Content summary of page 1
CHAPTER 9
Configuring Authentication
This chapter explains how to configure the authentication portion of Cisco’s authentication,
authorization and accounting (AAA) services on the SN 5428-2 Storage Router and how to configure
Enable, Login and iSCSI authentication, which use AAA services.
The following tasks are covered:
• Prerequisite Tasks, page 9-2
• Using Authentication, page 9-2
• Configuration Tasks, page 9-4
• Configuring Authentication Services, page 9-12
• Creating Named Server Gro
Content summary of page 2
Chapter 9 Configuring Authentication
Prerequisite Tasks
Before performing AAA configuration tasks on the storage router, make sure you have configured system parameters as described in Chapter 2, “First-Time Configuration,” or Chapter 3, “Configuring System Parameters.” If the storage router is deployed for SCSI routing, you should also configure SCSI routing instances as described in Chapter 6, “Configuring SCSI Routing,” before proceeding. See the iSCSI driver rea
Content summary of page 3
Using Authentication
Enable Authentication
When configured, a user enters password information each time the CLI enable command is entered from the management console, or from a Telnet or SSH management session. If the storage router is configured to allow FTP access, Enable authentication also authenticates users attempting to log in and establish an FTP session with the storage router.
Using RADIUS Security Servers
Because the enable command does n
Content summary of page 4
Table 9-1 Authentication Services (continued)
Authentication Service | Description | Authentication Types
Local or Local-case | Uses a local username database on the storage router for authentication. Local-case indicates that the user name authentication is case-sensitive. Password authentication is always case-sensitive. | Login and iSCSI authentication only
Enable | Uses the Administrator mode password configured for | Enable and Login
Content summary of page 5
Figure 9-1 iSCSI Authentication Configuration Elements
Figure labels: remote RADIUS servers; remote TACACS+ servers; username database of user/password entries.
When iSCSI authentication is enabled, the SCSI routing instance passes the user name and password from the iSCSI driver to AAA for authentication. AAA uses the specified local
Content summary of page 6
Figure 9-2 iSCSI Authentication Example Configuration
Figure labels: remote TACACS+ servers at IP 10.7.0.22, 10.7.0.41 and 10.7.0.45 (group janus, global key tacacs123SN); remote RADIUS servers at IP 10.5.0.61 and 10.6.0.53 (global key rad123SN); username database with entries labserver/foo and labserver2/foo2; AAA authentication services local or local-case, RADIUS and TACACS+; authentication services list webservices2: local, group janus, group tacacs+; SCSI routing instance:
Content summary of page 7
Figure 9-3 illustrates AAA configuration elements used for Enable authentication with RADIUS servers, Figure 9-4 illustrates AAA configuration elements used for Enable authentication with TACACS+ servers, and Figure 9-5 illustrates the example configuration of Enable authentication and the authentication services used in this chapter.
Figure 9-3 Enable Authentication Configuration Elements with RADIUS Servers
Figure labels: Remote RADIUS server
Content summary of page 8
Figure 9-4 Enable Authentication Configuration Elements with TACACS+ Servers
Figure labels: remote TACACS+ servers; Administrator mode password and Monitor password; AAA authentication services TACACS+, Enable and Monitor.
When Enable authentication is enabled, authentication is required when the user attempts Administrator mode access via the CLI "enable" command. The user is prompted for a password, which is sent along with the user name entered at login, to AAA for authentication. If the
Content summary of page 9
Figure 9-5 Enable Authentication Example Configuration
Figure labels: remote TACACS+ servers at IP 10.7.0.22 and 10.7.0.41 (group sysadmin, global key tacacs123SN); Administrator password: ciscoadmin; AAA authentication services TACACS+, Enable and Monitor; authentication services list: group sysadmin; router side: user name = ciscouser, enable password = ciscoadmin, CLI command session processor, SN 5428-2 Storage Router; client side: user name = ciscouser, password = ciscoadmin, Telnet, S
Content summary of page 10
Figure 9-6 illustrates AAA configuration elements used for Login authentication and Figure 9-7 illustrates the example configuration of Login authentication and the authentication services used in this chapter.
Figure 9-6 Login Authentication Configuration Elements
Figure labels: remote TACACS+ servers; remote RADIUS servers; username database of user/password entries; Monitor password and Administrator password.
When Login authentication is
Content summary of page 11
Figure 9-7 Login Authentication Example Configuration
Figure labels: remote TACACS+ servers at IP 10.7.0.22 and 10.7.0.41 (group sysadmin, global key tacacs123SN); Monitor password: ciscomonitor; AAA authentication services local or local-case, RADIUS, TACACS+, Enable and Monitor; authentication services list: group sysadmin, monitor; router side: CLI command session processor, SN 5428-2 Storage Router; client side: user name: sysmonitor, password: ciscomonitor, Telnet, SSH or console managemen
Content summary of page 12
Configuring Authentication Services
Configuring authentication services consists of setting the appropriate parameters for the various AAA service options that can be used by the storage router. The storage router can use any or all of the supported services:
• RADIUS
• TACACS+
• Local username database
• Enable
• Monitor
Use the procedures that follow to configure the storage router to use each of these services.
Content summary of page 13
TACACS+ Hosts
Use the commands in the following procedure to configure TACACS+ authentication services.
Step | Command | Description
Step 1 | enable | Enter Administrator mode.
Step 2 | tacacs-server host 10.7.0.22 / tacacs-server host 10.7.0.41 | Specify the TACACS+ servers to be used for authentication. For example, specify the TACACS+ servers at 10.7.0.22, 10.7.0.41, and 10.7.0.45 for use by the storage router. Because no port is
Content summary of page 14
The following rules apply to passwords:
• Passwords are entered in clear text. However, they are changed to “XXXXX” in the CLI command history cache, and are stored in the local username database in an encrypted format.
• If the password contains embedded spaces, enclose it with single or double quotes.
• After initial entry, passwords display in their encrypted format. Use the show aaa command to display the local
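The local and local-case services from Table 9-1 and the password rules above, modelled in Python as an added example that is not Cisco's code: user names are compared case-insensitively under local and case-sensitively under local-case, passwords are always compared case-sensitively, a password with embedded spaces is accepted when quoted, and the command history keeps only XXXXX. The `username <name> password <pw>` command form and the salted SHA-256 digest standing in for the router's unspecified "encrypted format" are assumptions of this example; the labserver/foo entries are the constructed ones shown in Figure 9-2.

```python
# Added example (not Cisco code): a model of the SN 5428-2 local username
# database rules from Table 9-1 and the password rules above. Assumptions not
# on the page: the stored "encrypted format" is represented by a salted
# SHA-256 digest, and the CLI line form "username <name> password <pw>" is a
# hypothetical stand-in for the router's real command.
import hashlib
import hmac
import os
import shlex

MASK = "XXXXX"  # what the page says replaces passwords in the command history


class LocalUserDatabase:
    """Username database for the 'local' (case-insensitive user names)
    or 'local-case' (case-sensitive user names) authentication service."""

    def __init__(self, case_sensitive_names: bool):
        self.case_sensitive_names = case_sensitive_names
        self._entries = {}  # normalised user name -> (salt, digest)

    def _key(self, username: str) -> str:
        # Only the user name is subject to the local/local-case distinction.
        return username if self.case_sensitive_names else username.lower()

    @staticmethod
    def _digest(salt: bytes, password: str) -> str:
        # Passwords are always case-sensitive, so they are hashed verbatim.
        return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._entries[self._key(username)] = (salt, self._digest(salt, password))

    def authenticate(self, username: str, password: str) -> bool:
        """Pass/fail result, as 'aaa test authentication' reports it."""
        entry = self._entries.get(self._key(username))
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, self._digest(salt, password))

    def stored_form(self, username: str) -> str:
        """What 'show aaa' would display: the digest, never the clear text."""
        _salt, digest = self._entries[self._key(username)]
        return digest


def parse_user_command(line: str):
    """Split a hypothetical 'username <name> password <pw>' line; shlex honours
    the single or double quotes the page requires around embedded spaces."""
    tokens = shlex.split(line)
    if len(tokens) != 4 or tokens[0] != "username" or tokens[2] != "password":
        raise ValueError("expected: username <name> password <password>")
    return tokens[1], tokens[3]


def mask_for_history(line: str) -> str:
    """Rewrite the line as the command history cache would keep it."""
    name, _password = parse_user_command(line)
    return f"username {name} password {MASK}"


def add_user_from_command(db: LocalUserDatabase, line: str) -> str:
    """Apply a command to the database and return the masked history entry."""
    name, password = parse_user_command(line)
    db.add_user(name, password)
    return mask_for_history(line)


if __name__ == "__main__":
    # Constructed entries taken from the example username database in Figure 9-2.
    local = LocalUserDatabase(case_sensitive_names=False)
    print(add_user_from_command(local, "username labserver password foo"))
    print(local.authenticate("LABSERVER", "foo"))  # True: 'local' ignores name case
    print(local.authenticate("labserver", "FOO"))  # False: password case always matters
    local_case = LocalUserDatabase(case_sensitive_names=True)
    print(add_user_from_command(local_case, 'username labserver2 password "foo 2"'))
    print(local_case.authenticate("LabServer2", "foo 2"))  # False under 'local-case'
```

The two database instances differ only in how the user name is normalised before lookup; the password path is identical, which is the point Table 9-1 makes about password case-sensitivity applying to both services.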
Content summary of page 15
Creating Named Server Groups
By default, you can use all configured RADIUS or TACACS+ servers for authentication. All configured RADIUS servers belong to the default group named radius. All configured TACACS+ servers belong to the default group named tacacs+. You can also create named groups of RADIUS or TACACS+ servers, to be used for specific authentication purposes. For example, you can use a subset of all configured
Content summary of page 16
Step | Command | Description
Step 3 | aaa group server tacacs+ sysadmin 10.7.0.22 | Add a TACACS+ server to the named group. For example, add the TACACS+ server at IP address 10.7.0.22 to the group named sysadmin. Because no port is specified, authentication requests to this server use the default port 49. Servers are accessed in the order in which they are defined within the named group.
Step 4 | aaa group server tacacs+ | Add
Content summary of page 17
Enable authentication
Use the commands in the following procedure to build a default list of authentication services to be used for Enable authentication. Building the default list completes the configuration of Enable authentication and makes it immediately effective.
Step | Command | Description
Step 1 | enable | Enter Administrator mode.
Step 2 | aaa authentication enable | Create a default list of authentication services for Enable
Content summary of page 18
Testing Authentication
You can perform authentication testing at any time. For example, before enabling iSCSI authentication for a SCSI routing instance, you can test iSCSI authentication. The user name and password are passed to AAA, which performs authentication using the specified iSCSI authentication list. The command response indicates a pass or fail status.
iSCSI Authentication
Use the commands in the following procedur
Content summary of page 19
Login Authentication
Use the commands in the following procedure to test Login authentication.
Step | Command | Description
Step 1 | enable | Enter Administrator mode.
Step 2 | aaa test authentication login default sysmonitor ciscomonitor | Test the user name and password configured for Monitor mode access to the storage router. AAA uses the services in the default authentication list (Example 9-3).
Example 9-3 Testing Login Authent
Content summary of page 20
Enabling iSCSI Authentication
iSCSI authentication is enabled for specific SCSI routing instances. By default, iSCSI authentication is not enabled. Use the commands in the following procedure to enable iSCSI authentication using the authentication services configured in the specified authentication list.
Step | Command | Description
Step 1 | enable | Enter Administrator mode.
Step 2 | scsirouter zeus authentication | Enable authenticatio