
  • 53-1003833-01
    18 August 2015

    Brocade NetIron Security Configuration Guide

    Supporting Multi-Service IronWare R05.9.00

  • © 2015, Brocade Communications Systems, Inc. All Rights Reserved.

    ADX, Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, HyperEdge, ICX, MLX, MyBrocade, OpenScript, The Effortless Network, VCS, VDX, Vplane, and Vyatta are registered trademarks, and Fabric Vision and vADX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of others.

    Notice: This document is for informational purposes only and does not set forth any warranty, expressed or implied, concerning any equipment, equipment feature, or service offered or to be offered by Brocade. Brocade reserves the right to make changes to this document at any time, without notice, and assumes no responsibility for its use. This informational document describes features that may not be currently available. Contact a Brocade sales office for information on feature and product availability. Export of technical data contained in this document may require an export license from the United States government.

    The authors and Brocade Communications Systems, Inc. assume no liability or responsibility to any person or entity with respect to the accuracy of this document or any loss, cost, liability, or damages arising from the information contained herein or the computer programs that accompany it.

    The product described by this document may contain open source software covered by the GNU General Public License or other open source license agreements. To find out which open source software is included in Brocade products, view the licensing terms applicable to the open source software, and obtain a copy of the programming source code, please visit http://www.brocade.com/support/oscd.


  • Contents

    Preface .... 13
      Document conventions .... 13
        Text formatting conventions .... 13
        Command syntax conventions .... 13
        Notes, cautions, and warnings .... 14
      Brocade resources .... 15
      Contacting Brocade Technical Support .... 15
      Document feedback .... 16

    About This Document .... 17
      Supported hardware and software .... 17
        Supported software .... 17
      Notice to the reader .... 18
      How command information is presented in this guide .... 18

    Securing Access to Management Functions .... 19
      Securing access methods .... 19
      Restricting remote access to management functions .... 23
        Using ACLs to restrict remote access .... 23
        Defining the console idle time .... 26
        Restricting remote access to the device to specific IP addresses .... 27
        Defining the Telnet idle time .... 28
        Specifying the maximum login attempts for Telnet access .... 29
        Restricting remote access to the device to specific VLAN IDs .... 29
        Enabling specific access methods .... 30
      Setting passwords .... 32
        Setting a Telnet password .... 33
        Setting passwords for management privilege levels .... 33
        Recovering from a lost password .... 36
        Displaying the SNMP community string .... 36
        Disabling password encryption .... 36
        Specifying a minimum password length .... 37
      Setting up local user accounts .... 37
        Configuring a local user account .... 38
      Enabling strict password enforcement .... 39
        Configuring the strict password rules .... 39
        Password history .... 40
        Setting passwords to expire .... 40
        Login lockout .... 41
        Requirement to accept the message of the day .... 41
        Regular password rules .... 41
        Strict password rules .... 42
      Web interface login lockout .... 42
      Creating an encrypted all-numeric password .... 43
      Granting access by time of day .... 43
      Configuring SSL security for the Web Management Interface .... 43
        Enabling the SSL server on a Brocade device .... 44
        Importing digital certificates and RSA private key files .... 44
        Generating an SSL certificate .... 45
      Configuring TACACS or TACACS+ security .... 45
        How TACACS+ differs from TACACS .... 45
        TACACS or TACACS+ authentication, authorization, and accounting .... 46
        TACACS or TACACS+ configuration considerations .... 49
        Enabling SNMP traps for TACACS .... 50
        Identifying the TACACS or TACACS+ servers .... 50
        Specifying different servers for individual AAA TACACS functions .... 51
        Brocade NetIron XMR Series and Brocade NetIron MLX Series
        Setting optional TACACS or TACACS+ parameters .... 52
        Configuring authentication-method lists for TACACS or TACACS+ .... 53
        Configuring TACACS+ authorization .... 56
        Configuring TACACS+ accounting .... 59
        Configuring an interface as the source for all TACACS or TACACS+ packets .... 60
        Displaying TACACS or TACACS+ statistics and configuration information .... 60
        Validating TACACS+ reply packets .... 62
      Configuring RADIUS security .... 65
        RADIUS authentication, authorization, and accounting .... 65
        RADIUS configuration considerations .... 69
        RADIUS configuration procedure .... 70
        Configuring Brocade-specific attributes on the RADIUS server .... 70
        Enabling SNMP traps for RADIUS .... 72
        Identifying the RADIUS server to the Brocade device .... 72
        Specifying different servers for individual AAA functions .... 73
        Radius health check .... 74
        Setting RADIUS parameters .... 74
        Configuring authentication-method lists for RADIUS .... 76
        Configuring RADIUS authorization .... 77
        Configuring RADIUS accounting .... 79
        Configuring an interface as the source for all RADIUS packets .... 80
        Configuring an IPv6 interface as the source for all RADIUS packets .... 81
        Displaying RADIUS configuration information .... 81
      Configuring AAA on the console .... 82
      Configuring AAA authentication-method lists for login .... 83
      Configuring authentication-method lists .... 84
        Configuration considerations for authentication-method lists .....