Dell PowerSwitch S4128F-ON SmartFabric OS10 Security Best Practices Guide July - Page 12
Enable AAA accounting for commands

Rationale: AAA accounting for commands records login and command information about console connections and remote connections, such as Telnet and SSH.

Configuration:

    OS10(config)# aaa accounting commands all {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
    OS10(config)# exit
    OS10# write memory

• commands all - Record all user-entered commands. RADIUS accounting does not support this option.
• console - Record all user authentication and logins or all user-entered commands in OS10 sessions on console connections.
• default - Record all user authentication and logins or all user-entered commands in OS10 sessions on remote connections; for example, Telnet and SSH.
• start-stop - Send a start notice when a process begins, and a stop notice when the process ends.
• stop-only - Send only a stop notice when a process ends.
• none - No accounting notices are sent.
• logging - Logs all accounting notices in syslog.
• group tacacs+ - Logs all accounting notices on the first reachable TACACS+ server.

Enable AAA accounting for authentication events

Rationale: AAA accounting for authentication events records login and command information about console connections and remote connections, such as Telnet and SSH.

Configuration:

    OS10(config)# aaa accounting exec {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
    OS10(config)# exit
    OS10# write memory

• console - Record all user authentication and logins or all user-entered commands in OS10 sessions on console connections.
• default - Record all user authentication and logins or all user-entered commands in OS10 sessions on remote connections; for example, Telnet and SSH.
• start-stop - Send a start notice when a process begins, and a stop notice when the process ends.
• stop-only - Send only a stop notice when a process ends.
• none - No accounting notices are sent.
• logging - Logs all accounting notices in syslog.
• group tacacs+ - Logs all accounting notices on the first reachable TACACS+ server.

The authentication methods in the method list work in the order they are configured.

Enable AAA re-authentication or enable mode

Rationale: Prevent users from accessing resources or performing tasks that they are not authorized to perform, and require users to reauthenticate by logging in again when an authentication method or server changes.

Configuration:

    OS10(config)# aaa re-authenticate enable

Configure RADIUS authentication

Rationale: Traditional RADIUS-based user authentication runs over UDP and uses the MD5 message-digest algorithm for secure communications. To provide enhanced security in RADIUS user authentication exchanges, RFC 6614 defines the RADIUS over Transport Layer Security (TLS) protocol. RADIUS over TLS secures the entire authentication exchange in a TLS connection and provides additional security.

Configuration:

    OS10(config)# radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
    OS10(config)# exit
    OS10# write memory
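The four recommendations above (command accounting, exec accounting, re-authentication, RADIUS over TLS) are easy to verify from a saved running-config. The following Python script is an added example, not part of the Dell guide and not a Dell tool: it parses lines that follow the command syntax shown above and flags the weak cases a reviewer would look for, such as an accounting entry whose mode is `none`, an entry with no destination (neither `logging` nor `group tacacs+`), a missing `aaa re-authenticate enable`, and a `radius-server host` without `tls security-profile` (plain RADIUS over UDP with MD5). The sample configuration embedded below is constructed for the example; the hostnames, addresses and profile name are made up.

```python
"""Audit an OS10 running-config excerpt for the AAA accounting and RADIUS
recommendations on this page. Added example; the regular expressions mirror the
command syntax printed in the guide, and the sample config is constructed."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str   # which recommendation was evaluated
    ok: bool     # True when the configuration meets it
    detail: str  # short explanation for the report


# Constructed sample running-config (not captured from a real switch).
SAMPLE_CONFIG = """\
hostname leaf1-example
aaa accounting commands all default start-stop logging group tacacs+
aaa accounting exec console none
radius-server host 192.0.2.10 key 9 REDACTED-KEY
radius-server host 192.0.2.11 tls security-profile rad-tls key 9 REDACTED-KEY
"""

# aaa accounting {commands all | exec} {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
ACCT_RE = re.compile(
    r"^aaa accounting (?P<kind>commands all|exec) (?P<scope>console|default)"
    r" (?P<mode>start-stop|stop-only|none)(?P<targets>(?: logging| group tacacs\+)*)\s*$"
)
# radius-server host {hostname | ip-address} ... (everything after the host is inspected for tls)
RADIUS_RE = re.compile(r"^radius-server host (?P<host>\S+)(?P<rest>.*)$")


def audit_config(text):
    """Return a list of Finding objects, one per recommendation/instance."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    findings = []

    # Collect every accounting line, keyed by (kind, scope); later lines win,
    # which matches how a re-entered CLI command replaces the earlier one.
    seen = {}
    for line in lines:
        m = ACCT_RE.match(line)
        if m:
            seen[(m["kind"], m["scope"])] = (m["mode"], m["targets"].split())

    for kind in ("commands all", "exec"):
        for scope in ("console", "default"):
            name = f"aaa accounting {kind} {scope}"
            entry = seen.get((kind, scope))
            if entry is None:
                findings.append(Finding(name, False, "not configured"))
                continue
            mode, targets = entry
            if mode == "none":
                findings.append(Finding(name, False, "mode 'none': no accounting notices are sent"))
            elif not targets:
                findings.append(Finding(name, False, "no destination: add logging and/or group tacacs+"))
            else:
                findings.append(Finding(name, True, f"{mode} -> {' '.join(targets)}"))

    # Re-authentication on method/server change is a single exact command.
    reauth = "aaa re-authenticate enable" in lines
    findings.append(Finding("aaa re-authenticate enable", reauth,
                            "present" if reauth else "missing"))

    # Each RADIUS server is checked individually: one plain-UDP server is enough
    # to expose the MD5-based exchange the guide warns about.
    for line in lines:
        m = RADIUS_RE.match(line)
        if not m:
            continue
        uses_tls = re.search(r"\btls security-profile \S+", m["rest"]) is not None
        findings.append(Finding(f"radius-server host {m['host']}", uses_tls,
                                "RADIUS over TLS (RFC 6614)" if uses_tls
                                else "plain RADIUS over UDP with MD5"))
    return findings


def failing_checks(findings):
    """Names of the recommendations that are not met, for a quick summary."""
    return [f.check for f in findings if not f.ok]


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{'PASS' if f.ok else 'FAIL'}] {f.check}: {f.detail}")
```

Run it against the output of `show running-configuration` saved to a file (replace `SAMPLE_CONFIG` with the file contents); the constructed sample above produces two passes and five failures, which is the kind of result that motivates the `write memory` step after each configuration block in the guide.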