There are two general user account types: admin and monitor. As admin, the
user is privileged to execute all the available operations. As monitor, the user can execute operations that display system configuration and status, or set terminal settings.
admin admin monitor monitor AAA is a term describing a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing the system. The Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control device Plus (TACACS+) or Lightweight Directory Access Protocol (LDAP) protocols are supported by the MLNX-OS switch.
Authentication, authorization, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. Network access servers interface with AAA servers using the Remote Authentication Dial-In User Service (RADIUS) protocol. User Re-authenticationRe-authentication prevents users from accessing resources or perform tasks for which they do not have authorization. If credential information (e.g., AAA server information like IP address, key, port number, and so forth) that has been previously used to authenticate a user is modified, that user gets immediately logged out and then asked to re-authenticate. RADIUSRADIUS (Remote Authentication Dial-In User Service), widely used in network environments, is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. It is commonly used for embedded network devices such as routers, modem servers, switches and so on. RADIUS is currently the de-facto standard for remote authentication. It is prevalent in both new and legacy systems. It is used for several reasons:
TACACS+TACACS (Terminal Access Controller Access Control System), widely used in network environments, is a client/server protocol that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. It is commonly used for providing NAS (Network Access Security). NAS ensures secure access from remotely connected users. TACACS implements the TACACS Client and provides the AAA (Authentication, Authorization, and Accounting) functionalities. TACACS is used for several reasons:
LDAPLDAP (Lightweight Directory Access Protocol) is an authentication protocol that allows a remote access server to forward a user's log-on password to an authentication server to determine whether access can be allowed to a given system. LDAP is based on a client/server model. The acts as a client to the LDAP server. A remote user (the remote administrator) interacts only with the , not with the back-end server and database. LDAP authentication consists of the following components:
Each entry in the LDAP server is referenced by its Distinguished Name (DN). The DN consists of the user-account name concatenated with the LDAP domain name. The following is an example DN where the the user-account name is John: uid=John,ou=people,dc=domain,dc=com LDAP supports user membership in groups. If remote user
is a member of admin or monitor group, it will be logged with admin or monitor capabilities respectively.
Supported group types (objectClass) on LDAP server side are as follows:
System Secure ModeSystem secure mode is a state that configures the switch system to run secure algorithms in compliance with FIPS 140-2 requirements. In this mode, unsecure algorithms are disabled and unsecure feature configurations are disallowed. In this mode the system supports Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, which is a NIST (National Institute of Standards and Technology) publication that specifies the requirement for system cypher functionality. When this mode is activated, all the modules which are used by the system are verified to work in compliance with the secure mode. Note that if system fails to load in secure mode it is loaded in non-secure mode. Prerequisites: 1. Disable SNMPv1 and v2. switch (config) # no snmp-server enable communities 2. Only allow SNMPv3 users with sha and aes-128. switch (config) # snmp-server user <username> v3 auth sha <password1> priv aes-128 <password2> 3. Only allow SNMPv3 traps with sha and aes-128. switch (config) # snmp-server host <ip-address> informs version 3 user <username> auth sha <password1> priv aes-128 <password2> 4. Only allow SSHv2. switch (config) # ssh server min-version 2 5. Enable SSH server strict security mode. switch (config) # ssh server security strict 6. Disable HTTP access. switch (config) # no web http enable 7. Enable HTTPS strict cyphers. switch (config) # web https ssl ciphers TLS1.2 If a necessary prerequisite is not fulfilled the system does not activate secure mode and issues an advisory message accordingly. Secure mode is not supported on modular switch systems.
switch (config) # system secure-mode enable Warning! Configuration is about to be saved and the system will be reloaded. Type 'YES' to confirm the change in secure mode: YES To deactivate secure mode, do the following: switch (config) # no system secure-mode enable Warning! Configuration is about to be saved and the system will be reloaded. Type 'YES' to confirm the change in secure mode: YES To verify secure mode configuration and state, do the following: switch (config)# show system secure-mode Secure mode configured: yes Secure mode enabled: yes Which of the following protocols handles authentication authorization and accounting services?AAA protocols are primarily used for network access control (LAN, WAN resources) and network device administration (firewall, routers switches). AAA protocols were designed as a centralized way to implement access control covering authentication, authorization, and accounting capabilities.
Which of the following provides authentication authorization and accounting AAA?Authentication, authorization, and accounting services are often provided by a dedicated AAA server, a program that performs these functions. A current standard by which network access servers interface with the AAA server is the Remote Authentication Dial-In User Service (RADIUS).
Which of the following servers provide centralized authentication authorization and accounting management for users who initiate requests to use a network service?Terms in this set (5) Which of the following networking protocols provide a centralized authentication, authorization and accounting management system for users that connect and use network services? RADIUS provides AAA services.
How does AAA protocol work?The AAA server compares a user's authentication credentials with other user credentials stored in a database. If the credentials match, the user is permitted access to the network. If the credentials do not match, authentication fails and network access is denied.
|