- About this Guide
- Chapter 1, ML-Series Card Overview
- Chapter 2, CTC Operations
- Chapter 3, Initial Configuration
- Chapter 4, Configuring Interfaces
- Chapter 5, Configuring POS
- Chapter 6, Configuring Bridges
- Chapter 7, Configuring STP and RSTP
- Chapter 8, Configuring VLANs
- Chapter 9, Configuring IEEE 802.1Q Tunneling and Layer 2 Protocol Tunneling
- Chapter 10, Configuring Link Aggregation
- Chapter 11, Configuring Network Protocols
- Chapter 12, Configuring IRB
- Chapter 13, Configuring VRF Lite
- Chapter 14, Configuring Quality of Service
- Chapter 15, Configuring the Switching Database Manager
- Chapter 16, Configuring Access Control Lists
- Chapter 17, Configuring Resilient Packet Ring
- Chapter 18, Configuring Ethernet over MPLS
- Chapter 19, Configuring Security for the ML-Series Card
- Chapter 20, POS on ONS Ethernet Cards
- Chapter 21, Configuring RMON
- Chapter 22, Configuring SNMP
- Chapter 23, E-Series and G-Series Ethernet Operation
- Chapter 24, CE-100T-8 Ethernet Operation
- Chapter 25, CE-1000-4 Ethernet Operation
- Chapter 26, Configuring 802.17 Resilient Packet Ring
- Appendix A, Command Reference
- Appendix B, Unsupported CLI Commands
- Appendix C, Using Technical Support
- Understanding Security
- Disabling the Console Port on the ML-Series Card
- Secure Login on the ML-Series Card
- Secure Shell on the ML-Series Card
- RADIUS on the ML-Series Card
- RADIUS Relay Mode
- RADIUS Stand Alone Mode
- Understanding RADIUS
- Configuring RADIUS
- Default RADIUS Configuration
- Identifying the RADIUS Server Host
- Configuring AAA Login Authentication
- Defining AAA Server Groups
- Configuring RADIUS Authorization for User Privileged Access and Network Services
- Starting RADIUS Accounting
- Configuring a nas-ip-address in the RADIUS Packet
- Configuring Settings for All RADIUS Servers
- Configuring the ML-Series Card to Use Vendor-Specific RADIUS Attributes
- Configuring the ML-Series Card for Vendor-Proprietary RADIUS Server Communication
- Displaying the RADIUS Configuration
Configuring Security for the ML-Series Card
This chapter describes the security features of the ML-Series card.
This chapter includes the following major sections:
•Disabling the Console Port on the ML-Series Card
•Secure Login on the ML-Series Card
•Secure Shell on the ML-Series Card
Understanding Security
The ML-Series card includes several security features. Some of these features operate independently from the ONS node where the ML-Series card is installed. Others are configured using the Cisco Transport Controller (CTC) or Transaction Language One (TL1).
Security features configured with Cisco IOS include:
•Cisco IOS login enhancements
•Secure Shell ( SSH) connection
•authentication, authorization, and accounting/Remote Authentication Dial-In User Service (AAA/RADIUS) stand alone mode
•Cisco IOS basic password (For information on basic Cisco IOS password configuration, see the "Passwords" section)
Security features configured with CTC or TL1 include:
•disabled console port
•AAA/RADIUS relay mode
Disabling the Console Port on the ML-Series Card
There are several ways to access the Cisco IOS running on the ML-Series card, including a direct connection to the console port, which is the RJ-11 serial port on the front of the card. Users can increase security by disabling this direct connection, which is enabled by default. This prevents console port input without preventing any console port output, such as Cisco IOS error messages.
You can disable console port access through CTC or TL1. To disable it with CTC, at the card-level view of the ML-Series card, click under the IOS tab and uncheck the Enable Console Port Access box and click Apply. The user must be logged in at the Superuser level to complete this task.
To disable it using TL1, refer to the Cisco ONS SONET TL1 Command Guide.
Secure Login on the ML-Series Card
The ML-Series card supports the Cisco IOS login enhancements integrated into Cisco IOS Release 12.2(25)S and introduced in Cisco IOS Release 12.3(4)T. The enhancements allow users to better secure the ML-Series card when creating a virtual connection, such as Telnet, SSH, or HTTP. The secure login feature records successful and failed login attempts for vty sessions (audit trail) on the ML-Series card. These features are configured using the Cisco IOS command-line interface (CLI.)
For more information, including step-by-step configuration examples, refer to the Cisco IOS Release 12.2(25)S feature guide module Cisco IOS Login Enhancements at http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guides_list.html.
Secure Shell on the ML-Series Card
This section describes how to configure the SSH feature.
These sections contain this information:
•Displaying the SSH Configuration and Status
For other SSH configuration examples, see the "SSH Configuration Examples" section in the "Configuring Secure Shell" chapter of the Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf.htm
Note For complete syntax and usage information for the commands used in this section, see the command reference for Cisco IOS Release 12.2 at the URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html.
Understanding SSH
The ML-Series card supports SSH, both version 1 (SSHv1) and version 2 (SSHv2). SSHv2 offers security improvements over SSHv1 and is the default choice on the ML-Series card.
SSH has two applications, an SSH server and SSH client. The ML-Series card only supports the SSH server and does not support the SSH client. The SSH server in Cisco IOS software works with publicly and commercially available SSH clients.
The SSH server enables a connection into the ML-Series card, similar to an inbound Telnet connection, but with stronger security. Before SSH, security was limited to the native security in Telnet. SSH improves on this by allowing the use of Cisco IOS software authentication.
The ONS node also supports SSH. When SSH is enabled on the ONS node, you use SSH to connect to the ML-Series card for Cisco IOS CLI sessions.
Note Telnet access to the ML-Series card is not automatically disabled when SSH is enabled. The user can disable Telnet access with the vty line configuration command transport input ssh.
Configuring SSH
This section has this configuration information:
•Setting Up the ML-Series Card to Run SSH (required)
•Configuring the SSH Server (required)
Configuration Guidelines
Follow these guidelines when configuring the ML-Series card as an SSH server:
•The new model of AAA and a AAA login method must be enabled. If not previously enabled, complete the "Configuring AAA Login Authentication" section.
•A Rivest, Shamir, and Adelman (RSA) key pair generated by a SSHv1 server can be used by an SSHv2 server, and the reverse.
•If you get CLI error messages after entering the crypto key generate rsa global configuration command, an RSA key pair has not been generated. Reconfigure the hostname and domain, and then enter the crypto key generate rsa command. For more information, see the "Setting Up the ML-Series Card to Run SSH" section.
•When generating the RSA key pair, the message No host name specified
might appear. If it does, you must configure a hostname by using the hostname global configuration command.
•When generating the RSA key pair, the message No domain specified
might appear. If it does, you must configure an IP domain name by using the ip domain-name global configuration command.
Setting Up the ML-Series Card to Run SSH
Follow these steps to set up your ML-Series card to run as an SSH server:
1. Configure a hostname and IP domain name for the ML-Series card.
2. Generate an RSA key pair for the ML-Series card, which automatically enables SSH.
3. Configure user authentication for local or remote access. This step is required.
Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair.
To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.
Configuring the SSH Server
Beginning in privileged EXEC mode, follow these steps to configure the SSH server:
To return to the default SSH control parameters, use the no ip ssh {timeout | authentication-retries} global configuration command.
Displaying the SSH Configuration and Status
To display the SSH server configuration and status, use one or more of the privileged EXEC commands in Table 19-1.
For more information about these commands, see the "Secure Shell Commands" section in the "Other Security Features" chapter of the Cisco IOS Security Command Reference, Cisco IOS Release 12.2, at this URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/fothercr.htm.
RADIUS on the ML-Series Card
RADIUS is a distributed client/server system that secures networks against unauthorized access. Clients send authentication requests to a central RADIUS server, which contains all user authentication and network service access information. The RADIUS host is normally a multiuser system running RADIUS server software from Cisco or another software provider.
Many Cisco products offer RADIUS support, including the ONS 15454, ONS 15454 SDH, ONS 15327, ONS 15310-CL, and ONS 15600. The ML-Series card also supports RADIUS.
The ML-Series card can operate either in RADIUS relay mode or in RADIUS stand alone mode (default). In either mode, the RADIUS messages from the ML-Series card are passed to a RADIUS server that is on the data communications network (DCN) used to manage the ONS node.
RADIUS Relay Mode
In RADIUS relay mode, RADIUS on the ML-Series card is configured by CTC or TL1 and uses the AAA/RADIUS features of the ONS 15454 or ONS 15454 SDH node, which contains the ML-Series card. There is no interaction between RADIUS relay mode and RADIUS standalone mode. For information on ONS node security, refer to the "Security" chapter of the ONS node's reference manual.
An ML-Series card operating in RADIUS relay mode does need to be specified as a client in the RADIUS server entries. The RADIUS server uses the client entry for the ONS node as a proxy for the ML-Series card.
Enabling relay mode disables the Cisco IOS CLI commands used to configure AAA/RADIUS. The user can still use the Cisco IOS CLI commands not related to AAA/RADIUS.
In relay mode, the ML-Series card shows a RADIUS server host with an IP address that is really the internal IP address of the active timing, communications, and control card (TCC2/TCC2P). When the ML-Series card actually sends RADIUS packets to this internal address, the TCC2/TCC2P converts the RADIUS packet destination into the real IP address of the RADIUS server. In stand alone mode, the ML-Series card shows the true IP addresses of the RADIUS servers.
When in relay mode with multiple RADIUS server hosts, the ML-Series card IOS CLI show run output also shows the internal IP address of the active TCC2/TCCP card. But since the single IP address now represents multiple hosts, different port numbers are paired with the IP address to distinguish the individual hosts. These ports are from 1860 to 1869, one for each authentication server host configured, and from 1870 to 1879, one for each accounting server host configured.
The single IP address will not match the host IP addresses shown in CTC, which uses the true addresses of the RADIUS server hosts. These same true IP addresses appear in the ML-Series card IOS CLI show run output, when the ML-Series card is in stand alone mode.
Note A user can configure up to 10 servers for either authentication or accounting application, and one server host can perform both authentication and accounting applications.
Configuring RADIUS Relay Mode
This feature is turned on with CTC or TL1. To enable RADIUS Relay Mode through CTC, go to the card-level view of the ML-Series card, check the Enable RADIUS Relay box and click Apply. The user must be logged in at the Superuser level to complete this task.
To enable it using TL1, refer to the Cisco ONS SONET TL1 Command Guide.
RADIUS Stand Alone Mode
In stand alone mode, RADIUS on the ML-Series card is configured with the Cisco IOS CLI in the same general manner as RADIUS on a Cisco Catalyst switch.
This section describes how to enable and configure RADIUS in the stand alone mode on the ML-Series card. RADIUS in stand alone mode is facilitated through AAA and enabled through AAA commands.
Note For the remainder of the chapter, RADIUS refers to the Cisco IOS RADIUS available when the ML-Series card is in stand alone mode. It does not refer to RADIUS relay mode.
Note For complete syntax and usage information for the commands used in this section, see the Cisco IOS Security Command Reference, Release 12.2.
These sections contain this configuration information:
•Displaying the RADIUS Configuration
Understanding RADIUS
When a user attempts to log in and authenticate to an ML-Series card with access controlled by a RADIUS server, these events occur:
1. The user is prompted to enter a username and password.
2. The username and encrypted password are sent over the network to the RADIUS server.
3. The user receives one of these responses from the RADIUS server:
a. ACCEPT—The user is authenticated.
b. REJECT—The user is either not authenticated and is prompted to reenter the username and password, or access is denied.
The ACCEPT and REJECT responses are bundled with additional data that is used for privileged EXEC or network authorization. Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization if it is enabled. The additional data included with the ACCEPT and REJECT packets includes these items:
•Telnet, SSH, rlogin, or privileged EXEC services
•Connection parameters, including the host or client IP address, access list, and user timeouts
Configuring RADIUS
This section describes how to configure your ML-Series card to support RADIUS. At a minimum, you must identify the host or hosts that run the RADIUS server software and define the method lists for RADIUS authentication. You must also apply the method list to the interface on which you want authentication to occur. For the ML-Series card, this is the vty ports. You can optionally define method lists for RADIUS authorization and accounting.
You should have access to and should configure a RADIUS server before configuring RADIUS features on your ML-Series card.
These sections contain this configuration information:
•Identifying the RADIUS Server Host (required)
•Configuring AAA Login Authentication (required)
•Defining AAA Server Groups (optional)
•Configuring RADIUS Authorization for User Privileged Access and Network Services (optional)
•Starting RADIUS Accounting (optional)
•Configuring a nas-ip-address in the RADIUS Packet (optional)
•Configuring Settings for All RADIUS Servers (optional)
•Configuring the ML-Series Card to Use Vendor-Specific RADIUS Attributes (optional)
•Configuring the ML-Series Card for Vendor-Proprietary RADIUS Server Communication (optional)
Default RADIUS Configuration
RADIUS and AAA are disabled by default. To prevent a lapse in security, you cannot configure RADIUS through a network management application. When enabled, RADIUS can authenticate users accessing the ML-Series card through the Cisco IOS CLI.
Identifying the RADIUS Server Host
ML-Series-card-to-RADIUS-server communication involves several components:
•Hostname or IP address
•Authentication destination port
•Accounting destination port
•Key string
•Timeout period
•Retransmission value
You identify RADIUS security servers by their hostname or IP address, their hostname and specific UDP port numbers, or their IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be sent to multiple UDP ports on a server at the same IP address.
If two different host entries on the same RADIUS server are configured for the same service—for example, accounting—the second host entry configured acts as a fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the ML-Series card tries the second host entry configured on the same device for accounting services.
To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the ML-Series card. A RADIUS server, the ONS node, and the ML-Series card use a shared secret text string to encrypt passwords and exchange responses. The system ensures that the ML-Series cards' shared secret matches the shared secret in the NE.
Note If you configure both global and per-server functions (timeout, retransmission, and key commands) on the switch, the per-server timer, retransmission, and key value commands override global timer, retransmission, and key value commands. For information on configuring these settings on all RADIUS servers, see the "Configuring Settings for All RADIUS Servers" section.
Note Retransmission and timeout period values are configureable on the ML-Series card in stand alone mode. These values are not configureable on the ML-Series card in relay mode.
You can configure the ML-Series card to use AAA server groups to group existing server hosts for authentication. For more information, see the "Defining AAA Server Groups" section.
Beginning in privileged EXEC mode, follow these steps to configure per-server RADIUS server communication. This procedure is required.
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting:
Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1
Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
This example shows how to configure host1 as the RADIUS server and to use the default ports for both authentication and accounting:
Switch(config)# radius-server host host1
Note You also need to configure some settings on the RADIUS server. These settings include the IP address of the switch and the key string to be shared by both the server and the switch. For more information, see the RADIUS server documentation.
Configuring AAA Login Authentication
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list, which is named default. The default method list is automatically applied to all ports except those that have a named method list explicitly defined.
A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.
For additional information on AAA login, refer to the "Authentication, Authorization, and Accounting (AAA)" chapter of the Cisco IOS Security Configuration Guide, Release 12.2 at: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_installation_and_configuration_guides_list.html
Beginning in privileged EXEC mode, follow these steps to configure login authentication. This procedure is required.
|
|
|
---|---|---|
Step 1 |
Router# configure terminal |
Enter global configuration mode. |
Step 2 |
Router (config)# aaa new-model |
Enable AAA. |
Step 3 |
Router (config)# aaa authentication login {default | list-name} method1 [method2...] |
Create a login authentication method list. •To create a default list that is used when a named list is not specified in the login authentication command, use the default keyword followed by the methods that are to be used in default situations. The default method list is automatically applied to all ports. •For list-name, specify a character string to name the list you are creating. •For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Select one of these methods: –enable—Use the enable password for authentication. Before you can use this authentication method, you must define an enable password by using the enable password global configuration command. –group radius—Use RADIUS authentication. Before you can use this authentication method, you must configure the RADIUS server. For more information, see the "Identifying the RADIUS Server Host" section. –line—Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command. –local—Use the local username database for authentication. You must enter username information in the database. Use the username name password global configuration command. –local-case—Use a case-sensitive local username database for authentication. You must enter username information in the database by using the username password global configuration command. –none—Do not use any authentication for login. |
Step 4 |
Router (config)# line [console | tty | vty] line-number [ending-line-number] |
Enter line configuration mode, and configure the lines to which you want to apply the authentication list. |
Step 5 |
Router (config-line)# login authentication {default | list-name} |
Apply the authentication list to a line or set of lines. •If you specify default, use the default list created with the aaa authentication login command. •For list-name, specify the list created with the aaa authentication login command. |
Step 6 |
Router (config)# end |
Return to privileged EXEC mode. |
Step 7 |
Router# show running-config |
Verify your entries. |
Step 8 |
Router# copy running-config startup-config |
(Optional) Save your entries in the configuration file. |
To disable AAA, use the no aaa new-model global configuration command. To disable AAA authentication, use the no aaa authentication login {default | list-name} method1 [method2...] global configuration command. To either disable RADIUS authentication for logins or to return to the default value, use the no login authentication {default | list-name} line configuration command.
Defining AAA Server Groups
You can configure the ML-Series card to use AAA server groups to group existing server hosts for authentication. You select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list, which lists the IP addresses of the selected server hosts.
Server groups also can include multiple host entries for the same server if each entry has a unique identifier (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service, such as accounting. If you configure two different host entries on the same RADIUS server for the same service, the second configured host entry acts as a fail-over backup to the first one.
You use the server group server configuration command to associate a particular server with a defined group server. You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords.
Beginning in privileged EXEC mode, follow these steps to define the AAA server group and associate a particular RADIUS server with it:
|
|
|
---|---|---|
Step 1 |
Router# configure terminal |
Enter global configuration mode. |
Step 2 |
Router (config)# aaa new-model |
Enable AAA. |
Step 3 |
Router (config)# radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
|
Specify the IP address or hostname of the remote RADIUS server host. •(Optional) For auth-port port-number, specify the UDP destination port for authentication requests. •(Optional) For acct-port port-number, specify the UDP destination port for accounting requests. •(Optional) For timeout seconds, specify the time interval that the switch waits for the RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no timeout is set with the radius-server host command, the setting of the radius-server timeout command is used. •(Optional) For retransmit retries, specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly. The range is 1 to 1000. If no retransmit value is set with the radius-server host command, the setting of the radius-server retransmit global configuration command is used. •(Optional) For key string, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. Note The key is a text string that must match the encryption key used on the RADIUS server. Always configure the key as the last item in the radius-server host command. Leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key. To configure the switch to recognize more than one host entry associated with a single IP address, enter this command as many times as necessary, making sure that each UDP port number is different. The switch software searches for hosts in the order in which you specify them. Set the timeout, retransmit, and encryption key values to use with the specific RADIUS host. |
Step 4 |
Router (config)# aaa group server radius group-name |
Define the AAA server-group with a group name. This command puts the ML-Series card in a server group configuration mode. |
Step 5 |
Router (config-sg-radius)# server ip-address |
Associate a particular RADIUS server with the defined server group. Repeat this step for each RADIUS server in the AAA server group. Each server in the group must be previously defined in Step 2. |
Step 6 |
Router (config-sg-radius)# end |
Return to privileged EXEC mode. |
Step 7 |
Router # show running-config |
Verify your entries. |
Step 8 |
Router # copy running-config startup-config |
(Optional) Save your entries in the configuration file. |
Step 9 |
Enable RADIUS login authentication. See the "Configuring AAA Login Authentication" section. |
To remove the specified RADIUS server, use the no radius-server host hostname | ip-address global configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-name global configuration command. To remove the IP address of a RADIUS server, use the no server ip-address server group configuration command.
In this example, the ML-Series card is configured to recognize two different RADIUS group servers (group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.
Switch(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001
Switch(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646
Switch(config)# aaa new-model
Switch(config)# aaa group server radius group1
Switch(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001
Switch(config-sg-radius)# exit
Switch(config)# aaa group server radius group2
Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001
Switch(config-sg-radius)# exit
Configuring RADIUS Authorization for User Privileged Access and Network Services
AAA authorization limits the services available to a user. When AAA authorization is enabled, the ML-Series card uses information retrieved from the user's profile, which is in the local user database or on the security server, to configure the user's session. The user is granted access to a requested service only if the information in the user profile allows it.
There is no support for setting the privilege level on the ML-Series card or using the priv-lvl command. A user authenticating with a RADIUS server will only access the ML-Series card with a privilege level of 1, which is the default login privilege level. Because of this, a priv-lvl configured on the RADIUS server should have the priv-lvl of 0 or 1. Once a user is authenticated and gains access to the ML-Series card, they can use the enable password to gain privileged EXEC authorization and become a super user with a privilege level of 15, which is the default privilege level of enable mode.
This example of an ML-Series card user record is from the output of the RADIUS server and shows the privilege level:
CISCO15 Auth-Type := Local, User-Password == "otbu+1" Service-Type = Login, Session-Timeout = 100000, Cisco-AVPair = "shell:priv-lvl=1"
You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user's network access to privileged EXEC mode.
The aaa authorization exec radius local command sets these authorization parameters:
•Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS.
•Use the local database if authentication was not performed by using RADIUS.
Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.
Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:
To disable authorization, use the no aaa authorization {network | exec} method1 global configuration command.
Starting RADIUS Accounting
The AAA accounting feature tracks the services that users are accessing and the amount of network resources that they are consuming. When AAA accounting is enabled, the ML-Series card reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. This data can then be analyzed for network management, client billing, or auditing.
Beginning in privileged EXEC mode, follow these steps to enable RADIUS accounting for each Cisco IOS privilege level and for network services:
To disable accounting, use the no aaa accounting {network | exec} start-stop method1... global configuration command.
Configuring a nas-ip-address in the RADIUS Packet
The ML-Series card in RADIUS relay mode allows the user to configure a separate nas-ip-address for each ML-Series card. In RADIUS standalone mode, this command is hidden in the Cisco IOS CLI. This allows the RADIUS server to distinguish among individual ML-Series card in the same ONS node. Identifying the specific ML-Series card that sent the request to the server can be useful in debugging from the server. The nas-ip-address is primarily used for validation of the RADIUS authorization and accounting requests.
If this value is not configured, the nas-ip-address is filled in by the normal Cisco IOS mechanism using the value configured by the ip radius-source command. If no value is specified then the best IP address routable to the server is used. If no routable address is available, the IP address of the server is used.
Beginning in privileged EXEC mode, follow these steps to configure the nas-ip-address:
Configuring Settings for All RADIUS Servers
Beginning in privileged EXEC mode, follow these steps to configure global communication settings between the ML-Series card and all RADIUS servers:
To return to the default setting for the retransmit, timeout, and deadtime, use the no forms of these commands.
Configuring the ML-Series Card to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the ML-Series card and the RADIUS server by using the vendor-specific attribute (attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option by using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named cisco-avpair. The value is a string with this format:
protocol : attribute sep value *
Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco Terminal Access Controller Access Control System Plus (TACACS+) specification, and sep is the character = for mandatory attributes and the character * for optional attributes. The full set of features available for TACACS+ authorization can then be used for RADIUS.
For example, this AV pair activates Cisco's multiple named ip address pools feature during IP authorization (during point-to-point protocol [PPP] internet protocol control protocol (IPCP) address assignment):
cisco-avpair= "ip:addr-pool=first"
This example shows how to specify an authorized VLAN in the RADIUS server database:
cisco-avpair= "tunnel-type(#64)=VLAN(13)"
cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
This example shows how to apply an input access control list (ACL) in ASCII format to an interface for the duration of this connection:
cisco-avpair= "ip:inacl#1=deny ip 10.10.10.10 0.0.255.255 20.20.20.20 255.255.0.0"
cisco-avpair= "ip:inacl#2=deny ip 10.10.10.10 0.0.255.255 any"
cisco-avpair= "mac:inacl#3=deny any any decnet-iv"
This example shows how to apply an output ACL in ASCII format to an interface for the duration of this connection:
cisco-avpair= "ip:outacl#2=deny ip 10.10.10.10 0.0.255.255 any"
Other vendors have their own unique vendor-IDs, options, and associated VSAs. For more information about vendor-IDs and VSAs, see RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)."
Beginning in privileged EXEC mode, follow these steps to configure the ML-Series card to recognize and use VSAs:
For a complete list of RADIUS attributes or more information about vendor-specific attribute 26, see the "RADIUS Attributes" appendix in the Cisco IOS Security Configuration Guide, Release 12.2.
Configuring the ML-Series Card for Vendor-Proprietary RADIUS Server Communication
Although an IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the ML-Series card and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the ML-Series card. You specify the RADIUS host and secret text string by using the radius-server global configuration commands.
Beginning in privileged EXEC mode, follow these steps to specify a vendor-proprietary RADIUS server host and a shared secret text string:
To delete the vendor-proprietary RADIUS host, use the no radius-server host {hostname | ip-address} non-standard global configuration command. To disable the key, use the no radius-server key global configuration command.
This example shows how to specify a vendor-proprietary RADIUS host and to use a secret key of rad124 between the ML-Series card and the server:
Switch(config)# radius-server host 172.20.30.15 nonstandard
Switch(config)# radius-server key rad124
Displaying the RADIUS Configuration
To display the RADIUS configuration, use the show running-config privileged EXEC command.