Dell SmartFabric OS10 and SmartFabric Services Security Configuration Guide June 2023

Authentication, authorization, and accounting

Authentication, authorization, and accounting (AAA) services secure networks against unauthorized access. AAA is a centralized means of controlling who can access the system, what each user is permitted to do once logged in, and what each user actually did.

Enable AAA login authentication

Configuring AAA authentication with a fallback method keeps logins working when a method is unavailable. If the servers for one method cannot be reached (for example, no configured RADIUS server answers), the system tries the next method in the list. Keep local as the last method at least for console logins, so that an unreachable AAA server cannot lock you out of the switch.

OS10(config)# aaa authentication login {console | default} {local | group radius | group tacacs+}
OS10(config)# exit
OS10# write memory
  • console—Configure authentication methods for console logins.
  • default—Configure authentication methods for SSH and Telnet logins.
  • local—Use the local username, password, and role entries configured with the username password role command.
  • group radius—Use the RADIUS servers configured with the radius-server host command.
  • group tacacs+—Use the TACACS+ servers configured with the tacacs-server host command.

The authentication methods in the method list work in the order they are configured.
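To make the fallback semantics concrete, the following Python model (an added example, not Dell code; OS10 exposes no such scripting interface) evaluates a login method list the way the text above describes. The user database, the server behaviours and the names authenticate, lockout_possible, radius_live and server_down are all constructed for the illustration. It assumes that a method is skipped only when its servers are unreachable and that a reachable server's reject ends the evaluation without consulting later methods; verify that assumption on your own platform by testing with a deliberately stopped server before relying on it.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"


# Constructed local user database. The password is kept in clear only for
# the simulation; OS10 stores a SHA-256/SHA-512 hash.
LOCAL_USERS = {"admin": "local-pass"}


def authenticate(method_list, server_groups, user, password, local_users=LOCAL_USERS):
    """Evaluate an OS10-style login method list in the configured order.

    method_list   e.g. ["group radius", "local"], as written in
                  'aaa authentication login default group radius local'.
    server_groups maps "group radius" / "group tacacs+" to a callable
                  (user, password) -> Result, or to None when no server is
                  configured for that group.
    Returns (Result, method_that_decided); the method is None when the
    list is exhausted without any method answering (assumption: this is
    treated as a reject, i.e. a lockout).
    """
    for method in method_list:
        if method == "local":
            ok = local_users.get(user) == password
            return (Result.ACCEPT if ok else Result.REJECT), "local"
        backend = server_groups.get(method)
        if backend is None:
            continue                      # group has no servers configured
        verdict = backend(user, password)
        if verdict is Result.UNREACHABLE:
            continue                      # fall through to the next method
        return verdict, method            # ACCEPT or REJECT ends evaluation
    return Result.REJECT, None


def lockout_possible(method_list):
    """True when every method in the list depends on a reachable server."""
    return "local" not in method_list


# Constructed server behaviours for the simulation.
def radius_live(user, password):
    """A reachable RADIUS group that knows exactly one user."""
    if (user, password) == ("alice", "radius-pass"):
        return Result.ACCEPT
    return Result.REJECT


def server_down(user, password):
    """A group whose servers all time out."""
    return Result.UNREACHABLE


if __name__ == "__main__":
    default_list = ["group radius", "local"]      # SSH/Telnet logins
    console_list = ["local"]                      # console logins
    print(authenticate(default_list, {"group radius": radius_live}, "alice", "radius-pass"))
    print(authenticate(default_list, {"group radius": radius_live}, "admin", "local-pass"))
    print(authenticate(default_list, {"group radius": server_down}, "admin", "local-pass"))
    print(authenticate(["group tacacs+"], {"group tacacs+": server_down}, "admin", "local-pass"))
    print(lockout_possible(console_list), lockout_possible(["group tacacs+"]))
```

The second and third calls are the ones worth remembering: with the RADIUS group reachable, a local-only account is rejected by the server and the local method is never consulted, while with the group down the same login succeeds locally. A default list without local, as in the fourth call, denies everyone when the servers are unreachable.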

Enable AAA re-authentication

Require users to re-authenticate by logging in again whenever an authentication method or server changes, so that a session authorized under the previous configuration cannot keep accessing resources or running tasks that it is no longer authorized to perform.

OS10(config)# aaa re-authenticate enable

Configure authorization

AAA command authorization controls user access to a set of commands assigned to users and is performed after user authentication. When enabled, AAA authorization checks a remote authorization server for each command that a user enters on the switch. If the commands that are entered by the user are configured in the remote server for that user, the remote server authorizes the usage of the command.

By default, the role you configure with the username password role command sets the level of CLI commands that a user can access.

An OS10 switch uses a list of authorization methods and the sequence in which they apply to determine the level of command authorization granted to a user. You can configure authorization methods with the aaa authorization command. By default, OS10 uses only the local authorization method. You can also configure TACACS+ server-based authorization.

The authorization methods in the method list run in the order that you configure them. Reenter the methods to change the order. The local authorization method remains enabled even if you remove all configured methods in the list using the no aaa authorization command.

  • Enable authorization and configure the authorization methods for CLI access in CONFIGURATION mode. Reenter the command to configure additional authorization methods and CLI access.
    aaa authorization {commands | config-commands | exec-commands} {role user-role} {console | default} {[local] [group tacacs+]}
    • commands — Configure authorization for all CLI commands, including all EXEC and configuration commands.
    • config-commands — Configure authorization only for configuration commands.
    • exec-commands — Configure authorization only for EXEC commands.
    • role user-role — Configure command authorization for a user role: sysadmin, secadmin, netadmin, or netoperator.
    • console — Configure authorization for console-entered commands.
    • default — Configure authorization for commands entered in nonconsole sessions, such as SSH and VTY.
    • local — Use the local username, password, and role entries configured with the username password role command for command authorization.
    • group tacacs+ — Use the TACACS+ servers that are configured with the tacacs-server host command for command authorization.
NOTE: Custom user roles are supported, but custom privilege levels are not. The default privilege level for the user role is assigned.

For detailed information about how to configure vendor-specific attributes on a security server, see the respective RADIUS or TACACS+ server documentation.

Examples: AAA authorization

  • All commands that are entered from a console session with the sysadmin user role are authorized using configured TACACS+ servers first, and local user credentials next, if TACACS+ servers are not reachable or configured.
    OS10(config)# aaa authorization commands role sysadmin console group tacacs+ local
  • All configuration commands that are entered from a nonconsole session with the sysadmin user role are authorized using the configured TACACS+ servers.
    OS10(config)# aaa authorization config-commands role sysadmin default group tacacs+

Remove AAA authorization methods

OS10(config)# no aaa authorization commands role sysadmin console

Enable AAA accounting for commands

AAA accounting for commands records login and command information about console connections and remote connections, such as Telnet and SSH.

OS10(config)# aaa accounting commands all {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
OS10(config)# exit
OS10# write memory
  • commands all—Record all user-entered commands. RADIUS accounting does not support this option.
  • console—Record the commands entered in OS10 sessions on console connections.
  • default—Record the commands entered in OS10 sessions on remote connections; for example, Telnet and SSH.
  • start-stop—Send a start notice when a process begins, and a stop notice when the process ends.
  • stop-only—Send only a stop notice when a process ends.
  • none—No accounting notices are sent.
  • logging—Logs all accounting notices in syslog.
  • group tacacs+—Logs all accounting notices on the first reachable TACACS+ server.

Enable AAA accounting for authentication events

OS10(config)# aaa accounting exec {console | default} {start-stop | stop-only | none} [logging] [group tacacs+]
OS10(config)# exit
OS10# write memory
  • console—Record user authentication and login events for OS10 sessions on console connections.
  • default—Record user authentication and login events for OS10 sessions on remote connections; for example, Telnet and SSH.
  • start-stop—Send a start notice when a process begins, and a stop notice when the process ends.
  • stop-only—Send only a stop notice when a process ends.
  • none—No accounting notices are sent.
  • logging—Logs all accounting notices in syslog.
  • group tacacs+—Logs all accounting notices on the first reachable TACACS+ server.


Privilege and Role-Based Access Control

Role-based access control (RBAC) controls access and authorization by granting permissions according to defined roles rather than to individual users. Create user roles based on job functions so that each user receives only the system access the job requires. A user can be assigned only a single role, and many users can share the same role. The role assigned to a user at login determines which commands that user is authorized to run.

Default roles

The following are the default roles on the system:

  • sysadmin—Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles.
  • secadmin—Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information.
  • netadmin—Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information.
  • netoperator—Access to EXEC mode to view the system status. A network operator cannot access the show running-configuration or show startup-configuration commands or modify configuration settings on a switch.

Configuring roles

Controlling terminal access to a switch is one method of securing the device and network. To increase security, you can limit user access to a subset of commands using privilege levels.

  • Create privilege levels in CONFIGURATION mode.
    OS10(config)# privilege mode priv-lvl privilege-level command-string
    • mode—Enter the privilege mode used to access CLI modes:
      • exec—Accesses EXEC mode.
      • configure—Accesses class-map, DHCP, logging, monitor, OpenFlow, policy-map, QOS, support-assist, telemetry, CoS, Tmap, UFD, VLT, VN, VRF, WRED, and alias modes.
      • interface—Accesses Ethernet, fibre-channel, loopback, management, null, port-group, lag, breakout, range, port channel, and VLAN modes.
      • route-map—Accesses route-map mode.
      • router—Accesses router-bgp and router-ospf modes.
      • line—Accesses line-vty mode.
    • priv-lvl privilege-level—Enter the number of a privilege level, from 2 to 14.
    • command-string—Enter the commands supported at the privilege level.
  • Create a username, password, assign a role, and assign a privilege level in CONFIGURATION mode.
    OS10(config)# username username password password role role priv-lvl privilege-level
    • username username—Enter a text string; 32 alphanumeric characters maximum; one character minimum.
    • password password—Enter a text string; 32 alphanumeric characters maximum, nine characters minimum.
    • role role—Enter a user role.
    • priv-lvl privilege-level—Enter a privilege level, from 0 to 15.
      • Level 0—Provides users the least privilege, restricting access to basic commands.
      • Level 1—Provides access to a set of show commands and certain operations such as ping, traceroute, and so on.
      • Level 15—Provides access to all available commands, equivalent to the commands permitted with the sysadmin role.
      • Levels 0, 1, and 15—System configured privilege levels with a predefined command set.
      • Levels 2 to 14—Not configured. You can customize these levels for different users and access rights.
  • Configure an enable password for each privilege level in CONFIGURATION mode. Users supply this password when they switch to that privilege level to gain access to the commands supported at that level.
    OS10(config)# enable password encryption-type password-string priv-lvl privilege-level
    OS10(config)# exit
    OS10# write memory
    • encryption-type—Enter how the password entry is stored:
      • 0—Plain text, no hashing. Do not use; the password is readable by anyone who can view the running configuration.
      • sha-256—Store the password as a SHA-256 crypt hash (the $5$ form shown in the example below).
      • sha-512—Store the password as a SHA-512 crypt hash (the $6$ form shown in the example below).
    • priv-lvl privilege-level—Enter a privilege level, from 1 to 15.
    NOTE: Use sha-256 or sha-512 for all enable passwords.
OS10(config)# privilege exec priv-lvl 12 "show version"
OS10(config)# privilege exec priv-lvl 12 "configure terminal"
OS10(config)# privilege configure priv-lvl 12 "interface ethernet"
OS10(config)# privilege interface priv-lvl 12 "ip address"
OS10(config)# username delluser password $6$Yij02Phe2n6whp7b$ladskj0HowijIlkajg981 role secadmin priv-lvl 12
OS10(config)# enable password sha-256 $5$2uThib1o$84p.tykjmz/w7j26ymoKBjrb7uepkUB priv-lvl 12
OS10(config)# exit
OS10# write memory

View users and their roles

The following shows the users that are configured on the local system, their roles, and the assigned privilege levels:

OS10# show running-configuration users
username admin password $6$q9QBeYjZ$jfxzVqGhkxX3smxJSH9DDz7/3OJc6m5wjF8nnLD7/VKx8SloIhp4NoGZs0I/UNwh8WVuxwfd9q4pWIgNs5BKH. role sysadmin priv-lvl 15
OS10# show running-configuration userrole

Configure user role on server

When a user authenticates through a RADIUS or TACACS+ server, the role configured for that user on the server applies. Authentication fails if no role is configured on the server for the user, so a missing or misspelled role attribute shows up as a login failure rather than as an authorization error.

To authenticate a user on OS10 through a TACACS+ server, configure the mandatory role attribute on the server with a role that exists on the switch: sysadmin, secadmin, netadmin, netoperator, or a custom role.

Configure remote authentication

This section describes how to configure remote authentication on the system.

Configure RADIUS authentication

Traditional RADIUS user authentication runs over UDP and relies on MD5 and the shared secret: they are used only to hide the User-Password attribute and to authenticate responses, the rest of the packet travels in clear, and an eavesdropper who captures an exchange can guess the shared secret offline. To provide stronger protection for RADIUS exchanges, RFC 6614 defines RADIUS over Transport Layer Security (TLS), which carries the entire authentication exchange inside a TLS connection and authenticates the server with an X.509 certificate.

OS10(config)# radius-server host {hostname | ip-address} tls security-profile profile-name [auth-port port-number] key {0 authentication-key | 9 authentication-key | authentication-key}
OS10(config)# exit
OS10# write memory
  • hostname—Enter the hostname of the RADIUS server.
  • ip-address—Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the RADIUS server.
  • tls security-profile profile-name—Enter the security profile that holds the X.509v3 certificate and key the switch presents when it establishes the TLS connection to the RADIUS server.
  • auth-port port-number—(Optional) Enter the port number used on the server for authentication, from 0 to 65535; default 1812. The default is the legacy RADIUS-over-UDP authentication port; RFC 6614 assigns TCP port 2083 to RADIUS over TLS, so set auth-port to the port your RADIUS/TLS server listens on.
  • key 0 authentication-key—Enter the shared key in plain text. A maximum of 42 characters.
  • key 9 authentication-key—Enter the shared key in encrypted format, as displayed in a saved configuration. A maximum of 128 characters.
  • key authentication-key—Enter the shared key in plain text; it is not necessary to enter 0 before the key. A maximum of 42 characters; default radius_secure. The default is publicly documented, so replace it with a long random key unique to each server.
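The following Python block, added here and not part of the Dell guide, shows what the MD5-based User-Password hiding of RFC 2865 section 5.2 actually does and why the shared secret is the only thing protecting a legacy RADIUS password on the wire: hide_password and unhide_password implement the algorithm, and recover_secret is the offline guessing attack an eavesdropper can run against a captured Access-Request once they know or can guess one user's password. The secret, password, Request Authenticator and candidate list are constructed for the example.

```python
import hashlib


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16, as RFC 2865 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password as a RADIUS client does.

    Block i of the padded password is XORed with MD5(secret + previous
    block), where the 'previous block' for the first block is the 16-byte
    Request Authenticator and afterwards is the previous *hidden* block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = _pad16(password)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Reverse hide_password; this is exactly what the server does."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden attribute must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def recover_secret(hidden: bytes, request_authenticator: bytes,
                   known_password: bytes, candidates):
    """Offline attack available to anyone holding a packet capture.

    The Request Authenticator is sent in clear, so every candidate secret
    can be tried without any further interaction with the server. Returns
    the first candidate that decrypts the capture to the known password.
    """
    for candidate in candidates:
        if unhide_password(hidden, candidate, request_authenticator) == known_password:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed values: in a real capture the authenticator is random per
    # request and the hidden attribute comes from the Access-Request packet.
    ra = bytes(range(16))
    captured = hide_password(b"Sup3rSecret!", b"radius_secure", ra)
    print("hidden User-Password:", captured.hex())
    wordlist = [b"wrong", b"testing123", b"radius_secure"]
    print("recovered shared secret:", recover_secret(captured, ra, b"Sup3rSecret!", wordlist))
```

Once the shared secret is recovered in this way, every other User-Password in the capture can be unhidden with unhide_password, which is why the default key must be replaced and why the page recommends RADIUS over TLS.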

Configure RADIUS authentication retries

Configure the number of times OS10 retransmits a RADIUS authentication request. To avoid unnecessary retries, configure a lower value.

OS10(config)# radius-server retransmit retries
OS10(config)# exit
OS10# write memory

retries—Enter the number of retry attempts, from 0 to 100.

Configure TACACS+ authentication

Configure the TACACS+ servers that OS10 contacts for authentication, authorization, and accounting. TACACS+ runs over TCP and obfuscates the whole packet body with an MD5-derived keystream (RFC 8907 describes this as obfuscation rather than encryption), so keep switch-to-server traffic on a trusted management network and use a unique key per server.

OS10(config)# tacacs-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
OS10(config)# exit
OS10# write memory
  • hostname—Enter the hostname of the TACACS+ server.
  • ip-address—Enter the IPv4 (A.B.C.D) or IPv6 (x:x:x:x::x) address of the TACACS+ server.
  • 0 authentication-key—Enter the shared key in plain text. A maximum of 42 characters.
  • 9 authentication-key—Enter the shared key in encrypted format, as displayed in a saved configuration. A maximum of 128 characters.
  • authentication-key—Enter the shared key in plain text; it is not necessary to enter 0 before the key. A maximum of 42 characters. The key is the only protection the TACACS+ packet body has on the wire, so do not share one key across servers.
  • auth-port port-number—(Optional) Enter the TCP port number used on the TACACS+ server, from 0 to 65535; default 49.

Configure TACACS+ authentication response timer

Configure the global timeout used to wait for an authentication response from TACACS+ servers. To avoid long waiting, configure a lower value.

OS10(config)# tacacs-server timeout seconds
OS10(config)# exit
OS10# write memory

seconds—Enter the timeout period used to wait for an authentication response from a TACACS+ server, from 1 to 1000 seconds.

View what authentication method is configured

To view what authentication method is configured on the system use the following command:

OS10# show running-configuration aaa
aaa authentication login default group radius local
aaa authentication login console local
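A practitioner will want to check a switch's AAA and privilege configuration against the points made in this guide rather than read it by eye. The following Python script is an added example, not Dell code: it parses a constructed excerpt of show running-configuration output (SAMPLE_CONFIG, with placeholder addresses, keys and hashes) and reports login method lists without a local fallback, missing or disabled accounting, server keys stored in plain text or left at the documented default, user passwords that are not SHA-256/SHA-512 hashes, and type-0 enable passwords. The regular expressions follow the command syntax shown on this page; adjust them if your release prints these lines differently.

```python
import re

# Constructed excerpt of "show running-configuration" output. The
# addresses, keys and password hashes are placeholders, not real values.
SAMPLE_CONFIG = """\
aaa authentication login default group radius local
aaa authentication login console local
aaa authorization commands role sysadmin console group tacacs+ local
aaa accounting commands all default stop-only logging group tacacs+
radius-server host 192.0.2.10 key 0 radius_secure auth-port 1812
tacacs-server host 192.0.2.20 key 9 9b2c4e6f8a1d3c5b7e9f0a2b4c6d8e0f
username admin password $6$q9QBeYjZ$placeholderhash role sysadmin priv-lvl 15
username ops password plaintext123 role netoperator priv-lvl 1
enable password 0 letmein priv-lvl 12
"""

LOGIN_RE = re.compile(r"^aaa authentication login (console|default) (.+)$")
ACCT_RE = re.compile(
    r"^aaa accounting (commands all|exec) (console|default) (start-stop|stop-only|none)")
SERVER_RE = re.compile(r"^(radius|tacacs)-server host (\S+) key (?:([09]) )?(\S+)")
USER_RE = re.compile(r"^username (\S+) password (\S+) role (\S+)")
ENABLE_RE = re.compile(r"^enable password (\S+) \S+ priv-lvl (\d+)")


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    logins = {}                                    # session type -> method list
    accounting = {"commands all": set(), "exec": set()}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := LOGIN_RE.match(line):
            logins[m.group(1)] = m.group(2).split()
        elif m := ACCT_RE.match(line):
            kind, session, mode = m.groups()
            if mode == "none":
                findings.append(f"accounting {kind} {session} is set to none")
            else:
                accounting[kind].add(session)
        elif m := SERVER_RE.match(line):
            proto, host, ktype, key = m.groups()
            if ktype != "9":                       # "key 0 ..." or a bare key
                findings.append(f"{proto}-server {host}: shared key stored in plain text")
            if key == "radius_secure":
                findings.append(f"{proto}-server {host}: key is the documented default radius_secure")
        elif m := USER_RE.match(line):
            user, pw, _role = m.groups()
            if not pw.startswith(("$5$", "$6$")):  # SHA-256 / SHA-512 crypt hashes
                findings.append(f"username {user}: password is not a SHA-256/SHA-512 hash")
        elif m := ENABLE_RE.match(line):
            etype, level = m.groups()
            if etype == "0":
                findings.append(f"enable password for priv-lvl {level} stored in plain text")
    # Lockout check: every session type needs a method list with a local fallback.
    for session in ("console", "default"):
        methods = logins.get(session)
        if methods is None:
            findings.append(f"no aaa authentication login {session} method list")
        elif "local" not in methods:
            findings.append(
                f"login {session}: no local fallback, unreachable servers lock out {session} sessions")
    # Accounting should cover both commands and login events on both session types.
    for kind in ("commands all", "exec"):
        for session in ("console", "default"):
            if session not in accounting[kind]:
                findings.append(f"no aaa accounting {kind} {session}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the saved output of show running-configuration (the aaa, radius-server, tacacs-server, username and enable sections together); the sample excerpt produces seven findings, none of them about the TACACS+ server or the admin account, which are configured the way the guide recommends.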
