
Cisco Systems SN 5428-2 User's Manual


Contents

1. [Figure 9-2 (continued): iSCSI Authentication Example Configuration. Authentication services list webservices2: local, group janus, group tacacs. AAA authentication services. SCSI routing instance zeus with user name zeusabc and password zeus123. IP hosts with iSCSI drivers using user name labserver, password foo, and user name labserver2, password foo2. SN 5428-2 Storage Router attached to disk and tape controllers.]
   Cisco SN 5428-2 Storage Router Software Configuration Guide, OL-5239-01. Chapter 9, Configuring Authentication: Configuration Tasks.
   Figure 9-3 illustrates AAA configuration elements used for Enable authentication with RADIUS servers, Figure 9-4 illustrates AAA configuration elements used for Enable authentication with TACACS servers, and Figure 9-5 illustrates the example configuration of Enable authentication and the authentication services used in this chapter.
   [Figure 9-3: Enable Authentication Configuration Elements with RADIUS Servers. Elements: remote RADIUS servers, Administrator password, Monitor password. Callouts: When Enable authentication is enabled, authentication is required when the user attempts Administrator mode access via the CLI enable command. The user is prompted for a password, which is sent along with the default user name enab15 to AAA for authentication.]
2. Configuring Authentication Services (continued)
   Use the commands in the following procedure to configure TACACS authentication services.
   Step 1: enable
      Enter Administrator mode.
   Step 2: tacacs-server host 10.7.0.22
           tacacs-server host 10.7.0.41
           tacacs-server host 10.7.0.45
      Specify the TACACS servers to be used for authentication. For example, specify the TACACS servers at 10.7.0.22, 10.7.0.41 and 10.7.0.45 for use by the storage router. Because no port is specified, the authentication requests use the default port 49. The global timeout value is also used. Like RADIUS servers, TACACS servers are accessed in the order in which they are defined or, for a specified server group, in the order they are defined in the group. See the Cisco SN 5400 Series Storage Router Command Reference for more information about the tacacs-server host command.
   Step 3: tacacs-server key tacacs123SN
      Configure the global authentication and encryption key to be used for all TACACS communications between the SN 5428-2 and the TACACS servers. For example, set the key to tacacs123SN. This key must match the key used by the TACACS daemon.
   Local Username Database
   Use the commands in the following procedure to configure a local username database.
   Step 1: enable
      Enter Administrator mode.
   Step 2: username labserver password foo
           username labserver2 password foo2
      Enter a user
3. Enable authentication
   Use the commands in the following procedure to build a default list of authentication services to be used for Enable authentication. Building the default list completes the configuration of Enable authentication and makes it immediately effective.
   Step 1: enable
      Enter Administrator mode.
   Step 2: aaa authentication enable default group sysadmin enable
      Create a default list of authentication services for Enable authentication. For example, create a list so that AAA first tries to perform authentication using the TACACS servers in the group named sysadmin. If no TACACS server is found, TACACS returns an error and AAA attempts authentication using the configured Administrator mode password. If the password you entered does not match the configured Administrator mode password, authentication fails and no other methods are attempted.
      - RADIUS servers are passed the default user name enab15 along with the entered password for authentication purposes.
      - TACACS servers are passed the user name used at login along with the entered password for authentication purposes. If a user name was not needed for login, the storage router prompts the user to enter a user name along with the enable password when the enable command is issued.
      You must configure the databases used by the RADIUS or TACACS servers with the appropriate user name an
4. 5eaee29546ed37 31d5812ea60eaacl568 (tail of the Example 9-5 password field)
   Verifying and Saving Configuration
5. Sep 02 14:37:00 aaa AS_NOTICE Auth test request being queued
   Sep 02 14:37:00 aaa AS_NOTICE Auth test request complete status pass
   Login Authentication
   Use the commands in the following procedure to test Login authentication.
   Step 1: enable
      Enter Administrator mode.
   Step 2: aaa test authentication login default sysmonitor ciscomonitor
      Test the user name and password configured for Monitor mode access to the storage router. AAA uses the services in the default authentication list (Example 9-3).
   Example 9-3 Testing Login Authentication
      SN5428-2_MG1# aaa test authentication login default sysmonitor ciscomonitor
      Sep 02 14:37:00 aaa AS_NOTICE Auth test request being queued
      Sep 02 14:37:00 aaa AS_NOTICE Auth test request complete status pass
   Configuring Two-Way Authentication
   Note: When iSCSI authentication is enabled, the SCSI routing instance must authenticate the IP host during the iSCSI TCP connection process. IP hosts that cannot be authenticated are not allowed access to the storage resources. IP hosts may also require authentication of the SCSI routing instance during the iSCSI TCP connection process. If the SCSI routing instance cannot be authenticated, the IP host terminates the connection.
   Use the commands in the
6. Use the commands in the following procedure to build a unique list of authentication services to be used for iSCSI authentication.
   Step 1: enable
      Enter Administrator mode.
   Step 2: aaa authentication iscsi webservices2 local group janus group tacacs
      Create a unique list of authentication services for iSCSI authentication. For example, create the list called webservices2 so that AAA first tries to perform authentication using the local username database. If AAA fails to find a user name match, an attempt is made to contact a RADIUS server in the server group named janus. If no RADIUS server in group janus is found, RADIUS returns an error and AAA tries to perform authentication using all configured TACACS servers. If no TACACS server is found, TACACS returns an error and authentication fails. If a RADIUS or TACACS server does not find a user name and password match, authentication fails and no other methods are attempted.
   Note: If local or local-case is the first service in the authentication list and a user name match is not found, the next service in the list will be tried. If local or local-case is not the first service, authentication fails if a user name match is not found. Authentication always fails if a RADIUS or TACACS server fails to find a user name match.
7. [Figure 9-1 (continued): iSCSI Authentication Configuration Elements. Callouts: When iSCSI authentication is enabled, the SCSI routing instance passes the user name and password from the iSCSI driver to AAA for authentication. AAA uses the specified authentication list to determine which services to use for the authentication attempt. If authentication fails, the connection is refused and the host cannot obtain access to storage resources. The IP host, and optionally the SCSI routing instance, supplies a user name and password via CHAP when the iSCSI TCP connection is established. Elements: RADIUS, TACACS, local or local-case, authentication services lists, AAA authentication services, SCSI routing instance, SN 5428-2 Storage Router, iSCSI drivers, disk controllers, tape controller.]
   [Figure 9-2: iSCSI Authentication Example Configuration. Remote TACACS servers at IP 10.7.0.22, 10.7.0.41 and 10.7.0.45 with global key tacacs123SN. Group janus of remote RADIUS servers at IP 10.5.0.61 and 10.6.0.53 with global key rad123SN. Username database: labserver/foo, labserver2/foo2. Services: local or local-case, RADIUS, TACACS.]
8. authentication using the specified iSCSI authentication list. The command response indicates a pass or fail status.
   iSCSI Authentication
   Use the commands in the following procedure to test iSCSI authentication.
   Step 1: enable
      Enter Administrator mode.
   Step 2: aaa test authentication iscsi webservices2 labserver foo
           aaa test authentication iscsi webservices2 labserver2 foo2
      Test the user names and passwords listed in the username database. AAA uses the services in the authentication list named webservices2 for authentication (Example 9-1).
   Example 9-1 Testing iSCSI Authentication
      SN5428-2_MG1# aaa test authentication iscsi webservices2 labserver foo
      Sep 02 14:37:00 aaa AS_NOTICE Auth test request being queued
      Sep 02 14:37:00 aaa AS_NOTICE Auth test request complete status pass
   Enable Authentication
   Use the commands in the following procedure to test Enable authentication.
   Step 1: enable
      Enter Administrator mode.
   Step 2: aaa test authentication enable default enab15 ciscoadmin
      Test the password configured for Administrator mode access to the storage router, using the default user name passed to RADIUS servers. AAA uses the services in the default authentication list (Example 9-2).
   Example 9-2 Testing Enable Authentication
      SN5428-2_MG1# aaa test authentication enable default enab15 ciscoadmin
      Sep 02 14:37:00 aaa AS_NOTICE
9. initial 9 in the example display indicates that the password is encrypted.
   - You can re-enter an encrypted password using the normal username password command. Enter the encrypted password in single or double quotes, starting with 9 and a single space. For example, copying and pasting password 9 ea9bb0c57ca4806d3555f3f78a4204177a from the example above into the username pat command would create an entry for pat in the username database. The user named pat would have the same password as the user named foo. This functionality allows user names and passwords to be restored from saved configuration files.
   - When entering a password, a zero followed by a single space indicates that the following string is not encrypted; 9 followed by a single space indicates that the following string is encrypted. To enter a password that starts with 9 or zero followed by one or more spaces, enter a zero and a space and then enter the password string. For example, to enter the password "0 123" for the user named pat, enter this command:
        username pat password 0 "0 123"
     To enter the password "9 73Zjm 5" for user name lab1, use this command:
        username lab1 password 0 "9 73Zjm 5"
   Enable
   Enable is a special authentication service; it is available for Enable and Login authentication only. The Enable service compares the password you entered with the Administrator mode password configured for the storage router. The requested access is granted
10. name and password for each host requiring authentication prior to access to storage, and for each user requiring Monitor mode access to the SN 5428-2 via console, Telnet or SSH management sessions. For example, add the following user name and password combinations:
    - labserver and foo
    - labserver2 and foo2
    For iSCSI authentication, user name and password pairs must match the CHAP user name and password pairs configured for the iSCSI drivers that require access to storage via the SCSI routing instances that have iSCSI authentication enabled. If other services are also used, such as RADIUS or TACACS, these user name and password pairs must also be configured within the databases those services use for authentication purposes.
    Configuring Authentication Services (continued)
    The following rules apply to passwords:
    - Passwords are entered in clear text. However, they are changed to XXXXX in the CLI command history cache and are stored in the local username database in an encrypted format.
    - If the password contains embedded spaces, enclose it with single or double quotes.
    - After initial entry, passwords display in their encrypted format. Use the show aaa command to display the local username database entries. The following is an example display:
         username foo password 9 ea9bb0c57ca4806d3555f3 78a4204177a
      The
11. [Figure 9-4 (continued): the callout ends "... obtain Administrator mode access to the storage router." Elements: remote TACACS servers, to which the user name and password are sent; Administrator password; Monitor password; TACACS, Enable and Monitor services; authentication services list; AAA authentication services; CLI command session processor; SN 5428-2 Storage Router; the enable command prompts for a password, and for a user name if none was needed at login; Telnet, SSH or console management session.]
    [Figure 9-5: Enable Authentication Example Configuration. Group sysadmin of remote TACACS servers at IP 10.7.0.22 and 10.7.0.41 with global key tacacs123SN. Administrator password ciscoadmin. Authentication services list: group sysadmin, enable. User name ciscouser, password ciscoadmin, entered at the CLI command session processor over a Telnet, SSH or console management session.]
12. the SN 5428-2 in Administrator mode via the CLI enable command or an FTP session.
    - Login authentication provides a mechanism to authenticate users requesting access to the SN 5428-2 in Monitor mode via the login process from a Telnet session, SSH session or the management console.
    iSCSI Authentication
    When enabled, iSCSI drivers provide user name and password information each time an iSCSI TCP connection is established. iSCSI authentication uses the iSCSI Challenge Handshake Authentication Protocol (CHAP) authentication method. iSCSI authentication can be enabled for specific SCSI routing instances. Each SCSI routing instance enabled for authentication can be configured to use a specific list of authentication services, or it can be configured to use the default list of authentication services. For IP hosts that support two-way authentication, the SCSI routing instance can also be configured to provide user name and password information during the iSCSI TCP connection process.
    Note: iSCSI authentication is available for SN 5428-2 storage routers deployed for SCSI routing or transparent SCSI routing only; it is not available for storage routers deployed for FCIP.
    Using Authentication (continued)
    Enable Authentication
    When configured, a user enters password information each time the CLI enable command is entered from
13. Verifying and Saving Configuration (continued)
    Example 9-4 Display AAA Configuration
       SN5428-2_MG1# show aaa
       aaa new-model
       username labserver password 9 491c083a73d7 89bc0205927d086cdd0d8
       username labserver2 password 9 5ccd52d543e0d3a5558afe8cbe2867dd41
       radius-server key 9 64ced29a261a8ca554a6f4ea8d494669c1
       radius-server host 10.6.0.53 auth-port 1645
       radius-server host 10.6.0.73 auth-port 1645
       radius-server host 10.5.0.61 auth-port 1645
       tacacs-server key 9 c5fc960c37b1la3ad4d76e2495b169e4b08
       tacacs-server host 10.7.0.22 auth-port 49
       tacacs-server host 10.7.0.41 auth-port 49
       tacacs-server host 10.7.0.45 auth-port 49
       aaa group server radius janus
       aaa group server radius janus server 10.5.0.61 auth-port 1645
       aaa group server radius janus server 10.6.0.53 auth-port 1645
       aaa group server tacacs sysadmin
       aaa group server tacacs sysadmin server 10.7.0.22 auth-port 49
       aaa group server tacacs sysadmin server 10.7.0.41 auth-port 49
       aaa authentication enable default group sysadmin enable
       aaa authentication iscsi webservices2 local group janus group tacacs
       aaa authentication login default group sysadmin monitor
    Example 9-5 Verify iSCSI Authentication for SCSI Routing Instance
       SN5428-2_MG1# show scsirouter zeus brief
       SCSI Router Information
       SCSI Router Authentication Information
       Router   Authentication   Username   Password
       zeus     webservices2     zeusabc    9
14. TACACS servers. For example, create a group named sysadmin. All authentication server groups must have unique names; you cannot have a group of TACACS servers named sysadmin and a group of RADIUS servers named sysadmin.
    Creating Named Server Groups (continued)
    Step 3: aaa group server tacacs sysadmin server 10.7.0.22
       Add a TACACS server to the named group. For example, add the TACACS server at IP address 10.7.0.22 to the group named sysadmin. Because no port is specified, authentication requests to this server use the default port 49. Servers are accessed in the order in which they are defined within the named group.
    Step 4: aaa group server tacacs sysadmin server 10.7.0.41
       Add another TACACS server to the named group. For example, add the TACACS server at IP address 10.7.0.41 to the group named sysadmin.
    Creating Authentication Lists
    iSCSI, Enable and Login authentication use lists of defined authentication services to administer security functions. The list that is created for Enable and Login authentication must be named default. iSCSI authentication supports a variety of authentication lists. Use the procedures that follow according to the type of authentication required:
    - iSCSI authentication
    - Enable authentication
    - Login authentication
    iSCSI authentication
15. Chapter 9: Configuring Authentication
    This chapter explains how to configure the authentication portion of Cisco's authentication, authorization and accounting (AAA) services on the SN 5428-2 Storage Router, and how to configure Enable, Login and iSCSI authentication, which use AAA services. The following tasks are covered:
    - Prerequisite Tasks
    - Using Authentication
    - Configuration Tasks
    - Configuring Authentication Services
    - Creating Named Server Groups
    - Creating Authentication Lists
    - Testing Authentication
    - Configuring Two-Way Authentication
    - Enabling iSCSI Authentication
    - Verifying and Saving Configuration
    The AAA function is always enabled for the storage router; it cannot be disabled. Authentication parameters can be configured using CLI commands as described in this chapter, or via the web-based GUI. To access the web-based GUI, point your browser to the storage router's management interface IP address. After logging on, click the Help link to access online help for the GUI.
    Prerequisite Tasks
    Before performing AAA configuration tasks on the storage router, make sure you have configured system parameters as described in Chapter 2, First-Time Configuration, or Chapter 3, Config
16. I routing instance named zeus using the authentication list named webservices2.
    Verifying and Saving Configuration
    You can save the configuration at any time using either the save aaa bootconfig or save all bootconfig commands. Although AAA configuration changes are effective immediately, you must save the authentication configuration for it to be retained in the SN 5428-2 when it is rebooted.
    Use the following procedure to verify and save authentication settings.
    Step 1: enable
       Enter Administrator mode.
    Step 2: show aaa
       Display AAA configuration (Example 9-4).
    Step 3: show scsirouter zeus brief
       Verify that iSCSI authentication is enabled and, optionally, that the appropriate user name and password are configured for the specified SCSI routing instance. For example, verify that the SCSI routing instance named zeus is enabled for authentication using the authentication list named webservices2 and is configured with the user name zeusabc and password zeus123 (Example 9-5).
    Step 4: save aaa bootconfig
       Save authentication settings.
    Step 5: save scsirouter zeus bootconfig
       Save the SCSI routing instances.
    Step 6: save all bootconfig
       (Optional) Save all configuration settings. This command may be used in place of the individual save aaa bootconfig and save scsirouter bootconfig commands described in Steps 4 and 5.
17. [Figure 9-3 (continued): Elements: Enable and Monitor services, authentication services list, AAA authentication services, CLI command session processor, SN 5428-2 Storage Router; the enable command prompts for a password over a Telnet, SSH or console management session. Callouts: the entered password is sent with the default user name enab15; AAA uses the default authentication list to determine which services to use for the authentication attempt; if authentication fails, the request is refused and the user cannot obtain Administrator mode access to the SN 5428-2.]
    [Figure 9-4: Enable Authentication Configuration Elements with TACACS Servers. Callouts: When Enable authentication is enabled, authentication is required when the user attempts Administrator mode access via the CLI enable command. The user is prompted for a password, which is sent along with the user name entered at login to AAA for authentication. If the user name was not needed for login, the storage router prompts the user to enter a user name along with the password, and both are sent to AAA for authentication. AAA uses the default authentication list to determine which services to use for the authentication attempt. If authentication fails, the request is refused and the user cannot]
18. Configuration Tasks (continued)
    Figure 9-6 illustrates AAA configuration elements used for Login authentication, and Figure 9-7 illustrates the example configuration of Login authentication and the authentication services used in this chapter.
    [Figure 9-6: Login Authentication Configuration Elements. Elements: remote RADIUS servers, remote TACACS servers, username database (user names and passwords), Monitor password, Administrator password; RADIUS, TACACS, local or local-case, Enable and Monitor services; authentication services list; AAA authentication services; CLI command session processor; SN 5428-2 Storage Router; Telnet, SSH or console management session. Callouts: When Login authentication is enabled, authentication is required when the user attempts Monitor mode access to the SN 5428-2 by attempting to establish a CLI command session. The login process prompts the user for a user name and password, which are passed to AAA for authentication. AAA uses the default authentication list to determine which services to use for the authentication attempt. If authentication fails, the login request is refused and the user cannot obtain Monitor mode access to the SN 5428-2. Login requires user name and password.]
19. d password information.
    Note: Local and local-case services cannot be used for Enable authentication.
    Login authentication
    Use the commands in the following procedure to build a default list of authentication services to be used for Login authentication. Building the default list completes the configuration of Login authentication and makes it immediately effective.
    Step 1: enable
       Enter Administrator mode.
    Step 2: aaa authentication login default group sysadmin monitor
       Create a default list of authentication services for Login authentication. For example, create a list so that AAA first tries to perform authentication using the TACACS servers in the group named sysadmin. If no TACACS server is found, TACACS returns an error and AAA attempts authentication using the configured Monitor mode password, eliminating authentication of the user name. If the password you entered does not match the configured Monitor mode password, authentication fails and no other methods are attempted.
    Testing Authentication
    You can perform authentication testing at any time. For example, before enabling iSCSI authentication for a SCSI routing instance, you can test iSCSI authentication. The user name and password are passed to AAA, which performs
20. e used for iSCSI authentication of IP hosts accessing storage via the SCSI routing instance named zeus. In the example configurations shown in Figure 9-5 and Figure 9-7, the group of TACACS servers named sysadmin will be used for Enable and Login authentication.
    RADIUS Server Groups
    Use the commands in the following procedure to create a named group of RADIUS servers.
    Step 1: enable
       Enter Administrator mode.
    Step 2: aaa group server radius janus
       Create a group of RADIUS servers. For example, create a group named janus. All authentication server groups must have unique names; you cannot have a group of RADIUS servers named janus and a group of TACACS servers named janus.
    Step 3: aaa group server radius janus server 10.5.0.61
       Add a RADIUS server to the named group. For example, add the RADIUS server at IP address 10.5.0.61 to the group named janus. Because no port is specified, authentication requests to this server use the default UDP port 1645. Servers are accessed in the order in which they are defined within the named group.
    Step 4: aaa group server radius janus server 10.6.0.53
       Add another RADIUS server to the named group. For example, add the RADIUS server at IP address 10.6.0.53 to the group named janus.
    TACACS Server Groups
    Use the commands in the following procedure to create a named group of TACACS servers.
    Step 1: enable
       Enter Administrator mode.
    Step 2: aaa group server tacacs sysadmin
       Create a group of T
21. following procedure to configure a user name and password for a SCSI routing instance that must be authenticated by IP hosts.
    Step 1: enable
       Enter Administrator mode.
    Step 2: scsirouter zeus username zeusabc
       Assign a user name to the SCSI routing instance. For example, configure the user name zeusabc for the SCSI routing instance named zeus.
    Step 3: scsirouter zeus password zeus123
       Assign a password to the SCSI routing instance. For example, configure the password zeus123 for the SCSI routing instance named zeus. The SCSI routing instance user name and password pair must also be configured within the authentication database services used by the IP hosts for authentication purposes.
    Enabling iSCSI Authentication
    iSCSI authentication is enabled for specific SCSI routing instances. By default, iSCSI authentication is not enabled. Use the commands in the following procedure to enable iSCSI authentication using the authentication services configured in the specified authentication list.
    Step 1: enable
       Enter Administrator mode.
    Step 2: scsirouter zeus authentication webservices2
       Enable authentication for the named SCSI routing instance using the named authentication list. For example, enable authentication for the SCS
22. he storage router. | Enable and Login authentication only
    Monitor | Uses the Monitor mode password configured for the storage router. | Enable and Login authentication only
    Configuration Tasks
    To configure iSCSI, Enable or Login authentication and the associated authentication services on the storage router, perform the following steps:
    Step 1: Configure the desired authentication services, such as RADIUS, TACACS and the local username database.
    Step 2: (Optional) Create named groups of RADIUS and TACACS servers.
    Step 3: Create authentication lists.
    Step 4: (Optional) Test authentication using configured authentication services.
    Step 5: (Optional) Configure the user name and password for SCSI routing instances that will participate in two-way authentication.
    Step 6: Enable authentication for individual SCSI routing instances.
    Step 7: Verify and save AAA and iSCSI authentication configuration.
    Figure 9-1 illustrates AAA configuration elements used for iSCSI authentication, and Figure 9-2 illustrates the example configuration of iSCSI authentication and the authentication services used in this chapter.
    [Figure 9-1: iSCSI Authentication Configuration Elements. Elements: RADIUS servers, TACACS servers, username database (user names and passwords). The callout begins: When iSCSI]
23. names and passwords for iSCSI authentication.
    RADIUS Servers
    Use the commands in the following procedure to configure RADIUS authentication services.
    Step 1: enable
       Enter Administrator mode.
    Step 2: radius-server host 10.6.0.53
       Specify the RADIUS server to be used for authentication. For example, specify the RADIUS server at 10.6.0.53 for use by the storage router. Because no port is specified, the authentication requests use the default UDP port 1645. Global timeout and retransmit values are also used. See the Cisco SN 5400 Series Storage Router Command Reference for more information about the radius-server host command.
    Step 3: radius-server host 10.6.0.73
            radius-server host 10.5.0.61
       Specify additional RADIUS servers. For example, specify the RADIUS servers at 10.6.0.73 and 10.5.0.61 as the second and third RADIUS servers to be used for authentication. RADIUS servers are accessed in the order in which they are defined or, for a specified server group, in the order they are defined in the group.
    Step 4: radius-server key rad123SN
       Configure the global authentication and encryption key to be used for all RADIUS communications between the SN 5428-2 and the RADIUS daemon. For example, set the key to rad123SN. This key must match the key used on the RADIUS daemon.
24. ns. If you are using remote security servers, AAA is the means through which you establish communications between the SN 5428-2 and the remote RADIUS or TACACS security server.
    Table 9-1 lists the authentication services and indicates which authentication types can be performed by each service.
    Table 9-1 Authentication Services
    Authentication Service | Description | Authentication Types
    RADIUS | A distributed client/server system that secures networks against unauthorized access. The SN 5428-2 sends authentication requests to a central RADIUS server that contains all user authentication and network service access information. | All
    TACACS | A security application that provides centralized validation of users. TACACS services are maintained in a database on a TACACS daemon running typically on a UNIX or Windows NT workstation. | All
    Local or Local-case | Uses a local username database on the storage router for authentication. Local-case indicates that the user name authentication is case sensitive. Password authentication is always case sensitive. | Login and iSCSI authentication only
    Enable | Uses the Administrator mode password configured for t
25. only if the passwords match. See Chapter 3, Configuring System Parameters, for more information about changing the Administrator mode password.
    Monitor
    Monitor is a special authentication service; it is available for Enable and Login authentication only. The Monitor service compares the password you entered with the Monitor mode password configured for the storage router. The requested access is granted only if the passwords match. See Chapter 3, Configuring System Parameters, for more information about changing the Monitor mode password.
    Creating Named Server Groups
    By default, you can use all configured RADIUS or TACACS servers for authentication. All configured RADIUS servers belong to the default group named radius. All configured TACACS servers belong to the default group named tacacs. You can also create named groups of RADIUS or TACACS servers to be used for specific authentication purposes. For example, you can use a subset of all configured RADIUS servers for iSCSI authentication of IP hosts requesting access to storage via a specific SCSI routing instance. In the example configuration shown in Figure 9-2, the group of RADIUS servers named janus and the default group of all TACACS servers will b
26. session 3

Figure 9-7 Login Authentication Example Configuration (figure: remote TACACS servers at IP 10.7.0.22 and 10.7.0.41 with global key tacacs123SN; Monitor password ciscomonitor; authentication services list "group sysadmin, monitor"; SN 5428-2 Storage Router user name sysmonitor, password ciscomonitor; Telnet, SSH, or console management session)

Configuring Authentication Services
Configuring authentication services consists of setting the appropriate parameters for the various AAA service options that can be used by the storage router. The storage router can use any or all of the supported services:
- RADIUS
- TACACS
- Local username database
- Enable
- Monitor
Use the procedures that follow to configure the storage router to use each of these services.

Note: See the iSCSI driver readme file for details on configuring CHAP user
27. the management console or from a Telnet or SSH management session. If the storage router is configured to allow FTP access, Enable authentication also authenticates users attempting to log in and establish an FTP session with the storage router.

Using RADIUS Security Servers
Because the enable command does not require you to enter a user name, RADIUS authentication services are passed the default user name enab15 along with the entered password for authentication. If no authentication services are configured, the entered password is checked against the Administrator mode password configured for the storage router.

Using TACACS Security Servers
Because the enable command does not require you to enter a user name, TACACS authentication services are passed the user name used at login along with the entered password for authentication. If a user name was not needed for login, the storage router will prompt the user to enter a user name along with the enable password when the enable command is issued.

Login Authentication
When configured, you are prompted to enter a user name and password each time access to the storage router is attempted from the management console or from a Telnet or SSH management session.

Authentication Services
Authentication is configured by defining the authentication services available to the storage router. iSCSI, Enable, and Login authentication types use authentication services to administer security functio
28. uring System Parameters. If the storage router is deployed for SCSI routing, you should also configure SCSI routing instances, as described in Chapter 6, Configuring SCSI Routing, before proceeding. See the iSCSI driver readme file for details on configuring IP hosts for iSCSI authentication.

Note: AAA configuration settings are cluster-wide elements and are shared across a cluster. All AAA configuration and management functions are performed from a single storage router in a cluster. Issue the show cluster command to identify the storage router that is currently performing AAA configuration and management functions.

Using Authentication
AAA is Cisco's architectural framework for configuring a set of three independent security functions in a consistent, modular manner. Authentication provides a method of identifying users (including login and password dialog, challenge and response, and messaging support) prior to receiving access to the requested object, function, or network service. The SN 5428-2 Storage Router implements the authentication function for three types of authentication:
- iSCSI authentication provides a mechanism to authenticate all IP hosts that request access to storage via a SCSI routing instance. IP hosts can also verify the identity of a SCSI routing instance that responds to requests, resulting in two-way authentication.
- Enable authentication provides a mechanism to authenticate users requesting access to
