Configuration Guide
Security Configuration Guide
AAA

Introduction

AAA is the abbreviation of Authentication, Authorization and Accounting. It is a security management mechanism for access control in network security and provides three kinds of security service: authentication, authorization and accounting.

Description of principle

AAA provides the following three security services.

Authentication

The user's identity is verified to determine whether he or she is a legitimate user. Authentication is usually performed by checking the username and password entered by the user. The principle of authentication is that each user has a unique credential: the AAA server checks the user's credential against the credentials of each user in its database. If it matches, the user is authenticated; if not, the network connection is denied. The following authentication methods are currently supported:

- RADIUS authentication
- TACACS+ authentication
- Local authentication

Authorization

For authenticated users, authorization determines which services they are allowed to use. For example, after logging in to the system, the user may execute commands to complete the corresponding operations; the authorization process checks whether the user has permission to execute these commands. In general, authorization combines a number of enforcement policies that determine the type or quality of activity, resources or services the user is allowed to use. Authorization occurs in the context of authentication: once a user is authenticated, they are granted the appropriate permissions as well. The following authorization methods are currently supported:

- RADIUS authorization
- TACACS+ authorization
- Local authorization

Accounting

Accounting records the resources consumed by users of network services during the connection, such as the connection time or the amount of traffic sent and received by the user. Accounting can be performed based on statistical logs of the connection process and supports user information, authorization control, billing, trend analysis, resource utilization and capacity planning. The following accounting methods are currently supported:

- TACACS+ accounting
- Local accounting

AAA configuration

Table 1 Overview of AAA configuration tasks

AAA default setting

The default settings of AAA are shown in the following table.

Table 2 AAA default setting

Configure authentication mode

Configure the authentication methods used for user authentication and the order in which each method takes effect. To avoid authentication failures caused by no response when only a single authentication method is used, local authentication is generally configured as the backup authentication method in the authentication scheme.

Table 3 Configure authentication mode

Configure authorization mode

Configure the authorization methods used for user authorization and the order in which each method takes effect. Using multiple authorization methods in an authorization scheme avoids authorization failures caused by a single authorization method not responding. The authentication and authorization processes of RADIUS are combined and cannot be separated: the authorization information is carried in the authentication-accept message returned by the server. Therefore, there is no need to configure the authorization mode when using RADIUS authentication.

Table 4 Configure authorization mode

Configure accounting mode

Configure the accounting mode to be used for user accounting.

Table 5 Configure accounting mode

Configure RADIUS server

Table 6 Configure RADIUS server

Configure TACACS+ server

Table 6 TACACS+ server configuration

Display and maintenance

Table 7 Display and maintenance

Typical configuration examples

Example for configuring RADIUS authentication for SSH login users

Networking requirements

A RADIUS server is deployed in the network as shown in the figure below, and the enterprise wants the administrator to use RADIUS authentication to log in to the switch via SSH to manage it remotely. The specific requirements are as follows:

- The administrator must enter the correct username and password to log in to the switch via SSH.
- After logging in to the switch via SSH, the administrator can execute all commands at levels 0 to 15.

Topology

(topology figure not preserved in this extract)

Procedure

1. RADIUS server

# Install FreeRADIUS.
# Edit /etc/freeradius/clients.conf to configure the client passkey and IP range:
client 10.250.0.0/24 {
    secret = radkey
    shortname = test
}
# Edit /etc/freeradius/users to configure the username and password used by the client to log in:
"user" Cleartext-Password := "admin"
    Reply-Message = "Hello, %{User-Name}",
    Management-Privilege-Level = 15
# Start the FreeRADIUS service (in the foreground with debug output):
sudo freeradius -X

2. Switch: configure the authentication method

sonic# configure terminal
sonic(config)# aaa authentication mode login radius,local
# If multiple authentication methods or multiple servers are configured, failthrough needs to be enabled:
sonic(config)# aaa authentication mode failthrough enable

3. Switch: configure the RADIUS server

sonic# configure terminal
sonic(config)# radius server 10.250.0.243 shared-secret
# Enter the passkey of the RADIUS authentication server when prompted after the command; it must be consistent with the configuration on the RADIUS server.

4. Verify the configuration

# Client login via SSH remotely:
ssh user@10.250.0.206
Connecting to 10.250.0.206:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Linux sonic 4.9.0-14-2-amd64 #1 SMP Debian 4.9.246-2 (2020-12-17) x86_64
(ASCII-art login banner omitted)
Asterfusion Network Operating System
Help: http://www.asterfusion.com/
user@sonic:~$

Example for configuring TACACS+ authentication for SSH login users

Networking requirements

A TACACS+ server is deployed in the network as shown in the figure below, and the enterprise wants the administrator to use TACACS+ authentication to log in to the switch via SSH to manage it remotely. The specific requirements are as follows:

- The administrator must enter the correct username and password to log in to the switch via SSH.
- After logging in to the switch via SSH, the administrator can execute all commands at levels 0 to 15.

Topology

(topology figure not preserved in this extract)

Procedure

1. TACACS+ server

# Install TACACS+.
# Edit /etc/tacacs+/tac_plus.conf to configure the client passkey and the username and password used by the client to log in:
key = "testkey123"
user = su1 {
    login = cleartext "su1"
    pap = cleartext "su1"
    member = remote_user_su
}
# Restart the TACACS+ service:
systemctl stop tacacs_plus.service
sudo tac_plus -C /etc/tacacs+/tac_plus.conf -G -g -d 512

2. Switch: configure the authentication method

sonic# configure terminal
sonic(config)# aaa authentication mode login { tacacs+ | tacacs+,local | local,tacacs+ }
# If multiple authentication methods or multiple servers are configured, failthrough needs to be enabled:
sonic(config)# aaa authentication mode failthrough enable

3. Switch: configure the TACACS+ server

sonic# configure terminal
sonic(config)# tacacs+ server 10.250.0.243 timeout 30 key auth-type pap
# Enter the passkey of the TACACS+ authentication server when prompted after the command; it must be consistent with the configuration on the TACACS+ server.

4. Verify the configuration

# Client login via SSH remotely:
ssh su1@10.250.0.206
Connecting to 10.250.0.206:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Linux sonic 4.9.0-14-2-amd64 #1 SMP Debian 4.9.246-2 (2020-12-17) x86_64
(ASCII-art login banner omitted)
Asterfusion Network Operating System
Help: http://www.asterfusion.com/
su1@sonic:~$

Management VRF

Introduction

By separating service port traffic from management port traffic, the security of the management network can be improved.

Configure management VRF

Table 8 Configure management VRF

Display and maintenance

Table 9 Management VRF display and maintenance

Storm control

Introduction

Storm control, the storm suppression function, should be configured on the traffic ingress. After broadcast, unknown-unicast or multicast storm suppression is configured on an interface, when the corresponding traffic on the interface exceeds the threshold set by the user, the system automatically drops the packets that exceed the limit, preventing BUM traffic from affecting the forwarding of normal service traffic.

Configure storm control

Currently, storm control can only be configured on physical interfaces. When the storm control parameters of an interface need to be modified, the previous configuration does not need to be deleted; repeating the configuration automatically overwrites the previous one. The rate limit can be set in bps (bytes per second) or pps (packets per second). The actual rate limit in packets may not be accurate because chip implementations differ: for example, some chips implement a packet-rate limit by assuming a fixed packet length and converting it into a byte-rate limit, in which case the suppression threshold configured on the port may not match the threshold that actually takes effect.

Table 10 Configure storm control profile

Display and maintenance

Table 11 Display and maintenance
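The authentication-mode section above says local authentication is kept as a backup so that a non-responding server does not lock administrators out, and both SSH examples enable failthrough when several methods or servers are configured. The following added example (not code from the guide or from the switch software) models `aaa authentication mode login radius,local` with and without failthrough; the exact semantics of no-response versus reject are an assumption drawn from the guide's wording, and the backends and user databases are constructed.

```python
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"
Backend = Callable[[str, str], str]

def authenticate(order: List[str], backends: Dict[str, Backend],
                 user: str, password: str, failthrough: bool) -> Tuple[bool, List[str]]:
    """Try the configured methods in order and return (login allowed, trace).
    Modelled semantics (an assumption about the guide's description, not the
    switch's code): a method that gives no response is skipped in favour of the
    next one, while a reject ends the login unless failthrough is enabled."""
    trace: List[str] = []
    for name in order:
        verdict = backends[name](user, password)
        trace.append(f"{name}={verdict}")
        if verdict == ACCEPT:
            return True, trace
        if verdict == REJECT and not failthrough:
            return False, trace
    return False, trace

# Constructed backends standing in for the RADIUS server and the local user database.
def make_radius(users: Dict[str, str], reachable: bool) -> Backend:
    def radius(user: str, password: str) -> str:
        if not reachable:
            return NO_RESPONSE   # server down, or client not in clients.conf: request is discarded
        return ACCEPT if users.get(user) == password else REJECT
    return radius

def make_local(users: Dict[str, str]) -> Backend:
    return lambda user, password: ACCEPT if users.get(user) == password else REJECT

def login(radius_up: bool, failthrough: bool, user: str, password: str) -> Tuple[bool, List[str]]:
    """'aaa authentication mode login radius,local' with the given failthrough setting."""
    backends = {"radius": make_radius({"user": "admin"}, radius_up),      # mirrors the users file above
                "local": make_local({"admin": "local-pass"})}             # constructed local account
    return authenticate(["radius", "local"], backends, user, password, failthrough)

if __name__ == "__main__":
    print(login(True, False, "user", "admin"))        # RADIUS accepts
    print(login(False, False, "admin", "local-pass")) # RADIUS silent: local backup used
    print(login(True, False, "admin", "local-pass"))  # RADIUS rejects, no failthrough: denied
    print(login(True, True, "admin", "local-pass"))   # RADIUS rejects, failthrough: local accepts
```

The third and fourth calls show why the guide insists on enabling failthrough: a local-only account is rejected by a healthy RADIUS server, and only failthrough lets the local method be consulted next.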
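The RADIUS procedure above requires the shared secret entered on the switch to match the `secret` in FreeRADIUS's clients.conf. This added example (not the guide's or FreeRADIUS's code) shows what the secret actually does in RFC 2865: it hides the User-Password in the Access-Request and authenticates the server's reply via the Response Authenticator, so a mismatch produces both a rejected login and a reply the switch cannot trust. The user database and reply attributes are constructed, and the model carries no other attributes.

```python
import hashlib
import os
import struct

# Constructed server-side user database, mirroring the /etc/freeradius/users entry above.
USERS = {b"user": b"admin"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    # RFC 2865 section 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses MD5(secret + Request Authenticator).
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)   # null-pad to a multiple of 16
    return _xor_chain(padded, secret, request_auth, decrypt=False)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # Strips the null padding; a password ending in NUL bytes would need a length field instead.
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def radius_login(user: bytes, password: bytes, nas_secret: bytes, server_secret: bytes):
    """Model one Access-Request/reply exchange; returns (reply code, NAS trusts reply)."""
    ident, request_auth = 7, os.urandom(16)       # fresh Request Authenticator per request
    hidden = hide_password(password, nas_secret, request_auth)
    # Server side: recover the password with *its* secret and check the user database.
    ok = reveal_password(hidden, server_secret, request_auth) == USERS.get(user)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    attrs = b""                                    # reply attributes omitted in this model
    resp_auth = response_authenticator(code, ident, attrs, request_auth, server_secret)
    # NAS side: recompute the Response Authenticator with its own secret before trusting the reply.
    trusted = resp_auth == response_authenticator(code, ident, attrs, request_auth, nas_secret)
    return code, trusted

if __name__ == "__main__":
    print(radius_login(b"user", b"admin", b"radkey", b"radkey"))   # (2, True): accepted
    print(radius_login(b"user", b"admin", b"radkey", b"other"))    # (3, False): secret mismatch
```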
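The storm control section warns that a chip which implements a pps limit through a fixed assumed packet length will enforce a different packet rate than the one configured. This added example (a constructed model, not the switch's or any chip vendor's code) meters traffic in bytes the way such a chip would and reports how many packets per second actually get through for several frame sizes; the 64-byte assumed length and the one-second bucket depth are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ByteMeter:
    """Constructed model of a chip meter that can only count bytes: a token
    bucket refilled at rate_bps (bytes per second, the guide's unit) with a
    depth of burst bytes. The bucket starts empty."""
    rate_bps: float
    burst: float
    tokens: float = 0.0
    last_t: float = 0.0

    def offer(self, t: float, frame_len: int) -> bool:
        # Refill for the elapsed time, then admit the frame only if enough tokens remain.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate_bps)
        self.last_t = t
        if self.tokens >= frame_len:
            self.tokens -= frame_len
            return True
        return False

def pps_profile_on_byte_chip(configured_pps: int, assumed_len: int) -> ByteMeter:
    # The chip turns the configured packet rate into a byte rate using a fixed
    # assumed frame length; one second of tokens is used as bucket depth (assumption).
    byte_rate = configured_pps * assumed_len
    return ByteMeter(rate_bps=byte_rate, burst=byte_rate)

def admitted_pps(configured_pps: int, assumed_len: int, frame_len: int, offered_pps: int) -> int:
    """Offer offered_pps frames of frame_len bytes, evenly spaced over one second,
    and return how many the meter admits: the packet-rate threshold really in effect."""
    meter = pps_profile_on_byte_chip(configured_pps, assumed_len)
    return sum(meter.offer((i + 1) / offered_pps, frame_len) for i in range(offered_pps))

if __name__ == "__main__":
    # A 1000 pps profile assumed at 64-byte frames, hit by a 5000 pps storm of each size.
    for size in (64, 512, 1500):
        print(f"{size:4d}-byte storm: configured 1000 pps, admitted {admitted_pps(1000, 64, size, 5000)} pps")
```

Only the 64-byte storm is limited at the configured 1000 pps; 1500-byte frames are cut to roughly 42 pps, which is the mismatch between the configured and the effective threshold the guide describes.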
