API Guide

hostname: Enter the hostname of the RADIUS server.
ip-address: Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
0 authentication-key: Enter an authentication key in plain text. A maximum of 42 characters.
9 authentication-key: Enter an authentication key in encrypted format. A maximum of 128 characters.
authentication-key: Enter an authentication key in plain text. A maximum of 42 characters. It is not necessary to enter 0 before the key.
auth-port port-number: (Optional) Enter the UDP port number used on the server for authentication, from 0 to 65535, default 1812.
authentication-key: (Optional) Enter the authentication key used to authenticate the switch on the server. A maximum of 42 characters; default radius_secure.
Configure TACACS+ authentication response timer
Rationale: Configure the global timeout used to wait for an authentication response from TACACS+ servers. To avoid long waits, configure a lower value.
Configuration:
OS10(config)# tacacs-server timeout seconds
OS10(config)# exit
OS10# write memory
seconds: Enter the timeout period used to wait for an authentication response from a TACACS+ server, from 1 to 1000 seconds.
View what RBAC is configured
To view what RBAC is configured on the system, use the following command:
OS10# show running-configuration aaa
aaa authentication login default group radius local
aaa authentication login console local
Access rules
Configure secure access rules.
Enable only SSH for remote system access
Rationale: By default, in OS10, SSH is the only protocol that is enabled for remote system access. As the Telnet protocol is not secure, Dell EMC recommends that you do not enable the Telnet server.
NOTE: If you have disabled the SSH server, reenable it and disable the Telnet server. Always use SSH for remote system access.
Configuration:
OS10(config)# ip ssh server enable
OS10(config)# ip ssh server max-auth-tries 4
OS10(config)# no ip telnet server enable
OS10(config)# exit
OS10# write memory
Enable SSH access control
Rationale: Filter SSH connections to the switch using an access list.
Configuration:
OS10(config)# ip access-list permit10
OS10(config-ipv4-acl)# permit ip 172.16.0.0 255.255.0.0 any
OS10(config-ipv4-acl)# exit
OS10(config)# line vty
OS10(config-line-vty)# ip access-class permit10
OS10(config-line-vty)# exit
OS10(config)# exit
OS10# write memory
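One way to check a saved configuration against the access rules above, as an added example that is not part of the Dell EMC guide. The sample configuration is constructed, and the script assumes the running configuration echoes the commands in the form shown on this page; `sections` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample, not output captured from a real switch. Assumption: the
# running configuration echoes the commands in the form shown on this page.
SAMPLE_CONFIG = """\
ip access-list permit10
 permit ip 172.16.0.0 255.255.0.0 any
!
ip ssh server max-auth-tries 4
ip telnet server enable
!
line vty
 ip access-class permit20
"""

def sections(config):
    """Group indented lines under the top-level line that precedes them."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # skip blank lines and "!" separators
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return findings for Telnet, SSH and the VTY access class."""
    blocks = sections(config)
    findings = []
    if "ip telnet server enable" in blocks:
        findings.append("telnet server enabled")
    if "no ip ssh server enable" in blocks:
        findings.append("ssh server disabled")
    # Names of every ACL defined at the top level of the configuration.
    acls = {m.group(1) for line in blocks
            if (m := re.fullmatch(r"ip access-list (\S+)", line))}
    vty = blocks.get("line vty", [])
    classes = [l.split()[-1] for l in vty if l.startswith("ip access-class ")]
    if not classes:
        findings.append("vty has no access-class")
    for name in classes:
        if name not in acls:  # e.g. a typo in the ACL name under line vty
            findings.append(f"vty access-class {name} is not a defined ACL")
    return findings
```

Run against the constructed sample, `audit(SAMPLE_CONFIG)` reports the enabled Telnet server and the `permit20` reference that matches no defined access list.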
OS10 security best practices