Rules – Cisco Storage Security
The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. Up to 16 rules can be configured for each role. The user-specified rule number determines the order in which the rules are applied: rules are applied in ascending order, so rule 1 is applied before rule 2, which is applied before rule 3, and so on. A user who does not belong to the network-admin role cannot execute role-related commands.

Note: A deny-all statement is assumed as rule 0, so no action is possible for a user role unless a rule explicitly permits it.

Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, or debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface). Regardless of the read-write rule configured for a user role,…
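As an added example (it is not code from the page or from Cisco's documentation), the NX-OS CLI sequence below builds a custom role on an MDS switch and shows how rule order and the implicit rule 0 interact. The role name sangroup, the user name zoneops and the password placeholder are assumptions; the command types and feature names are the ones the paragraph lists.

```text
! Added example: only a user holding the network-admin role can run these role commands.
switch# configure terminal
switch(config)# role name sangroup
! Rule 0 (implicit deny-all) is in effect until a rule permits something.
! Rule 1 opens up every config command ...
switch(config-role)# rule 1 permit config
! ... and rule 2, applied after it, takes FSPF configuration back out again.
switch(config-role)# rule 2 deny config feature fspf
! Feature-scoped permits: zone debugs and the fcping exec command, nothing else.
switch(config-role)# rule 3 permit debug feature zone
switch(config-role)# rule 4 permit exec feature fcping
switch(config-role)# exit
! Bind a local user to the role (the password value is a placeholder).
switch(config)# username zoneops password <password> role sangroup
switch(config)# end
! Verify: the listing shows rules 1-4 in ascending order. Anything no permit rule
! covers stays denied under rule 0.
switch# show role name sangroup
```

The net effect is "all configuration except FSPF, plus zone debugging and fcping". Rule 2 is narrower than rule 1 and is applied after it, which is why the numbering matters: the same two rules with their numbers swapped would not express the same policy. After changing a role, log in as a user assigned to it and try one command from each rule, including the FSPF deny, rather than trusting the listing alone.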
AAA Server Monitoring – Cisco Storage Security
An unresponsive AAA server delays the processing of AAA requests. An MDS switch can periodically monitor an AAA server to check whether it is responding (alive), which saves time when real AAA requests are processed. The switch marks unresponsive AAA servers as dead and does not send AAA requests to them. It keeps monitoring dead servers and returns them to the alive state when they respond. This monitoring verifies that an AAA server is in a working state before real AAA requests are sent its way. Whenever an AAA server changes to the dead or alive state, an SNMP trap is generated, and the MDS switch warns the administrator of the failure before it can affect performance. Figure 20-1 depicts AAA server states.

Figure 20-1 AAA Server States

The monitoring interval for alive servers and dead servers is different…
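Added example (not from the page): the NX-OS CLI commands that switch the monitoring described above on, for one RADIUS and one TACACS+ server. The server addresses, the probe account name and the intervals are assumptions. Monitoring is off until a test user and idle-time are configured.

```text
switch# configure terminal
! Alive-state probe: if 10.71.58.91 has seen no AAA traffic for 30 minutes
! (idle-time, in minutes), the switch sends a test authentication as aaa-probe
! to confirm the server still answers.
switch(config)# radius-server host 10.71.58.91 test username aaa-probe password <probe-password> idle-time 30
! Dead-state probe: a server that stopped answering is excluded from real
! requests and re-probed every 5 minutes (deadtime, in minutes) until it replies.
switch(config)# radius-server deadtime 5
! The same two settings exist for TACACS+ servers.
switch(config)# feature tacacs+
switch(config)# tacacs-server host 10.71.58.92 test username aaa-probe password <probe-password> idle-time 30
switch(config)# tacacs-server deadtime 5
switch(config)# end
! Review the per-server settings and the global timers.
switch# show radius-server
switch# show tacacs-server
```

Two practical points: the probe password is typed in cleartext on the command line, so use a dedicated account that has no role on the switch and no rights anywhere else; and the probe shows up on the AAA server as a periodic login attempt, so the server's failed-login alerting and lockout policy need to know about it, or the monitoring will either generate noise or lock the probe account out.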
RADIUS – Cisco Storage Security
RADIUS is a distributed client/server system, implemented through AAA, that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco switches and send authentication requests to a central RADIUS server that holds all user authentication and network service access information. You can add up to 64 RADIUS servers. RADIUS keys are always stored in encrypted form in persistent storage, and the running configuration also displays the keys in encrypted form. Example 20-1 shows the steps required to configure RADIUS on an MDS switch.

Example 20-1 RADIUS Configuration on an MDS Switch
! Entering configuration mode
switch# configure terminal
! Configuring the host IP and the preshared key for the selected RADIUS server. In this example, the host is 10.71.58.91 and the key is RadKey.
switch(config)# radius-server host 10.71.58.91 key RadKey
! Configuring the destination UDP port number to which the RADIUS authentication messages should be sent. In this example, the host is…
AAA Authentication and Authorization Process – Cisco Storage Security
The following steps explain the authentication and authorization process:

1. When you try to log in to a Cisco MDS 9000 Series switch through Telnet, SSH, DCNM, Device Manager, or the console, the authentication process starts.

2. If you have configured server groups with the server-group authentication method, an authentication request is sent to the first AAA server in the group. If that server fails to respond, the next AAA server is contacted, and so on, until a remote server responds to the request. If all AAA servers in the server group fail to respond, the servers in the next server group are contacted. If all configured methods fail, by default the local database is used for authentication.

3. When you are successfully authenticated through a remote AAA server, the following possible actions are taken: If the AAA server protocol is RADIUS, user roles…
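Added example, serving both the RADIUS section and the login process above (it is not the page's Example 20-1, which is cut off, nor Cisco's own text): a complete NX-OS CLI sequence that takes RADIUS server definitions through a server group into the login method list, so the contact order and the local fallback of steps 2 and 3 are visible in the configuration. The addresses, group name and keys are assumptions; the keys are typed in cleartext and appear encrypted in the running configuration.

```text
switch# configure terminal
! Server definitions: shared secret, UDP ports and per-request timing.
switch(config)# radius-server host 10.71.58.91 key RadKey
switch(config)# radius-server host 10.71.58.91 auth-port 1812
switch(config)# radius-server host 10.71.58.91 acct-port 1813
switch(config)# radius-server host 10.71.58.93 key RadKey2
! 5 s per attempt, 2 retransmits: an unreachable server costs up to 15 s
! before the next server in the group is tried.
switch(config)# radius-server timeout 5
switch(config)# radius-server retransmit 2
! Server group: the method list refers to the group, not to individual
! servers, and servers are contacted in the order listed here.
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.71.58.91
switch(config-radius)# server 10.71.58.93
switch(config-radius)# exit
! Login method list for Telnet/SSH/DCNM/Device Manager: the group first, then
! the local database if no server in the group responds. Local is the default
! when every remote method fails; stating it keeps the intent visible.
switch(config)# aaa authentication login default group RadServer local
! Keep the console on the local database so the switch stays reachable when
! the path to the AAA servers is down.
switch(config)# aaa authentication login console local
! Show the user a message when a remote AAA failure forced the local fallback.
switch(config)# aaa authentication login error-enable
switch(config)# end
switch# show radius-server groups
switch# show aaa authentication
```

One distinction worth checking against your own switch: the local database is consulted only when the remote servers do not respond. A server that answers with a reject ends the login as a failure, it does not fall through to local. Combined with the timeout and retransmit values above, this is also why the dead-server monitoring from the AAA Server Monitoring section matters: without it, every login waits out the full timeout on each dead server before reaching one that is alive.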
LDAP – Cisco Storage Security
LDAP provides centralized validation of users who attempt to gain access to a Cisco MDS 9000 switch. LDAP services are maintained in a database on an LDAP daemon that typically runs on a UNIX or Windows NT workstation. You must have access to, and must configure, an LDAP server before the LDAP features configured on your Cisco switch become available. LDAP provides separate authentication and authorization facilities: a single access control server (the LDAP daemon) can provide authentication and authorization for each service independently, and each service can be tied to its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The LDAP client/server protocol uses TCP (port 389) for transport. Cisco MDS devices provide centralized authentication using the LDAP protocol. Clients establish a TCP…
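Added example (not from the page): LDAP login authentication on an MDS switch in NX-OS CLI. The host name, bind DN, base DN, attribute name, search filter and group name are assumptions for an inetOrgPerson-style directory. The transport the paragraph describes, plain TCP on port 389, carries the switch's bind password and every user's login password in the clear, so the server is defined with SSL here.

```text
switch# configure terminal
switch(config)# feature ldap
! Server definition: LDAP over SSL on 636 instead of cleartext on 389, plus a
! low-privilege bind identity the switch uses only to look up the user's entry.
switch(config)# ldap-server host ldap.example.com enable-ssl
switch(config)# ldap-server host ldap.example.com port 636
switch(config)# ldap-server host ldap.example.com rootDN "cn=mds-bind,ou=svc,dc=example,dc=com" password <bind-password>
switch(config)# ldap-server timeout 10
switch(config)# ldap-server deadtime 5
! Search map: how the login name ($userid) is turned into a directory entry
! (attribute, filter and base DN are assumptions for this directory layout).
switch(config)# ldap-search-map mds-users
switch(config-ldap-search-map)# userprofile attribute-name "description" search-filter "(&(objectClass=inetOrgPerson)(uid=$userid))" base-DN "ou=people,dc=example,dc=com"
switch(config-ldap-search-map)# exit
! Server group tied to the search map, then the login method list with local fallback.
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)# server ldap.example.com
switch(config-ldap)# ldap-search-map mds-users
switch(config-ldap)# exit
switch(config)# aaa authentication login default group LdapServer local
switch(config)# end
switch# show ldap-server
switch# show ldap-server groups
```

The bind identity should be able to read only the subtree named in base-DN; it never needs write access, and its password sits in the switch configuration, so treat it as a credential that can be recovered by anyone who can read that configuration.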
Authorization – Cisco Storage Security
Authorization provides access control: it is the process of assembling a set of attributes that describe what the user is authorized to perform. Based on the user ID and password combination, the user is authenticated and then authorized to access the network according to the assigned role. We discuss user roles later in this chapter. You can also configure parameters that prevent unauthorized access by a user, provided the switches use the TACACS+ protocol. Authorization in Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS, TACACS+, and LDAP, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. The following authorization roles exist in all Cisco MDS switches: Network operator (network-operator): Has…
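Added example (not from the page): the TACACS+-only command authorization the paragraph alludes to, in NX-OS CLI, next to the AV pair through which a remote server hands the switch a role. The server address, key, group name and user name are assumptions; the cisco-av-pair line is shown as a comment because it is configured on the TACACS+ server, not on the switch.

```text
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# tacacs-server host 10.71.58.92 key TacKey
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.71.58.92
switch(config-tacacs+)# exit
switch(config)# aaa authentication login default group TacServer local
! Role assignment arrives from the server as an AV pair on the user, e.g.
!   cisco-av-pair = shell:roles="network-admin vsan-admin"
! Command authorization (TACACS+ only): each exec and config command is sent to
! the server for a permit/deny decision before it runs. 'local' falls back to
! the user's local role rules only when no server responds; without it the
! switch cannot authorize any command, for anyone, while the servers are down.
switch(config)# aaa authorization commands default group TacServer local
switch(config)# aaa authorization config-commands default group TacServer local
switch(config)# end
! Exercise the policy from the switch instead of waiting for a user to hit it.
switch# show aaa authorization
switch# test aaa authorization command-type commands user zoneops command "show version"
switch# test aaa authorization command-type config-commands user zoneops command "zone name webservers vsan 10"
```

Command authorization and role rules are two separate gates: a command has to pass the TACACS+ decision and still be permitted by the user's role. Test both the expected-allow and the expected-deny case with the test command above after every change to the server-side policy, and keep a console session with local authentication open while doing so.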