Aaa services, Aaa services -5 – Enterasys Networks Security Router X-PeditionTM User Manual

AAA Services

XSR User’s Guide 16-5

•

If you must enable PPP on the WAN, use CHAP authentication

•

Disable all unnecessary router services (e.g., HTTP, if not used)

•

Write strict ACLs to limit HTTP, Telnet and SNMP access

•

Write ACLs to limit the type of ICMP messages

•

Create ACLs to direct services to appropriate servers only

•

Enable packet filtering and attack prevention mechanisms

•

All only packets with valid source addresses to exit the network

•

If using SNMP, use strong community names and set read-only access

•

Minimize console logging to limit unnecessary CPU cycles

•

Use OSPF rather than RIP to take advantage of MD5 authentication

•

Control which router interfaces can be used to manage the XSR

•

Use an SNTP server on the DMZ to synchronize XSR clocks

•

Use syslog to send messages to a designated syslog server

AAA Services

The XSR provides Authentication, Authorization and Accounting (AAA) services to validate and
display data for AAA usergroups, users, and methods. Telnet, Console and SSH users can utilize
the following two authentication mechanisms:

•

CLI database authentication - This non-AAA authentication mode for Telnet and SSH users
authenticates against the CLI database created by the

username

command. This is the base,

system default user-validation method and does not authenticate via RADIUS.

•

AAA user database authentication - This mechanism allows Telnet and SSH avails users of the
AAA module which provides additional authentication by various AAA methods including
RADIUS. The

aaa client telnet

command switches all Telnet users to authenticate via the

AAA user database while

aaa client ssh

switches all SSH users to do the same.

A few restrictions apply when switching Telnet, Console and SSH users to authenticate via this
mechanism, as follows:

•

No pre-existing privilege-15 admin user exists in the AAA database.

•

Before switching over to AAA for Telnet or SSH, at least one privilege 15 user with a Telnet/
SSH policy must exist in the AAA database.

•

Deleting the only privilege-15 user with Telnet or SSH policy is disallowed to prevent any
accidental loss of access to the XSR.

The XSR offers two types of default AAA methods:

•

The default AAA method for AAA service. Although the local method is the factory default,
you can set this using the

aaa method [local | pki | radius] default

command.

•

The default AAA method for grouped clients. This is set on a per client basis via the

client

{telnet | ssh | console | firewall | vpn | ppp}

sub-command under

aaa method

.

Note that PPP uses only AAA when acting as the authenticator (when validating the peer);
PPP is authenticated by the peer when acting as the authenticatee (client-side).

If the latter default method is not specified for a client, the former default applies.