
The rule is the basic element of a role. A rule defines what operations the role allows the user to perform. Up to 16 rules can be configured for each role. The user-specified rule number determines the order in which the rules are applied. Rules are applied in ascending order. For example, rule 1 is applied before rule 2, which is applied before rule 3, and so on. A user not belonging to the network-admin role cannot perform commands related to roles.

Note: A deny-all statement is assumed as rule 0 so that no action is possible for a user role unless explicitly permitted.

Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface). Regardless of the read-write rule configured for a user role,…


User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules, and each user can have multiple roles. For example, if role1 allows access only to configuration operations, and role2 allows access only to debug operations, users who belong to both role1 and role2 can access configuration and debug operations. You can also limit access to specific VSANs, VLANs, and interfaces. If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands. The Cisco MDS 9000 Series Switches…


Configuration for RADIUS and TACACS+ AAA on a Cisco MDS switch can be distributed using Cisco Fabric Services (CFS). The distribution is disabled by default. After the distribution is enabled, the first server or global configuration starts an implicit session. All server configuration commands entered thereafter are stored in a temporary database and applied to all switches in the fabric (including the originating one) when you explicitly commit the database. The various server and global parameters are distributed, except the server and global keys. These keys are unique secrets to a switch and should not be shared with other switches. Only switches where distribution is enabled can participate in the distribution activity. A distribution session starts the moment you begin a RADIUS/TACACS+ server or global configuration. RADIUS configuration distribution can be configured using the radius distribute command, and TACACS+ server distribution can be configured using the tacacs+ distribute command.…


An unresponsive AAA server introduces a delay in the processing of AAA requests. An MDS switch can periodically monitor an AAA server to check whether it is responding (or alive) to save time in processing AAA requests. The switch marks unresponsive AAA servers as dead and does not send AAA requests to any dead AAA servers. The switch periodically monitors dead AAA servers and brings them to the alive state when they respond. This monitoring process verifies that an AAA server is in a working state before real AAA requests are sent its way. Whenever an AAA server changes to the dead or alive state, an SNMP trap is generated, and the MDS switch warns the administrator that a failure is taking place before it can impact performance. Figure 20-1 depicts AAA server states.

Figure 20-1 AAA Server States

The monitoring interval for alive servers and dead servers is different…


RADIUS is a distributed client and server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco switches and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. You can add up to 64 RADIUS servers. RADIUS keys are always stored in encrypted form in persistent storage. The running configuration also displays encrypted keys. Example 20-1 shows the steps required to configure RADIUS on an MDS switch.

Example 20-1 RADIUS Configuration on MDS Switch

    ! Entering configuration mode
    switch# configure terminal
    ! Configuring the host IP and the preshared key for the selected RADIUS server.
    ! In this example, the host is 10.71.58.91 and the key is RadKey.
    switch(config)# radius-server host 10.71.58.91 key RadKey
    ! Configuring the destination UDP port number to which the RADIUS authentication
    ! messages should be sent. In this example, the host is…


The following steps explain the authentication and authorization process:

1. When you try to log in to the Cisco MDS 9000 Series Switches using the Telnet, SSH, DCNM or Device Manager, or console login options, the authentication process starts.

2. After you have configured server groups using the server group authentication method, an authentication request is sent to the first AAA server in the group. If the AAA server fails to respond, the next AAA server is contacted and so on until the remote server responds to the authentication request. If all AAA servers in the server group fail to respond, the servers in the next server group are contacted. If all configured methods fail, by default, the local database is used for authentication.

3. When you are successfully authenticated through a remote AAA server, the following possible actions are taken: If the AAA server protocol is RADIUS, user roles…


LDAP provides centralized validation of users who attempt to gain access to a Cisco MDS 9000 switch. LDAP services are maintained in a database on an LDAP daemon that typically runs on a UNIX or Windows NT workstation. You must have access to and must configure an LDAP server before the configured LDAP features on your Cisco switch are available. LDAP provides separate authentication and authorization facilities. LDAP allows for a single access control server (the LDAP daemon) to provide each service, authentication and authorization, independently. Each service can be tied into its own database in order to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The LDAP client/server protocol uses TCP (TCP port 389) for transport. Cisco MDS devices provide centralized authentication using the LDAP protocol. Clients establish a TCP…


The authentication, authorization, and accounting (AAA) feature verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Series Switches use the Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System Plus (TACACS+), or Lightweight Directory Access Protocol (LDAP) protocols to provide solutions using remote AAA servers. AAA services can also be provided locally by the switch. This security feature provides a centralized user account management capability for AAA servers. AAA uses security protocols to administer its security functions. If your router or access server is acting as a network access server, the communication between your network access server and the RADIUS, TACACS+, or LDAP security server is through AAA. Based on the user ID and password combination provided, switches perform local authentication or authorization using the local database, or remote authentication or authorization using an AAA server.…


The accounting feature tracks and maintains a log of every management configuration used to access the switch. This information can be used to generate reports for troubleshooting and auditing purposes. Accounting logs can be stored locally or sent to remote AAA servers. The default maximum size of the accounting log is 250,000 bytes and cannot be changed. Configuration operations are automatically recorded in the accounting log if they are performed in configuration mode. Additionally, important system events (for example, configuration save and system switchover) are also recorded in the accounting log.

Server Groups

You can specify remote AAA servers for authentication, authorization, and accounting using server groups. A server group is a set of remote AAA servers implementing the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the…


Authorization provides access control. It is the process of assembling a set of attributes that describe what the user is authorized to perform. Based on the user ID and password combination, the user is authenticated and authorized to access the network as per the assigned role. We discuss user roles later in this chapter. You can configure parameters that can prevent unauthorized access by a user, provided the switches use the TACACS+ protocol. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS, TACACS+, and LDAP, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. The following authorization roles exist in all Cisco MDS switches: Network operator (network-operator): Has…

