Configuring Network Security

Security management controls access to network resources using local guidelines so that sensitive information cannot be accessed without appropriate authorization. For example, a security management subsystem can monitor users logging onto a network resource and refuse access to those who enter inappropriate access codes.

Security management partitions network resources into authorized and unauthorized areas. Certain users can be denied access to all network resources. Other users can be granted access to a network resource, such as a particular system, but can be denied access to areas on that system that contain sensitive information. Security management identifies sensitive network resources, determines mappings between sensitive network resources and user sets, monitors access points to sensitive network resources, and logs inappropriate access to sensitive network resources.

The Catalyst 5000 series switch features the following network security tools:

MAC address security
Terminal Access Controller Access Control System Plus (TACACS+)

MAC Address Security

Media Access Control (MAC) address security allows the Catalyst 5000 series switch to block input to an Ethernet or Fast Ethernet port when the MAC address of a station attempting to access the port is different from the configured MAC address. When a port receives a packet, the module compares the source address of that packet to the secure source address learned by the port. When a source address change occurs, the port is disabled, and the LED for that port turns orange. When the port is reenabled, the port LED turns green.

MAC address security does not apply to trunk ports where the source addresses change frequently.

Procedure

To enable MAC address security, perform this task:

Task                   Command
---------------------  ---------------------------------------------------
Enable port security.  set port security mod_num/port_num(s) enable [mac_addr]

The set port security command allows you to set a specified port's MAC address to the given address. If the MAC address is not given, the address is learned. Once the address is learned, it remains unchanged until the system relearns it when you reenter the command. The MAC address is stored in nonvolatile random-access memory (NVRAM) and is maintained even after a reset. When a packet's source address does not match the allowed address, the port through which the packet came is disabled, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) Manager. After entering the set port security command, you see the following example screen:

Console> set port security
Usage:set port security modNum/portNum(s) <enable|disable> [mac_addr]
Console> set port security 3/1 enable 
Port 3/1 port security enabled with the learned mac address.
Console> set port security 3/1 enable 01-02-03-04-05-06 
Port 3/1 port security enabled with 01-02-03-04-05-06 as the secure mac address.
Console>(enable)

To disable MAC address security, enter the set port security mod_num/port_num(s) disable [mac_addr] command.
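The following model of the port security behaviour described above is an added example, not code from this manual or from Cisco. It reproduces the learn-on-first-frame rule, the shutdown and link-down trap on a source address change, and the show port rule that MAC addresses are hidden while learning or while security is disabled; the assumption that re-entering set port security clears a shutdown is marked in the code.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SecurePort:
    name: str                                   # port, e.g. "3/1"
    security: bool = False                      # set port security ... enable|disable
    secure_addr: Optional[str] = None           # configured or learned secure MAC
    last_addr: Optional[str] = None             # Last-Src-Addr
    shutdown: bool = False                      # port disabled after a mismatch
    src_addr_changes: int = 0                   # Src-addr-Changes counter
    traps: List[str] = field(default_factory=list)  # link-down traps sent to the SNMP manager

    def set_security(self, enable: bool, mac: Optional[str] = None) -> str:
        """set port security <port> enable [mac_addr] / disable."""
        self.security = enable
        if not enable:
            return f"Port {self.name} port security disabled."
        # Re-entering the command relearns the address; assumption: it also clears the shutdown.
        self.secure_addr = mac.lower() if mac else None
        self.shutdown = False
        if mac:
            return f"Port {self.name} port security enabled with {mac} as the secure mac address."
        return f"Port {self.name} port security enabled with the learned mac address."

    def receive(self, src_mac: str) -> bool:
        """Compare a frame's source address with the secure address; True if accepted."""
        src_mac = src_mac.lower()
        if self.shutdown:
            return False
        self.last_addr = src_mac
        if not self.security:
            return True
        if self.secure_addr is None:            # learning mode: keep the first source seen
            self.secure_addr = src_mac
            return True
        if src_mac != self.secure_addr:         # source address change: disable port, send trap
            self.src_addr_changes += 1
            self.shutdown = True
            self.traps.append(f"linkDown {self.name}")
            return False
        return True

    def show_line(self) -> str:
        """One row of the 'show port' security table; MACs are hidden when learning or disabled."""
        state = "enabled" if self.security else "disabled"
        show = self.security and self.secure_addr is not None
        secure, last = (self.secure_addr, self.last_addr or "") if show else ("", "")
        return f"{self.name:<4} {state:<8}  {secure:<17}  {last:<17}  {'Yes' if self.shutdown else 'No'}"
```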

Verification

The show port command displays all security information, such as MAC addresses, the port counter values, and whether security is enabled or disabled. When the port is in learning mode, or if security is disabled, MAC addresses are not displayed. After entering the show port command with MAC address security enabled on port 3/1, port 3/3, and port 3/4, you see this display:

Console> show port help
Usage: show port
       show port <mod_num>
       show port <mod_num/port_num>
Console> show port 3
Port Name                 Status   Vlan       Level  Duplex Speed  Type
---- -------------------- -------- ---------- ------ ------ -----  ------------
3/1                       connect  1          normal   half    10  10 BASE-T
3/2                       connect  1          normal   half    10  10 BASE-T
3/3                       connect  1          normal   half    10  10 BASE-T
3/4                       shutdown 1          normal   half    10  10 BASE-T
3/5                       shutdown 1          normal   half    10  10 BASE-T
3/6                       shutdown 1          normal   half    10  10 BASE-T
3/7                       shutdown 1          normal   half    10  10 BASE-T
3/8                       shutdown 1          normal   half    10  10 BASE-T
3/9                       shutdown 1          normal   half    10  10 BASE-T
3/10                      shutdown 1          normal   half    10  10 BASE-T
3/11                      shutdown 1          normal   half    10  10 BASE-T
3/12                      shutdown 1          normal   half    10  10 BASE-T
3/13                      connect  3          normal   half    10  10 BASE-T
3/14                      connect  3          normal   half    10  10 BASE-T
3/15                      connect  3          normal   half    10  10 BASE-T
3/16                      connect  3          normal   half    10  10 BASE-T
3/17                      connect  3          normal   half    10  10 BASE-T
3/18                      connect  3          normal   half    10  10 BASE-T
3/19                      connect  3          normal   half    10  10 BASE-T
.
.
.
3/44                      connect  3          normal   half    10  10 BASE-T
3/45                      connect  3          normal   half    10  10 BASE-T
3/46                      connect  3          normal   half    10  10 BASE-T
3/47                      connect  3          normal   half    10  10 BASE-T
3/48                      shutdown 3          normal   half    10  10 BASE-T
Port Security  Secure-Src-Addr    Last-Src-Addr      Shutdown
---- --------  -----------------  -----------------  --------
3/1  enabled   01-02-03-04-05-06  01-02-03-04-05-06  No
3/2  disabled                                        No
3/3  enabled                                         No
3/4  enabled   05-06-07-08-09-10  10-11-12-13-14-15  Yes
...
...
3/48 enabled   16-17-18-19-20-21  22-23-24-25-26-27  Yes
Port Auto-Parts Fr-toolong Datarate-  crc-errors Runt-pkt   Good-Pkts  Src-addr-
                           Mismatch                                    Changes
---- ---------- ---------- ---------- ---------- ---------- ---------- -----------
3/1           0          0          0          0          0          0           0
3/2           0          0          0          0          0          0           0
3/3           0          0          0          0          0          0           0
3/4           0          0          0          0          0          0           0
3/5           0          0          0          0          0          0           0
...
...
3/48          0          0          0          0          0          0           0
Port Rcv-Multi  Xmit-Multi Good-Bytes Align-Errs Short-Evnt Late-Colls Excess-Col
---- ---------- ---------- ---------- ---------- ---------- ---------- ----------
3/1           0          0          0          0          0          0          0
3/2           0          0          0          0          0          0          0
3/3           0          0          0          0          0          0          0
3/4           0          0          0          0          0          0          0
3/5           0          0          0          0          0          0          0
...
...
3/48          0          0          0          0          0          0          0
Last-Time-Cleared
--------------------------
Wed Feb 22 1995, 18:28:46
Console>

Terminal Access Controller Access Control System Plus

The TACACS+ protocol exchanges Network Access Server (NAS) information between a network device and a centralized database. TACACS+ is a new version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol referenced by RFC 1492.

The TACACS+ protocol allows a separate access server (the TACACS+ server) to provide authentication, authorization, and accounting (AAA). These services, while all part of the TACACS+ protocol, are independent of one another, so that a given TACACS+ configuration can use any or all of the three services.


Note This implementation of the TACACS+ protocol for Catalyst 5000 series switches supports the authentication feature only.

Each service can be tied to its own database or can use the other services available on the TACACS+ server or on the network, as shown in Figure 10-1. The TACACS+ protocol uses Transmission Control Protocol (TCP) as its transport protocol to ensure reliable delivery and encrypts all traffic between the NAS and the TACACS+ daemon.


Figure 10-1: TACACS+ Protocol for Authentication

The TACACS+ protocol is an independent feature that is enabled or disabled at the user's discretion. If the TACACS+ protocol is not enabled, the current Catalyst 5000 series switch login interface is enabled by default.

The TACACS+ protocol allows you to perform these authentication tasks:

Prerequisite

You must configure a TACACS+ server before enabling the TACACS+ protocol on the Catalyst 5000 series switch.

Procedure

To configure the TACACS+ protocol, perform these steps in privileged mode:

Step    Task                                                               Command
------  -----------------------------------------------------------------  ---------------------------------------
Step 1  Enable TACACS+ authentication for login.                           set authentication login tacacs enable
Step 2  Enable TACACS+ authentication for enable.                          set authentication enable tacacs enable
Step 3  Configure the key used to encrypt packets.                         set tacacs key key
Step 4  Configure the server on which the TACACS+ server daemon resides.   set tacacs server ip_addr primary
Step 5  Configure the number of login attempts allowed to the TACACS+ server.  set tacacs attempts N
Step 6  Set the timeout interval in which the server daemon must respond.  set tacacs timeout N

Verification

To verify the TACACS+ configuration settings, use the show tacacs command. After entering the command, you see this display:

Console> show tacacs
Login authentication tacacs: enabled
Login authentication local: disabled
Enable authentication tacacs: enabled
Enable authentication local: disabled
Tacacs key: Stand and Deliver
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
Tacacs-Server       Status
---------------     -------
192.20.22.7         primary
192.20.22.8

Note The tacacs key can be displayed only in the enable mode.

Examples

This section shows how to configure the TACACS+ protocol using the set authentication and set tacacs commands. The last command in the example, show tacacs, displays the configuration. For more information on using these commands, refer to the Catalyst 5000 Series Command Reference publication.

Console> set authentication login tacacs enable
Console> set tacacs key Stand and Deliver
Console> set tacacs server 192.20.22.7 primary
Console> set tacacs attempts 3
The attempts value must be between 1 through 10.
Console> set tacacs timeout 5
The timeout value must be between 1 through 255.
Console> show tacacs

How TACACS+ Authentication Works

The authentication process controls access to network devices by determining the identity of a user or an entity. The TACACS+ protocol works with many types of authentication, such as fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually takes place in these instances:

When you first attempt to log on, the TACACS+ protocol takes your user password information, encrypts the information using the MD5 encryption algorithm, and adds a TACACS+ packet header. This header information identifies the type of packet being sent (for example, an authentication packet), the packet's sequence number, the type of encryption used, and the total length of the packet. The TACACS+ protocol then forwards the packet to the TACACS+ server.

When the TACACS+ server receives the packet, it does the following:

When you send a request for privileged or restricted services, the TACACS+ protocol asks you to provide the information necessary to access the privileged service.

If local password authentication is enabled and TACACS+ password authentication fails, the local password authentication is invoked. By default, only local authentication is enabled.

Disabling TACACS+ authentication automatically reenables local authentication.

A TACACS+ key can be configured on the Catalyst 5000 series switch. This key is used to encrypt the packets transmitted to the server and must be the same as the one configured on the server daemon. If a TACACS+ key is not configured, the packets will not be encrypted.


Note If a TACACS+ key is configured on the Catalyst 5000 series switch, make sure an identical key is configured on the TACACS+ server.
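The header fields listed in "How TACACS+ Authentication Works" and the key behaviour described just above (body encrypted with the shared key, sent in the clear when no key is configured) are shown together in this added example, which is not code from this manual or from Cisco. The MD5 pseudo-pad construction is the one in the TACACS+ specification (RFC 8907), which this page does not detail; the packet body and the session id are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # flag set when no TACACS+ key is configured
VERSION = 0xC0                    # major version 0xC, minor version 0
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length (12 bytes)


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """MD5 keystream from RFC 8907: MD5(session_id|key|version|seq_no|previous digest), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor(body: bytes, pad: bytes) -> bytes:
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, seq_no: int, key: bytes = b"") -> bytes:
    """Prepend the header; obfuscate the body with the shared key, or mark it unencrypted."""
    flags = 0
    if key:
        body = xor(body, pseudo_pad(session_id, key, seq_no, len(body)))
    else:                          # no key configured: body goes in the clear
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body


def parse_packet(packet: bytes, key: bytes = b"") -> dict:
    """Decode the header fields and recover the body; the same pad both encrypts and decrypts."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if not key:
            raise ValueError("encrypted packet received but no TACACS+ key configured")
        body = xor(body, pseudo_pad(session_id, key, seq_no, length))
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length, "body": body}
```

A server whose key differs from the switch's key recovers garbage from the body, which is why the note above insists on identical keys on both sides.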

Multiple TACACS+ servers can be configured. One of the servers can be specified as the primary server. The primary server is tried first.

Caution Make sure that the TACACS+ protocol is enabled and configured correctly before disabling the local login or enable authentication. If the TACACS+ protocol is enabled but not configured correctly, or if the TACACS+ server is not online, you may not be able to log in to the Catalyst 5000 series switch.

Note The TACACS+ protocol on the Catalyst 5000 series switch supports one privileged mode only (level 1).

Copyright 1989-1997 © Cisco Systems Inc.