Security Configuration Guide

AAA is the abbreviation of Authentication, Authorization and Accounting. It is a security management framework for access control in network security, and it provides the following three security services.

Authentication

Authentication verifies a user's identity to determine whether he or she is a legitimate user. This is usually done by checking the username and password the user enters. Every user has a unique set of credentials; the AAA server compares the submitted credentials with the entry for that user in its database. If they match, the user is authenticated; if not, the network connection is denied. The following authentication methods are currently supported:

  • RADIUS authentication.
  • TACACS+ authentication.
  • Local authentication.

Authorization

Authorization determines which services an authenticated user is allowed to use. For example, after logging in to the system the user executes commands to complete the corresponding operations, and the authorization process checks whether the user is permitted to execute each of them. In general, authorization is a combination of enforcement policies that determine the type or quality of activities, resources, or services the user may use. Authorization takes place in the context of authentication: once a user is authenticated, he or she is granted the corresponding permissions. The following authorization methods are currently supported:

  • RADIUS authorization.
  • TACACS+ authorization.
  • Local authorization.

Accounting

Accounting records the resources a user consumes while using network services during a connection, such as the connection time or the amount of traffic sent and received. The accounting records of a connection can be used for user auditing, authorization control, billing, trend analysis, resource utilization and capacity planning. The following accounting methods are currently supported:

  • TACACS+ accounting.
  • Local accounting.

Table 1 Overview of AAA Configuration Tasks

| Configuration Task | Description |
|---|---|
| Configure Authentication Mode | Optional |
| Configure Authorization Mode | Optional |
| Configure Accounting Mode | Optional |
| Configure RADIUS Server | Optional |
| Configure TACACS+ Server | Optional |

The default setting of AAA is shown in the following table.

Table 2 AAA Default Settings

| Parameter | Default value |
|---|---|
| AAA authentication mode | local |
| AAA accounting mode | local |
| AAA authorization mode | local |
| Failthrough | disable |
| TACACS+ global/server auth_type | pap |
| TACACS+ global/server connection timeout | 5 s |
| TACACS+ global passkey | empty |
| TACACS+ server TCP port | 49 |
| TACACS+ server priority | 1 |
| TACACS+ server admin VRF | no vrf |

Configure the authentication methods used for user authentication and the order in which they take effect. To avoid being locked out when a single remote authentication method does not respond, local authentication is generally configured as the backup method in the authentication scheme.

Table 3 Configure Authentication Mode

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view. | configure terminal | - |
| Configure the AAA authentication mode. | aaa authentication-mode login {tacacs+\|local\|tacacs+,local\|local,tacacs+\|radius,local\|local,radius\|radius\|default} | The default mode is local. Comma-separated modes indicate multi-level authentication, tried in the order listed. |
| Enable failthrough. | aaa authentication-mode failthrough {enable\|disable\|default} | Disabled by default. When enabled, multi-level authentication continues to the next method if the first one fails; when disabled, the process ends at the first failure. Note that with failthrough enabled and a list such as radius,local, a login the server rejects is retried against the local database, so local accounts remain usable even while the server is reachable; keep local credentials as strong as the remote ones. |

Configure the authorization methods used for user authorization and the order in which they take effect. Using multiple authorization methods in an authorization scheme avoids authorization failures caused by a single method not responding. RADIUS authentication and authorization are combined and cannot be separated: the authorization information is carried in the Access-Accept message returned by the server. Therefore, there is no need to configure an authorization mode when using RADIUS authentication.

Table 4 Configure Authorization Mode

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view. | configure terminal | - |
| Configure the authorization mode. | aaa authorization-mode {tacacs+\|local\|tacacs+,local\|default} | The default mode is local. |

Configure the accounting mode to be used for user accounting.

Table 5 Configure Accounting Mode

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view. | configure terminal | - |
| Configure the accounting mode. | aaa accounting-mode {tacacs+\|local\|tacacs+,local\|default} | The default mode is local. |

Table 6 Configure RADIUS Server

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view. | configure terminal | - |
| Add a RADIUS server. | radius server ip_address [priority priority] shared-secret | Specify the RADIUS server IP address; optionally specify the server priority (range 1 to 64). The shared secret (passkey) is prompted for after the command is entered. |

Table 6 TACACS+ Server Configuration

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view. | configure terminal | - |
| Add a TACACS+ server. | tacacs-server ip_address [timeout interval] [auth_type {chap\|pap\|mschap\|login}] [port tcp_port] [pri priority] [use-mgmt-vrf] [cipher cipher-secret \| key] | ip_address: TACACS+ server IP address. interval: timeout in seconds, range 1 to 60, default 5. auth_type: authentication type, default pap. tcp_port: TCP port, range 1 to 65535, default 49. priority: default 1. use-mgmt-vrf: reach the server through the management VRF, default no vrf. cipher cipher-secret: the key given as a cipher string; key: the passkey is prompted for after the command completes. |
| Configure the TACACS+ global auth type. | tacacs-server authtype {chap\|pap\|mschap\|login} | - |
| Configure the TACACS+ global key. | tacacs-server passkey | The passkey is prompted for after the command completes. |
| Configure the TACACS+ global timeout. | tacacs-server timeout interval | interval: timeout in seconds, range 1 to 60, default 5. |
| Restore the default configuration. | tacacs-server default {authtype\|passkey\|timeout} | - |

Table 7 Display and Maintenance

| Purpose | Command | Description |
|---|---|---|
| Show the AAA configuration. | show aaa | - |
| Show the TACACS+ configuration. | show tacacs | - |
| Show the RADIUS configuration. | show radius | - |

Example for Configuring RADIUS Authentication for SSH Login Users

1. Networking Requirements

A RADIUS server is deployed in the network as shown in the figure below, and the enterprise wants the administrator to log in to the switch via SSH using RADIUS authentication in order to manage the switch remotely. The specific requirements are as follows:

  • The administrator must enter the correct username and password to log in to the switch via SSH.
  • After logging in to the switch via SSH, the administrator can execute all commands at privilege levels 0 to 15.

2. Topology

3. Procedure

RADIUS Server:

#Install freeradius

#Edit /etc/freeradius/clients.conf to define the switch as a RADIUS client (NAS) and set the shared secret

```plaintext
client 10.250.0.0/24 {
    secret = radkey
    shortname = test
}
```

These are example values only. In production, restrict the client entry to the switch's management address rather than a whole /24 and use a long random secret: the shared secret is all that protects the User-Password attribute and the integrity of the server's replies.

#Edit /etc/freeradius/users to define the username and password used to log in; Management-Privilege-Level 15 is returned in the Access-Accept

```plaintext
"user" Cleartext-Password := "admin"
        Reply-Message = "Hello, %{User-Name}",
        Management-Privilege-Level = 15
```

#Start freeradius in the foreground in debug mode

```bash
sudo freeradius -X
```

Switch:

#Configure the authentication method

```plaintext
sonic# configure terminal
sonic(config)# aaa authentication-mode login radius,local
```

#If multiple authentication methods or multiple servers are configured, failthrough needs to be enabled.

```plaintext
sonic(config)# aaa authentication-mode failthrough enable
```

#Configure the RADIUS server

```plaintext
sonic# configure terminal
sonic(config)# radius server 10.250.0.243 shared-secret
```

Enter the passkey of the RADIUS authentication server after the command completes; it must match the secret configured on the RADIUS server.

4. Verify the configuration.

#Client login via SSH remotely.

```plaintext
ssh user@10.250.0.206
Connecting to 10.250.0.206:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].
WARNING! The remote SSH server rejected X11 forwarding request.
Linux sonic 4.9.0-14-2-amd64 #1 SMP Debian 4.9.246-2 (2020-12-17) x86_64
------- Asterfusion Network Operating System -------
Help: http://www.asterfusion.com/
user@sonic:~$
```
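The exchange behind this login, shown as an added example that is not part of the original guide and is not Asterfusion or FreeRADIUS code: a minimal RADIUS PAP Access-Request client in Python following RFC 2865. Run from a host inside the client range, it verifies the server entry, shared secret and user before the switch depends on them. The server address, secret and credentials are the ones used in the example above; the NAS-IP-Address value and the Service-Type choice are assumptions. It also shows what the shared secret actually does: it keys the User-Password obfuscation and the Response Authenticator, so a reply that fails the authenticator check is rejected instead of trusted.

```python
"""Minimal RADIUS PAP Access-Request client (RFC 2865). Added example, not
Asterfusion or FreeRADIUS code. Server, secret and credentials are taken
from the example above; the NAS-IP-Address is an assumed value."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
REPLY_MESSAGE, MANAGEMENT_PRIVILEGE_LEVEL = 18, 136   # 136 is defined in RFC 5607
SERVICE_TYPE_ADMINISTRATIVE = 6                        # assumed; Login (1) is also common


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def encode_password(password, secret, req_auth):
    """RFC 2865 section 5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += prev
    return out


def decode_password(encoded, secret, req_auth):
    """What the server does with the User-Password attribute (trailing NULs dropped)."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def pack_attrs(attrs):
    """attrs is a list of (type, value bytes); RADIUS attributes are Type, Length, Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def unpack_attrs(data):
    attrs = []
    while len(data) >= 2:
        t, l = struct.unpack("!BB", data[:2])
        if l < 2 or l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[2:l]))
        data = data[l:]
    return attrs


def build_packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(user, password, secret, nas_ip, ident=1):
    req_auth = os.urandom(16)          # fresh random Request Authenticator per request
    body = pack_attrs([
        (USER_NAME, user.encode()),
        (USER_PASSWORD, encode_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        (SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE.to_bytes(4, "big")),
    ])
    return build_packet(ACCESS_REQUEST, ident, req_auth, body), req_auth


def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return _md5(struct.pack("!BBH", code, ident, 20 + len(body)), req_auth, body, secret)


def parse_response(packet, req_auth, secret, ident):
    """Check the Response Authenticator before trusting anything in the reply:
    a reply that fails it was not produced by a holder of the shared secret."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length != len(packet):
        raise ValueError("identifier/length mismatch")
    body = packet[20:length]
    if packet[4:20] != response_authenticator(code, rid, req_auth, body, secret):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    attrs = unpack_attrs(body)
    priv = next((int.from_bytes(v, "big") for t, v in attrs if t == MANAGEMENT_PRIVILEGE_LEVEL), None)
    msg = next((v.decode(errors="replace") for t, v in attrs if t == REPLY_MESSAGE), "")
    return {"accepted": code == ACCESS_ACCEPT, "privilege": priv, "message": msg}


def radius_login_check(server, secret, user, password, nas_ip="10.250.0.206", timeout=5):
    """Send one Access-Request over UDP/1812 and return the verified result."""
    packet, req_auth = build_access_request(user, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)          # a timeout here is what the switch sees as "no response"
        s.sendto(packet, (server, 1812))
        data, _ = s.recvfrom(4096)
    return parse_response(data, req_auth, secret, 1)


if __name__ == "__main__":
    print(radius_login_check("10.250.0.243", b"radkey", "user", "admin"))
```

With the FreeRADIUS configuration above, a correct run returns `accepted: True` and `privilege: 15`; with a mismatched secret the server silently drops the request (FreeRADIUS does not answer a client whose secret is wrong) and the call times out, which is exactly the "no response" case the failthrough setting governs on the switch.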
Example for Configuring TACACS+ Authentication for SSH Login Users

1. Networking Requirements

A TACACS+ server is deployed in the network as shown in the figure below, and the enterprise wants the administrator to log in to the switch via SSH using TACACS+ authentication in order to manage the switch remotely. The specific requirements are as follows:

  • The administrator must enter the correct username and password to log in to the switch via SSH.
  • After logging in to the switch via SSH, the administrator can execute all commands at privilege levels 0 to 15.

2. Topology
![](/media/archbee/5QwC1RU_49KLoIw7LeeJp-20251201-021334.png)
3. Procedure

TACACS+ Server:

#Install tacacs+

#Edit /etc/tacacs+/tac_plus.conf to configure the client passkey and the username and password used to log in

```plaintext
key = "testkey123"
user = su1 {
    login = cleartext "su1"
    pap = cleartext "su1"
    member = remote_user_su
}
# Assumed: the page does not show the remote_user_su group, but tac_plus will not
# load a reference to an undefined group, so a minimal one granting level 15 is added.
group = remote_user_su {
    service = exec {
        priv-lvl = 15
    }
}
```

#Stop the tacacs+ service and run tac_plus in the foreground with debugging (-G foreground, -g single-threaded, -d 512 debug level)

```bash
sudo systemctl stop tacacs_plus.service
sudo tac_plus -C /etc/tacacs+/tac_plus.conf -G -g -d 512
```

Switch:

#Configure the authentication method (any of tacacs+, tacacs+,local or local,tacacs+ satisfies the requirements; tacacs+,local is shown)

```plaintext
sonic# configure terminal
sonic(config)# aaa authentication-mode login tacacs+,local
```

#If multiple authentication methods or multiple servers are configured, failthrough needs to be enabled.

```plaintext
sonic(config)# aaa authentication-mode failthrough enable
```

#Configure the TACACS+ server

```plaintext
sonic# configure terminal
sonic(config)# tacacs+ server 10.250.0.243 timeout 30 key auth-type pap
```

Enter the passkey of the TACACS+ authentication server after the command completes; it must match the key configured on the TACACS+ server.

4. Verify the configuration.

#Client login via SSH remotely.

```plaintext
ssh su1@10.250.0.206
Connecting to 10.250.0.206:22...
Connection established.
To escape to local shell, press Ctrl+Alt+].
WARNING! The remote SSH server rejected X11 forwarding request.
Linux sonic 4.9.0-14-2-amd64 #1 SMP Debian 4.9.246-2 (2020-12-17) x86_64
------- Asterfusion Network Operating System -------
Help: http://www.asterfusion.com/
su1@sonic:~$
```
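The START/REPLY exchange behind this login, as an added example that is not part of the original guide and is not Asterfusion or tac_plus code: a minimal TACACS+ PAP authentication client in Python following RFC 8907. It builds the authentication START packet the switch sends for `auth_type pap`, applies the MD5-chained body obfuscation that the shared key drives, and decodes the server's REPLY. The server address, key and credentials are the example's own; the `port` and `rem_addr` values and the `build_reply` helper (used only for offline testing) are assumptions. Unlike RADIUS, TACACS+ has no response authenticator: a wrong key does not yield a FAIL status, it yields a body that does not parse, which is what `parse_reply` reports.

```python
"""Minimal TACACS+ PAP authentication client (RFC 8907). Added example, not
Asterfusion or tac_plus code. Server, key and credentials are taken from the
example above; port and rem_addr are assumed values."""
import hashlib
import os
import socket
import struct

VERSION_PAP = 0xC1              # major version 0xC, minor 1 (required for PAP/CHAP)
TYPE_AUTHEN = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 1, 2, 1
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
          6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(session_id, key, user, password, priv_lvl=15,
                       port="ssh", rem_addr="10.250.0.206"):
    """Authentication START (RFC 8907 section 5.1); for PAP the data field is the password."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = struct.pack("!BBBBBBBB", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_PAP,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = struct.pack("!BBBBII", VERSION_PAP, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, 1)


def parse_reply(packet, key):
    """Deobfuscate and decode an authentication REPLY (RFC 8907 section 5.2).
    With the wrong key the body is noise, which almost always fails the length check."""
    if len(packet) < 12:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not an authentication packet or truncated")
    body = packet[12:]
    if not flags & 0x01:                      # TAC_PLUS_UNENCRYPTED_FLAG not set
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 6:
        raise ValueError("short body")
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in STATUS or 6 + msg_len + data_len != len(body):
        raise ValueError("undecodable reply (wrong shared key?)")
    return {"status": STATUS[status], "server_msg": body[6:6 + msg_len].decode(errors="replace")}


def build_reply(session_id, key, seq_no, status, server_msg=b""):
    """Server-side REPLY encoder, used here only to test parse_reply offline."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = struct.pack("!BBBBII", VERSION_PAP, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, seq_no)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before the REPLY was complete")
        buf += chunk
    return buf


def tacacs_login_check(server, key, user, password, timeout=5):
    """One PAP START over TCP/49 and the server's REPLY."""
    session_id = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((server, 49), timeout=timeout) as s:
        s.sendall(build_authen_start(session_id, key, user, password))
        header = _recv_exact(s, 12)
        length = struct.unpack("!BBBBII", header)[5]
        packet = header + _recv_exact(s, length)
    return parse_reply(packet, key)


if __name__ == "__main__":
    print(tacacs_login_check("10.250.0.243", b"testkey123", "su1", "su1"))
```

RFC 8907 itself states that this obfuscation offers no real confidentiality against an attacker who can capture the traffic, which is one reason to keep TACACS+ traffic on the isolated management network (the use-mgmt-vrf option in the TACACS+ server table and the Management VRF section below) rather than on service ports.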

By separating service port traffic from management port traffic, the security of the management network can be improved.

Table 8 Configure Management VRF

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view. | configure terminal | - |
| Enter the management port configuration view. | interface mgmt 0 | - |
| Configure the management port VRF. | vrf mgmt | - |

Table 9 Management VRF Display and Maintenance

| Purpose | Command | Description |
|---|---|---|
| Display the management interface IP and gateway. | show interface mgmt | - |
| Display the management VRF. | show interface mgmt vrf | - |

Storm Control, the storm suppression function, should be configured at the traffic ingress. After broadcast, unknown-unicast or multicast storm suppression is configured on an interface, the system automatically drops the packets of that type that exceed the user-configured threshold, preventing BUM (broadcast, unknown-unicast and multicast) traffic from affecting normal service forwarding.

  • Currently Storm Control only supports configuration on physical interfaces.
  • To change the Storm Control parameters of an interface, you do not need to delete the previous configuration; a repeated configuration automatically overwrites the previous one.
  • The rate limit can be set in Bps (bytes per second) or pps (packets per second). The actual packet-rate limit may not be exact because chip implementations differ: some chips implement a packet-rate limit by assuming a fixed packet length and converting it to a byte rate, in which case the suppression threshold configured on the port may not match the threshold actually in effect.

Table 10 Configure Storm Control Profile

| Purpose | Command | Description |
|---|---|---|
| Enter global configuration view. | configure terminal | - |
| Enter interface configuration view. | interface ethernet interface-number | - |
| Configure a storm suppression policy. | storm-suppress {unknown-unicast\|broadcast\|multicast} {bytes\|packets} limit_value [cbs cbs_value] | limit_value: the rate limit, 7812 to 300000000000 bit/s in bytes mode and 61 to 2343750000 pkts/s in packets mode. cbs_value: the Committed Burst Size, the amount of burst traffic that may pass instantaneously; 1 to 1518500249 bytes in bytes mode and 1 to 11863283 packets in packets mode. |

Table 11 Display and Maintenance

| Purpose | Command | Description |
|---|---|---|
| Display the storm suppression configuration. | show storm-suppress | - |