AAA Services

The method used to perform AAA is configured globally by the aaa method command, which provides additional acct-port, address, attempts, auth-port, backup, client, enable, group, hash enable, key, qtimeout, retransmit, and timeout sub-commands. Although the default AAA service is local, you can authenticate against a RADIUS server or a PKI database. Alternatively, you can set the AAA method per interface with aaa-method, which lets the XSR authenticate requests originating from different interfaces by different methods; a per-interface method overrides both the global method (set for a given client with the client sub-command) and the default AAA method. For example, if no method has been set for Telnet using client telnet, then the default method you set for the AAA service is used.

Most AAA method sub-commands are available for RADIUS service only (see “Firewall Configuration for RADIUS Authentication and Accounting” on page 16-33). The additional AAA method sub-commands acct-port and auth-port set the UDP ports for accounting and authentication requests, respectively.

AAA users can be added to the AAA service with the aaa user command, which includes group, ip address, password, privilege, and policy sub-commands to set user attributes. Also, you can set a maximum privilege level per interface to supersede any user- or group-assigned level.

While most of these parameters are self-explanatory, the policy value is important because it specifies which subsystems of the XSR each user is allowed to access. The module options are firewall, ssh, telnet, and vpn. Their intended functions are as follows:

Telnet/Console: administrators and low-level Console users who will use the standard serial connection application

SSH: users who will require a more secure Telnet-type connection

Firewall: users who will access the firewall

VPN: users who will tunnel in to the XSR

AAA users can be assigned to groups with the aaa group top-level command, which is sub-divided into dns and wins server, ip pool, l2tp and pptp compression, pptp encrypt mppe, privilege, and policy sub-commands to set that group’s respective parameters. Any users not specifically assigned to a group are added to the DEFAULT AAA group. Policies can be set at both the user and group level, but a user-level policy overrides the user’s group-level policy.

Although the AAA authentication method is set by the service, not the user, you can override this rule by configuring a user to authenticate at every login with @<method>username. The XSR checks whether the @-configured user exists before falling back to the default authentication service. Refer to the next section to configure SSH or Telnet with AAA authentication.
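The precedence rules stated above (login-name override, then per-interface aaa-method, then the client's global method, then the default service; user policy over group policy; DEFAULT group for unassigned users; per-interface privilege cap) are easy to get wrong when reviewing a configuration. The following is an added model of those rules, not XSR code; it assumes the method names local, radius and pki, and splits the @<method>username form by matching one of those names after the @.

```python
from dataclasses import dataclass, field
from typing import Optional
METHODS = ("local", "radius", "pki")   # assumed method names for the '@<method>' form

@dataclass
class Group:
    privilege: int = 0
    policy: frozenset = frozenset()

@dataclass
class User:
    group: str = "DEFAULT"               # unassigned users fall into the DEFAULT group
    privilege: Optional[int] = None
    policy: Optional[frozenset] = None   # a user-level policy overrides the group's

@dataclass
class AaaConfig:
    default_method: str = "local"                          # shipped default service
    client_methods: dict = field(default_factory=dict)     # global method per client
    interface_methods: dict = field(default_factory=dict)  # per-interface aaa-method
    interface_max_priv: dict = field(default_factory=dict) # per-interface privilege cap
    groups: dict = field(default_factory=lambda: {"DEFAULT": Group()})
    users: dict = field(default_factory=dict)

def split_login(login):
    # '@<method>username' -> (method, username); otherwise (None, login)
    if login.startswith("@"):
        for m in METHODS:
            if login[1:].startswith(m) and len(login) > 1 + len(m):
                return m, login[1 + len(m):]
    return None, login

def resolve_method(cfg, login, client, interface):
    """Login override, then interface aaa-method, then client method, then default."""
    forced, _ = split_login(login)
    if forced:
        return forced
    return (cfg.interface_methods.get(interface)
            or cfg.client_methods.get(client)
            or cfg.default_method)

def effective_access(cfg, login, interface):
    """Policy set and privilege level a user ends up with on one interface."""
    _, name = split_login(login)
    user = cfg.users.get(name, User())
    group = cfg.groups.get(user.group, cfg.groups["DEFAULT"])
    policy = user.policy if user.policy is not None else group.policy
    priv = user.privilege if user.privilege is not None else group.privilege
    cap = cfg.interface_max_priv.get(interface)
    return policy, priv if cap is None else min(priv, cap)   # interface cap wins
```

Interface and user names in the calls are constructed for illustration.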

Debugging of AAA data is provided by the debug aaa command. Output is directed to the terminal from which debugging was most recently requested; if multiple AAA debugs are activated, all data is sent to the last terminal that requested debugging. The sample AAA debug output below shows a successful MSCHAP authentication using the local method:

Local::queue(test)
AAuthenticatePlugin::queue (alg == 0xf)
groupplugin Reply: Pool = authpool
IRMauthorizeMsg::clientLogon [test]

Connecting Remotely via SSH or Telnet with AAA Service

Perform the following commands to configure SSH or Telnet service:

1. On the CLI, enter configure to acquire Configuration mode.

16-6 Configuring Security on the XSR

Enterasys Networks X-Pedition™ manual Connecting Remotely via SSH or Telnet with AAA Service