Chapter 15 Configuring Security for the ML-Series Card

RADIUS Stand Alone Mode

To remove the specified RADIUS server, use the no radius-server host hostname ip-addressglobal configuration command. To remove a server group from the configuration list, use the no aaa group server radius group-nameglobal configuration command. To remove the IP address of a RADIUS server, use the no server ip-addressserver group configuration command.

In this example, the ML-Series card is configured to recognize two different RADIUS group servers

(group1 and group2). Group1 has two different host entries on the same RADIUS server configured for the same services. The second host entry acts as a fail-over backup to the first entry.

Switch(config)# radius-server host 172.20.0.1 auth-port 1000 acct-port 1001

Switch(config)# radius-server host 172.10.0.1 auth-port 1645 acct-port 1646

Switch(config)# aaa new-model

Switch(config)# aaa group server radius group1

Switch(config-sg-radius)#server 172.20.0.1 auth-port 1000 acct-port 1001

Switch(config-sg-radius)# exit

Switch(config)# aaa group server radius group2

Switch(config-sg-radius)#server 172.20.0.1 auth-port 2000 acct-port 2001

Switch(config-sg-radius)# exit

Configuring RADIUS Authorization for User Privileged Access and Network Services

AAAauthorization limits the services available to a user. When AAA authorization is enabled, the ML-Series card uses information retrieved from the user’s profile, which is in the local user database or on the security server, to configure the user’s session. The user is granted access to a requested service only if the information in the user profile allows it.

There is no support for setting the privilege level on the ML-Series card or using the priv-lvlcommand. A user authenticating with a RADIUS server will only access the ML-Series card with a privilege level of 1, which is the default login privilege level. Because of this, a priv-lvl configured on the RADIUS server should have the priv-lvl of 0 or 1. Once a user is authenticated and gains access to the ML-Series card, they can use the enable password to gain privileged EXEC authorization and become a super user with a privilege level of 15, which is the default privilege level of enable mode.

This example of an ML-Series card user record is from the output of the RADIUS server and shows the privilege level:

CISCO15 Auth-Type := Local, User-Password == "otbu+1"

Service-Type = Login,

Session-Timeout = 100000,

Cisco-AVPair = "shell:priv-lvl=1"

You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user’s network access to privileged EXEC mode.

The aaa authorization exec radius local command sets these authorization parameters:

Use RADIUS for privileged EXEC access authorization if authentication was performed by using

RADIUS.

Use the local database if authentication was not performed by using RADIUS.

Note Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured.

Beginning in privileged EXEC mode, follow these steps to specify RADIUS authorization for privileged EXEC access and network services:

 

 

Cisco ONS 15310-CL and Cisco ONS 15310-MA Ethernet Card Software Feature and Configuration Guide R8.5

 

 

 

 

 

 

78-18133-01

 

 

15-15

 

 

 

 

 

Page 209
Image 209
Cisco Systems 15310-CL, 15310-MA manual Radius, 15-15

15310-CL, 15310-MA specifications

Cisco Systems has established itself as a leader in the networking domain, offering a wide array of solutions to meet the needs of modern businesses. Among its impressive product lineup are the Cisco 15310-CL and 15310-MA routers, designed to provide advanced network performance and reliability.

The Cisco 15310-CL is a versatile platform that primarily serves as a carrier-class router aimed at supporting high-speed data and voice services. It is built to handle the demands of large enterprises and service providers, offering a robust design that ensures maximum uptime and performance. One of its standout features is its modular architecture, which enables users to customize their configurations based on specific application needs. This scalability allows for future expansion without the need for a complete hardware overhaul.

Key technologies integrated into the Cisco 15310-CL include high-density Ethernet interfaces and a comprehensive suite of Layer 2 and Layer 3 protocol support. The device is capable of supporting multiple types of connections, including TDM, ATM, and Ethernet. This flexibility makes it an ideal choice for organizations that require seamless migration between various service types. Moreover, with features such as MPLS (Multiprotocol Label Switching) support and advanced Quality of Service (QoS) mechanisms, the router ensures that critical applications receive the necessary bandwidth and low latency required for optimal performance.

In contrast, the Cisco 15310-MA focuses on access solutions, providing a cost-effective entry point for businesses looking to enhance their network capabilities. It is well-suited for smaller offices or branch locations that need reliable connectivity without the expense and complexity associated with larger systems. The device supports a range of access methods and provides essential features like firewall capabilities, VPN support, and comprehensive security measures to protect sensitive data.

Both models benefit from Cisco's commitment to security and manageability, offering features like enhanced encryption protocols and user authentication mechanisms that help safeguard networks against threats. Additionally, they can be managed through Cisco’s intuitive software tools, simplifying configuration and monitoring tasks for IT administrators.

The Cisco 15310-CL and 15310-MA are ideal solutions for businesses seeking to enhance their network infrastructure, ensuring firms can keep pace with evolving technology demands while maintaining a focus on security and performance. Their combination of advanced features, modular capabilities, and robust support makes them valuable assets in the networking landscape.