Applies To:

Show Versions Show Versions

Manual Chapter: Management Access
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

17 
Use the authentication command to set a primary, secondary, or tertiary authentication service for the current management-access point.
Use the no form of the command to remove an authentication service.
primary | secondary | tertiary is a required choice for setting the precedence of this authentication service:
primary is the preferred authentication service,
secondary is the authentication service to be used if the primary service fails, and
tertiary is used if the secondary fails, too.
active-directory | radius | local is another required choice, for setting the authentication type.
active-directory authenticates through the externally-configured Active Directory. (You can use the active-directory update seed-domain command to automatically discover the Active Directory (AD) and all of its Domain Controllers.) This option allows Windows clients with sufficient privileges (see below) to log in with their Windows credentials.
radius authenticates using a RADIUS (Remote Authentication Dial-In User Service) server on the network.
local authenticates using services local to the ARX.
Use the show management access command to show the current configuration mapping of authentication services to management-access points.
To remove an authentication service with no authentication, you must remove the lowest-precedence service first. For example, if you have a management service configured with primary, secondary, and tertiary authentication, you must remove the tertiary authentication service before you can remove the secondary service.
The active-directory option requires additional configuration: you must also identify Windows-user groups with sufficient privileges for administrative access. Use the group command to create a group with the same name as the desired Windows group, then use windows-domain (gbl-group) to declare a domain for that group, and finally use the role command to add one or more administrative roles for that group. For example, you could create a Domain Admins group in the medarch.org domain and give it highly-privileged roles, such as storage-engineer and crypto-officer. As another example, you could create a Domain Users group with the lesser role of operator.
Before you configure RADIUS authentication, use the show radius-server command to verify that a RADIUS server is properly configured. To insure against RADIUS-server failures, we recommend that you configure a secondary local service behind any primary RADIUS service.
A client application can access the ARX API to make queries about the ARX configuration and state. These queries come through one of two management access points, http-api or https-api. Each query from the client application results in a separate authentication.
We recommend using local authentication only for the API access points; active-directory or radius authentication may create an excessive load on your domain controllers (for active-directory) or RADIUS server. If you must duplicate accounts in more than one database, we recommend using the same password for all of them.
bstnA(cfg)# management access https
bstnA(cfg-mgmt-access[HTTPS])# authentication primary active-directory
bstnA(cfg-mgmt-access[Telnet])# no authentication secondary
Most RADIUS servers listen at a well-known port. By default, the ARX sends all RADIUS traffic to that port. Use the auth-port command to change the destination-port number for outbound RADIUS traffic.
Use the no form of the command to reset the port number to the default.
auth-port port-number
port-number (1024-65535) is the destination-port number at the RADIUS server.
bstnA(gbl)# radius-server 192.168.25.207
Use the clear session command to end a current CLI or GUI user session on the ARX.
clear session login-id
login-id (1-128 characters) is the ID of the session to disconnect. The show sessions command shows a list of valid IDs.
Use the show sessions command to view the list of current user sessions.
bstnA# clear session 25250
bstnA# clear session F8DAB350CE624E50AD767A717E931826
Use the show statistics authentication command to view the number of successful and failed login attempts. This command clears all of those counters.
bstnA# clear statistics authentication
Use the key command to set the key (password or shared secret) on the ARX to match the key on the RADIUS server. The switch and its RADIUS server must have identical keys.
Use the no form of the command to erase the key. Erasing the key disables authentication at the current RADIUS server.
bstnA(gbl)# radius-server 192.168.25.201
Key: $3cretPa$$w0rd
Validate Key: $3cretPa$$w0rd
Each of these services is gated by an authentication service. Use the management access command to start configuring authentication service(s) for a management-access point.
Use the no form of the command to remove all authentication services from a management-access point, thus shutting down access.
Use the show management access command to show the current configuration mapping of access points to their authentication services and available interfaces.
http://arx-management-ip:83/arx-api/
where arx-management-ip is either the out-of-band management-IP address (interface mgmt) or an in-band (VLAN) management-ip address (interface vlan). The permit command determines which of these address types are available for access. Use show interface mgmt and/or show interface vlan to find the IP addresses for each interface.
https://arx-management-ip:843/arx-api/
where arx-management-ip is a valid management IP, as described above.
You can use the show statistics api command to find usage statistics for the API.
bstnA(cfg)# management access console
bstnA(cfg)# management access all
bstnA(cfg)# no management access telnet
Use the permit command to allow access to the current management-access point. You can permit access through the out-of-band MGMT interface, any in-band (VLAN) interface, or all management interfaces. Use no permit to deny access.
vlan | mgmt | all is a required choice:
vlan permits (or denies) access through any in-band (VLAN) management interface. Use the show interface vlan command to see all in-band management interfaces.
mgmt permits or denies access through the out-of-band management interface, labeled MGMT on the front panel. Use the show interface mgmt command to see the configuration for this interface. This option is unavailable on the ARX-VE, which has no out-of-band management interface. This option also may not apply to the ARX-1500 or ARX-2500, where the out-of-band management interface may be re-purposed as a standard client/server port (see the documentation for interface mgmt).
all permits or denies access through all of the above.
Use show management access to see which management-access points are currently available.
bstnA(cfg)# management access telnet
bstnA(cfg)# management access ssh
Use the radius-server command to configure/identify a RADIUS server as an authentication provider for the ARX. You can use this command multiple times to configure multiple RADIUS servers.
Use the no form of the command to remove one RADIUS-server configuration.
radius-server hostname-or-ip-address
hostname-or-ip-address (1-128 characters or an IP address) is the hostname or IP address of a RADIUS server.
This command places you in gbl-radius mode. From gbl-radius mode, use the key (gbl-radius) command to enter the shared-secret from the RADIUS server. You can change the timeout and/or retry interval with the timeout (gbl-radius) and retries (gbl-radius) commands. If the RADIUS server listens at a port other than the well-known port, you can use the auth-port (gbl-radius) command to adjust the port configuration.
Important: Before you remove a RADIUS server through the no command, ensure a backup authentication method is in place for management services.
bstnA(gbl)# radius-server 192.168.25.201
Use the retries command to change the connection-retry interval for communication with RADIUS servers.
Use the no form of the command to reset the retry interval to the default.
retries number

number (3-65535) is the number of times the switch attempts to connect to the RADIUS server before declaring a failure.
bstnA(gbl)# radius-server 192.168.25.207
Use the show management access command to show the authentication services configured for system management.
Service is Console, Telnet, SSH, HTTP, HTTPS, SNMP, HTTP-API, or HTTPS-API. This is the management-access point, a point of entry for a system administrator. Use the management access command to edit one or all of these management-access configurations.
Primary is the primary authentication service for this management-access point. The choices are AD (for Active-Directory authentication, which allows Windows users to authenticate with their Windows credentials), local (for authentication service that runs on the ARX), or RADIUS (for authentication at a remote RADIUS server).
Tertiary are backup authentication services. If the primary service fails, the switch uses the secondary service; if the secondary authentication fails too, the switch falls back to the tertiary service. Use the authentication command to reset the primary, secondary, or tertiary service.
Allowed Interface is VLAN, Management, or both. VLAN indicates that administrators can gain access through any in-band (VLAN) management interface. Management indicates that access is allowed through the out-of-band management interface, labeled MGMT on the front panel. Use the permit command to permit VLAN and/or MGMT access.
bstnA> show management access
Use the show radius-server command to display a summary of all RADIUS servers known to the switch.
Hostname is the name or IP address of the RADIUS server.
Authport is the destination port at the RADIUS server.
Acctport is the port used for accounting; currently not used.
Timeout is the current connection-timeout interval.
Retries is the current connection-retry interval.
bstnA(gbl)# show radius-server
bstnA# show radius-server
Use the show sessions command to view all current management sessions on the switch.
Session ID identifies each session. CLI sessions have integer IDs, and GUI sessions have string IDs. The flag, (local session), appears for the current CLI session.
Username identifies the administrative user.
Access is the type of connection. This is the same as the management-access point that you choose with the management access command (for example, console, ssh, or https).
Connect Time shows how long the session has been running displayed in minutes and hours. If the session has been running less than a minute, a dash is displayed instead of the time.
Source IP is the IP address from which the user logged in.
You can use the clear session with one of the IDs to clear that administrative session, thereby logging off the administrator.
bstnA# show sessions
bstnA# show sessions
Immediately after you use ssh-host-key generate to change the SSH host keys on the switch, you should distribute the new keys to remote SSH clients. Use the show ssh-host-key command to show the public host keys.
dsa | rsa | rsa1 selects a particular SSH key; by default, all of them are shown.
dsa is the key for DSA over SSHv2,
rsa selects the key for RSA over SSHv2, and
rsa1 chooses RSA over SSHv1. By default, SSHv1 is not supported, use ssh-v1 enable to enable SSHv1 support.
Use the ssh-host-key generate command to change all private/public host-key pairs on the switch. Then use this command to see the new public keys and begin distributing them to SSH clients. Install the appropriate public key (DSA, RSA, or RSA1) at each client; refer to the clients SSH documentation for instructions.
bstnA(cfg)# show ssh-host-key
Use this command to display the authentication-login statistics. Use the clear statistics authentication command to clear the current authentication statistics and reset the counters.
bstnA# show statistics authentication
dsa | rsa selects the type of SSH key to set.
dsa is the key for DSA, and
rsa selects the key for RSA over SSHv2.
where key-text has a <Return> character at the end of each line.
This is the format of a typical text file for a private key. PuTTYgen creates a text file with this format if you load a generated key and select Conversions -> Export OpenSSH key. This is also the format you find in /etc/ssh/ssh_host_*sa_key on a Linux box with SSH.
The ARX generates a new public key to associate with this new private key. The new public key is accessible through show ssh-host-key. You copy the appropriate public key to trusted clients, as described below. The private key remains hidden on the switch.
After the new host key is installed, client machines warn their users that the switchs host key has changed. They must update to the new host key before they authenticate with the ARX. Right after generating new host keys, use the show ssh-host-key command to show the new public key, then copy and paste it onto the client machine. Refer to the client machines SSH documentation for the specific configuration file.
bstnA(cfg)# ssh-host-key rsa
After the new host keys are generated, client machines warn their users that the switchs host key has changed. They must update to the new host key before they authenticate with the ARX. Right after generating new host keys, use the show ssh-host-key command to show the new public keys, then copy and paste the appropriate key onto the client machine. Refer to the client machines SSH documentation for the specific configuration file.
bstnA# ssh-host-key generate
Use the no form of the command to disable SSHv1 and return to v2-only support.
bstnA(cfg)# ssh-v1 enable
bstnA(cfg)# no ssh-v1 enable
Use the timeout command to change the timeout interval for communication with RADIUS servers.
Use the no form of the command to reset the timeout interval to the default.
timeout milliseconds
milliseconds (3-65535) is the number of milliseconds to wait for a server response before timing out.
After the timeout expires, the switch retries its request as many times as specified through the retries (gbl-radius) command. If all retries fail, the request fails, which causes fallback to the next level of authentication service (secondary or tertiary), if one is configured.
bstnA(gbl)# radius-server 192.168.25.207
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)