- Enterasys Security Router User's Guide

ManualsBrandsEnterasys Networks ManualsNetwork RouterSecurity Router X-PeditionTM

391

392

393

394

395

396

397

398

399

400

AAA Services

XSR User’s Guide 16-5

• If you must enable PPP on the WAN, use CHAP authentication

• Disable all unnecessary router services (e.g., HTTP, if not used)

• Write strict ACLs to limit HTTP, Telnet and SNMP access

• Write ACLs to limit the type of ICMP messages

• Create ACLs to direct services to appropriate servers only

• Enable packet filtering and attack prevention mechanisms

• All only packets with valid source addresses to exit the network

• If using SNMP, use strong community names and set read-only access

• Minimize console logging to limit unnecessary CPU cycles

• Use OSPF rather than RIP to take advantage of MD5 authentication

• Control which router interfaces can be used to manage the XSR

• Use an SNTP server on the DMZ to synchronize XSR clocks

• Use syslog to send messages to a designated syslog server

AAA Services

The XSR provides Authentication, Authorization and Accounting (AAA) services to validate and

display data for AAA usergroups, users, and methods. Telnet, Console and SSH users can utilize

the following two authentication mechanisms:

• CLI database authentication - This non-AAA authentication mode for Telnet and SSH users

authenticates against the CLI database created by the

username command. This is the base,

system default user-validation method and does not authenticate via RADIUS.

• AAA user database authentication - This mechanism allows Telnet and SSH avails users of the

AAA module which provides additional authentication by various AAA methods including

RADIUS. The

aaa client telnet command switches all Telnet users to authenticate via the

AAA user database while

aaa client ssh switches all SSH users to do the same.

A few restrictions apply when switching Telnet, Console and SSH users to authenticate via this

mechanism, as follows:

• No pre-existing privilege-15 admin user exists in the AAA database.

• Before switching over to AAA for Telnet or SSH, at least one privilege 15 user with a Telnet/

SSH policy must exist in the AAA database.

• Deleting the only privilege-15 user with Telnet or SSH policy is disallowed to prevent any

accidental loss of access to the XSR.

The XSR offers two types of default AAA methods:

•The default AAA method for AAA service. Although the local method is the factory default,

you can set this using the

aaa method [local | pki | radius] default command.

• The default AAA method for grouped clients. This is set on a per client basis via the

client

{telnet | ssh | console | firewall | vpn | ppp}

sub-command under aaa method.

Note that PPP uses only AAA when acting as the authenticator (when validating the peer);

PPP is authenticated by the peer when acting as the authenticatee (client-side).

If the latter default method is not specified for a client, the former default applies.