Manuals / Cisco Systems / Computer Equipment / Switch

Cisco Systems 15310-MA manual Security Radius Security

Models: 15310-MA

1 352

Download 352 pages 59.1 Kb

Page 115

Chapter 5 Security

RADIUS Security

For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server.

Shared secrets are used to:

•Verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret.

•Verify that the RADIUS message has not been modified in transit (message integrity).

•Encrypt some RADIUS attributes, such as User-Password and Tunnel-Password.

When creating and using a shared secret:

•Use the same case-sensitive shared secret on both RADIUS devices.

•Use a different shared secret for each RADIUS server-RADIUS client pair.

•Generate a random sequence at least 22 characters long to ensure a random shared secret.

•Use any standard alphanumeric and special characters.

•Use a shared secret of up to 128 characters in length. To protect your server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).

•Make the shared secret a random sequence from each of the following three categories: letters (upper or lower case), numbers, and punctuation.

•Change the shared secret often to protect your server and your RADIUS clients from dictionary attacks. An example of a strong shared secret is 8d#>9fq4bV)H7%a3-zE13sW$hIa32M#m<PqAa72(.

Cisco ONS 15310-MA SDH Reference Manual, Release 9.1 and Release 9.2

	78-19417-01	5-9

Image 115

Cisco Systems 15310-MA manual Security Radius Security

Contents

Americas Headquarters Cisco ONS 15310-MA SDH Reference ManualCisco ONS 15310-MA SDH Reference Manual, Release 9.1 Iii N T E N T SFan-Tray Assembly CTC Software Installed on the 15310E-CTX-K9 Card Timing Vii Rolls WindowViii IP-Over-CLNS Tunnel Scenario 2 ONS Node to RouterPerformance Monitoring Snmp Specifications A-1 Xii Threshold Defaults C-425-PR 24-GA CORR-SHIELD Outdoor Cable Assembly Xiv Configurations 12-3 XviJ22 Link Icons Color Codes for Alarm and Condition Severities ONS 15310-MA SDH Card Service State Transitions B-3 Date Revision HistoryXxi Xxii Document ObjectivesAudience Related DocumentationConvention Application Document ConventionsXxiii Xxiv Warnung Wichtige SicherheitshinweiseAviso Instruções Importantes DE Segurança Avvertenza Importanti Istruzioni Sulla SicurezzaXxv Xxvi Xxvii GEM Disse AnvisningerXxviii Xxix Where to Find Safety and Warning InformationObtaining Optical Networking Information Cisco Optical Networking Product Documentation CD-ROMXxx Installation Overview Cisco ONS 15310-MA SDH Shelf Assembly HardwareRack Installation Mounting Brackets ONS 15310-MA SDH Shelf Assembly DimensionsMounting a Single ONS 15310-MA SDH in a Rack Mounting a Single NodeMounting Multiple Nodes Electrical Interface AssembliesFront Door Cisco ONS 15310-MA SDH Shelf Assembly Hardware Front DoorRear Cover Power and Ground DescriptionGround holes 144707 Ground holes Cable Description and Installation Shelf TemperatureCabling Types ACS Cable T015654 PCAM90SPA3MC001 ACS Part Numbers Length DescriptionPCAM90SPA0PC001 PCAM90SPA1OC001Fiber Cable Installation 10 Shelf Assembly with Fiber Guide Installed Coaxial Cable InstallationSignal Pin 4 E1 Cable InstallationRing Port Tip Port Connectors J23 and J24 Not used Ring Port Tip Port Alarm Cable Installation Function DB-25 Pin Number FunctionOut 1+ Out 2+ Out 3+ Out 4+ Out 5+ Out 6+ Out 7+ UDC Cable Installation Bits Cable InstallationDB-9 Pin Number Function TX + RJ-45 Pin RS-232/64K Number ModeCable Routing and Management Standard Cable Management BracketExtended Cable Management Bracket 12 Installing the Standard Cable Management Bracket13 Installing the Extended Cable Management Bracket Fan-Tray AssemblyAir Filter Fan Speed and Power RequirementsOrderwire Fan FailureRJ-11 Pin Number Description Cards and Slots 14 RJ-11 Cable ConnectorSTM1/STM4/STM16 BNCCopper SFP-RJ4 LC SFPCard Summary and Compatibility Card ReferenceCard Platforms Description For Additional Information Card SummaryMA SDH Card CompatibilityCard 15310E-CTX-K9 Card 2shows the 15310E-CTX-K9 card faceplate and block diagram3 15310E-CTX-K9 Optical Interfaces 2 15310E-CTX-K9 Card Side Switches4 15310E-CTX-K9 Card-Level Indicators System Cross-ConnectGreen/Amber It is amber if the card is the standby card 5 15310E-CTX-K9 Port-Level IndicatorsCE-100T-8 Card ACT/STBY LED3shows the CE-100T-8 card faceplate and block diagram 2 CE-100T-8 Port-Level Indicators 1 CE-100T-8 Card-Level IndicatorsCE-MR-6 Card Port-Level Indicators DescriptionOFF Card Reference CE-MR-6 Card 4shows the CE-MR-6 card faceplate and block diagram CE-MR-6 Port-Level Indicators CE-MR-6 Card-Level IndicatorsML-100T-8 Card ML-Series Cisco IOS CLI Console Port 1 ML-100T-8 Card Description6shows the ML-100T-8 card faceplate and block diagram 4 ML-100T-8 Port-Level Indicators 3 ML-100T-8 Card-Level IndicatorsE121E3DS33 and E163E3DS33 Cards E121E3DS33 and E163E3DS33 Card Faceplates and Block DiagramBIC Configuration on WBE Cards 1 E121E3DS33 and E163E3DS33 Card-Level IndicatorsFiller Cards Card-Level Indicators DescriptionSFP Modules 15310E-CTX-K9 Compatibility by CardONS-SI-2G-I1 ONS-SI-2G-L1 ONS-SI-2G-S1 ONS-SI-2G-L2 CE-MR-6 SFP Description12 Actuator/Button SFP PPM ProvisioningONS 15310-MA SDH Card and Port Protection OverviewONS 15310-MA SDH Chassis Card Layout 1 11 Electrical Card ProtectionCard Protection ONS 15310-MA SDH Card and Port Protection 3 .15310E-CTX-K9 Card Equipment Protection Lmsp Optical Port ProtectionExternal Switching Commands Automatic Protection SwitchingPage CTC Software Delivery Methods CTC Software Installed on the 15310E-CTX-K9 CardCTC Software Versions in an ONS 15310-MA SDH Node View CTC Software Installed on the PC or Unix WorkstationPC, Unix and Mac Workstation Requirements CTC Installation OverviewRAM Area RequirementsONS 15310-MA SDH Connection SDH CTC LoginMethod Description Requirements LANCTC Window ONS 15310-MA SDH Node View Default Login ViewCTC Card Colors Node ViewCard and Slot Color Status Port Color Service State Description Tab Description Subtabs Node View Card ShortcutsNode View Tabs Card Status DescriptionNetwork View Appendix B, Administrative and Service States8lists the tabs and subtabs available in the network view Color Alarm StatusCTC Node Colors Network View TabsDCC icon GCC icon OTS icon PPC icon Server Trail icon DCC LinksLink Consolidation Icon DescriptionCTC Card View of an E121E3DS33 Card Card ViewPrint and Export CTC Data Cisco ONS 15310-MA SDH Procedure Guide for specifics Static IP-Over-CLNS Tunnels Static Category IP-Over-CLNS TL1 Tunnel Comments Traffic Card Reset Common Control Card ResetSoftware Revert Database BackupUsers IDs and Security Levels SecurityUser Privileges by CTC Action User Privileges and PoliciesOSI Snmp CTC Tab Subtab Subtab Actions Maintenance Provisioning SuperuserAPC Run APC/Disable APC RefreshSecurity Policies Vlan DBIdle Time Idle User TimeoutUser Password, Login, and Access Policies Superuser Privileges for Provisioning UsersAudit Trail Log Entries Audit TrailShared Secrets Radius AuthenticationRadius Security Audit Trail CapacitiesSecurity Radius Security Page Timing Parameters TimingSynchronization Status Messaging Network TimingMessage Quality Description Page Circuits and Tunnels Circuit Properties Status Definition/Activity Circuit StatusDroppending Information about in-service topology upgrades, see , SDHCircuit States PendingmergeProtection Type Description Circuit Protection TypesLmsp Description Circuit Information in the Edit Circuits WindowTerminal Loopback in the Edit Circuits Window Port Color StateVC Low-order Path Tunnels and Aggregation Points VC-12 BandwidthDCC Tunnels SDH Layer SDH Bytes Subnetwork Connection Protection CircuitsTraditional DCC Tunnels IP-Encapsulated TunnelsGo-and-Return Subnetwork Connection Protection Routing Open-Ended Subnetwork Connection Protection CircuitsVcat Circuit States Virtual Concatenated CircuitsVcat Common Fiber Routing Vcat Member RoutingFor CE100T-8 card For CE-MR-6 card Link Capacity AdjustmentVC3 VC4 Vcat Circuit SizeCard Circuit Rate Number of Members VC3Add a Delete a Card Mode Member UtOfGroupOpen-Ended Vcat SupportOpen-Ended Vcat Protection Routing Preferences Routing Mode Protection OptionsJ1 or J2 Cards/Ports Routing Preferences Routing Mode Protection OptionsSection and Path Trace PCA DRIRolls Window Bridge and RollState Description Roll StatusSingle Destination Roll Single and Dual Rolls11illustrates a dual roll on the same circuit Two-Circuit Bridge and Roll Merged CircuitsProtected Circuits Server Trails Reconfigured CircuitsVcat Circuit Routing over Server Trails Server Trail Protection TypesShared Resource Link Group Page Management Network Connectivity IP Addressing Scenarios IP Networking OverviewWhat to Check Scenario 1 CTC and ONS 15310-MA SDH Nodes on the Same Subnet LAN B Scenario 3 Using Proxy ARP SDH Scenario 4 Default Gateway on CTC ComputerScenario 4 Default Gateway on a CTC Computer Scenario 5 Using Static Routes to Connect to LANs271793 Scenario 5 Static Route with Multiple LAN Destinations Scenario 6 Using Ospf8shows a network enabled for Ospf Scenario 7 Provisioning the ONS 15310-MA SDH Proxy Server Scenario 6 Ospf Not EnabledManagement Network Connectivity IP Addressing Scenarios Ospf SettingGNE ONS 15310-MA SDH 86.1.1.1 Scenario 7 Proxy Server with ENEs on Multiple Rings Packets Arrive At Accepts Rejects Routing TableOSPF, Icmp Entry Destination Mask Gateway Interface Port Function Action1 External FirewallsIs 683 and the TCC Corba Default is TCC Fixed 10240-12287 Proxy client 57790 Default TCC listener portPort Function Action Open GNE 13 Proxy and Firewall Tunnels for Foreign Terminations 14 Foreign Node Connection to an ENE Ethernet Port TCP/IP and OSI NetworkingOSI Model IP Protocols OSI Protocols IP-OSI Tunnels Point-to-Point ProtocolOSI Connectionless Network Service Link Access Protocol on the D ChannelField Definition Description SEL OSI Routing Intermediate System-to-Intermediate System Protocol End System-to-Intermediate System ProtocolField TarpSize bytes Description PDU Type Description ProcedureTarp Processing Field Abbreviation Size bytes DescriptionTarp Loop Detection Buffer Default Range Timer Description SecondsProcess General Tarp Flow Manual Tarp Adjacencies OSI Virtual RoutersManual TID to Nsap Provisioning EMS IP-over-CLNS TunnelsIP Over Clns Tunnel Scenario 1 ONS Node to Other Vendor GNE Provisioning IP-over-CLNS TunnelsStep Purpose 19 IP Over Clns Tunnel Scenario 1 ONS NE to Other Vender GNE IP-Over-CLNS Tunnel Scenario 2 ONS Node to RouterManagement Network Connectivity TCP/IP and OSI Networking IP-Over-CLNS Tunnel Scenario 2 ONS Node to Router CTC 1 10.10.10.100/24 Tab Actions Provisioning OSI in CTCIPv6 Native Support IPv6 Network Compatibility2 IPv6 Disabled Mode 1 IPv6 Enabled ModeIPv6 Node IPv4 Node 5 IPv6 Limitations FTP Support for ENE Database Backup3 IPv6 in Non-secure Mode 4 IPv6 in Secure ModeSubnetwork Connection Protection Configurations SDH Topologies and UpgradesSubnetwork Connection Protection Application Example Subnetwork Connection Protection BandwidthTerminal Point-to-Point and Linear ADM Configurations Subtending Rings InteroperabilityONS 15310-MA SDH Linear ConnectionsPath-Protected Mesh Network for ONS 15310-MA SDH Nodes Path-Protected Mesh NetworksNode Protect traffic Stmn Speed Upgrades Four Node ConfigurationsManual Span Upgrades Span Upgrade WizardOverlay Ring Circuits Overlay Ring Circuit 10-1 Viewing Alarms10-2 Column Information RecordedRight-click a column and choose Show Column Ref Color DescriptionDS3/E3 VC Viewing Alarms With Each Node’s Time ZoneSTM1/STM4 VC Term Object Electrical Syntax and ExamplesButton/Check box/Tool Action Controlling Alarm DisplayFiltering Alarms Viewing Alarm-Affected CircuitsControlling the Conditions Display Conditions Tab10-5 Retrieve Filter Retrieving and Displaying ConditionsConditions Column Descriptions Button10-7 Viewing HistoryFiltering Conditions Description Description of the conditionHistory Column Descriptions Retrieving and Displaying Alarm and Condition History10-8 10-9 Alarm SeveritiesAlarm Profiles Alarm History and Log Buffer Capacities10-10 Creating and Modifying Alarm ProfilesAlarm Profile Buttons Button DescriptionAlarm Severity Options Alarm Profile Editing10-11 10-12 Alarm SuppressionApplying Alarm Profiles Row Display OptionsExternal Alarm Input External Alarms and ControlsAlarms Suppressed for Maintenance Alarms Suppressed by User Command10-14 External Control Output11-1 Threshold Performance MonitoringYES Port Line Path Near End Far End11-2 11-3 Intermediate-Path Performance MonitoringParameter Definition Performance Monitoring Parameter Definitions11-4 11-5 11-6 11-7 11-8 One or more errored blocks or at least one defectMS-ESR MS-PSC-S11-9 11-10 11-11 11-12 11-13 Performance Monitoring for Electrical Ports11-14 11.5.1 E1 Port Performance Monitoring ParametersLine NE PM parameters for the E1 ports are listed in Table11-15 11-16 11.5.2 E3 Port Performance Monitoring Parameters11-17 11.5.3 DS3 Port Performance Monitoring ParametersLine NE Path NE VC4 HP Path NE/FE11-18 Monitored Signal Types for the DS3 PortLine NE Path NE 1 Path FE 1 Performance Monitoring for Ethernet Cards11-19 11-20 Parameter Definition11-21 Time Interval Number of Intervals Displayed MaxBaseRate11-22 11-23 11-24 11.7.1 STM1 Port Performance Monitoring Parameters Performance Monitoring for Optical Ports11-25 Lmsp NE 1 PJC NE Path NE/FE4 4 MS NE/FE 1+111-26 11-27 11.7.2 STM4 Port Performance Monitoring Parameters11-28 VC4 and VC4-XcMS NE/FE 1+1 HP Path Lmsp NE 1 PJC NE NE/FE4 411-29 Monitored Signal Types for the STM16 Ports13 PM Parameter Read Points on the STM16 Ports 11-3011-31 11-32 12-1 Snmp Overview12-2 Snmp Basic ComponentsExample of the Primary Snmp Components 12-312-4 Snmp Version SupportSnmp Message Types SNMPv3 SupportNumber Module Name Title/Comments Snmp Management Information BasesIETF-Standard MIBs for the ONS 15310-MA SDH Operation Description12-6 Proprietary ONS 15310-MA SDH MIBs12-7 Number Module Name12-8 CISCO-ENTITY-VENDORTYPE-OID-MI12-9 CISCO-VLAN-IFTABLE-RELATIONSHI12-10 12-11 Snmp Trap ContentGeneric and Ietf Traps From RFC No TrapVariable Trap Bindings SNMPv1/v2 Community Names12-12 SNMPv1/v2 Proxy Support Over Firewalls SNMPv3 Proxy Configuration12-13 12-14 Snmp Remote MonitoringEthernet Statistics Group Row Creation in etherStatsTable12.10.1.4 64-Bit etherStatsHighCapacity Table History Control GroupGet Requests and GetNext Requests Row Deletion in etherStatsTable12.10.3.1 64-Bit etherHistoryHighCapacityTable Ethernet History Rmon GroupRow Creation in historyControlTable Row Deletion in historyControl TableColumn Name Alarm Rmon GroupAlarm Table Row Creation in alarmTable12-18 Log Table Row Deletion in alarmTableEvent Rmon Group Event Table12-20 Alarm Interface Cisco ONS 15310-MA SDH Shelf Specifications4 TL1 Craft Interface ConfigurationsUDC Interface Cisco Transport Controller LAN InterfaceSystem Timing LEDsPush Buttons Bits InterfaceShelf Dimensions Power SpecificationsEnvironmental Specifications Fan-Tray Assembly Specifications1 15310E-CTX-K9 Card Card Specifications3 CE-100T-8 and ML-100T-8 Cards Nonvolatile Memory5 E121E3DS33 and E163E3DS33 Cards CE-MR-6 CardAppendix a Specifications Card Specifications Filler Cards SFP SpecificationsSTM1 Transmitter OutputMin/Max dBm ONS-SE-Z1=Wavelength Fiber Type Cable Distance ONS-SE-ZE-ELONS-SI-2G-I1 ONS-SI-2G-S1 Purcell FLX25GT Cabinet SpecificationsPower Specifications ONS 15310-MA SDH OSP Statements Turn off or on AC power in Purcell FLX25GT OSP cabinet ONS 15310-MA OSP configurationStop. You have completed this procedure State Qualifier Definition Service StatesFLT Administrative StatesFault The entity has a raised alarm or condition Secondary State DefinitionTable B-4lists card service state transitions Service State TransitionsCard Service State Transitions Administrative StateTable B-4 ONS 15310-MA SDH Card Service State Transitions Current Service State Action Next Service State Port and Cross-Connect Service State Transitions Current Service State Action Next Service State Current Service State Action Next Service State Current Service State Action Next Service State Current Service State Action Next Service State Current Service State Action Next Service State Current Service State Action Next Service State Pluggable Equipment Service State Transitions Current Service State Action Next Service State Network Element Defaults Description Network Element DefaultsDefault Domain CTC Default SettingsCisco ONS 15310-MA SDH Card Default Settings Default NameConfiguration Defaults Defaults by Card Threshold DefaultsDefault Name Default Value Default Domain 3.1 15310E-CTX-K9 Card Default SettingsTable C-2 15310E-CTX-K9 Card Default Settings Default Name Default Value Default Domain CTX-2500.STM16-PORT.config.line.SendAISOnTerminalLoopback CTX-2500.STM16-PORT.config.line.SendAISOnFacilityLoopbackCTX-2500.STM16-PORT.config.line.SendDoNotUse CTX-2500.STM16-PORT.config.vclo.IPPMEnabled CTX-2500.STM16-PORT.config.vc4.IPPMEnabledDefault Name Default Value Default Domain Default Name Default Value Default Domain CTX-2500.STM4-PORT.config.vc4.IPPMEnabled CTX-2500.STM4-PORT.config.line.SendAISOnFacilityLoopbackCTX-2500.STM4-PORT.config.line.SendAISOnTerminalLoopback CTX-2500.STM4-PORT.config.line.SendDoNotUseDefault Name Default Value Default Domain Default Name Default Value Default Domain BIT 3.2 E121E3DS33 Card Default SettingsE3-PORT DS3-PORT E3-PORT Unframed M13 CBPV BIPHDB3 E1-21-E3-DS3-3.E1-PORT.config.LineTypeE1MF E1MF E1CRCMF Unframed E1-21-E3-DS3-3.E1-PORT.config.TreatLOFAsDefect E1-21-E3-DS3-3.E1-PORT.config.SendAISOnTerminalLoopbackE1-21-E3-DS3-3.E1-PORT.config.SendAISVOnDefects E1-21-E3-DS3-3.E1-PORT.config.SendDoNotUseTable C-3 E121E3DS33 Card Default Settings E1-21-E3-DS3-3.E3-PORT.config.SendAISOnTerminalLoopback E1-63-E3-DS3-3.Broadband.portAssignment 3.3 E163E3DS33 Card Default SettingsTable C-4lists the E163E3DS33 card default settings E1-63-E3-DS3-3.DS3-PORT.config.SendAISOnTerminalLoopbackTable C-4 78-19417-01 E1-63-E3-DS3-3.E1-PORT.config.SendAISOnTerminalLoopback E1-63-E3-DS3-3.E1-PORT.config.LineCodingE1-63-E3-DS3-3.E1-PORT.config.LineType E1-63-E3-DS3-3.E1-PORT.config.RetimingEnabledDefault Name Default Value Default Domain E1-63-E3-DS3-3.E3-PORT.config.SendAISOnTerminalLoopback Default Name Default Value Default Domain Ethernet Card Default Settings ML100T.ios.radiusServerAccess Cisco ONS 15310-MA SDH Node Default Settings78-19417-01 NODE.network.general.GatewaySettings None None ENE NODE.circuits.sncp.SwitchOnPDIPNODE.general.AllowServiceAffectingPortChangeToDisabled NODE.network.general.AlarmMissingBackplaneLANNODE.osi.tarp.PDUsOrigination Aits Aits UitsNODE.osi.tarp.LANStormSuppression NODE.osi.tarp.LDBSupported NotDefault Name NODE.security.serialCraftAccess.EnableCraftPortB NODE.security.other.PreventInactiveSuperuserDisableNODE.security.passwordAging.EnforcePasswordAging NODE.security.serialCraftAccess.EnableCraftPortAHDB3 HDB3 AMI Sets DUSFAS+CAS+ CRC FAS+CAS+CRC FAS+CRCNODE.timing.bits-2.FramingOut NODE.timing.bits-2.CodingOutGMT Time ZonesGMT Greenwich Mean Time Default Value 78-19417-01 78-19417-01 IN-1 Bits ONS 15310-MA SDH BitsIN-2 CTC ClnsIN-3 IN-4 DCCIN-5 IN-6 IN-7 Lcas LDPIN-8 MIBIN-9 IN-10 OSI Clnp ClnsPCM IppmIN-11 PpmnDhcp IS-IS LAP-D RadiusIN-12 IN-13 SFPRmon SocksIN-14 TL1 Unix UDCIN-15 IN-16 See also circuits