Manuals / Cisco Systems / Computer Equipment / Switch

Cisco Systems OL-5650-02 manual Configuring Console Authentication

Models: OL-5650-02

1 122

Download 122 pages 20.34 Kb

Page 32

Chapter 1 Controlling CSS Access

Controlling Remote User Access to the CSS

To remove users currently logged in to the CSS, use the disconnect command.

To define the TACACS+ server as the primary virtual authentication method, enter:

#(config) virtual authentication primary tacacs

To define local user database as the secondary virtual authentication method, enter:

#(config) virtual authentication secondary local

Configuring Console Authentication

Console authentication allows users to log in to the CSS through a terminal connected to the console port with or without requiring a username and password. The CSS cannot disallow user access as a primary authentication method; however, it can disallow user access as a secondary or tertiary authentication method.

You can configure the CSS to authenticate users by using the local database, RADIUS server, or TACACS+ server. By default, the CSS uses the local database as the primary method to authenticate users and disallows user access for the secondary and tertiary method.

Use the console authentication command to configure the primary, secondary, or tertiary console authentication method. The syntax for this global configuration command is:

console authentication [primary [localradiustacacsnone] secondarytertiary [localradiustacacsnonedisallowed]]

The options for this command are as follows:

•primary - Defines the first authentication method that the CSS uses. The default primary console authentication method is the local user database.

•local - The CSS uses the local user database for authentication.

•radius - The CSS uses the configured RADIUS server for authentication.

•tacacs - The CSS uses the configured TACACS+ server for authentication.

•none - The CSS uses no authentication method. All users can access the CSS.

	Cisco Content Services Switch Security Configuration Guide
1-8	OL-5650-02

Image 32

Cisco Systems OL-5650-02 manual Configuring Console Authentication, #config virtual authentication primary tacacs

Contents

Cisco Content Services Switch Security Configuration Guide Cisco Content Services Switch Security Configuration Guide N T E N T S IiiACL Overview Configuring the CSS as a Client of a Radius Server Configuring Firewall Load Balancing Example of Fwlb ViiViii B L E S OL-5650-02 Preface Xii How to Use This GuideAudience Related Documentation XiiiRmon XivDocument Title Description Symbols and Conventions XviXvii Obtaining DocumentationCisco.com Documentation Feedback Documentation DVDOrdering Documentation XviiiXix Reporting Security Problems in Cisco ProductsCisco Product Security Overview Obtaining Technical Assistance Cisco Technical Support WebsiteSubmitting a Service Request XxiDefinitions of Service Request Severity XxiiXxiii Xxiv Controlling CSS Access Changing the Administrative Username and Password Config# username-offdm bobo password secretCreating Usernames and Passwords Config# username picard password captain superuserControlling CSS Access Creating Usernames and Passwords Config# username picard password flute superuser Config# username picard password captain superuser NwbnnnrConfig# no username picard Controlling Remote User Access to the CSS Configuring Virtual Authentication #config virtual authentication secondary local Configuring Console Authentication#config virtual authentication primary tacacs #config no console authentication #config console authentication primary tacacs#config console authentication secondary local Controlling Administrative Access to the CSS Enabling Administrative Access to the CSSDisabling Administrative Access to the CSS Config# no restrict web-mgmtControlling CSS Network Traffic Through Access Control Lists Config# restrict telnetACL Overview ACL ACL Configuration Quick Start Config-acl7#apply circuit-VLAN1 Config-acl7#clause 10 deny any any destination range 20Config-acl7#clause 15 permit any any destination any Creating an ACL Deleting an ACL Config# acl disableConfig-acl7#remove circuit-VLAN1 Configuring Clauses Cisco Content Services Switch Security Configuration Guide Variables Options Parameters Destination content ownername/ rulename for an Variables OptionsParameters Variables Options Parameters Show group ?Adding a Clause When ACLs are Globally Enabled PreferDeleting a Clause Config-acl7remove circuit-VLAN1Config-acl7apply circuit-VLAN1 Applying an ACL to a Circuit or DNS Queries Removing an ACL from Circuits or DNS Queries Enabling ACLs on the CSS Disabling ACLs on the CSS Showing ACLsField Description Setting the Show ACL Counters to Zero Logging ACL ActivityConfig-acl7#clause 1 log enable Config-acl7#clause 1 log disableConfig# no logging subsystem acl ACL ExampleConfiguring Network Qualifier Lists for ACLs Adding Networks to an NQL Creating an NQLDescribing an NQL Config# logging subsystem nql level debug-7 Config-nqlbypassnql#no ip address 192.168.0.0/16Showing NQL Configurations Adding an NQL to an ACL ClauseConfiguring the Secure Shell Daemon Protocol Enabling SSH # licenseConfiguring SSH Access Configuring Sshd in the CSSConfiguring Sshd Keepalive Config# no restrict sshConfiguring Sshd Port Configuring Sshd Server-KeybitsConfiguring Sshd Version Config# sshd server-keybitsConfig# no sshd server-keybits Config# sshd versionConfiguring Telnet Access When Using Sshd Showing Sshd ConfigurationsConfig# no restrict telnet # show sshd config# show sshd sessions Ptyfd # show sshd versionRadius Server Configuring the CSS as a Client of a Radius Server Config# radius-server secondary 172.27.56.79 secret Hello Radius Configuration Quick StartConfig# radius-server primary 172.27.56.76 secret Hello Configuring a Radius Server for Use with the CSS #config virtual authentication primary radiusConfiguring Authentication Settings Configuring Authorization SettingsSpecifying a Primary Radius Server Specifying a Secondary Radius Server Config# no radius-server primaryConfig# no radius-server secondary Configuring the Radius Server Timeouts Configuring the Radius Server RetransmitsConfig# radius-server timeout Config# no radius-server timeoutConfiguring the Radius Server Dead-Time Config# no radius-server retransmitConfig# radius-server dead-time Config# no radius-server dead-timeConfig# show radius statistics secondary DOWN, Unknown3describes the fields in the show radius statistics output OL-5650-02 TACACS+ Server TACACS+ Configuration Quick Start Config# show tacacs-server Configuring Authorization Settings Configuring Global TACACS+ Attributes #config no tacacs-server timeout Setting the Global CSS TACACS+ Timeout Period#config tacacs-server timeout Setting the Global TACACS+ Keepalive Frequency #config tacacs-server key market#config tacacs-server key acskefterefesdtx #config no tacacs-server keyConfig# no tacacs-server frequency Defining a TACACS+ ServerOL-5650-02 #config no tacacs-server 192.168.11.1 Setting TACACS+ Authorization #config tacacs-server authorize config #config tacacs-server authorize non-config#config no tacacs-server authorize config #config no tacacs-server authorize non-configSetting TACACS+ Accounting Showing TACACS+ Server Configuration Information Field Description OL-5650-02 Configuring Firewall Load Balancing Overview of Fwlb Configuring Fwlb Firewall SynchronizationConfig# no ip firewall Configuring a Keepalive Timeout for a FirewallConfig# ip firewall 1 192.168.27.1 192.168.28.1 Config# no ip firewall timeout Configuring an IP Static Route for a FirewallConfig# ip firewall timeout Configuring Ospf to Advertise Firewall Routes Config# ip route 192.168.2.0/24 firewall 1Config# no ip route 192.168.2.0/24 firewall Config# ospf redistribute firewall metric 3 type1Configuring RIP to Advertise Firewall Routes Example of Fwlb Static Route ConfigurationConfig# no ospf redistribute firewall Config# rip redistribute firewallConfig# ip firewall 1 192.168.28.1 192.168.27.1 Config# ip route 192.168.2.0/24 firewallConfig# ip firewall 2 192.168.28.2 192.168.27.2 Config# ip route 0.0.0.0/0 firewallExample of Fwlb Configuring Fwlb with VIP and Virtual Interface Redundancy Fwlb with VIP/Interface Redundancy Configuration Cisco Content Services Switch Security Configuration Guide Example of Firewall and Route Configurations CSS-OUT-L ConfigurationCSS-IN-L Configuration Displaying Firewall Flow Summaries Config# show flows 192.165.22.1Config# show flows Config# show ip routes firewall Displaying Firewall IP RoutesConfig# show ip firewall Displaying Firewall IP InformationOL-5650-02 D E IN-1IN-2 FTP IN-3Radius IN-4XML IN-5IN-6