140 FastIron Configuration Guide
53-1002494-02
TACACS and TACACS+ security
If you are using TACACS+, Brocade recommends that you also configure authorization, in which the
Brocade device consults a TACACS+ server to determine which management privilege level (and
which associated set of commands) an authenticated user is allowed to use. You can also
optionally configure accounting, which causes the Brocade device to log information on the
TACACS+ server when specified events occur on the device.
NOTE
By default, a user logging into the device from Telnet or SSH would first enter the User EXEC level.
The user can enter the enable command to get to the Privileged EXEC level.
A user who is successfully authenticated can be automatically placed at the Privileged EXEC level
after login. Refer to “Entering privileged EXEC mode after a Telnet or SSH login” on page 150.
Configuring TACACS/TACACS+ for devices in a Brocade IronStack
Because devices operating in a Brocade IronStack topology present multiple console ports, you
must take additional steps to secure these ports when configuring TACACS/TACACS+.
The following is a sample AAA console configuration using TACACS+.
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
enable aaa console
hostname Fred
ip address 144.10.6.56/255
tacacs-server host 255.253.255
tacacs-server key 1 $Gsig@U\
kill console
Syntax: kill console [all | unit]
• all - logs out all console ports on stack units that are not the Active Controller
• unit - logs out the console port on the specified stack unit
Once AAA console is enabled, you should log out any open console ports on your IronStack using
the kill console command:
Brocade(config)#kill console all
In case a user forgets to log out or a console is left unattended, you can also configure the console
timeout (in minutes) on all stack units (including the Active Controller).
Brocade(config)#stack unit 3
Brocade(config-unit-3)#console timeout 5
Brocade(config-unit-3)#exit
Brocade(config)#stack unit 4
Brocade(config-unit-4)#console timeout 5
Use the show who and the show telnet commands to confirm the status of console sessions.