Brocade Communications Systems 6650

266 Brocade ICX 6650 Security Configuration Guide

53-1002601-01

Example port authentication configurations

Since there is no profile for the PC MAC address on the RADIUS server, multi-device port

authentication for this MAC address fails. Ordinarily, this would mean that the PVID for the port

would be changed to that of the restricted VLAN, or traffic from this MAC would be blocked in

hardware. However, the device is configured to perform 802.1X authentication when a device fails

multi-device port authentication, so when User 1 attempts to connect to the network from the PC,

he is subject to 802.1X authentication. If User 1 is successfully authenticated, the PVID for port e

1/1/4 is changed to the VLAN named “User-VLAN”.

NOTE

This example assumes that the IP phone initially transmits untagged packets (for example, CDP or

DHCP packets), which trigger the authentication process on the Brocade device and client lookup

on the RADIUS server. If the phone sends only tagged packets and the port (e 1/1/4) is not a

member of that VLAN, authentication would not occur. In this case, port e 1/1/4 must be added to

that VLAN prior to authentication.

To configure the device to perform 802.1X authentication when a device fails multi-device port

authentication, enter the following command.

Brocade(config)# mac-authentication auth-fail-dot1x-override

Syntax: [no] mac-authentication auth-fail-dot1x-override

Contents

Main Brocade Communications Systems, Incorporated Document History September 2012 Title Publication number Summary of changes Date Brocade ICX 6650 Security Configuration Guide Contents About This Document Chapter 1 Security Access Page Chapter 2 SSH2 and SCP Chapter 3 Rule-Based IP ACLs Page Chapter 4 IPv6 ACLs Chapter 5 ACL-based Rate Limiting Chapter 6 802.1X Port Security Chapter 7 MAC Port Security Chapter 8 MAC-based VLANs Chapter 9 Multi-Device Port Authentication Chapter 10 DoS Attack Protection Chapter 11 Rate Limiting and Rate Shaping Chapter 12 DHCP Page Page About This Document Audience Supported hardware and software Brocade ICX 6650 slot and port numbering How this document is organized Document conventions Text formatting Command syntax conventions Notes, cautions, and warnings Notice to the reader Related publications Additional information Brocade resources Other industry resources Getting technical help Page Security Access Securing access methods TABLE 1 TABLE 2 TABLE 2 Ways to secure the access method Access method How the access method is secured by default Remote access to management function restrictions ACL usage to restrict remote access TABLE 2 Using an ACL to restrict Telnet access Using an ACL to restrict SSH access Using ACLs to restrict SNMP access Defining the console idle time Remote access restrictions Restricting Telnet access to a specific IP address Restricting SSH access to a specific IP address Restricting SNMP access to a specific IP address Restricting all remote management access to a specific IP address Restricting access to the device based on IP or MAC address Restricting Telnet connection Restricting SSH connection Restricting HTTP and HTTPS connection Defining the Telnet idle time Changing the login timeout period for Telnet sessions Specifying the maximum number of login attempts for Telnet access Changing the login timeout period for Telnet sessions Restricting remote access to the device to specific VLAN IDs Restricting Telnet access to a specific VLAN Restricting SNMP access to a specific VLAN Designated VLAN for Telnet management sessions to a Layer 2 switch Device management security Allowing SSHv2 access to the Brocade device Allowing SNMP access to the Brocade device Disabling specific access methods Disabling Telnet access Disabling SNMP access Disabling TFTP access Passwords used to secure access Setting a Telnet password Suppressing Telnet connection rejection messages Setting passwords for management privilege levels Augmenting management privilege levels Recovering from a lost password Displaying the SNMP community string Specifying a minimum password length Local user accounts - - Enhancements to username and password Enabling enhanced user password combination requirements Enabling user password masking Enabling user password aging Configuring password history Enhanced login lockout Setting passwords to expire Requirement to accept the message of the day Local user account configuration Local user accounts with no passwords Local user accounts with unencrypted passwords Local accounts with encrypted passwords Creating a password option Changing a local user password TACACS and TACACS+ security How TACACS+ differs from TACACS TACACS/TACACS+ authentication, authorization, and accounting Configuring TACACS/TACACS+ for devices in a Brocade IronStack TACACS and TACACS+ security kill console Syntax: kill console [all | unit] Use the show who and the show telnet commands to confirm the status of console sessions. TACACS authentication TACACS+ authentication TACACS+ authorization TACACS+ accounting TACACS and TACACS+ security AAA operations for TACACS/TACACS+ AAA security for commands pasted into the running-config TABLE 3 User action Applicable AAA operations [no] aaa accounting system default TACACS/TACACS+ configuration considerations Configuring TACACS Configuring TACACS+ Enabling TACACS Identifying the TACACS/TACACS+ servers Specifying different servers for individual AAA functions Setting optional TACACS and TACACS+ parameters Setting the TACACS+ key Setting the retransmission limit Setting the timeout parameter Configuring authentication-method lists for TACACS and TACACS+ TABLE 4 Entering privileged EXEC mode after a Telnet or SSH login Configuring enable authentication to prompt for password only Telnet and SSH prompts when the TACACS+ server is unavailable TABLE 4 Configuring TACACS+ authorization Configuring EXEC authorization TABLE 5 Configuring command authorization TACACS+ accounting configuration Configuring TACACS+ accounting for Telnet/SSH (Shell) access Configuring TACACS+ accounting for CLI commands Configuring TACACS+ accounting for system events Configuring an interface as the source for all TACACS and TACACS+ packets Displaying TACACS/TACACS+ statistics and configuration information RADIUS security RADIUS authentication, authorization, and accounting RADIUS authentication RADIUS authorization RADIUS accounting AAA operations for RADIUS TABLE 7 AAA security for commands pasted Into the running-config RADIUS configuration considerations TABLE 7 Configuring RADIUS Brocade-specific attributes on the RADIUS server RADIUS security TABLE 8 Enabling SNMP to configure RADIUS Identifying the RADIUS server to the Brocade device TABLE 8 Specifying different servers for individual AAA functions RADIUS server per port RADIUS server per port configuration notes RADIUS configuration example and command syntax RADIUS server to individual ports mapping RADIUS server-to-ports configuration notes RADIUS server-to-ports configuration example and command syntax RADIUS parameters Setting the RADIUS key Setting the retransmission limit Setting the timeout parameter Setting RADIUS over IPv6 Setting authentication-method lists for RADIUS TABLE 9 Entering privileged EXEC mode after a Telnet or SSH login Configuring enable authentication to prompt for password only RADIUS authorization Configuring EXEC authorization Configuring command authorization Command authorization and accounting for console commands RADIUS accounting Configuring RADIUS accounting for Telnet/SSH (Shell) access Configuring RADIUS accounting for CLI commands Configuring RADIUS accounting for system events Configuring an interface as the source for all RADIUS packets Displaying RADIUS configuration information Page Authentication-method lists Examples of authentication-method lists TCP Flags - edge port security TABLE 11 Using TCP Flags in combination with other ACL features Page SSH2 and SCP SSH version 2 overview TABLE 12 Tested SSH2 clients SSH2 supported features SSH2 unsupported features SSH2 authentication types Configuring SSH2 Enabling and disabling SSH by generating and deleting host keys Setting the CPU priority for key generation Generating and deleting a DSA key pair Generating and deleting an RSA key pair Deleting DSA and RSA key pairs Providing the public key to clients Configuring DSA or RSA challenge-response authentication Importing authorized public keys into the Brocade device Enabling DSA or RSA challenge-response authentication Optional SSH parameters Setting the number of SSH authentication retries Deactivating user authentication Enabling empty password logins Setting the SSH port number Setting the SSH login timeout value Designating an interface as the source for all SSH packets Configuring the maximum idle time for SSH sessions Filtering SSH access using ACLs Terminating an active SSH connection Displaying SSH information Displaying SSH connection information Displaying SSH configuration information To display SSH configuration information, use the show ip ssh config command: Syntax: show ip ssh config This display shows the following information. TABLE 13 TABLE 14 Displaying additional SSH connection information show who [begin expression | exclude expression | include expression] The show who command also displays information about SSH connections: TABLE 14 Secure copy with SSH2 Enabling and disabling SCP Secure copy configuration notes Example file transfers using SCP Copying a file to the running configuration Copying a file to the startup configuration Copying the running config uration file to an SCP-enabled client Copying the startup configuration file to an SCP-enabled client Copying a software image file to flash memory Copying a software image file from flash memory Importing a digital certificate using SCP Importing an RSA private key Importing a DSA or RSA public key SSH2 client Enabling SSH2 client Configuring SSH2 client public key authentication Generating and deleting a client DSA key pair Generating and deleting a client RSA key pair Using SSH2 client Displaying SSH2 client information Rule-Based IP ACLs TABLE 15 TABLE 16 ACL overview TABLE 16 Types of IP ACLs ACL IDs and entries Numbered and named ACLs Default ACL action How hardware-based ACLs work How fragmented packets are processed Hardware aging of Layer 4 CAM entries ACL configuration considerations Configuring standard numbered ACLs Standard numbered ACL syntax Configuration example for standard numbered ACLs Standard named ACL configuration Standard named ACL syntax Page Configuration example for standard named ACLs Extended numbered ACL configuration Extended numbered ACL syntax Page Page - Configuration examples for extended numbered ACLs Extended named ACL configuration Extended named ACL syntax Page Page - Applying egress ACLs to Control (CPU) traffic Preserving user input for ACL TCP/UDP port numbers ACL comment text management Adding a comment to an entry in a numbered ACL Adding a comment to an entry in a named ACL Deleting a comment from an ACL entry Viewing comments in an ACL Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN ACL logging Configuration notes for ACL logging Configuration tasks for ACL logging Example ACL logging configuration Displaying ACL Log Entries Enabling strict control of ACL filtering of fragmented packets Enabling ACL support for switched traffic in the router image Enabling ACL filtering based on VLAN membership or VE port membership Configuration notes for ACL filtering Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only) Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) ACLs to filter ARP packets Configuration considerations for filtering ARP packets Configuring ACLs for ARP filtering Displaying ACL filters for ARP Clearing the filter count Filtering on IP precedence and ToS values TCP flags - edge port security QoS options for IP ACLs Configuration notes for QoS options on Brocade ICX 6650 Using an IP ACL to mark DSCP values (DSCP marking) Combined ACL for 802.1p marking Using an ACL to change the forwarding queue DSCP matching ACL-based rate limiting ACL statistics ACLs to control multicast features Enabling and viewing hardware usage statistics for an ACL Displaying ACL information Troubleshooting ACLs Policy Based Routing Configuration considerations for policy-based routing Configuring a PBR policy Configuring the ACLs Configuring the route map Enabling PBR Configuration examples for PBR Basic example of PBR Setting the next hop Setting the output interface to the null interface Trunk formation with PBR policy IPv6 ACLs IPv6 ACL overview TABLE 17 IPv6 ACL traffic filtering criteria IPv6 ACL configuration notes Configuring an IPv6 ACL Example IPv6 configurations Page Default and implicit IPv6 ACL action Creating an IPv6 ACL Syntax for creating an IPv6 ACL For IPv6 and supported protocols other than ICMP, TCP, or UDP For ICMP For TCP For UDP Creating an IPv6 ACL Table 1 8 lists the syntax elements. TABLE 18 IPv6 ACL arguments Description Creating an IPv6 ACL TABLE 18 IPv6 ACL arguments Description ICMP message configurations Enabling IPv6 on an interface to which an ACL will be applied Applying an IPv6 ACL to an interface Syntax for applying an IPv6 ACL Applying an IPv6 ACL to a trunk group Applying an IPv6 ACL to a virtual interface in a protocol-based or subnet-based VLAN Adding a comment to an IPv6 ACL entry Deleting a comment from an IPv6 ACL entry Support for ACL logging Displaying IPv6 ACLs Displaying IPv6 ACLs ACL-based Rate Limiting ACL-based rate limiting overview Types of ACL-based rate limiting TABLE 19 Traffic policies overview Traffic policy structure - - ACL statistics Configuration notes for traffic policies Configuring fixed rate limiting Configuring adaptive rate limiting Marking Class of Service parameters in adaptive rate limiting TABLE 20 TABLE 21 Inspecting the 802.1p bit in the ACL for adaptive rate limiting Handling packets that exceed the rate limit Dropping packets Permitting packets at low priority Enabling and using ACL statistics Enabling ACL statistics Enabling ACL statistics with rate limiting traffic policies Viewing ACL and rate limit counters Clearing ACL and rate limit counters TABLE 22 Viewing traffic policies TABLE 23 802.1X Port Security IETF RFC support TABLE 24 How 802.1X port security works Device roles in an 802.1X configuration FIGURE 1 Communication between the devices FIGURE 2 Controlled and uncontrolled ports FIGURE 3 Message exchange during authentication FIGURE 4 Setting the IP MTU size EAP pass-through support Support for RADIUS user-name attribute in access-accept messages Authenticating multiple hosts connected to the same port TABLE 25 FIGURE 5 How 802.1X multiple-host authentication works Page - - - - Configurable hardware aging period for denied client dot1x-mac-sessions 802.1X port security and sFlow 802.1X accounting 802.1X port security configuration Configuring an authentication method list for 802.1X Setting RADIUS parameters Supported RADIUS attributes Specifying the RADIUS timeout action Allow user access to a restricted VLAN after a RADIUS timeout Dynamic VLAN assignment for 802.1X port configuration Automatic removal of dynamic VLAN assignments for 802.1X ports TABLE 26 Dynamic multiple VLAN assignment for 802.1X ports Saving dynamic VLAN assignments to the running-config file Considerations for dynamic VLAN assignment in an 802.1X multiple-host configuration Dynamically applying IP ACLs and MAC address filters to 802.1X ports Configuration considerations for applying IP ACLs and MAC address filters to 802.1x ports Disabling and enabling strict security mode for dynamic filter assignment Disabled strict security mode Disabling strict security mode globally Dynamically applying existing ACLs or MAC address filters TABLE 27 TABLE 28 Notes for dynamically applying ACLs or MAC address filters Configuring per-user IP ACLs or MAC address filters TABLE 29 TABLE 30 Enabling 802.1X port security Setting the port control Configuring periodic re-authentication Re-authenticating a port manually Setting the quiet period Setting the wait interval for EAP frame retransmissions Setting the maximum number of EAP frame retransmissions Wait interval and number of EAP-request/ identity frame retransmissions from the RADIUS server Setting the wait interval for EAP frame retransmissions Setting the maximum number of EAP frame retransmissions Specifying a timeout for retransmission of messages to the authentication server Initializing 802.1X on a port Allowing access to multiple hosts Configuring 802.1X multiple-host authentication Page Page MAC address filters for EAP frames Creating MAC address filters for EAP on most devices Configuring VLAN access for non-EAP-capable clients 802.1X accounting configuration 802.1X accounting attributes for RADIUS Enabling 802.1X accounting TABLE 31 Displaying 802.1X information Displaying 802.1X configuration information TABLE 32 Syntax: show dot1x config ethernet port TABLE 32 TABLE 33 Displaying 802.1X statistics To display 802.1X statistics for an individual port, enter the show dot1x statistics command. Syntax: show dot1x statistics ethernet port TABLE 34 Field Statistics Clearing 802.1X statistics Displaying dynamically assigned VLAN information Displaying information about dynamically applied MAC address filters and IP ACLs Displaying user-defined MAC address filters and IP ACLs Displaying dynamically applied MAC address filters and IP ACLs Displaying the status of strict security mode Displaying 802.1X multiple-host authentication information Displaying 802.1X multiple-host configuration information TABLE 35 Syntax: show dot1x config ethernet port The following table lists the fields in the display. Displaying information about the dot1x MAC sessions on each port TABLE 36 Example Syntax: show dot1x mac-session Table 37 lists the new fields in the display. TABLE 37 Displaying information about the ports in an 802.1X multiple-host configuration TABLE 38 Sample 802.1X configurations Point-to-point configuration FIGURE 6 Same point-to-point 802.1x configuration Hub configuration FIGURE 7 Sample 802.1x configuration using a hub 802.1X authentication with dynamic VLAN assignment FIGURE 8 Multi-device port authentication and 802.1X security on the same port Page MAC Port Security TABLE 39 MAC port security overview Local and global resources used for MAC port security Configuration notes and feature limitations for MAC port security MAC port security configuration Enabling the MAC port security feature Setting the maximum number of secure MAC addresses for an interface Setting the port security age timer Specifying secure MAC addresses On an untagged interface On a tagged interface Autosaving secure MAC addresses to the startup configuration Specifying the action taken when a security violation occurs Dropping packets from a violating address Disabling the port for a specified amount of time Clearing port security statistics Clearing restricted MAC addresses Clearing violation statistics Displaying port security information Displaying port security settings Displaying the secure MAC addresses TABLE 40 Displaying port security statistics TABLE 41 TABLE 42 Displaying restricted MAC addresses on a port TABLE 43 MAC-based VLANs MAC-based VLAN overview Static and dynamic hosts TABLE 44 MAC-based VLAN feature structure Source MAC address authentication Policy-based classification and forwarding Dynamic MAC-based VLAN Configuration notes and feature limitations for dynamic MAC-based VLAN Dynamic MAC-based VLAN CLI commands Dynamic MAC-based VLAN Dynamic MAC-based VLAN configuration example The following example shows a MAC-based VLAN configuration. TABLE 45 CLI command Description CLI level MAC-based VLAN configuration Using MAC-based VLANs and 802.1X security on the same port Configuring generic and Brocade vendor-specific attributes on the RADIUS server TABLE 46 Aging for MAC-based VLAN For permitted hosts For blocked hosts TABLE 47 For MAC-based dynamic activation Disabling aging for MAC-based VLAN sessions Globally disabling aging Disabling the aging on interfaces Configuring the maximum MAC addresses per port Configuring a MAC-based VLAN for a static host Configuring MAC-based VLAN for a dynamic host Configuring dynamic MAC-based VLAN Configuring MAC-based VLANs using SNMP Displaying information about MAC-based VLANs Displaying the MAC-VLAN table TABLE 48 Displaying the MAC-VLAN table for a specific MAC address Displaying allowed MAC addresses TABLE 49 TABLE 50 Displaying denied MAC addresses TABLE 51 TABLE 50 Displaying detailed MAC-VLAN data Displaying MAC-VLAN information for a specific interface The following table describes the information in this output. TABLE 52 Displaying MAC addresses in a MAC-based VLAN Enter the show mac-address command to display a list of MAC addresses in a MAC-based VLAN. TABLE 53 TABLE 52 Displaying MAC-based VLAN logging Clearing MAC-VLAN information Sample MAC-based VLAN application Sample MAC-based VLAN application FIGURE 9 Sample MAC-based VLAN application The show table-mac-vlan command returns the following results for all ports in this configuration. Page Multi-Device Port Authentication How multi-device port authentication works TABLE 54 RADIUS authentication Authentication-failure actions Supported RADIUS attributes Support for dynamic VLAN assignment Support for dynamic ACLs Support for authenticating multiple MAC addresses on an interface Support for dynamic ARP inspection with dynamic ACLs Support for DHCP snooping with dynamic ACLs Multi-device port authentication and 802.1X security on the same port Configuring Brocade-specific attributes on the RADIUS server Multi-device port authentication configuration TABLE 55 Enabling multi-device port authentication Globally enabling multi-device port authentication Enabling multi-device port authentication on an interface Specifying the format of the MAC addresses sent to the RADIUS server Specifying the authentication-failure action Generating traps for multi-device port authentication Defining MAC address filters Configuring dynamic VLAN assignment Configuring a port to remain in the restricted VLAN after a successful authentication attempt Configuration notes for configuring a port to remain in the restricted VLAN Configuring the RADIUS server to support dynamic VLAN assignment Enabling dynamic VLAN support for tagged packets on non-member VLAN ports TABLE 56 Specifying to which VLAN a port is moved after its RADIUS-specified VLAN assignment expires Automatic removal of dynamic VLAN assignments for MAC authenticated ports Saving dynamic VLAN assignments to the running-config file Dynamically applying IP ACLs to authenticated MAC addresses Multi-device port authentication with dynamic IP ACLs and ACL-per-port-per-VLAN Configuration considerations and guidelines for multi-device port authentication - - - - - Configuring the RADIUS server to support dynamic IP ACLs Enabling denial of service attack protection TABLE 57 TABLE 58 Enabling source guard protection Viewing the assigned ACL for ports on which source guard protection is enabled Clearing authenticated MAC addresses Disabling aging for authenticated MAC addresses Globally disabling aging of MAC addresses Disabling the aging of MAC addresses on interfaces Changing the hardware aging period for blocked MAC addresses Specifying the aging time for blocked MAC addresses Specifying the RADIUS timeout action Permit user access to the network after a RADIUS timeout Deny user access to the network after a RADIUS timeout Allow user access to a restricted VLAN after a RADIUS timeout Multi-device port authentication password override Limiting the number of authenticated MAC addresses Displaying multi-device port authentication information Displaying authenticated MAC address information Displaying multi-device port authentication configuration information TABLE 59 Displaying multi-device port authentication information for a specific MAC address or port TABLE 60 TABLE 61 Displaying the authenticated MAC addresses TABLE 61 Displaying the non-authenticated MAC addresses Displaying multi-device port authentication information for a port TABLE 62 Displaying multi-device port authentication settings and authenticated MAC addresses TABLE 62 Displaying multi-device port authentication information TABLE 63 Displaying multi-device port authentication information Example port authentication configurations Multi-device port authentication with dynamic VLAN assignment TABLE 63 FIGURE 10 Example 1 Multi-device port authentication with dynamic VLAN assignment FIGURE 11 Example 1 Multi-device port authentication and 802.1x authentication on the same port FIGURE 12 Example 2 Creating a profile on the RADIUS server for each MAC address FIGURE 13 Page DoS Attack Protection Smurf attacks FIGURE 14 TABLE 64 Avoiding being an intermediary in a Smurf attack Avoiding being a victim in a Smurf attack TCP SYN attacks TCP security enhancement Protecting against a blind TCP reset attack using the RST bit Protecting against a blind TCP reset attack using the SYN bit Protecting against a blind injection attack Displaying statistics about packets dropped because of DoS attacks Page Rate Limiting and Rate Shaping Port-based rate limiting TABLE 65 How port-based fixed rate limiting works FIGURE 15 Rate limiting in hardware Configuration notes for port-based fixed rate limiting Configuring a port-based fixed rate limiting policy Displaying the port-based fixed rate limiting configuration TABLE 66 Rate shaping Configuration notes for rate shaping Configuring outbound rate shaping for a port TABLE 67 Configuring outbound rate shaping for a specific priority CPU rate-limiting TABLE 68 DHCP Dynamic ARP inspection ARP poisoning TABLE 69 Dynamic ARP Inspection FIGURE 16 ARP entries Configuration notes and feature limitations for DAI Dynamic ARP inspection configuration Configuring an inspection ARP entry Enabling DAI on a VLAN TABLE 70 Enabling trust on a port DHCP snooping How DHCP snooping works FIGURE 17 FIGURE 18 DHCP binding database Client IP-to-MAC address mappings System reboot and the binding database Configuration notes and feature limitations for DHCP snooping Configuring DHCP snooping Enabling DHCP snooping on a VLAN Enabling trust on a port Disabling the learning of DHCP clients on a port TABLE 71 Clearing the DHCP binding database Displaying DHCP snooping status and ports Displaying the DHCP snooping binding database Displaying DHCP binding entry and status DHCP snooping configuration example DHCP relay agent information FIGURE 19 FIGURE 20 Configuration notes for DHCP option 82 DHCP option 82 sub-options + Sub-option 1 Circuit ID FIGURE 21 Sub-option 2 Remote ID FIGURE 22 Sub-option 6 - Subscriber ID DHCP option 82 configuration Disabling and re-enabling DHCP option 82 processing on an individual interface Changing the forwarding policy Enabling and disabling subscriber ID processing Viewing information about DHCP option 82 processing Viewing the circuit ID, remote ID, and forwarding policy Viewing the ports on which DHCP option 82 is disabled TABLE 72 IP source guard TABLE 73 Configuration notes and feature limitations for IP source guard Enabling IP source guard on a port Defining static IP source bindings Enabling IP source guard per-port-per-VLAN Enabling IP source guard on a VE Displaying learned IP addresses Page Limiting Broadcast, Multicast, and Unknown Unicast Traffic Broadcast, unknown Unicast, and Multicast rate limiting Configuring rate limiting for BUM traffic Viewing rate limits set on BUM traffic Broadcast, unknown Unicast, and Multicast rate limiting Syntax: show rate-limit broadcast Example Page Index Numerics A B C D F G I L M P Q R S T U V