Dell MX9116n SmartFabric OS10 Security Best Practices Guide July 2020 - Page 13

•

hostname

—Enter the hostname of the RADIUS server.

•

ip-address

—Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.

•

tls security-profile

profile-name

—Enter the security profile to use the X.509v3 certificate on the switch to use for

TLS authentication with a RADIUS server.

•

key 0

authentication-key

—Enter an authentication key in plain text. A maximum of 42 characters.

•

key 9

authentication-key

—Enter an authentication key in encrypted format. A maximum of 128 characters.

•

authentication-key

—Enter an authentication in plain text. A maximum of 42 characters. It is not necessary to enter

0

before

the key.

•

auth-port

port-number

—(Optional) Enter the UDP port number used on the server for authentication, from 0 to 65535,

default 1812.

•

key

authentication-key

—(Optional) Enter the authentication key to authenticate the switch on the server. A maximum of 42

characters; default

radius_secure

.

Configure RADIUS authentication retries

Rationale

: Configure the number of times OS10 retransmits a RADIUS authentication request. To avoid unnecessary retries, configure a

lower value.

Configuration

:

OS10(config)# radius-server retransmit

retries

OS10(config)# exit

OS10# write memory

retries

—Enter the number of retry attempts, from 0 to 100.

Configure TACACS+ authentication

Rationale

: Configure the global timeout used to wait for an authentication response from TACACS+ servers. To avoid long waiting,

configure a lower value.

Configuration

:

OS10(config)# tacacs-server host {hostname | ip-address} key {0

authentication-key

| 9

authentication-key

|

authentication-key

} [auth-port

port-number

]

OS10(config)# exit

OS10# write memory

•

hostname

—Enter the hostname of the RADIUS server.

•

ip-address

—Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.

•

0

authentication-key

—Enter an authentication key in plain text. A maximum of 42 characters.

•

9

authentication-key

—Enter an authentication key in encrypted format. A maximum of 128 characters.

•

authentication-key

—Enter an authentication in plain text. A maximum of 42 characters. It is not necessary to enter

0

before

the key.

•

auth-port

port-number

—(Optional) Enter the UDP port number used on the server for authentication, from 0 to 65535,

default 1812.

•

authentication-key

—(Optional) Enter the authentication key used to authenticate the switch on the server. A maximum of 42

characters; default

radius_secure

.

Configure TACACS+ authentication response timer

Rationale

: Configure the global timeout used to wait for an authentication response from TACACS+ servers. To avoid long waiting,

configure a lower value.

Configuration

:

OS10(config)# tacacs-server timeout

seconds

OS10(config)# exit

OS10# write memory

seconds

—Enter the timeout period used to wait for an authentication response from a TACACS+ server, from 1 to 1000 seconds.

Access rules

Configure secure access rules.

Enable only SSH for remote system access

OS10 security best practices

13

Section	Page
SmartFabric OS10 Security Best Practices Guide July 2020	3
OS10 security best practices	4
On first boot	4
Password rules	5
Federal Information Processing Standards (FIPS)	6
Enable and configure secure boot	6
Users, roles, and privilege levels	7
Port security	9
Management plane	11
Role-based access control	11
Access rules	13
Banner rules	15
SNMP rules	15
Control plane	17
System clock rules	17
Logging rules	17
NTP rules	18
Loopback rules	19
Data plane rules	19
Neighbor authentication	20

Dell MX9116n SmartFabric OS10 Security Best Practices Guide July 2020 - Page 13

Access rules

Page 13 highlights