Manuals / Cisco Systems / Computer Equipment / Switch

Cisco Systems OL-5650-02 manual Configuring Virtual Authentication

Models: OL-5650-02

1 122

Download 122 pages 20.34 Kb

Page 31

Chapter 1 Controlling CSS Access

Controlling Remote User Access to the CSS

Configuring Virtual Authentication

Virtual authentication allows remote users to log in to the CSS when they are using FTP, Telnet, SSHD, or the Device Management user interface with or without requiring a username and password. The CSS can also deny access to all remote users.

You can configure the CSS to authenticate users by using the local database, RADIUS server, or TACACS+ server. By default, the CSS uses the local database as the primary method to authenticate users and disallows user access for the secondary and tertiary method.

Use the virtual authentication command to configure the primary, secondary, or tertiary virtual authentication method. The syntax for this global configuration command is:

virtual authentication [primarysecondarytertiary [localradiustacacsdisallowed]]

The options for this command are as follows:

•primary - Defines the first authentication method that the CSS uses. The default primary virtual authentication method is the local user database.

•secondary - Defines the second authentication method that the CSS uses if the first method fails. The default secondary virtual authentication method is to disallow all user access.

Note If you are configuring a TACACS+ server as the primary authentication method, define a secondary authentication method, such as local.

•tertiary - Defines the third authentication method that the CSS uses if the second method fails. The default tertiary virtual authentication method is to disallow all user access.

•local - The CSS uses the local user database for authentication.

•radius - The CSS uses the configured RADIUS server for authentication.

•tacacs - The CSS uses the configured TACACS+ server for authentication.

•disallowed - The CSS disallows access by all remote users. Entering this option does not terminate existing connections.

		Cisco Content Services Switch Security Configuration Guide
		Cisco Content Services Switch Security Configuration Guide
	OL-5650-02			1-7
	OL-5650-02			1-7

Image 31

Cisco Systems OL-5650-02 manual Configuring Virtual Authentication

Contents

Cisco Content Services Switch Security Configuration Guide Cisco Content Services Switch Security Configuration Guide Iii N T E N T SACL Overview Configuring the CSS as a Client of a Radius Server Configuring Firewall Load Balancing Vii Example of FwlbViii B L E S OL-5650-02 Preface Audience How to Use This GuideXii Xiii Related DocumentationXiv RmonDocument Title Description Xvi Symbols and ConventionsCisco.com Obtaining DocumentationXvii Xviii Documentation FeedbackDocumentation DVD Ordering DocumentationCisco Product Security Overview Reporting Security Problems in Cisco ProductsXix Cisco Technical Support Website Obtaining Technical AssistanceXxi Submitting a Service RequestXxii Definitions of Service Request SeverityXxiii Xxiv Controlling CSS Access Config# username-offdm bobo password secret Changing the Administrative Username and PasswordConfig# username picard password captain superuser Creating Usernames and PasswordsControlling CSS Access Creating Usernames and Passwords Config# no username picard Config# username picard password captain superuser NwbnnnrConfig# username picard password flute superuser Controlling Remote User Access to the CSS Configuring Virtual Authentication #config virtual authentication primary tacacs Configuring Console Authentication#config virtual authentication secondary local #config console authentication secondary local #config console authentication primary tacacs#config no console authentication Enabling Administrative Access to the CSS Controlling Administrative Access to the CSSConfig# no restrict web-mgmt Disabling Administrative Access to the CSSConfig# restrict telnet Controlling CSS Network Traffic Through Access Control ListsACL Overview ACL ACL Configuration Quick Start Config-acl7#clause 15 permit any any destination any Config-acl7#clause 10 deny any any destination range 20Config-acl7#apply circuit-VLAN1 Creating an ACL Config-acl7#remove circuit-VLAN1 Config# acl disableDeleting an ACL Configuring Clauses Cisco Content Services Switch Security Configuration Guide Variables Options Parameters Destination content ownername/ rulename for an Variables OptionsParameters Show group ? Variables Options ParametersPrefer Adding a Clause When ACLs are Globally EnabledConfig-acl7apply circuit-VLAN1 Config-acl7remove circuit-VLAN1Deleting a Clause Applying an ACL to a Circuit or DNS Queries Removing an ACL from Circuits or DNS Queries Enabling ACLs on the CSS Showing ACLs Disabling ACLs on the CSSField Description Logging ACL Activity Setting the Show ACL Counters to ZeroConfig-acl7#clause 1 log disable Config-acl7#clause 1 log enableACL Example Config# no logging subsystem aclConfiguring Network Qualifier Lists for ACLs Describing an NQL Creating an NQLAdding Networks to an NQL Config-nqlbypassnql#no ip address 192.168.0.0/16 Config# logging subsystem nql level debug-7Adding an NQL to an ACL Clause Showing NQL ConfigurationsConfiguring the Secure Shell Daemon Protocol # license Enabling SSHConfig# no restrict ssh Configuring SSH AccessConfiguring Sshd in the CSS Configuring Sshd KeepaliveConfiguring Sshd Server-Keybits Configuring Sshd PortConfig# sshd version Configuring Sshd VersionConfig# sshd server-keybits Config# no sshd server-keybits# show sshd config Configuring Telnet Access When Using SshdShowing Sshd Configurations Config# no restrict telnet# show sshd sessions # show sshd version PtyfdRadius Server Configuring the CSS as a Client of a Radius Server Config# radius-server primary 172.27.56.76 secret Hello Radius Configuration Quick StartConfig# radius-server secondary 172.27.56.79 secret Hello #config virtual authentication primary radius Configuring a Radius Server for Use with the CSSConfiguring Authorization Settings Configuring Authentication SettingsSpecifying a Primary Radius Server Config# no radius-server secondary Config# no radius-server primarySpecifying a Secondary Radius Server Config# no radius-server timeout Configuring the Radius Server TimeoutsConfiguring the Radius Server Retransmits Config# radius-server timeoutConfig# no radius-server dead-time Configuring the Radius Server Dead-TimeConfig# no radius-server retransmit Config# radius-server dead-timeDOWN, Unknown Config# show radius statistics secondary3describes the fields in the show radius statistics output OL-5650-02 TACACS+ Server TACACS+ Configuration Quick Start Config# show tacacs-server Configuring Authorization Settings Configuring Global TACACS+ Attributes #config tacacs-server timeout Setting the Global CSS TACACS+ Timeout Period#config no tacacs-server timeout #config no tacacs-server key Setting the Global TACACS+ Keepalive Frequency#config tacacs-server key market #config tacacs-server key acskefterefesdtxDefining a TACACS+ Server Config# no tacacs-server frequencyOL-5650-02 #config no tacacs-server 192.168.11.1 Setting TACACS+ Authorization #config no tacacs-server authorize non-config #config tacacs-server authorize config#config tacacs-server authorize non-config #config no tacacs-server authorize configSetting TACACS+ Accounting Showing TACACS+ Server Configuration Information Field Description OL-5650-02 Configuring Firewall Load Balancing Overview of Fwlb Firewall Synchronization Configuring FwlbConfig# ip firewall 1 192.168.27.1 192.168.28.1 Configuring a Keepalive Timeout for a FirewallConfig# no ip firewall Config# ip firewall timeout Configuring an IP Static Route for a FirewallConfig# no ip firewall timeout Config# ospf redistribute firewall metric 3 type1 Configuring Ospf to Advertise Firewall RoutesConfig# ip route 192.168.2.0/24 firewall 1 Config# no ip route 192.168.2.0/24 firewallConfig# rip redistribute firewall Configuring RIP to Advertise Firewall RoutesExample of Fwlb Static Route Configuration Config# no ospf redistribute firewallConfig# ip route 0.0.0.0/0 firewall Config# ip firewall 1 192.168.28.1 192.168.27.1Config# ip route 192.168.2.0/24 firewall Config# ip firewall 2 192.168.28.2 192.168.27.2Example of Fwlb Configuring Fwlb with VIP and Virtual Interface Redundancy Fwlb with VIP/Interface Redundancy Configuration Cisco Content Services Switch Security Configuration Guide CSS-OUT-L Configuration Example of Firewall and Route ConfigurationsCSS-IN-L Configuration Config# show flows Config# show flows 192.165.22.1Displaying Firewall Flow Summaries Displaying Firewall IP Routes Config# show ip routes firewallDisplaying Firewall IP Information Config# show ip firewallOL-5650-02 IN-1 D EIN-2 IN-3 FTPIN-4 RadiusIN-5 XMLIN-6