Enterasys Networks Security Router X-PeditionTM User Manual


AAA Services

16-6 Configuring Security on the XSR

The method used to perform AAA is configured globally with the aaa method command, which provides the additional acct-port, address, attempts, auth-port, backup, client, enable, group, hash enable, key, qtimeout, retransmit, and timeout sub-commands. Although the default AAA service is local, you can authenticate to a RADIUS server or a PKI database. Alternatively, you can set the AAA method per interface with aaa-method, which lets the XSR authenticate requests originating from different interfaces by different methods and overrides the global (invoked by client) or default AAA method. For example, if no method has been set for Telnet using client telnet, then the default method you set for the AAA service is used.

Most AAA method sub-commands are available for RADIUS service only (see “Firewall Configuration for RADIUS Authentication and Accounting” on page 16-33). The additional AAA method sub-commands acct-port and auth-port set the UDP ports for accounting and authentication requests, respectively.
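The following is an added example, not XSR or Enterasys code: it models the exchange that takes place on the wire between a RADIUS client such as the XSR (configured with a key and an auth-port) and a RADIUS server, as specified in RFC 2865. The shared secret, user name, password, NAS address and identifier are constructed sample values; the UDP ports 1812/1813 mentioned in the comments are the RFC defaults, and the page does not state the XSR's own defaults. Both sides run in-process so the packet formats, the User-Password hiding and the Response Authenticator check can be inspected offline.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), client and server in one process.

Added example, not XSR code. Sample secret, credentials and NAS address are constructed.
Authentication normally travels over UDP to the server's auth-port (RFC default 1812) and
accounting to the acct-port (RFC default 1813); here the packets are passed in memory.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side inverse of hide_password; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ d for c, d in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip, req_auth=None):
    """Client side: Code(1) Identifier(1) Length(2) RequestAuthenticator(16) Attributes."""
    req_auth = req_auth or os.urandom(16)          # must be unpredictable per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> dict:
    """Walk the TLV list; reject a length that would run past the packet."""
    attrs = {}
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("bad attribute length")
        attrs[data[0]] = data[2:data[1]]
        data = data[data[1]:]
    return attrs


def server_respond(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Toy RADIUS server: check User-Password against `users`, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    reply_code = ACCESS_ACCEPT if users.get(name) == password else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, ident, 20)   # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: trust the reply only if its authenticator was computed with our key."""
    _, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    return reply[4:20] == expected


def authenticate(username, password, secret, users, nas_ip="192.0.2.1", server_secret=None):
    """Run the full exchange in-process; returns 'accept', 'reject' or 'tampered'."""
    request = build_access_request(7, username, password, secret, nas_ip)
    reply = server_respond(request, server_secret or secret, users)
    if not client_verify(reply, request, secret):
        return "tampered"     # mismatched key on either side shows up here, not as a reject
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    users = {"test": b"s3cret"}
    print(authenticate("test", "s3cret", b"xsrkey", users))
    print(authenticate("test", "wrong", b"xsrkey", users))
    print(authenticate("test", "s3cret", b"xsrkey", users, server_secret=b"other"))
```

Note that a wrong key on the server side is reported as "tampered" rather than "reject": the password is revealed into garbage, so the server answers Access-Reject, but the Response Authenticator does not verify under the client's key and the reply is discarded. That is why a key mismatch between the XSR and its RADIUS server looks like a dead server (retransmits and timeouts) rather than a clean failed login.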

AAA users can be added to the AAA service with the aaa user command, which includes group, ip address, password, privilege, and policy sub-commands to set user attributes. Also, you can set a maximum privilege level per interface to supersede any user- or group-assigned level.

While most of these parameters are self-explanatory, the policy value is important in specifying which system each user will be allowed to access on the XSR. The module options are firewall, ssh, telnet, and vpn. Their intended functions are as follows:

Telnet/Console: administrators and low-level Console users who will use the standard serial
connection application

SSH: users who will require a more secure Telnet-type connection

Firewall: users who will access the firewall

VPN: users who will tunnel in to the XSR

AAA users can be assigned to groups with the aaa group top-level command, which is subdivided into dns and wins server, ip pool, l2tp and pptp compression, pptp encrypt mppe, privilege, and policy sub-commands to set that group’s respective parameters. Any users not specifically assigned to a group are added to the DEFAULT AAA group. Policies can be set at both the user and group level, but a user-level policy overrides a user’s group-level policy.

Although AAA authentication is set by the service, not the user, you can override this rule by configuring a user to authenticate at every login with the form @<method>username. The XSR checks whether a user configured with the @<method> prefix exists before falling back to the default authentication service. Refer to the next section to configure SSH or Telnet with AAA authentication.
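The precedence rules spread over the aaa user, aaa group and @<method>username paragraphs above are easy to misread, so here is an added example, not XSR code, that encodes them in one resolver: per-interface aaa-method beats the global client setting, which beats the default method; a user-level policy replaces (not extends) the group policy; unassigned users fall into the DEFAULT group; and an interface's maximum privilege caps whatever level the user or group carries. The config layout, the numeric privilege values, the interface and user names, and the set of method tokens recognised after "@" (local, radius, pki, the three services the page names) are all constructed assumptions, as is the choice to let a configured @<method> user take priority over the per-interface method.

```python
"""Resolve the effective AAA method, policy and privilege for one login attempt.

Added example modelling the precedence rules described in the manual; it is not XSR
code. Config layout, group/user names, privilege numbers and method tokens are assumed.
"""
from dataclasses import dataclass, field

MODULES = {"firewall", "ssh", "telnet", "vpn"}          # policy module options on the page
METHOD_TOKENS = ("radius", "local", "pki")              # assumption: services the page names


@dataclass
class AAAConfig:
    default_method: str = "local"                                  # `aaa method` default
    client_methods: dict = field(default_factory=dict)             # `client telnet ...` etc.
    interface_methods: dict = field(default_factory=dict)          # per-interface `aaa-method`
    interface_max_privilege: dict = field(default_factory=dict)    # per-interface cap
    groups: dict = field(default_factory=dict)   # name -> {"policy": set, "privilege": int}
    users: dict = field(default_factory=dict)    # name -> {"group", "policy", "privilege"}


def parse_login_name(login: str):
    """Split '@<method>username' into (method, username); (None, login) when no '@' prefix."""
    if not login.startswith("@"):
        return None, login
    for token in METHOD_TOKENS:
        rest = login[1:]
        if rest.startswith(token) and len(rest) > len(token):
            return token, rest[len(token):]
    raise ValueError(f"unrecognised method prefix in {login!r}")


def resolve_method(cfg: AAAConfig, interface: str, client: str, login: str):
    """Return (method, username). Assumed order: configured @user > interface > client > default."""
    override, username = parse_login_name(login)
    if override and username in cfg.users:      # only honoured if that user is configured
        return override, username
    if interface in cfg.interface_methods:      # per-interface aaa-method overrides global
        return cfg.interface_methods[interface], username
    if client in cfg.client_methods:            # global `client <service>` method
        return cfg.client_methods[client], username
    return cfg.default_method, username         # otherwise the default AAA service method


def _user_and_group(cfg: AAAConfig, username: str):
    user = cfg.users.get(username, {})
    group = cfg.groups.get(user.get("group", "DEFAULT"), {})   # unassigned users -> DEFAULT
    return user, group


def resolve_policy(cfg: AAAConfig, username: str) -> set:
    """User-level policy overrides the group-level policy outright."""
    user, group = _user_and_group(cfg, username)
    policy = user.get("policy") if user.get("policy") is not None else group.get("policy", set())
    return set(policy) & MODULES


def resolve_privilege(cfg: AAAConfig, username: str, interface: str) -> int:
    """User level, else group level, then capped by the interface maximum if one is set."""
    user, group = _user_and_group(cfg, username)
    level = user.get("privilege", group.get("privilege", 0))
    cap = cfg.interface_max_privilege.get(interface)
    return level if cap is None else min(level, cap)


def authorize(cfg: AAAConfig, interface: str, client: str, login: str, module: str) -> dict:
    """Decide whether `login` may reach `module` when arriving on `interface` via `client`."""
    method, username = resolve_method(cfg, interface, client, login)
    if username not in cfg.users:
        return {"method": method, "user": username, "allowed": False, "privilege": 0}
    return {"method": method, "user": username,
            "allowed": module in resolve_policy(cfg, username),
            "privilege": resolve_privilege(cfg, username, interface)}


# Constructed sample configuration (names and numbers are illustrative only).
SAMPLE = AAAConfig(
    default_method="local",
    client_methods={"telnet": "radius"},
    interface_methods={"FastEthernet1": "pki"},
    interface_max_privilege={"Serial0": 1},
    groups={"DEFAULT": {"policy": {"telnet"}, "privilege": 1},
            "admins": {"policy": {"telnet", "ssh", "firewall", "vpn"}, "privilege": 15}},
    users={"alice": {"group": "admins"},
           "bob": {"policy": {"vpn"}},                  # user policy replaces DEFAULT's {telnet}
           "carol": {"group": "admins", "privilege": 5}},
)

if __name__ == "__main__":
    for args in (("FastEthernet0", "telnet", "alice", "ssh"),
                 ("FastEthernet1", "telnet", "alice", "ssh"),
                 ("Serial0", "console", "alice", "telnet"),
                 ("FastEthernet0", "telnet", "bob", "telnet"),
                 ("FastEthernet1", "ssh", "@localalice", "ssh")):
        print(args, "->", authorize(SAMPLE, *args))
```

The resolver makes one consequence visible that the prose only implies: bob, who has a user-level policy of vpn only, is refused Telnet even though his DEFAULT group allows it, because a user policy replaces the group policy rather than adding to it.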

Debugging of AAA data can be provided by the debug aaa command. Output is directed to the terminal where debugging information was most recently requested. Also, if multiple AAA debugs are activated, all data will be sent to the last used terminal requesting debugging. The sample AAA debug below displays a successful MSCHAP authentication using the local method:

Local::queue(test)
AAuthenticatePlugin::queue (alg == 0xf)
groupplugin Reply: Pool = authpool
IRMauthorizeMsg::clientLogon [test]

Connecting Remotely via SSH or Telnet with AAA Service

Perform the following commands to configure SSH or Telnet service:

1.

On the CLI, enter configure to acquire Configuration mode.
