- Enterasys Security Router User's Guide

ManualsBrandsEnterasys Networks ManualsNetwork RouterSecurity Router X-PeditionTM

391

392

393

394

395

396

397

398

399

400

AAA Services

16-6 Configuring Security on the XSR

The method to perform AAA is configured globally by the aaa method command, which provides

additional

acct-port, address, attempts, auth-port, backup, client, enable, group, hash

enable, key, qtimeout, retransmit, and timeout sub-commands. Although the default AAA

service is local, you can authenticate to a RADIUS server or PKI database. Alternately, you can set

the AAA method per interface with

aaa-method, which lets the XSR authenticate requests

originating from different interfaces by different methods and overrides the global (invoked by

client) or default AAA method. For example, if the default method has not been set for Telnet

using

client telnet, then the default method you set for AAA service is used.

Most AAA method sub-commands are available for RADIUS service only (see “Firewall

Configuration for RADIUS Authentication and Accounting” on page 16-33). Additional AAA

method sub-commands

acct-port and auth-port set UDP ports for accounting and

authentication requests, respectively.

AAA users can be added to AAA service with the

aaa user command, which includes group, ip

address

, password, privilege, and policy sub-commands to set user attributes. Also, you can

set a maximum privilege level per interface to supersede any user/group-assigned level.

While most of these parameters are self-explanatory, the

policy value is important in specifying

which system each user will be allowed to access on the XSR. The module options are:

firewall,

ssh, telnet, and vpn. Their intended functions are, as follows:

• Telnet/Console: administrators and low-level Console users who will use the standard serial

connection application

• SSH: users who will require a more secure Telnet-type connection

• Firewall: users who will access the firewall

• VPN: users who will tunnel in to the XSR

AAA users can be assigned to groups with the

aaa group top-level command, which is sub-

divided into

dns and wins server, ip pool, l2tp and pptp compression, pptp encrypt mppe,

privilege, and policy sub-commands to set that group’s respective parameters. Any users not

specifically assigned to a group are added to the

DEFAULT AAA group. Policies can be set at both

the user and group level but a user-level policy overrides a user’s group-level policy.

Although AAA authentication is set by the service not the user, you can override this rule by

configuring a user to authenticate at every login with

@<method>username. The XSR checks if the

@-configured user is configured before enabling the default authentication service. Refer to the next

section to configure SSH or Telnet with AAA authentication.

Debugging of AAA data can be provided by the

debug aaa command. Output is directed to the

terminal where debugging information was most recently requested. Also, if multiple AAA

debugs are activated, all data will be sent to the last used terminal requesting debugging. The

sample AAA debug below displays a successful MSCHAP authentication using the local method:

Local::queue(test)

AAuthenticatePlugin::queue (alg == 0xf)

groupplugin Reply: Pool = authpool

IRMauthorizeMsg::clientLogon [test]

Connecting Remotely via SSH or Telnet with AAA Service

Perform the following commands to configure SSH or Telnet service:

1. On the CLI, enter configure to acquire Configuration mode.