Reference Guide

Security | 801
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
Command Authorization
The AAA command authorization feature configures FTOS to send each configuration command to a TACACS+ server for authorization before it is added to the running configuration.
By default, the aaa authorization commands command configures the system to check both EXEC mode and CONFIGURATION mode commands. Use the no aaa authorization config-commands command to check EXEC mode commands only.
If the AAA server rejects a command, the command is not added to the running configuration and a message similar to Message 1 is displayed.
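Because every rejected command produces a Message 1 entry, those entries are what a syslog collector should watch. The following is an added example in Python (not code from the FTOS guide) that parses SEC_AUTHORIZATION_FAIL lines in the Message 1 format and counts rejections per user and source address; the sample log lines are constructed from the page's message format, and the three-failure review threshold is an assumption.

```python
import re
from collections import Counter

# Pattern for the FTOS SEC_AUTHORIZATION_FAIL message shown as Message 1 on this page.
# The "( addr )" spacing is copied from that sample; the address group also accepts IPv6 text.
AUTHZ_FAIL_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): %(?P<module>\S+) %SEC-3-SEC_AUTHORIZATION_FAIL: "
    r"Authorization failure Command authorization failed for user "
    r"\((?P<user>[^)]+)\) on (?P<line>\S+) \(\s*(?P<src>[^\s)]+)\s*\)$"
)

# Constructed sample log: the page's Message 1 line joined back onto one line, repeated
# to mimic a user trying several denied commands, plus one unrelated constructed line.
SAMPLE_LOG = [
    "04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command "
    "authorization failed for user (denyall) on vty0 ( 10.11.9.209 )",
    "04:07:51: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command "
    "authorization failed for user (denyall) on vty0 ( 10.11.9.209 )",
    "04:08:02: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command "
    "authorization failed for user (denyall) on vty0 ( 10.11.9.209 )",
    "04:09:10: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command "
    "authorization failed for user (admin) on vty1 ( 10.11.9.210 )",
    "04:09:12: %RPM0-P:CP %OTHER-6-NOTE: constructed unrelated message ( 10.11.9.210 )",
]


def parse_authz_failure(line):
    """Return the fields of one SEC_AUTHORIZATION_FAIL line, or None for any other line."""
    m = AUTHZ_FAIL_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines, threshold=3):
    """Count rejected commands per (user, source); flag pairs at or over threshold.
    Repeated rejections usually mean a mis-scoped TACACS+ command set or an account
    trying commands it is not allowed to run; both deserve a look."""
    counts = Counter()
    for line in lines:
        rec = parse_authz_failure(line)
        if rec is not None:
            counts[(rec["user"], rec["src"])] += 1
    flagged = {key: n for key, n in counts.items() if n >= threshold}
    return counts, flagged


if __name__ == "__main__":
    totals, alerts = summarize(SAMPLE_LOG)
    for (user, src), n in sorted(totals.items()):
        mark = "  <-- review" if (user, src) in alerts else ""
        print(f"{user:<10} {src:<16} rejected={n}{mark}")
```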
Protection from TCP Tiny and Overlapping Fragment Attacks
The tiny and overlapping fragment attack is a class of attack in which configured ACL entries that deny TCP port-specific traffic can be bypassed, so that traffic reaches its destination although the ACL denies it. RFCs 1858 and 3128 propose a countermeasure to this problem. This countermeasure is configured into the line cards and enabled by default.
SCP and SSH
Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. FTOS supports SSH versions 1.5 and 2 in both client and server modes. SSH sessions are encrypted and use authentication. For details on command syntax, see the Security chapter in the FTOS Command Line Interface Reference.
Message 1 Configuration Command Rejection
04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command authorization failed for user (denyall) on vty0 ( 10.11.9.209 )
freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
FTOS#
FTOS#