Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 12




Enable AAA accounting for commands

Rationale: AAA accounting for commands records login and command information about console connections and remote connections, such as Telnet and SSH.

Configuration:

OS10(config)# aaa accounting commands all {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
OS10(config)# exit
OS10# write memory

• commands all — Record all user-entered commands. RADIUS accounting does not support this option.
• console — Record all user authentication and logins or all user-entered commands in OS10 sessions on console connections.
• default — Record all user authentication and logins or all user-entered commands in OS10 sessions on remote connections; for example, Telnet and SSH.
• start-stop — Send a start notice when a process begins, and a stop notice when the process ends.
• stop-only — Send only a stop notice when a process ends.
• none — No accounting notices are sent.
• logging — Log all accounting notices in syslog.
• group tacacs+ — Log all accounting notices on the first reachable TACACS+ server.

Enable AAA accounting for authentication events

Rationale: AAA accounting for authentication events records login and command information about console connections and remote connections, such as Telnet and SSH.

Configuration:

OS10(config)# aaa accounting exec {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
OS10(config)# exit
OS10# write memory

• console — Record all user authentication and logins or all user-entered commands in OS10 sessions on console connections.
• default — Record all user authentication and logins or all user-entered commands in OS10 sessions on remote connections; for example, Telnet and SSH.
• start-stop — Send a start notice when a process begins, and a stop notice when the process ends.
• stop-only — Send only a stop notice when a process ends.
• none — No accounting notices are sent.
• logging — Log all accounting notices in syslog.
• group tacacs+ — Log all accounting notices on the first reachable TACACS+ server.

The authentication methods in the method list work in the order they are configured.

Enable AAA re-authentication or enable mode

Rationale: Prevent users from accessing resources or performing tasks that they are not authorized to perform, and require users to re-authenticate by logging in again when an authentication method or server changes.

Configuration:

OS10(config)# aaa re-authenticate enable

Configure RADIUS authentication

Rationale: Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications. To provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the RADIUS over Transport Layer Security (TLS) protocol. RADIUS over TLS secures the entire authentication exchange in a TLS connection and provides additional security.

Configuration:

OS10(config)# radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
OS10(config)# exit
OS10# write memory
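As an added example (not part of the Dell guide), a small Python audit that checks OS10 running-configuration lines against the accounting and RADIUS-over-TLS settings described above: it flags accounting that is missing for console or remote sessions, mode "none", a notice with no destination, and any radius-server host configured without "tls security-profile". The sample configuration lines, the server addresses, the "rad-tls" profile name and the key placeholders are constructed for illustration.

```python
import re

# Constructed sample of OS10 running-config lines, written from the command
# syntax shown on this page (not captured from a real switch).
SAMPLE_CONFIG = """\
aaa accounting commands all console start-stop logging
aaa accounting commands all default start-stop group tacacs+
aaa accounting exec console stop-only logging
radius-server host 192.0.2.10 key 9 PLACEHOLDER-HASH
radius-server host 192.0.2.11 tls security-profile rad-tls auth-port 2083 key 9 PLACEHOLDER-HASH
"""

ACCT_RE = re.compile(
    r"^aaa accounting (commands all|exec) (console|default) (start-stop|stop-only|none)(.*)$")
RADIUS_RE = re.compile(r"^radius-server host (\S+)( tls security-profile \S+)?")

def audit_aaa(config_text):
    """Return a list of findings for an OS10 config against this page's checks."""
    findings = []
    seen = {}  # (record type, connection type) -> (mode, destinations)
    for line in config_text.splitlines():
        line = line.strip()
        m = ACCT_RE.match(line)
        if m:
            record, conn, mode, rest = m.groups()
            dests = [d for d in ("logging", "group tacacs+") if d in rest]
            seen[(record, conn)] = (mode, dests)
            if mode == "none":
                findings.append(f"{record} {conn}: accounting mode 'none' sends no notices")
            if not dests:
                findings.append(f"{record} {conn}: no destination (logging or group tacacs+)")
            continue
        m = RADIUS_RE.match(line)
        if m and not m.group(2):
            findings.append(f"radius-server {m.group(1)}: plain UDP/MD5, no 'tls security-profile'")
    # Both record types should be enabled for console and remote (default) sessions.
    for record in ("commands all", "exec"):
        for conn in ("console", "default"):
            if (record, conn) not in seen:
                findings.append(f"{record} {conn}: accounting not configured")
    return findings

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

On the sample above the audit reports the RADIUS server without TLS and the missing "exec default" accounting line.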
12
OS10 security best practices