Enterasys Networks X-PeditionTM manual AAA Services

AAA Services

•If you must enable PPP on the WAN, use CHAP authentication

•Disable all unnecessary router services (e.g., HTTP, if not used)

•Write strict ACLs to limit HTTP, Telnet and SNMP access

•Write ACLs to limit the type of ICMP messages

•Create ACLs to direct services to appropriate servers only

•Enable packet filtering and attack prevention mechanisms

•All only packets with valid source addresses to exit the network

•If using SNMP, use strong community names and set read-only access

•Minimize console logging to limit unnecessary CPU cycles

•Use OSPF rather than RIP to take advantage of MD5 authentication

•Control which router interfaces can be used to manage the XSR

•Use an SNTP server on the DMZ to synchronize XSR clocks

•Use syslog to send messages to a designated syslog server

AAAServices

The XSR provides Authentication, Authorization and Accounting (AAA) services to validate and display data for AAA usergroups, users, and methods. Telnet, Console and SSH users can utilize the following two authentication mechanisms:

•CLI database authentication - This non-AAA authentication mode for Telnet and SSH users authenticates against the CLI database created by the username command. This is the base, system default user-validation method and does not authenticate via RADIUS.

•AAA user database authentication - This mechanism allows Telnet and SSH avails users of the AAA module which provides additional authentication by various AAA methods including RADIUS. The aaa client telnet command switches all Telnet users to authenticate via the AAA user database while aaa client ssh switches all SSH users to do the same.

A few restrictions apply when switching Telnet, Console and SSH users to authenticate via this mechanism, as follows:

•No pre-existing privilege-15 admin user exists in the AAA database.

•Before switching over to AAA for Telnet or SSH, at least one privilege 15 user with a Telnet/ SSH policy must exist in the AAA database.

•Deleting the only privilege-15 user with Telnet or SSH policy is disallowed to prevent any accidental loss of access to the XSR.

The XSR offers two types of default AAA methods:

•The default AAA method for AAA service. Although the local method is the factory default,

you can set this using the aaa method [local pki radius] default command.

•The default AAA method for grouped clients. This is set on a per client basis via the client

{telnet ssh console firewall vpn ppp} sub-command under aaa method. Note that PPP uses only AAA when acting as the authenticator (when validating the peer); PPP is authenticated by the peer when acting as the authenticatee (client-side).

If the latter default method is not specified for a client, the former default applies.

XSR User’s Guide 16-5