Rules – Cisco Storage Security
A rule is the basic element of a role. A rule defines which operations the role allows the user to perform. Up to 16 rules can be configured for each role. The user-specified rule number determines the order in which the rules are applied: rules are applied in ascending order, so rule 1 is applied before rule 2, which is applied before rule 3, and so on. A user who does not belong to the network-admin role cannot run role-related commands.

Note: A deny-all statement is assumed as rule 0, so no action is possible for a user role unless it is explicitly permitted.

Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, or debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface). Regardless of the read-write rule configured for a user role,…
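The evaluation order and the implicit rule 0 are what decide whether a command is allowed, so it is worth seeing them work on a concrete role. The following model is an added example and not Cisco NX-OS code: it mirrors the CLI form `rule <n> permit|deny <command-type> [feature <name>]`, enforces the 16-rule limit, walks the rules in ascending order, and assumes the first matching rule decides (the ordering described above implies first-match semantics; the role name, rules and features are constructed for the demonstration).

```python
"""Model of Cisco MDS role rules: numbered permit/deny rules, evaluated in
ascending order, with an implicit deny-all as rule 0.  Added illustration
(assumes first match wins), not Cisco NX-OS code."""
from dataclasses import dataclass
from typing import Dict, Optional

COMMAND_TYPES = ("clear", "config", "debug", "exec", "show")
MAX_RULES = 16          # per-role limit stated in the text


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "permit" or "deny"
    command_type: str              # one of COMMAND_TYPES
    feature: Optional[str] = None  # None = any feature of that command type


class Role:
    def __init__(self, name: str):
        self.name = name
        self._rules: Dict[int, Rule] = {}

    def add_rule(self, number: int, action: str, command_type: str,
                 feature: Optional[str] = None) -> None:
        """Mirror the CLI form 'rule <n> permit|deny <type> [feature <f>]'."""
        if not 1 <= number <= MAX_RULES:
            raise ValueError(f"rule number must be 1..{MAX_RULES}")
        if action not in ("permit", "deny"):
            raise ValueError("rule type must be permit or deny")
        if command_type not in COMMAND_TYPES:
            raise ValueError(f"command type must be one of {COMMAND_TYPES}")
        self._rules[number] = Rule(number, action, command_type, feature)

    def decide(self, command_type: str, feature: str) -> Rule:
        """Walk the rules in ascending number order; the first rule whose
        command type and feature match decides (assumption: first match wins).
        If nothing matches, the implicit rule 0 deny-all applies."""
        for number in sorted(self._rules):
            rule = self._rules[number]
            if rule.command_type == command_type and rule.feature in (None, feature):
                return rule
        return Rule(0, "deny", command_type, feature)   # implicit deny-all

    def allows(self, command_type: str, feature: str) -> bool:
        return self.decide(command_type, feature).action == "permit"


def build_example_role() -> Role:
    """Constructed role: may configure anything except VSANs, may only show zones."""
    role = Role("fabric-operator")
    role.add_rule(1, "deny", "config", "vsan")    # specific deny first ...
    role.add_rule(2, "permit", "config")          # ... so the broad permit cannot override it
    role.add_rule(3, "permit", "show", "zone")
    return role


if __name__ == "__main__":
    role = build_example_role()
    for cmd_type, feature in [("config", "zone"), ("config", "vsan"),
                              ("show", "zone"), ("show", "vsan"), ("exec", "fcping")]:
        rule = role.decide(cmd_type, feature)
        print(f"{cmd_type:6} {feature:7} -> {rule.action:6} (rule {rule.number})")
```

The ordering matters in the constructed role: the specific `deny config feature vsan` at rule 1 is reached before the broad `permit config` at rule 2, so swapping their numbers would silently grant VSAN configuration. Anything with no matching rule, such as `show` for a feature other than zone, falls to the implicit rule 0 deny.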
LDAP – Cisco Storage Security
LDAP provides centralized validation of users who attempt to gain access to a Cisco MDS 9000 switch. LDAP services are maintained in a database on an LDAP daemon that typically runs on a UNIX or Windows NT workstation. You must have access to, and must configure, an LDAP server before the LDAP features configured on your Cisco switch become available. LDAP provides separate authentication and authorization facilities: a single access control server (the LDAP daemon) provides authentication and authorization for each service independently. Each service can be tied into its own database in order to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The LDAP client/server protocol uses TCP (port 389) for transport. Cisco MDS devices provide centralized authentication using the LDAP protocol. Clients establish a TCP…
Authentication, Authorization, and Accounting – Cisco Storage Security
The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Series switches can use the Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), or Lightweight Directory Access Protocol (LDAP) protocols to provide AAA through remote AAA servers. AAA services can also be provided locally by the switch. This security feature provides centralized user account management through AAA servers. AAA uses security protocols to administer its security functions. If your router or access server is acting as a network access server, the communication between your network access server and the RADIUS, TACACS+, or LDAP security server goes through AAA. Based on the user ID and password combination provided, switches perform local authentication or authorization using the local database, or remote authentication or authorization using an AAA server.…
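The last sentence describes a decision between the local database and a remote AAA server, and the security of that decision lies in when the switch is allowed to fall back to local accounts. The following added example (a model, not Cisco NX-OS code) shows the policy a practitioner should expect: the servers in the configured group are tried in order, an explicit reject from a reachable server is final, and the local database is consulted only when every server is unreachable, with an accounting record written for each step. The server names, users and passwords are constructed, and the fallback rule is an assumption about the behaviour described rather than a statement of Cisco's implementation.

```python
"""Model of the AAA login decision on a switch: consult the configured remote
server group first, treat an explicit reject as final, and fall back to the
local user database only when every server is unreachable.  Accounting records
each step.  Added illustration (fallback policy assumed), not Cisco NX-OS code."""
import hashlib
import hmac
from enum import Enum
from typing import Dict, List, Tuple


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"


class RemoteAAAServer:
    """Stand-in for a RADIUS/TACACS+/LDAP server; constructed for the demo."""
    def __init__(self, name: str, users: Dict[str, str], reachable: bool = True):
        self.name, self._users, self.reachable = name, users, reachable

    def authenticate(self, user: str, password: str) -> Verdict:
        if not self.reachable:
            return Verdict.UNREACHABLE
        expected = self._users.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return Verdict.ACCEPT
        return Verdict.REJECT


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


class Switch:
    def __init__(self, server_group: List[RemoteAAAServer], local_users: Dict[str, str]):
        self.server_group = server_group
        # The local database keeps digests, never the cleartext passwords.
        self._local = {u: _digest(p) for u, p in local_users.items()}
        self.accounting: List[str] = []

    def login(self, user: str, password: str) -> Tuple[bool, str]:
        """Return (authenticated, name of the authority that decided)."""
        for server in self.server_group:
            verdict = server.authenticate(user, password)
            self.accounting.append(f"user={user} server={server.name} result={verdict.value}")
            if verdict is Verdict.ACCEPT:
                return True, server.name
            if verdict is Verdict.REJECT:      # a reject is final: no local fallback
                return False, server.name
        # Every server in the group was unreachable: only now use the local database.
        ok = user in self._local and hmac.compare_digest(self._local[user], _digest(password))
        self.accounting.append(f"user={user} server=local result={'accept' if ok else 'reject'}")
        return ok, "local"


def build_example() -> Tuple[Switch, Switch]:
    """Two constructed switches: one with a working secondary server, one cut off."""
    local = {"admin": "local-only-pw"}
    healthy = Switch([RemoteAAAServer("tacacs-1", {"alice": "fabric-pw"}, reachable=False),
                      RemoteAAAServer("tacacs-2", {"alice": "fabric-pw"})], local)
    isolated = Switch([RemoteAAAServer("tacacs-1", {}, reachable=False),
                       RemoteAAAServer("tacacs-2", {}, reachable=False)], local)
    return healthy, isolated


if __name__ == "__main__":
    healthy, isolated = build_example()
    print(healthy.login("alice", "fabric-pw"))        # accepted by tacacs-2
    print(healthy.login("admin", "local-only-pw"))    # rejected: server reachable, no fallback
    print(isolated.login("admin", "local-only-pw"))   # accepted locally: all servers down
    print("\n".join(healthy.accounting + isolated.accounting))
```

The case to watch is the second login on the healthy switch: the local `admin` account exists, but because a server in the group answered, its reject stands. A switch that fell back to local accounts on any failed remote login would let an attacker bypass the central policy simply by presenting a user the server does not know.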