Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)

18 Security

This section describes device security and access control. The system handles various types of security. The following list of topics describes the various types of security features described in this section. Some features are used for more than a single type of security or control, and so they appear twice in the list of topics below.

Permission to administer the device is described in the following sections:
•Defining Users
•Configuring TACACS+
•Configuring RADIUS
•Management Access Method
•Management Access Method
•Secure Sensitive Data Management
•SSL Server

Protection from attacks directed at the device CPU is described in the following sections:
•Configuring TCP/UDP Services
•Defining Storm Control
•Access Control

Access control of end-users to the network through the device is described in the following sections:
•Management Access Method
•Management Access Method
•Configuring TACACS+
•Configuring RADIUS
•Configuring Port Security
•802.1X
•Defining Time Ranges

Protection from other network users is described in the following sections. These are attacks that pass through, but are not directed at, the device.
•Denial of Service Prevention
•DHCP Snooping
•SSL Server
•Defining Storm Control
•Configuring Port Security
•IP Source Guard
•ARP Inspection
•Access Control
•First Hop Security

Defining Users

The default username/password is cisco/cisco. The first time that you log in with the default username and password, you are required to enter a new password. Password complexity is enabled by default. If the password that you choose is not complex enough (Password Complexity Settings are enabled in the Password Strength page), you are prompted to create another password.

Setting User Accounts

The User Accounts page enables entering additional users that are permitted to access the device (read-only or read-write) or changing the passwords of existing users. After adding a level 15 user (as described below), the default user is removed from the system.
NOTE It is not permitted to delete all users. If all users are selected, the Delete button is disabled.

To add a new user:

STEP 1 Click Administration > User Accounts. This page displays the users defined in the system and their user privilege level.

STEP 2 Select Password Recovery Service to enable this feature. When this is enabled, an end user with physical access to the console port of the device can enter the boot menu and trigger the password recovery process. When the boot system process ends, you are allowed to log in to the device without password authentication. Entering the device is allowed only via the console and only when the console is connected to the device with physical access. When the password recovery mechanism is disabled, accessing the boot menu is still allowed and you can trigger the password recovery process. The difference is that in this case, all configuration and user files are removed during the system boot process, and a suitable log message is generated to the terminal.

STEP 3 Click Add to add a new user or click Edit to modify a user.

STEP 4 Enter the parameters.
•User Name—Enter a new username between 0 and 20 characters. UTF-8 characters are not permitted.
•Password—Enter a password (UTF-8 characters are not permitted). If the password strength and complexity is defined, the user password must comply with the policy configured in the Setting Password Complexity Rules section.
•Confirm Password—Enter the password again.
•Password Strength Meter—Displays the strength of the password. The policy for password strength and complexity is configured in the Password Strength page.
•User Level—Select the privilege level of the user being added/edited.
-Read-Only CLI Access (1)—User cannot access the GUI, and can only access CLI commands that do not change the device configuration.
-Read/Limited Write CLI Access (7)—User cannot access the GUI, and can only access some CLI commands that change the device configuration. See the CLI Reference Guide for more information.
-Read/Write Management Access (15)—User can access the GUI, and can configure the device.

STEP 5 Click Apply. The user is added to the Running Configuration file of the device.

Setting Password Complexity Rules

Passwords are used to authenticate users accessing the device. Simple passwords are potential security hazards. Therefore, password complexity requirements are enforced by default and may be configured as necessary. Password complexity requirements are configured on the Password Strength page reached through the Security drop-down menu. Additionally, password aging time may be configured on this page.

To define password complexity rules:

STEP 1 Click Security > Password Strength.

STEP 2 Enter the following aging parameters for passwords:
•Password Aging—If selected, the user is prompted to change the password when the Password Aging Time expires.
•Password Aging Time—Enter the number of days that can elapse before the user is prompted to change the password.

NOTE Password aging also applies to zero-length passwords (no password).

STEP 3 Select Password Complexity Settings to enable complexity rules for passwords. If password complexity is enabled, new passwords must conform to the following default settings:
•Have a minimum length of eight characters.
•Contain characters from at least three character classes (uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard).
•Are different from the current password.
•Contain no character that is repeated more than three times consecutively.
•Do not repeat or reverse the user's name or any variant reached by changing the case of the characters.
•Do not repeat or reverse the manufacturer's name or any variant reached by changing the case of the characters.

STEP 4 If the Password Complexity Settings are enabled, the following parameters may be configured:
•Minimal Password Length—Enter the minimal number of characters required for passwords.

NOTE A zero-length password (no password) is allowed, and can still have password aging assigned to it.

•Allowed Character Repetition—Enter the number of times that a character can be repeated.
•Minimal Number of Character Classes—Enter the number of character classes which must be present in a password. Character classes are lower case (1), upper case (2), digits (3), and symbols or special characters (4).
•The New Password Must Be Different than the Current One—If selected, the new password cannot be the same as the current password upon a password change.

STEP 5 Click Apply. The password settings are written to the Running Configuration file.

NOTE Configuring the username-password equivalence and manufacturer-password equivalence may be done through the CLI. See the CLI Reference Guide for further instruction.

Configuring TACACS+

An organization can establish a Terminal Access Controller Access Control System (TACACS+) server to provide centralized security for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization. The device can act as a TACACS+ client that uses the TACACS+ server for the following services:
•Authentication—Provides authentication of users logging onto the device by using usernames and user-defined passwords.
•Authorization—Performed at login. After the authentication session is completed, an authorization session starts using the authenticated username. The TACACS+ server then checks user privileges.
•Accounting—Enable accounting of login sessions using the TACACS+ server. This enables a system administrator to generate accounting reports from the TACACS+ server.

In addition to providing authentication and authorization services, the TACACS+ protocol helps to ensure TACACS message protection through encrypted TACACS body messages.

TACACS+ is supported only with IPv4.

Some TACACS+ servers support a single connection that enables the device to receive all information in a single connection. If the TACACS+ server does not support this, the device reverts to multiple connections.

Accounting Using a TACACS+ Server

The user can enable accounting of login sessions using either a RADIUS or TACACS+ server.

The user-configurable TCP port used for TACACS+ server accounting is the same TCP port that is used for TACACS+ server authentication and authorization.
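The default rules from the Setting Password Complexity Rules section, implemented as an added example that is not from the Cisco guide or the switch firmware: a Python validator whose policy object mirrors the Password Strength page parameters (Minimal Password Length, Minimal Number of Character Classes, Allowed Character Repetition, New Password Must Be Different), so an operator can pre-check a candidate password before entering it on the User Accounts page. Assumptions: the rule names it returns, the sample username "admin", and the reading of "repeat or reverse the user's name" as a case-insensitive substring check for the name and its reverse.

```python
# Added example (not from the Cisco guide): a validator that applies the guide's
# default password complexity rules. Thresholds mirror the Password Strength
# page parameters; the "name or its reverse as a substring" reading of
# "repeat or reverse the user's name" is an assumption.
from dataclasses import dataclass
import string


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirrors the configurable parameters of the Password Strength page."""
    min_length: int = 8               # Minimal Password Length
    min_classes: int = 3              # Minimal Number of Character Classes
    allowed_repetition: int = 3       # Allowed Character Repetition (consecutive)
    must_differ_from_current: bool = True
    manufacturer_names: tuple = ("cisco",)


DEFAULT_POLICY = PasswordPolicy()


def char_classes(password: str) -> set:
    """Classes present: lower (1), upper (2), digit (3), symbol (4)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def longest_run(password: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best, run, prev = 0, 0, None
    for ch in password:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def contains_name(password: str, name: str) -> bool:
    """Case-insensitive check for the name or its reverse (assumed substring match)."""
    low, n = password.lower(), name.lower()
    return bool(n) and (n in low or n[::-1] in low)


def check_password(candidate: str, username: str, current: str = None,
                   policy: PasswordPolicy = DEFAULT_POLICY) -> list:
    """Return the names of the rules the candidate violates; [] means accepted."""
    if candidate == "":
        # The guide notes a zero-length password is allowed under complexity settings.
        return []
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("min_length")
    if len(char_classes(candidate)) < policy.min_classes:
        violations.append("char_classes")
    if policy.must_differ_from_current and current is not None and candidate == current:
        violations.append("same_as_current")
    if longest_run(candidate) > policy.allowed_repetition:
        violations.append("repetition")
    if contains_name(candidate, username):
        violations.append("username")
    if any(contains_name(candidate, m) for m in policy.manufacturer_names):
        violations.append("manufacturer")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates for the user "admin" (not real credentials).
    for pw in ("Cisco123!", "nimdA#2024", "aaaa1234B!", "Tr0ub4dor&3"):
        print(repr(pw), "->", check_password(pw, "admin") or "accepted")
```

Running it shows why the first three samples would be bounced by the switch (manufacturer name, reversed username, four-character run) while the last one passes; a custom `PasswordPolicy(...)` reproduces whatever values an administrator has set on the Password Strength page.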
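To make the "single connection" negotiation and the "encrypted TACACS body messages" described above concrete, here is an added example, not from the Cisco guide or its firmware, that frames and parses the TACACS+ header and body transformation as specified in RFC 8907 (the published TACACS+ specification). The header layout, flag values and MD5 pseudo-pad construction come from the RFC; the shared secret, session id and body bytes are constructed samples. RFC 8907 itself calls the body transformation obfuscation rather than encryption: it is an XOR with an MD5-derived keystream seeded by the shared secret, so the secret's length and uniqueness, and the absence of the unencrypted flag on the wire, are what actually protect the AAA exchange.

```python
# Added example (not from the Cisco guide): a minimal encoder/parser for the
# TACACS+ header and RFC 8907 body obfuscation, so an operator can sanity-check
# captured or generated AAA traffic. Key, session id and body are constructed.
import hashlib
import struct

HEADER_FORMAT = "!BBBBII"                   # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FORMAT)  # 12 bytes
TAC_PLUS_UNENCRYPTED_FLAG = 0x01             # body sent in the clear: credentials exposed
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04          # peer wants all sessions on one TCP connection
PACKET_TYPES = {0x01: "authentication", 0x02: "authorization", 0x03: "accounting"}
VERSION_DEFAULT = 0xC0                       # major version 0xC, minor version 0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 keystream: MD5_1 = MD5(session_id|key|version|seq_no) and
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes,
                 single_connect: bool = False, version: int = VERSION_DEFAULT) -> bytes:
    """Frame a body into a TACACS+ packet; an empty key sends it unobfuscated."""
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if key:
        payload = obfuscate(body, session_id, key, version, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    header = struct.pack(HEADER_FORMAT, version, ptype, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Decode the header, recover the body, and report the flags an operator cares about."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FORMAT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("body truncated: header length does not match bytes present")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = payload if cleartext else obfuscate(payload, session_id, key, version, seq_no)
    return {
        "version": version,
        "type": PACKET_TYPES.get(ptype, "unknown"),
        "seq_no": seq_no,
        "session_id": session_id,
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
        "cleartext": cleartext,
        "body": body,
    }


if __name__ == "__main__":
    key = b"example-shared-secret"  # constructed sample, not a real key
    pkt = build_packet(0x01, 1, 0x12345678, b"constructed sample body", key, single_connect=True)
    print(parse_packet(pkt, key))
```

A monitoring script built on `parse_packet` has two useful signals: `cleartext` is True whenever a peer set the unencrypted flag, which should never happen between a switch and a production AAA server, and `single_connect` shows whether the server advertised the single-connection mode the guide mentions, which explains why some deployments see one long-lived TCP connection and others a connection per session.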