Rules – Cisco Storage Security
The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. Up to 16 rules can be configured for each role. The user-specified rule number determines the order in which the rules are applied. Rules are applied in ascending order: for example, rule 1 is applied before rule 2, which is applied before rule 3, and so on. A user who does not belong to the network-admin role cannot perform commands related to roles.
Note: A deny-all statement is assumed as rule 0, so that no action is possible for a user role unless it is explicitly permitted.
Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface). Regardless of the read-write rule configured for a user role,…
User Roles – Cisco Storage Security
User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules, and each user can have multiple roles. For example, if role1 allows access only to configuration operations, and role2 allows access only to debug operations, users who belong to both role1 and role2 can access both configuration and debug operations. You can also limit access to specific VSANs, VLANs, and interfaces. If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Being granted access to a command takes priority over being denied access to that command. For example, suppose a user has RoleA, which denies access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands. The Cisco MDS 9000 Series Switches…
AAA Server Monitoring – Cisco Storage Security
An unresponsive AAA server introduces a delay in the processing of AAA requests. An MDS switch can periodically monitor an AAA server to check whether it is responding (or alive) to save time in processing AAA requests. The switch marks unresponsive AAA servers as dead and does not send AAA requests to any dead AAA servers. The switch periodically monitors dead AAA servers and brings them to the alive state when they respond. This monitoring process verifies that an AAA server is in a working state before real AAA requests are sent its way. Whenever an AAA server changes to the dead or alive state, an SNMP trap is generated, and the MDS switch warns the administrator that a failure is taking place before it can impact performance. Figure 20-1 depicts AAA server states.
Figure 20-1 AAA Server States
The monitoring interval for alive servers and dead servers is different…
RADIUS – Cisco Storage Security
RADIUS is a distributed client and server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco switches and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. You can add up to 64 RADIUS servers. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays encrypted keys. Example 20-1 shows the steps required to configure RADIUS on an MDS switch.
Example 20-1 RADIUS Configuration on MDS Switch
! Entering configuration mode
switch# configure terminal
! Configuring the host IP and the preshared key for the selected RADIUS server. In this example, the host is 10.71.58.91 and the key is RadKey.
switch(config)# radius-server host 10.71.58.91 key RadKey
! Configuring the destination UDP port number to which the RADIUS authentication messages should be sent. In this example, the host is…
AAA Authentication and Authorization Process – Cisco Storage Security
The following steps explain the authentication and authorization process:
1. When you try to log in to the Cisco MDS 9000 Series Switches using Telnet, SSH, DCNM or Device Manager, or the console login options, the authentication process starts.
2. After you have configured server groups using the server group authentication method, an authentication request is sent to the first AAA server in the group. If that AAA server fails to respond, the next AAA server is contacted, and so on, until a remote server responds to the authentication request. If all AAA servers in the server group fail to respond, the servers in the next server group are contacted. If all configured methods fail, by default the local database is used for authentication.
3. When you are successfully authenticated through a remote AAA server, the following possible actions are taken: If the AAA server protocol is RADIUS, user roles…
LDAP – Cisco Storage Security
LDAP provides centralized validation of users who attempt to gain access to a Cisco MDS 9000 switch. LDAP services are maintained in a database on an LDAP daemon that typically runs on a UNIX or Windows NT workstation. You must have access to and must configure an LDAP server before the configured LDAP features on your Cisco switch are available. LDAP provides separate authentication and authorization facilities. LDAP allows a single access control server (the LDAP daemon) to provide authentication and authorization independently for each service. Each service can be tied into its own database in order to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The LDAP client/server protocol uses TCP (TCP port 389) for transport. Cisco MDS devices provide centralized authentication using the LDAP protocol. Clients establish a TCP…
Authentication, Authorization, and Accounting – Cisco Storage Security
The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Series Switches use the Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), or Lightweight Directory Access Protocol (LDAP) protocols to provide solutions using remote AAA servers. AAA services can also be provided locally by the switch. This security feature provides a centralized user account management capability for AAA servers. AAA uses security protocols to administer its security functions. If your router or access server is acting as a network access server, the communication between your network access server and the RADIUS, TACACS+, or LDAP security server is through AAA. Based on the user ID and password combination provided, switches perform local authentication or authorization using the local database, or remote authentication or authorization using an AAA server.…