Configuration Considerations

Use the information in this section to understand the limitations of some security functions, such as BSAC RADIUS servers and Layer 2 protocols, before you attempt to configure security.

Attribute Format for a Third-party RADIUS Server

If you use a third-party RADIUS server and need to modify its dictionary files, you must add the Vendor-Specific attribute (attribute #26) and use 1584 as the vendor code for all devices. The server must then return the vendor-assigned attribute number 192 (access-priority) with a decimal value of 1 to 6, ranging from read-only (1) to read-write-all (6), depending on the access level you want to grant.
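The following Python example is added here to show the on-the-wire shape of the attribute described above; it is not code from the original page or from any RADIUS server vendor. It assumes the standard RFC 2865 Vendor-Specific attribute layout (type 26, length, 4-byte vendor ID, then vendor-type, vendor-length and value) and encodes vendor 1584 / vendor-type 192 with a 4-byte integer. The decoder walks an Access-Accept attribute list, ignores other vendors' VSAs, and rejects values outside 1 to 6, which is the check a device-side parser should apply before mapping the value to an access level. Only levels 1 (read-only) and 6 (read-write-all) are named on the page; the intermediate levels are left as vendor-defined. The sample attribute list is constructed for the example.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
VENDOR_ID = 1584            # vendor code the page specifies for all devices
ACCESS_PRIORITY_TYPE = 192  # vendor-assigned attribute number (access-priority)

# Only the endpoints are given on the page; 2..5 are vendor-defined levels.
ACCESS_PRIORITY_NAMES = {1: "read-only", 6: "read-write-all"}


def encode_access_priority(level: int) -> bytes:
    """Build one Vendor-Specific attribute carrying access-priority = level."""
    if not 1 <= level <= 6:
        raise ValueError("access-priority must be 1..6")
    # vendor sub-attribute: vendor-type(1) vendor-length(1) value(4) -> length 6
    vendor_data = struct.pack("!BBI", ACCESS_PRIORITY_TYPE, 6, level)
    body = struct.pack("!I", VENDOR_ID) + vendor_data
    # outer attribute: type(1) length(1) + body; length covers the whole attribute
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_access_priority(attrs: bytes):
    """Return the access-priority integer from the first vendor-1584 /
    type-192 VSA in a RADIUS attribute list, or None if absent.
    Raises ValueError on malformed data or a value outside 1..6."""
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        i += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID:
            continue  # another vendor's VSA: not ours, skip it
        j = 4  # one or more vendor sub-attributes follow the vendor ID
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("bad vendor sub-attribute length")
            if vtype == ACCESS_PRIORITY_TYPE:
                if vlen != 6:
                    raise ValueError("access-priority must be a 4-byte integer")
                level = struct.unpack("!I", value[j + 2:j + 6])[0]
                if not 1 <= level <= 6:
                    raise ValueError(f"access-priority {level} out of range 1..6")
                return level
            j += vlen
    return None


def access_level_name(level: int) -> str:
    """Map a decoded level to the names the page gives for the endpoints."""
    return ACCESS_PRIORITY_NAMES.get(level, f"level {level} (vendor-defined)")


# Constructed Access-Accept attribute list: Reply-Message (type 18) "ok",
# a foreign VSA (vendor 9, sub-type 1, value "x") that must be ignored,
# then the vendor-1584 access-priority attribute with value 6.
SAMPLE_ACCESS_ACCEPT_ATTRS = (
    b"\x12\x04ok"
    + b"\x1a\x09\x00\x00\x00\x09\x01\x03x"
    + encode_access_priority(6)
)

if __name__ == "__main__":
    level = decode_access_priority(SAMPLE_ACCESS_ACCEPT_ATTRS)
    print(encode_access_priority(6).hex())      # 1a0c00000630c00600000006
    print(level, access_level_name(level))       # 6 read-write-all
```

A device that consumes this attribute should treat a missing or out-of-range value as "no privilege granted" rather than defaulting to a high level; the decoder above leaves that policy to the caller by returning None or raising.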

Authentication for Privileged EXEC Command Mode

Authentication for Privileged EXEC command mode supports the RADIUS and TACACS+ protocols. If the RADIUS and TACACS+ servers are not reachable, access to Privileged EXEC command mode is denied. You must open a new session and enter the same username and password you used to Telnet or SSH to the switch.

RADIUS on Management Ports

The management port supports the RADIUS protocol. When RADIUS packets are sent out of the management port, the SRC-IP address is properly entered in the RADIUS header.

For more information about the supported RADIUS servers, see the documentation of the RADIUS server.

RADIUS Server SNMP Accounting

An SNMP query sent to a device that has an unreachable RADIUS server configured as used-by snmp, with accounting enabled, can cause a timeout. The timeout occurs because the device that receives the SNMP query attempts to send accounting packets to the unreachable server before it responds. You can mitigate the timeout by configuring lower retry and timeout values for the RADIUS server. Alternatively, you can configure a higher timeout value for SNMP.

Single Profile Enhancement for BSAC RADIUS Servers

Before enabling Remote Authentication Dial-In User Service (RADIUS) accounting on the device, you must configure at least one RADIUS server.

The switch software supports Microsoft RADIUS servers (NPS on Windows 2008, IAS on Windows 2003), BaySecure Access Control (BSAC), Merit Network servers and Linux-based servers. To use these servers, you must first obtain the server software. You must also make changes to one or more configuration files for these servers.

Single Profile is a feature that is specific to BSAC RADIUS servers. In a BSAC RADIUS server, when you create a client profile, you can specify all the returnable attributes. When you use the same profile for different products, you specify all the returnable attributes in the single profile.

SNMP Cloned User Considerations

If the user from which you are cloning has authentication, you can choose for the new user either to have the same authentication protocol as the source user or to have no authentication. If you want the new user to have authentication, you must indicate that at the time you create the user, and you must provide a password for that user. You can assign a privacy protocol only to a user that has authentication.

If the user from which you are cloning has no authentication, then the new user has no authentication.

Source IP Configuration

Note

The following Source IP configuration considerations are only applicable on hardware platforms running VOSS Release 8.2 and later.

The Source IP is the IP address of the device sending the IP data packet. For devices running VOSS Release 8.2 and later, the system limits the Source IP to a maximum of three interfaces: the Out-of-Band (OOB) management interface, the VLAN management interface, or the Circuitless IP (CLIP) management interface. The system uses a separate routing table for each Segmented Management Instance interface, plus a default main table. Because multiple routing tables are in use, each management interface can have overlapping or identical static routes without interfering with the others. The main table holds a super-set of all routes, and the weight of a static route breaks ties between routes to the same destination that go through different segmented management interfaces. By default, the following weights are used, so the default route priority is management CLIP, then management VLAN, then management OOB:
  • mgmt CLIP - 100
  • mgmt VLAN - 200
  • mgmt OOB - 300

You can route packets through a different management interface than the default configuration, but you must add a specific static route or change the default weight of the management interface.
For example, if the default route uses mgmt CLIP and you want to use the mgmt OOB interface as the source IP to reach a RADIUS server, you must perform one of the following options:
  • Configure a specific source IP static route for the mgmt OOB interface:
    mgmt oob
    ip route 192.0.2.0/24 next-hop 198.51.100.1

OR

  • Configure the default mgmt OOB route weight lower than the default mgmt CLIP route weight:
    mgmt oob
    no ip route 0.0.0.0/0 next-hop 198.51.100.1
    ip route 0.0.0.0/0 next-hop 198.51.100.1 weight 50

Note

If you change the default route weight, the management interface with the lowest weight value becomes the default route for all segmented management interface traffic.
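The following Python model is added here to illustrate the route-selection behaviour described above; it is not code from the original page or from the VOSS software. It assumes one static-route table per management interface, a main table that is the union of those tables, most-specific-prefix selection first (assumed longest-prefix match) and the page's weights as the tie-break between equally specific routes, with the lowest weight winning. The next-hop addresses for the CLIP and VLAN default routes are constructed placeholders; the OOB next-hop and the RADIUS server subnet are the values from the page's example. Both options from the example are modelled so you can see that a specific /24 route only redirects traffic to that subnet, while lowering the OOB default weight redirects all segmented management traffic, which is the behaviour the Note above warns about.

```python
import ipaddress

# Default route weights from the page; lowest weight wins a tie.
DEFAULT_WEIGHTS = {"mgmt clip": 100, "mgmt vlan": 200, "mgmt oob": 300}


class SegmentedMgmtRouting:
    """Toy model: one static-route table per management interface plus a
    main table that is the union of them all (assumed behaviour)."""

    def __init__(self):
        self.tables = {iface: [] for iface in DEFAULT_WEIGHTS}
        # Each interface starts with its own default route. CLIP and VLAN
        # next-hops are constructed placeholders; OOB uses the page's value.
        self.add_route("mgmt clip", "0.0.0.0/0", "203.0.113.1")
        self.add_route("mgmt vlan", "0.0.0.0/0", "203.0.113.2")
        self.add_route("mgmt oob", "0.0.0.0/0", "198.51.100.1")

    def add_route(self, iface, prefix, next_hop, weight=None):
        """Equivalent of 'ip route <prefix> next-hop <nh> [weight <w>]'
        entered under 'mgmt <iface>'. Omitted weight means the default."""
        if weight is None:
            weight = DEFAULT_WEIGHTS[iface]
        self.tables[iface].append((ipaddress.ip_network(prefix), next_hop, weight))

    def remove_route(self, iface, prefix, next_hop):
        """Equivalent of 'no ip route <prefix> next-hop <nh>'."""
        net = ipaddress.ip_network(prefix)
        self.tables[iface] = [
            r for r in self.tables[iface] if not (r[0] == net and r[1] == next_hop)
        ]

    def main_table(self):
        """Super-set of every interface's routes: (iface, network, nh, weight)."""
        return [
            (iface, net, nh, w)
            for iface, routes in self.tables.items()
            for (net, nh, w) in routes
        ]

    def select(self, dst):
        """Egress management interface for dst: most specific prefix first,
        then lowest weight among routes of equal specificity."""
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.main_table() if ip in r[1]]
        if not candidates:
            return None
        best = min(candidates, key=lambda r: (-r[1].prefixlen, r[3]))
        return best[0]


def option_specific_route():
    """Option 1 from the page: a /24 static route under mgmt oob."""
    r = SegmentedMgmtRouting()
    r.add_route("mgmt oob", "192.0.2.0/24", "198.51.100.1")
    return r


def option_lower_weight():
    """Option 2 from the page: re-add the OOB default route with weight 50."""
    r = SegmentedMgmtRouting()
    r.remove_route("mgmt oob", "0.0.0.0/0", "198.51.100.1")
    r.add_route("mgmt oob", "0.0.0.0/0", "198.51.100.1", weight=50)
    return r


if __name__ == "__main__":
    radius_server, other_host = "192.0.2.10", "203.0.113.50"
    for label, model in [("default", SegmentedMgmtRouting()),
                         ("specific route", option_specific_route()),
                         ("lower weight", option_lower_weight())]:
        print(f"{label:15} RADIUS -> {model.select(radius_server):10} "
              f"other -> {model.select(other_host)}")
```

Running it shows the RADIUS server reached via mgmt clip by default, via mgmt oob under either option, and, only under the lower-weight option, every other destination also moving to mgmt oob.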

For VOSS Release 8.1.5 and earlier, there was a potential for thousands of different Source IP management interfaces for applications initiating an outbound connection without a Source IP specified. To avoid Source IP fluctuations for many management interfaces with frequent route updates, you could specify the Source IP for applications where the source IP identifies the client. Configuring a Source IP for specific management applications is deprecated in VOSS Release 8.2 and later.

Note

This applies only to client management applications that initiate an outgoing connection without a specified source IP address. If an application is running in server mode, the source IP address of the reply packet is set to the destination IP address of the original request for TCP connections.