>dot1x>radius-plcy

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the number of seconds the router waits for a response from a RADIUS server.

The no form of the command reverts to the default value.

Default

timeout 3

Parameters
seconds

Specifies the number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer.

Values

1 to 90

TCP Enhanced Authentication commands
keychain
Syntax

[no] keychain keychain-name

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure keychain parameters. A keychain must be configured on the system before it can be applied to a session.

The no form of this command removes the keychain nodal context and everything under it from the configuration. If the keychain to be removed is in use when the no keychain command is entered, the command is not accepted and an error indicating that the keychain is in use is printed.

Parameters
keychain-name

Specifies a keychain name, up to 32 characters, that identifies this particular keychain entry.

direction
Syntax

direction

Context

config>system>security>keychain

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the data type that indicates the TCP stream direction to apply the keychain.

bi
Syntax

bi

Context

config>system>security>keychain>direction

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures keys for both send and receive stream directions.

uni
Syntax

uni

Context

config>system>security>keychain>direction

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures keys for send or receive stream directions.

receive
Syntax

receive

Context

config>system>security>keychain>direction>uni

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables the receive nodal context. Entries defined under this context are used to authenticate TCP segments that are being received by the router.

send
Syntax

send

Context

config>system>security>keychain>direction>uni

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the send nodal context to sign TCP segments that are being sent by the router to another device.

entry
Syntax

entry entry-id key [authentication-key | hash-key | hash2-key] [hash | hash2] algorithm algorithm

no entry entry-id

Context

config>system>security>keychain>direction>bi

config>system>security>keychain>direction>uni>receive

config>system>security>keychain>direction>uni>send

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command defines a particular key in the keychain. Entries are defined by an entry-id. A keychain must have valid entries for the TCP enhanced authentication mechanism to work.

The no form of this command removes the entry from the keychain. If the entry is the active entry for sending, this causes a new active key to be selected (if one is available using the youngest key rule). If it is the only possible send key, the system rejects the command with an error indicating that the configured key is the only available send key.

If the key is one of the eligible keys for receiving, it is removed. If the key is the only possible eligible key, the command is not accepted, and an error message indicating that this is the only eligible key is displayed.

Parameters
entry-id

Specifies an entry that represents a key configuration to be applied to a keychain.

Values

0 to 63

key

Specifies a key ID which is used along with keychain-name and direction to uniquely identify this particular key entry.

authentication-key

Specifies the authentication-key that will be used by the encryption algorithm. The key is used to sign and authenticate a protocol packet.

The authentication-key can be any combination of letters or numbers.

Values

A key must be 160 bits for algorithm hmac-sha-1-96 and must be 128 bits for algorithm aes-128-cmac-96. If the key specified with the entry command amounts to less than this number of bits, it is padded internally with zero bits up to the appropriate length.

algorithm-algorithm

Specifies an enumerated integer that indicates the encryption algorithm to be used by the key defined in the keychain.

Values

aes-128-cmac-96 — Specifies an algorithm based on the AES standard.

hmac-sha-1-96 — Specifies an algorithm based on SHA-1.

hash-key | hash2-key

Specifies the hash key. The key can be any combination of ASCII characters up to 33 for the hash-key and 96 characters for the hash2-key in length (encrypted). If spaces are used in the string, enclose the entire string in quotation marks (‟ ”).

This is useful when a user must configure the parameter, but, for security purposes, the actual unencrypted key value is not provided.

hash

Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form.

begin-time
Syntax

begin-time [date] [hours-minutes] [UTC] [now] [forever]

Context

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the calendar date and time after which the key specified by the keychain authentication key is used to sign and authenticate the protocol stream.

If no date and time is set, the begin-time is represented by a date and time string with all nulls and the key is not valid by default.

Parameters
date hours-minutes

Specifies the date and time for the key to become active.

Values

date: YYYY/MM/DD hours-minutes: hh:mm[:ss]

now

Specifies that the key should become active immediately.

forever

Specifies that the key should always be active.

end-time
Syntax

end-time [date] [hours-minutes] [UTC] [now] [forever]

Context

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign and authenticate the protocol stream.

Default

end-time forever

Parameters
date

Specifies the calendar date after which the key specified by the authentication key is no longer eligible to sign and authenticate the protocol stream in the YYYY/MM/DD format. When no year is specified the system assumes the current year.

hours-minutes

Specifies the time after which the key specified by the authentication key is no longer eligible to sign and authenticate the protocol stream in the hh:mm[:ss] format. Seconds are optional, and if not included, assumed to be 0.

UTC

Indicates that time is specified with reference to Coordinated Universal Time in the input.

now

Specifies a time equal to the current system time.

forever

Specifies a time beyond the current epoch.

tolerance
Syntax

tolerance [seconds | forever]

Context

config>system>security>keychain>direction>bi>entry

config>system>security>keychain>direction>uni>receive>entry

config>system>security>keychain>direction>uni>send>entry

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the amount of time that an eligible receive key should overlap with the active send key or to never expire.

Parameters
seconds

Specifies the duration that an eligible receive key overlaps with the active send key.

Values

0 to 4294967294 seconds

forever

Specifies that an eligible receive key overlaps with the active send key forever.

tcp-option-number
Syntax

tcp-option-number

Context

config>system>security>keychain

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure the TCP option number to be placed in the TCP packet header.

receive
Syntax

receive option-number

Context

config>system>security>keychain>tcp-option-number

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the TCP option number accepted in TCP packets received.

Default

receive 254

Parameters
option-number

Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header.

Values

253, 254, 253, 254

send
Syntax

send option-number

Context

config>system>security>keychain>tcp-option-number

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the TCP option number accepted in TCP packets sent.

Default

send 254

Parameters
option-number

Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header.

Values

253, 254

dst-port
Syntax

dst-port [tcp/udp port-number] [mask]

no dst-port

Context

config>sys>sec>cpm>entry>match

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the TCP/UDP port to match the destination port of the packet. An entry containing L4 match criteria do not match non-initial (2nd, 3rd, and so on) fragments of a fragmented packet because only the first fragment contains the L4 information.

The no form of this command removes the destination port match criterion.

Parameters
dst-port-number

Specifies the destination port number to be used as a match criteria expressed as a decimal integer.

Values

0 to 65535 (accepted in decimal hex or binary)

mask

Specifies the 16 bit mask to be applied when matching the destination port.

lockout
Syntax

lockout all

lockout user user-name

Context

admin>clear

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command clears any lockouts for a specific user.

Parameters
all

Specifies to clear the lockout for all users.

user-name

Specifies the locked username, up to 32 characters.

IPsec commands
ipsec
Syntax

ipsec

Context

config

Platforms

7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C

Description

Commands in this context configure Internet Protocol security (IPsec) parameters. IPsec is a structure of open standards that uses cryptographic security services to ensure private, secure communications over IP networks.

static-sa
Syntax

static-sa sa-name [create]

no static-sa

Context

config>ipsec

Platforms

7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C

Description

This command configures an IPsec static security association (SA).

The no form of this command removes the configuration.

Parameters
sa-name

Specifies the SA name, up to 32 characters.

create

Mandatory keyword to create an SA instance.

authentication
Syntax

authentication auth-algorithm ascii-key ascii-string

authentication auth-algorithm hex-key hex-string [hash | hash2]

no authentication

Context

config>ipsec>static-sa

Platforms

7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C

Description

This command configures the authentication algorithm to use for an IPsec manual SA.

The no form of this command removes the configuration.

Default

no authentication

Parameters
auth-algorithm

Specifies the authentication algorithm.

Values

sha1 — The authentication protocol can be either HMAC-MD5-96 or HMAC-SHA-96.

md5 — The authentication protocol can either be HMAC-MD5-96 or HMAC-SHA-96.

ascii-string

Specifies the ASCII key, up to 16 characters for md5 and 20 characters for sha1.

The authentication key is stored an encrypted format. The minimum key length is configured using the config>system>security>password>minimum-length command.

The complexity of the key is configured using the commands in the config>system>security>password>complexity-rules context.

hex-string

Specifies the hexadecimal key, up to 32 hexadecimal nibbles for md5 and up to 40 hexadecimal nibbles for sha1.

hash

Keyword that stores all specified keys in encrypted format in the configuration file. The password must be entered in encrypted form when this keyword is configured. If this keyword is not configured, the key is assumed to be in a non-encrypted form.

hash2

Keyword to store the key in a more complex encrypted form. If this keyword is not used, the less encrypted hash form is assumed.

description
Syntax

description description-string

no description

Context

config>ipsec>static-sa

Platforms

7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C

Description

This command creates a text description, which is stored in the configuration file, to help identify the content of the entity.The no form of this command removes the string from the configuration.

Parameters
description-string

Specifies the description character string. Allowed values are any string up to 80 characters composed of printable, 7-bit ASCII characters. It the string contains special characters (#, $, spaces, and so on), the entire string must be enclosed in double quotes.

direction
Syntax

direction ipsec-direction

no direction

Context

config>ipsec>static-sa

Platforms

7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C

Description

This command configures the direction for an IPsec manual SA.

The no form of this command reverts to the default value.

Default

direction bidirectional

Parameters
ipsec-direction

Specifies the direction.

Values

inbound, outbound, bidirectional

protocol
Syntax

protocol ipsec-protocol

no protocol

Context

config>ipsec>static-sa

Platforms

7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C

Description

This command configures the security protocol to use for an IPsec manual SA.

The no form of this command reverts to the default value.

Default

protocol esp

Parameters
ipsec-protocol

Specifies the security protocol.

Values

ah — Configures to Authentication Header Protocol.

esp — Configures the Encapsulation Security Payload Protocol.

spi
Syntax

spi spi

no spi

Context

config>ipsec>static-sa

Platforms

7210 SAS-K 2F6C4T and 7210 SAS-K 3SFP+ 8C

Description

This command configures the security parameter index (SPI) key value for an IPsec manual SA.

The no form of this command removes the configured SPI key value.

Parameters
spi

Specifies the SPI value.

Values

256 to 16383

Show commands

Security commands
access-group
Syntax

access-group [group-name]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays SNMP access group information.

Parameters
group-name

Displays information for the specified access group.

Output

The following output is an example of SNMP access group information, and Output fields: access group describes the output fields.

Sample output
A:ALA-4# show system security access-group
===============================================================================
Access Groups                                                                  
===============================================================================
group name        security  security  read          write         notify       
                  model     level     view          view          view         
-------------------------------------------------------------------------------
snmp-ro           snmpv1    none      no-security                 no-security  
snmp-ro           snmpv2c   none      no-security                 no-security  
snmp-rw           snmpv1    none      no-security   no-security   no-security  
snmp-rw           snmpv2c   none      no-security   no-security   no-security  
snmp-rwa          snmpv1    none      iso           iso           iso          
snmp-rwa          snmpv2c   none      iso           iso           iso          
snmp-trap         snmpv1    none                                  iso          
snmp-trap         snmpv2c   none                                  iso          
===============================================================================
A:ALA-7#
Table 13. Output fields: access group

Label

Description

Group name

Displays the access group name

Security model

Displays the security model required to access the views configured in this node

Security level

Specifies the required authentication and privacy levels to access the views configured in this node

Read view

Specifies the variable of the view to read the MIB objects

Write view

Specifies the variable of the view to configure the contents of the agent

Notify view

Specifies the variable of the view to send a trap about MIB objects

authentication
Syntax

authentication [statistics]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays system login authentication configuration and statistics.

Parameters
statistics

Appends login and accounting statistics to the display.

Output

The following output is an example of system login authentication information, and Output fields: security authentication describes the output fields.

Sample output
A:ALA-4# show system security authentication
===============================================================================
Authentication                  sequence : radius tacplus local
===============================================================================
server address   status  type    timeout(secs)  single connection  retry count
-------------------------------------------------------------------------------
10.10.10.103     up      radius  5              n/a                5
10.10.0.1        up      radius  5              n/a                5
10.10.0.2        up      radius  5              n/a                5
10.10.0.3        up      radius  5              n/a                5
-------------------------------------------------------------------------------
radius admin status  : down
tacplus admin status : up
health check         : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
A:ALA-4#


A:ALA-7>show>system>security# authentication statistics
===============================================================================
Authentication                  sequence : radius tacplus local
===============================================================================
server address   status  type    timeout(secs)  single connection  retry count
-------------------------------------------------------------------------------
10.10.10.103     up      radius  5              n/a                5
10.10.0.1        up      radius  5              n/a                5
10.10.0.2        up      radius  5              n/a                5
10.10.0.3        up      radius  5              n/a                5
-------------------------------------------------------------------------------
radius admin status  : down
tacplus admin status : up
health check         : enabled
-------------------------------------------------------------------------------
No. of Servers: 4
===============================================================================
Login Statistics
===============================================================================
server address      connection errors   accepted logins     rejected logins
-------------------------------------------------------------------------------
10.10.10.103        0                   0                   0
10.10.0.1           0                   0                   0
10.10.0.2           0                   0                   0
10.10.0.3           0                   0                   0
local               n/a                 1                   0
===============================================================================
Authorization Statistics (TACACS+)
===============================================================================
server address      connection errors   sent packets        rejected packets
-------------------------------------------------------------------------------
===============================================================================
Accounting Statistics
===============================================================================
server address      connection errors   sent packets        rejected packets
-------------------------------------------------------------------------------
10.10.10.103        0                   0                   0
10.10.0.1           0                   0                   0
10.10.0.2           0                   0                   0
10.10.0.3           0                   0                   0
===============================================================================
A:ALA-7#
Table 14. Output fields: security authentication

Label

Description

Sequence

Displays the sequence in which authentication is processed

Server address

Displays the IP address of the RADIUS server

Status

Displays the current status of the RADIUS server

Type

Displays the authentication type

Timeout (secs)

Displays the number of seconds the router waits for a response from a RADIUS server

Single connection

Enabled — Specifies a single connection to the TACACS+ server and validates everything via that connection.

Disabled — Specifies the TACACS+ protocol operation is disabled.

Retry count

Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server

Connection errors

Displays the number of times a user has attempted to login irrespective of whether the login succeeded or failed

Accepted logins

Displays the number of times the user has successfully logged in

Rejected logins

Displays the number of unsuccessful login attempts

Sent packets

Displays the number of packets sent

Rejected packets

Displays the number of packets rejected

keychain
Syntax

keychain [key-chain] [detail]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays keychain information.

Parameters
key-chain

Specifies the keychain name to display.

detail

Displays detailed keychain information.

Output

The following output is an example of keychain information, and Output fields: keychain describes the output fields.

Sample output
*A:ALA-A# show system security keychain test
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send     : 254                    Admin state   : Up
TCP-Option number receive  : 254                    Oper state    : Up
===============================================================================
*A:ALA-A# 


*A:ALA-A#  show system security keychain test detail
===============================================================================
Key chain:test
===============================================================================
TCP-Option number send     : 254                    Admin state   : Up
TCP-Option number receive  : 254                    Oper state    : Up
===============================================================================
Key entries for key chain: test
===============================================================================
Id               : 0
Direction        : send-receive         Algorithm        : hmac-sha-1-96
Admin State      : Up                   Valid            : Yes
Active           : Yes                  Tolerance        : 300
Begin Time       : 2007/02/15 18:28:37  Begin Time (UTC) : 2007/02/15 17:28:37
End Time         : N/A                  End Time (UTC)   : N/A
===============================================================================
Id               : 1
Direction        : send-receive         Algorithm        : aes-128-cmac-96
Admin State      : Up                   Valid            : Yes
Active           : No                   Tolerance        : 300
Begin Time       : 2007/02/15 18:27:57  Begin Time (UTC) : 2007/02/15 17:27:57
End Time         : 2007/02/15 18:28:13  End Time (UTC)   : 2007/02/15 17:28:13
===============================================================================
Id               : 2
Direction        : send-receive         Algorithm        : aes-128-cmac-96
Admin State      : Up                   Valid            : Yes
Active           : No                   Tolerance        : 500
Begin Time       : 2007/02/15 18:28:13  Begin Time (UTC) : 2007/02/15 17:28:13
End Time         : 2007/02/15 18:28:37  End Time (UTC)   : 2007/02/15 17:28:37
===============================================================================
*A:ALA-A# 
Table 15. Output fields: keychain

Label

Description

TCP-Option number send

Displays the TCP option number to be inserted in the header of sent TCP packets

Admin state

Displays the administrative state of the keychain: up or down

TCP-Option number receive

Displays the TCP option number that is accepted in the header of received TCP packets

Oper state

Displays the operational state of the keychain: up or down

Key entries for key chain: test

Id

Displays the ID of the key entry

Direction

Displays the stream direction on which keys are applied for this entry: send, receive, or send-receive

Algorithm

Displays the encryption algorithm to be used by this key entry

Option

Indicates the configured IS-IS encoding standard (indicates ‟none” if the associated protocol is not IS-IS)

Admin State

Displays the administrative state of the key entry: up or down

Valid

Indicates if the receive key is valid

Active

Indicates if the transmit (sent) key is active

Tolerance

Displays the tolerance time configured for support of both currently active and new keys

Begin Time

Displays the time at which the new key is used to sign and/or authenticate protocol packets

Begin Time (UTC)

Displays the begin time in UTC time

End Time

Displays the time at which the key is no longer eligible to authenticate protocol packets

End Time (UTC)

Displays the end time in UTC time

management-access-filter
Syntax

management-access-filter

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays management access filter information for IP filters.

ip-filter
Syntax

ip-filter [entry entry-id]

Context

show>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays management-access IP filters.

Parameters
entry-id

Displays information for the specified entry.

Values

1 to 9999

Output

The following output is an example of management access IP filter information, and Output fields: IP filter describes the output fields.

Sample output
*7210-SAS>show>system>security>management-access-filter# ip-filter entry 1

===============================================================================
IPv4 Management Access Filter
===============================================================================
filter type   : ip
Def. Action   : permit
Admin Status  : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry         : 1
Description   : (Not Specified)
Src IP        : undefined
Src interface : undefined
Dest port     : undefined
L4 Src port   : undefined
Fragment      : off
Protocol      : undefined
Router        : undefined
Action        : none
Log           : disabled
Matches       : 0
===============================================================================
*7210-SAS>show>system>security>management-access-filter# 
Table 16. Output fields: IP filter

Label

Description

Def. action

Permit — Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted

Deny — Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that an ICMP host unreachable message will be issued

Deny-host-unreachable — Specifies that packets not matching the configured selection criteria in the filter entries are denied

Entry

Displays the entry ID in a policy or filter table

Description

Displays a text string describing the filter

Src IP

Displays the source IP address used for management access filter match criteria

Src Interface

Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry

Dest port

Displays the destination port

Match

Displays the number of times a management packet has matched this filter entry

Protocol

Displays the IP protocol to match

Action

Displays the action to take for packets that match this filter entry

Flow label

Displays the flow label value to match

Next-header

Displays the IPv6 next header value to match

L4 Src port

Displays the TCP/UDP source port number to match

Fragment

Indicates whether the entry should match a fragment

Router

Displays the router instance ID to match

Log

Indicates if packet matching this entry must be logged or not. On 7210 SAS, platforms logging is not supported.

ipv6-filter
Syntax

ipv6-filter [entry entry-id]

Context

show>system>security>mgmt-access-filter

Platforms

Supported on all 7210 SAS platforms as described in this document, except 7210 SAS-K 2F1C2T

Description

This command displays management-access IPv6 filters.

Parameters
entry-id

Displays information for the specified entry.

Values

1 to 9999

Output

The following output is an example of management access IPV6 filter information, and Output fields: IPv6 filter describes the output fields.

Sample output
A:7210SAS# show system security management-access-filter ipv6-filter 

===============================================================================
IPv6 Management Access Filter
===============================================================================
filter type : ipv6
Def. Action : permit
Admin Status : enabled (no shutdown)
-------------------------------------------------------------------------------
Entry : 1
Description : (Not Specified)
Src IP : undefined
Flow label : undefined
Src interface : 1/1/1
Dest port : undefined
L4 Src port : undefined
Next-header : undefined
Router : undefined
Action : permit
Log : disabled
Matches : 0
===============================================================================
*A:7210SAS# 
Table 17. Output fields: IPv6 filter

Label

Description

Def. action

Permit — Specifies that packets not matching the configured selection criteria in any of the filter entries are permitted

Deny — Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will be issued

Deny-host-unreachable — Specifies that packets not matching the configured selection criteria in the filter entries are denied

Entry

Displays the entry ID in a policy or filter table

Description

Displays a text string describing the filter

Src IP

Displays the source IPv6 address used for management access filter match criteria

Src Interface

Displays the interface name for the next-hop to which the packet should be forwarded if it hits this filter entry

Dest port

Displays the destination port

Flow label

Displays the flow label value to match

Protocol

Displays the IPv6 protocol to match

Action

Displays the action to take for packets that match this filter entry

Next-header

Displays the IPv6 next header value to match

L4 Src port

Displays the TCP/UDP source port number to match

Router

Displays the router instance ID to match

Log

Indicates if packet matching this entry must be logged or not. On 7210 SAS platforms, logging is not supported.

password-options
Syntax

password-options

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays configured password options.

Output

The following output is an example of configured password options information, and Output fields: password options describes the output fields.

Sample output
A:ALA-7# show system security password-options
===============================================================================
Password Options                                                               
===============================================================================
Password aging in days                           : none                        
Number of invalid attempts permitted per login   : 3                           
Time in minutes per login attempt                : 5                           
Lockout period (when threshold breached)         : 10                          
Authentication order                             : radius tacplus local        
Configured complexity options                    :                             
Minimum password length                          : 6                           
===============================================================================
A:ALA-7#
Table 18. Output fields: password options

Label

Description

Password aging in days

Displays the number of days a user password is valid before the user must change their password

Number of invalid attempts permitted per login

Displays the number of unsuccessful login attempts allowed for the specified time

Time in minutes per login attempt

Displays the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out

Lockout period (when threshold breached)

Displays the lockout period in minutes where the user is not allowed to login

Authentication order

Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords

Configured complexity options

Displays the complexity requirements of locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the authentication section

Minimum password length

Displays the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the system security section

profile
Syntax

profile [profile-name]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays user profile information.

If the profile-name is not specified, then information for all profiles are displayed.

Parameters
profile-name

Displays information for the specified user profile.

Output

The following output is an example of user profile information, and Output fields: security profile describes the output fields.

Sample output
A:ALA-7# show system security profile administrative
=============================================================================== 
User Profile                                                                    
=============================================================================== 
User Profile : administrative                                                   
Def. Action  : permit-all                                                       
------------------------------------------------------------------------------- 
Entry        : 10                                                               
Description  :                                                                  
Match Command: configure system security                                        
Action       : permit                                                           
------------------------------------------------------------------------------- 
Entry        : 20                                                               
Description  :                                                                  
Match Command: show system security                                             
Action       : permit                                                           
-------------------------------------------------------------------------------
No. of profiles: 
===============================================================================
A:ALA-7#
Table 19. Output fields: security profile

Label

Description

User Profile

Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands

Def. action

Permit all — Permits access to all commands

Deny — Denies access to all commands

None — No action is taken

Entry

Displays the entry ID in a policy or filter table

Description

Displays the text string describing the entry

Match Command

Displays the command or subtree commands in subordinate command levels

Action

Permit all — Commands matching the entry command match criteria are permitted

Deny — Commands not matching the entry command match criteria are not permitted

No. of profiles

Displays the total number of profiles listed

source-address
Syntax

source-address

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays the source address configured for applications.

The 7210 SAS-K 2F1C2T does not support IPv6 source addresses.

Output

The following output is an example of source address information, and Output fields: source address describes the output fields.

Sample output
A:SR-7# show system security source-address
===============================================================================
Source-Address applications
===============================================================================
Application         IP address/Interface Name                    Oper status
-------------------------------------------------------------------------------
telnet              10.20.1.7                                    Up
radius              loopback1                                    Up
===============================================================================
A:SR-7# 
Table 20. Output fields: source address

Label

Description

Application

Displays the source-address application

IP address

Interface Name

Displays the source address IP address or interface name

Oper status

Up — The source address is operationally up

Down — The source address is operationally down

ssh
Syntax

ssh

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays all SSH sessions as well as the SSH status and fingerprint.

Output

The following output is an example of SSH information, and Output fields: SSH describes the output fields.

Sample output
ALA-7# show system security ssh 
SSH is enabled
SSH preserve key: Enabled
SSH protocol version 1: Enabled
RSA host key finger print:c6:a9:57:cb:ee:ec:df:33:1a:cd:d2:ef:3f:b5:46:34

SSH protocol version 2: Enabled
DSA host key finger print:ab:ed:43:6a:75:90:d3:fc:42:59:17:8a:80:10:41:79 
=======================================================
Connection Encryption Username
=======================================================
192.168.5.218 3des admin
-------------------------------------------------------
Number of SSH sessions : 1
======================================================= 
ALA-7# 
A:ALA-49>config>system>security# show system security ssh
SSH is disabled
A:ALA-49>config>system>security#
Table 21. Output fields: SSH

Label

Description

SSH status

SSH is enabled — Displays that SSH server is enabled

SSH is disabled — Displays that SSH server is disabled

SSH Preserve Key

Enabled — Displays that preserve-key is enabled

Disabled — Displays that preserve-key is disabled

SSH protocol version 1

Enabled — Displays that SSH1 is enabled

Disabled — Displays that SSH1 is disabled

SSH protocol version 2

Enabled — Displays that SSH2 is enabled

Disabled — Displays that SSH2 is disabled

Key fingerprint

Displays the key fingerprint, which is the server identity. Clients trying to connect to the server verify the server fingerprint. If the server fingerprint is not known, the client may not continue with the SSH session because the server may be spoofed.

Connection

Displays the IP address of the connected routers (remote client)

Encryption

des — Data encryption using a private (secret) key

3des — An encryption method that allows proprietary information to be transmitted over untrusted networks

Username

Displays the name of the user

Number of SSH sessions

Displays the total number of SSH sessions

user
Syntax

user [user-id] [detail]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays user registration information.

By default, if no command line options are specified, summary information for all users displays.

Parameters
user-id

Displays information for the specified user, up to 32 characters.

detail

Displays detailed user information to the summary output.

Output

The following output is an example of user registration information, and Output fields: security user describes the output fields.

Sample output
A:ALA-7# show system security user
===============================================================================
Users                                                                          
===============================================================================
user id           need    user permissions  password    attempted failed  local
                  new pwd console ftp snmp  expires     logins    logins  conf 
-------------------------------------------------------------------------------
                                                                               
admin             n       y       n   n     never       21        0       y    
===============================================================================
A:ALA-7# 

A:
ALA-7# show system security user detail
===============================================================================
Users                                                                          
===============================================================================
user id           need    user permissions  password    attempted failed  local
                  new pwd console ftp snmp  expires     logins    logins  conf 
-------------------------------------------------------------------------------
                                                                               
admin             n       y       n   n     never       21        0       y    
===============================================================================
                                                                               
===============================================================================
User Configuration Detail                                                      
===============================================================================
user id            : admin                                                     
-------------------------------------------------------------------------------
console parameters                                                             
-------------------------------------------------------------------------------
new pw required    : no                 cannot change pw   : no                
home directory     : cf1:\ 
restricted to home : no                                                        
login exec file    :                                                           
profile            : administrative                                            
-------------------------------------------------------------------------------
snmp parameters                                                                
===============================================================================
A:ALA-7# 
Table 22. Output fields: security user

Label

Description

User ID

Displays the name of a system user

Need new pwd

Y — The user must change their password at the next login

N — The user is not forced to change their password at the next login

Cannot change pw

Y — The user has the ability to change the login password

N — The user does not have the ability to change the login password

User permissions

Console

Y — The user is authorized for console access

N — The user is not authorized for console access

FTP

Y — The user is authorized for FTP access

N — The user is not authorized for FTP access

SNMP

Y — The user is authorized for SNMP access

N — The user is not authorized for SNMP access

Password expires

Displays the number of days in which the user must change their login password

Attempted logins

Displays the number of times the user has attempted to log in regardless of whether the login succeeded or failed

Failed logins

Displays the number of unsuccessful login attempts

Local conf

Y — Password authentication is based on the local password database

N — Password authentication is not based on the local password database

Home directory

Specifies the local home directory for the user for both console and FTP access

Restricted to home

Yes — The user is not allowed to navigate to a directory higher in the directory tree on the home directory device

No — The user is allowed to navigate to a directory higher in the directory tree on the home directory device

Login exec file

Displays the user login exec file, which executes whenever the user successfully logs in to a console session

view
Syntax

view [view-name] [detail]

Context

show>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays the SNMP MIB views.

Parameters
view-name

Specifies the name of the view to display output, up to 32 characters. If no view name is specified, the complete list of views displays.

detail

Displays detailed view information.

Output

The following output is an example of SNMP MIB view information, and Output fields: security view describes the output fields.

Sample output
A:ALA-48# show system security view
===============================================================================
Views
===============================================================================
view name         oid tree                        mask              permission
-------------------------------------------------------------------------------
iso               1                                                 included
read1             1.1.1.1                         11111111          included
write1            2.2.2.2                         11111111          included
testview          1                               11111111          included
testview          1.3.6.1.2                       11111111          excluded
mgmt-view         1.3.6.1.2.1.2                                     included
mgmt-view         1.3.6.1.2.1.4                                     included
mgmt-view         1.3.6.1.2.1.5                                     included
mgmt-view         1.3.6.1.2.1.6                                     included
mgmt-view         1.3.6.1.2.1.7                                     included
mgmt-view         1.3.6.1.2.1.31                                    included
mgmt-view         1.3.6.1.2.1.77                                    included
mgmt-view         1.3.6.1.4.1.6527.3.1.2.3.7                        included
mgmt-view         1.3.6.1.4.1.6527.3.1.2.3.11                       included
no-security       1                                                 included
no-security       1.3.6.1.6.3                                       excluded
no-security       1.3.6.1.6.3.10.2.1                                included
no-security       1.3.6.1.6.3.11.2.1                                included
no-security       1.3.6.1.6.3.15.1.1                                included
on-security       2                               00000000          included
-------------------------------------------------------------------------------
No. of Views: 
===============================================================================
A:ALA-48#
Table 23. Output fields: security view

Label

Description

view name

Displays the name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree.

oid tree

Displays the object identifier of the ASN.1 subtree

mask

Displays the bit mask that defines a family of view subtrees

permission

Indicates whether each view is included or excluded

No. of Views

Displays the total number of views

Login control
users
Syntax

users

Context

show

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command displays console user login and connection information.

Output

The following output is an example of console user login and connection information, and Output fields: users describes the output fields.

Sample output
A:ALA-7# show users
===============================================================================
User              Type    From              Login time          Idle time
===============================================================================
testuser          Console     --            21FEB2007 04:58:55  0d 00:00:00  A
-------------------------------------------------------------------------------
Number of users : 1
'A' indicates user is in admin mode
===============================================================================
A:ALA-7#
Table 24. Output fields: users

Label

Description

User

Displays the username

Type

Displays the access type that the user is authorized

From

Displays the originating IP address

Login time

Displays the time the user logged in

Idle time

Displays the amount of idle time for a specific login

Number of users

Displays the total number of users logged in

Debug commands

radius
Syntax

radius

no radius

Context

debug>router

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command enables debugging for RADIUS connections.

The no form of this command disables RADIUS debugging.

Default

no radius

detail-level
Syntax

detail-level {low | medium | high}

no detail-level

Context

debug>router>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the RADIUS debugging output detail level.

The no form of this command reverts to the default value.

Default

detail-level medium

Parameters
low

Specifies that the output include the packet type, server address, length, and RADIUS server policy name.

medium

Specifies that the output include the RADIUS attributes in the packets, in addition to all information included in low detail output.

high

Specifies that the output include hexadecimal packet dumps, in addition to all information included in medium and low detail output.

packet-type
Syntax

packet-type [authentication] [accounting] [coa]

no packet-type

Context

debug>router>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the RADIUS packet types to include in the RADIUS debugging output.

The no form of this command reverts to the default values.

Default

packet-type authentication accounting coa

Parameters
authentication

Specifies that RADIUS authentication packets should be included.

accounting

Specifies that RADIUS accounting packets should be included.

coa

Specifies that RADIUS change-of-authorization packets should be included.

radius-attr
Syntax

radius-attr type attribute-type [transaction]

radius-attr type attribute-type [transaction] {address | hex | integer | string} value attribute-value

radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type]

radius-attr vendor vendor-id type attribute-type [transaction] [encoding encoding-type] {address | hex | integer | string} value attribute-value

no radius-attr type attribute-type

no radius-attr type attribute-type {address | hex | integer | string} value attribute-value

no radius-attr vendor vendor-id type attribute-type

no radius-attr vendor vendor-id type attribute-type {address | hex | integer | string} value attribute-value

Context

debug>router>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the RADIUS attributes to include in medium or high detail RADIUS debugging output.

The no form of this command disables the inclusion of the specified attributes.

Parameters
address

Specifies that the attribute-value is an IPv4 or IPv6 address, prefix, or subnet.

attribute-type

Specifies the RADIUS attribute type.

Values

1 to 255

attribute-value

Specifies the value of the RADIUS attribute.

Values

addressipv4-address, ipv6-address, ipv6-prefix/prefix-length

ipv4-address — a.b.c.d

ipv6-address — x:x:x:x:x:x:x:x (eight 16-bit pieces)

ipv6-prefix — x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:d.d.d.d
  • x — 0 to FFFF (hexadecimal)
  • d — 0 to 255 (decimal)

prefix-length — 0 to 128 (7210 SAS-D, 7210 SAS-K 2F1C2T, 7210 SAS-K 2F6C4T, 7210 SAS-K 3SFP+ 8C)

0 to 64 (7210 SAS-Dxp)

hex — 0x0 to 0xFFFFFFFF (up to 506 hexadecimal nibbles)

integer — 0 to 4294967295

string — ASCII string up to 253 characters

encoding-type

Specifies the size of the vendor-type and vendor-length in bytes. The information is configured in the format xy, where x is the size of the vendor-type and y is the size of the vendor-length.

Values

vendor-type — 1 to 4

vendor-length — 0 to 2

Default

11

hex

Specifies that the attribute-value is a binary string in hexadecimal format.

integer

Specifies that the attribute-value is an integer.

string

Specifies that the attribute-value is an ASCII string.

transaction

Specifies that the system outputs both request and response packets in the same session, even if the response packet does not include the filtered attributes.

vendor-id

Specifies the vendor ID for the vendor-specific attributes.

Values

0 to 16777215

server-address
Syntax

server-address ip-address

no server-address ip-address

Context

debug>router>radius

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies the RADIUS server information to include in the RADIUS debugging output.

The no form of this command removes the specified RADIUS server from the RADIUS debugging output.

Parameters
ip-address

Specifies the IPv4 or IPv6 address of the RADIUS server.

Values

ipv4-address — a.b.c.d

ipv6-address — x:x:x:x:x:x:x:x (eight 16-bit pieces)

  • x:x:x:x:d.d.d.d
  • x — 0 to FFFF (hexadecimal)
  • d — 0 to 255 (decimal)
1 Local commands always perform account logging using the config log command.