Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version), Chapter 18: Security

Configuring TACACS+

The following information is sent to the TACACS+ server by the device when a user logs in or out:

Table 2: TACACS+ accounting arguments

Argument       Description                                          In Start Message   In Stop Message
task_id        A unique accounting session identifier.              Yes                Yes
user           Username that is entered for login authentication.   Yes                Yes
rem-addr       IP address of the user.                              Yes                Yes
elapsed-time   Indicates how long the user was logged in.           No                 Yes
reason         Reports why the session was terminated.              No                 Yes

Defaults

The following defaults are relevant to this feature:
•No TACACS+ server is defined by default.
•If you configure a TACACS+ server, the accounting feature is disabled by default.

Interactions With Other Features

You cannot enable accounting on both a RADIUS and a TACACS+ server.

Workflow

To use a TACACS+ server, do the following:
STEP 1 Open an account for a user on the TACACS+ server.
STEP 2 Configure that server along with the other parameters in the TACACS+ and Add TACACS+ Server pages.
STEP 3 Select TACACS+ in the Management Access Authentication page, so that when a user logs onto the device, authentication is performed on the TACACS+ server instead of in the local database.

NOTE If more than one TACACS+ server has been configured, the device uses the configured priorities of the available TACACS+ servers to select the server to be used.

Configuring a TACACS+ Server

The TACACS+ page enables configuring TACACS+ servers. Only users who have privilege level 15 on the TACACS+ server can administer the device. Privilege level 15 is given to a user or group of users on the TACACS+ server by the following string in the user or group definition:

service = exec {
    priv-lvl = 15
}

To configure TACACS+ server parameters:
STEP 1 Click Security > TACACS+.
STEP 2 Enable TACACS+ Accounting if required. See the explanation in the Accounting Using a TACACS+ Server section.
STEP 3 Enter the following default parameters:
•Key String—Enter the default key string used for communicating with all TACACS+ servers, in Encrypted or Plaintext mode. The device can be configured to use this key or to use a key entered for a specific server (entered in the Add TACACS+ Server page). If you do not enter a key string in this field, the server key entered in the Add TACACS+ Server page must match the key configured on the TACACS+ server. If you enter both a key string here and a key string for an individual TACACS+ server, the key string configured for the individual server takes precedence.
•Timeout for Reply—Enter the amount of time that passes before the connection between the device and the TACACS+ server times out. If a value is not entered in the Add TACACS+ Server page for a specific server, the value is taken from this field.
•Source IPv4—(In Layer 3 system mode only) Select the device IPv4 source interface to be used in messages sent for communication with the TACACS+ server.
•Source IPv6—(In Layer 3 system mode only) Select the device IPv6 source interface to be used in messages sent for communication with the TACACS+ server.

NOTE If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.

STEP 4 Click Apply. The TACACS+ default settings are added to the Running Configuration file. These are used if the equivalent parameters are not defined in the Add page.
STEP 5 To add a TACACS+ server, click Add.
STEP 6 Enter the parameters.
•Server Definition—Select one of the following ways to identify the TACACS+ server:
-By IP Address—If this is selected, enter the IP address of the server in the Server IP Address/Name field.
-By Name—If this is selected, enter the name of the server in the Server IP Address/Name field.
•IP Version—Select the IP version of the server address: IPv6 or IPv4.
•IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:
-Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
-Global—The IPv6 address is a global unicast IPv6 address that is visible and reachable from other networks.
•Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.
•Server IP Address/Name—Enter the IP address or name of the TACACS+ server.
•Priority—Enter the order in which this TACACS+ server is used. Zero is the highest priority, and that server is used first. If the device cannot establish a session with the highest priority server, it tries the server with the next highest priority.
•Source IP Address—(For SG500X devices and other devices in Layer 3 system mode) Select whether to use the default device source address or one of the available device IP addresses for communication with the TACACS+ server.
•Key String—Enter the key string used for authenticating and protecting traffic between the device and the TACACS+ server. This key must match the key configured on the TACACS+ server. TACACS+ protects the packet body by XORing it with an MD5-derived keystream computed from this key; RFC 8907 calls this obfuscation rather than encryption, because anyone who knows or guesses the key can read every packet, and the packet header is never protected. Treat the key as a credential (long, random, not shared with unrelated devices) and carry TACACS+ traffic on a management network that untrusted hosts cannot reach. You can select the default key on the device, or the key can be entered in Encrypted or Plaintext form. If you do not have an encrypted key string (from another device), enter the key string in plaintext mode and click Apply. The encrypted key string is generated and displayed. If you enter a key here, it overrides the default key string if one has been defined for the device on the main page.
•Timeout for Reply—Enter the amount of time that passes before the connection between the device and the TACACS+ server times out. Select Use Default to use the default value displayed on the page.
•IP Port—Enter the TCP port number through which the TACACS+ session occurs (the standard TACACS+ port is 49).
•Single Connection—Select to enable exchanging all information over a single TCP connection. If the TACACS+ server does not support this, the device reverts to multiple connections.
STEP 7 To display sensitive data in plaintext form in the configuration file, click Display Sensitive Data As Plaintext.
STEP 8 Click Apply. The TACACS+ server is added to the Running Configuration file of the device.
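The accounting records of Table 2 and the key handling described under Key String, shown end to end as an added example (Python, not code from this guide or from Cisco). The block builds the accounting START and STOP requests a device sends at login and logout, obfuscates the body exactly as RFC 8907 section 4.5 defines it (XOR with a chained MD5 pad keyed by the shared Key String), and parses them back on the server side. The key, session IDs, username, address and argument values are constructed for the example; task_id, elapsed_time and reason are the standard argument names, while user and rem-addr travel in dedicated body fields rather than as arguments.

```python
"""TACACS+ accounting START/STOP records on the wire (RFC 8907)."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0        # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03           # packet type: accounting
ACCT_FLAG_START = 0x02
ACCT_FLAG_STOP = 0x04
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length

KEY = b"example-shared-secret"      # assumption: the Key String configured on switch and server


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(same|MD5_n-1); concatenate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def acct_request_body(flags, user, port, rem_addr, args, priv_lvl=15):
    """Accounting REQUEST body, RFC 8907 section 7.1 layout."""
    strings = [s.encode() for s in (user, port, rem_addr)]
    arg_bytes = [a.encode() for a in args]
    fixed = struct.pack("!9B", flags,
                        0x06,            # authen_method: TACACSPLUS
                        priv_lvl,
                        0x01,            # authen_type: ASCII
                        0x01,            # authen_service: LOGIN
                        *(len(s) for s in strings), len(arg_bytes))
    return fixed + bytes(len(a) for a in arg_bytes) + b"".join(strings) + b"".join(arg_bytes)


def build_packet(body, session_id, key, seq_no=1):
    # header flags 0x00: body obfuscated; 0x01 would mark it unencrypted,
    # 0x04 is the single-connect flag behind the Single Connection option
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    """Server side: the header is cleartext; only the body needs the key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def parse_acct_body(body):
    (flags, _method, priv_lvl, _atype, _service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!9B", body[:9])
    off = 9
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    user = body[off:off + user_len].decode(); off += user_len
    port = body[off:off + port_len].decode(); off += port_len
    rem_addr = body[off:off + rem_len].decode(); off += rem_len
    args = {}
    for n in arg_lens:
        name, _, value = body[off:off + n].decode().partition("=")
        args[name] = value
        off += n
    return {"flags": flags, "priv_lvl": priv_lvl, "user": user,
            "port": port, "rem_addr": rem_addr, "args": args}


def example_packets(key=KEY):
    """What the device sends for one admin session: START at login, STOP at logout."""
    start = acct_request_body(ACCT_FLAG_START, "netadmin", "vty0", "192.0.2.10",
                              ["task_id=42", "start_time=1700000000", "service=shell"])
    stop = acct_request_body(ACCT_FLAG_STOP, "netadmin", "vty0", "192.0.2.10",
                             ["task_id=42", "stop_time=1700000300", "elapsed_time=300", "reason=exit"])
    # each accounting exchange is its own TACACS+ session, hence its own session_id
    return [build_packet(start, 0x1A2B3C4D, key), build_packet(stop, 0x5E6F7A8B, key)]


def example_records(key=KEY):
    """Server view of the two records once deobfuscated with the right key."""
    return [parse_acct_body(parse_packet(p, key)["body"]) for p in example_packets(key)]
```

Deobfuscating with the wrong key yields a different body with no error from the protocol itself, which is why a Key String mismatch shows up on the server as a malformed request rather than as an authentication failure. The session ID and sequence number are readable by anyone on the path, so the key is the only thing standing between a packet capture and the full record.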
Configuring RADIUS

Remote Authentication Dial-In User Service (RADIUS) servers provide centralized 802.1X or MAC-based network access control. An organization can establish a RADIUS server to provide centralized network access control for all of its devices; in this way, authentication and authorization can be handled on a single server for all devices in the organization. The device is a RADIUS client that can use the RADIUS server for the following services:
•Authentication—Provides authentication of regular and 802.1X users logging onto the device by using usernames and user-defined passwords.
•Authorization—Performed at login. After the authentication session is completed, an authorization session starts using the authenticated username. The RADIUS server then checks user privileges.
•Accounting—Enables accounting of login sessions using the RADIUS server. This enables a system administrator to generate accounting reports from the RADIUS server.

Accounting Using a RADIUS Server

The user can enable accounting of login sessions using a RADIUS server. RADIUS runs over UDP; accounting requests are sent to a user-configurable UDP port (the Accounting Port in the Add RADIUS Server page) that is separate from the UDP port used for authentication and authorization (the Authentication Port).

Defaults

The following defaults are relevant to this feature:
•No RADIUS server is defined by default.
•If you configure a RADIUS server, the accounting feature is disabled by default.
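The authentication exchange described above, with both sides, as an added example (Python, not code from this guide or from Cisco). It builds the RFC 2865 Access-Request a RADIUS client such as this switch sends for a management login, hides the User-Password attribute with the shared secret (the Key String) the way the RFC specifies, has a minimal server answer with an Access-Accept or Access-Reject carrying a Response Authenticator, and has the client verify that authenticator with its own secret. The secret, user database and addresses are constructed; the server is a stand-in, not a real RADIUS implementation.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), both sides."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
AUTH_PORT, ACCT_PORT = 1812, 1813         # IANA-assigned UDP ports (authentication, accounting)

SECRET = b"example-shared-secret"         # assumption: the Key String on switch and server
USERS = {"netadmin": b"correct horse"}    # constructed server-side user database


def attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, off = {}, 0
    while off < len(data):
        atype, alen = data[off], data[off + 1]
        attrs[atype] = data[off + 2:off + alen]
        off += alen
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR block i with MD5(secret + c(i-1))."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(password), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(password[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def access_request(secret, username, password, nas_ip, ident=7):
    """Client (switch) side. Only User-Password is hidden; everything else is cleartext."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(req, secret, users):
    """Server side: reveal the password with its own secret, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", req[:4])
    request_auth, attrs = req[4:20], parse_attrs(req[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply_code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, b"", request_auth, secret)
    return packet(reply_code, ident, auth, b"")


def client_verify(req, reply, secret) -> bool:
    """Client side: trust the reply only if its Response Authenticator checks out under our secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], req[4:20], secret)
    return ident == req[1] and reply[4:20] == expected


def login(username, password, client_secret=SECRET, server_secret=SECRET) -> dict:
    """One round trip; the two secrets can be set apart to simulate a Key String mismatch."""
    req = access_request(client_secret, username, password, "192.0.2.1")
    reply = server_handle(req, server_secret, USERS)
    return {"accepted": reply[0] == ACCESS_ACCEPT,
            "reply_valid": client_verify(req, reply, client_secret),
            "username_in_clear": username.encode() in req}
```

Two points worth checking against this: with mismatched secrets the server reveals garbage and rejects, and the client then discards the reply because the Response Authenticator does not verify, so from the switch's side a wrong Key String is indistinguishable from a server that never answers (it burns through Retries and Timeout for Reply and then moves to the next server or marks this one dead). And only the password is hidden; the username, NAS address and all accounting attributes are readable on the wire. Current servers also expect a Message-Authenticator attribute in Access-Request (RFC 5080, and the 2024 Blast-RADIUS mitigations), which this minimal client omits.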
Interactions With Other Features

You cannot enable accounting on both a RADIUS and a TACACS+ server.

RADIUS Workflow

To use a RADIUS server, do the following:
STEP 1 Open an account for the device on the RADIUS server.
STEP 2 Configure that server along with the other parameters in the RADIUS and Add RADIUS Server pages.

NOTE If more than one RADIUS server has been configured, the device uses the configured priorities of the available RADIUS servers to select the server to be used.

To set the RADIUS server parameters:
STEP 1 Click Security > RADIUS.
STEP 2 Select the RADIUS Accounting option. The following options are available:
•Port Based Access Control (802.1X, MAC Based, Web Authentication)—Specifies that the RADIUS server is used for 802.1X port accounting.
•Management Access—Specifies that the RADIUS server is used for user login accounting.
•Both Port Based Access Control and Management Access—Specifies that the RADIUS server is used for both user login accounting and 802.1X port accounting.
•None—Specifies that the RADIUS server is not used for accounting.
STEP 3 Enter the default RADIUS parameters if required. Values entered in the Default Parameters are applied to all servers. If a value is not entered for a specific server (in the Add RADIUS Server page), the device uses the values in these fields.
•Retries—Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred.
•Timeout for Reply—Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server.
•Dead Time—Enter the number of minutes that elapse before a non-responsive RADIUS server is bypassed for service requests. If the value is 0, the server is not bypassed.
•Key String—Enter the default key string (shared secret) used for authenticating traffic between the device and the RADIUS server. This key must match the key configured on the RADIUS server. The secret feeds the MD5 computations that hide the User-Password attribute and that produce the Response Authenticator on the server's reply; the rest of each RADIUS packet, including usernames and accounting data, travels in cleartext, so treat the secret as a credential and keep RADIUS traffic on a protected management network. The key can be entered in Encrypted or Plaintext form. If you do not have an encrypted key string (from another device), enter the key string in plaintext mode and click Apply. The encrypted key string is generated and displayed. A key entered for an individual server (in the Add RADIUS Server page) overrides this default key string.
•Source IPv4—(In Layer 3 system mode only) Select the device IPv4 source interface to be used in messages for communication with the RADIUS server.
•Source IPv6—(In Layer 3 system mode only) Select the device IPv6 source interface to be used in messages for communication with the RADIUS server.

NOTE If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.

STEP 4 Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file. To add a RADIUS server, click Add.
STEP 5 Enter the values in the fields for each RADIUS server. To use the default values entered in the RADIUS page, select Use Default.
•Server Definition—Select whether to specify the RADIUS server by IP address or name.
•IP Version—Select the version of the IP address of the RADIUS server.
•IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:
-Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.
-Global—The IPv6 address is a global unicast IPv6 address that is visible and reachable from other networks.
•Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.
•Server IP Address/Name—Enter the RADIUS server by IP address or name.
•Priority—Enter the priority of the server. The priority determines the order in which the device attempts to contact the servers to authenticate a user. The device starts with the highest priority RADIUS server first. Zero is the highest priority.
•Key String—Enter the key string used for authenticating communication between the device and the RADIUS server. This key must match the key configured on the RADIUS server. It can be entered in Encrypted or Plaintext format. If Use Default is selected, the device attempts to authenticate to the RADIUS server by using the default Key String.
•Timeout for Reply—Enter the number of seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server if the maximum number of retries has been made. If Use Default is selected, the device uses the default timeout value.
•Authentication Port—Enter the UDP port number of the RADIUS server port for authentication requests (the IANA-assigned value is 1812).
•Accounting Port—Enter the UDP port number of the RADIUS server port for accounting requests (the IANA-assigned value is 1813).
•Retries—Enter the number of requests that are sent to the RADIUS server before a failure is considered to have occurred. If Use Default is selected, the device uses the default value for the number of retries.
•Dead Time—Enter the number of minutes that must pass before a non-responsive RADIUS server is bypassed for service requests. If Use Default is selected, the device uses the default value for the dead time. If you enter 0 minutes, there is no dead time.
•Usage Type—Select the RADIUS server authentication type. The options are:
-Login—RADIUS server is used for authenticating users that ask to administer the device.
-802.1X—RADIUS server is used for 802.1X authentication.
-All—RADIUS server is used both for authenticating users that ask to administer the device and for 802.1X authentication.
STEP 6 To display sensitive data in plaintext form in the configuration file, click Display Sensitive Data As Plaintext.
STEP 7 Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.

Management Access Method

Access profiles determine how to authenticate and authorize users accessing the device through various access methods. Access profiles can limit management access from specific sources. Only users who pass both the active access profile and the management access authentication methods are given management access to the device. Only a single access profile can be active on the device at one time.

Access profiles consist of one or more rules. The rules are evaluated in order of their priority within the access profile (top to bottom). Rules are composed of filters that include the following elements:
•Access Methods—Methods for accessing and managing the device:
-Telnet
-Secure Telnet (SSH)
-Hypertext Transfer Protocol (HTTP)
-Secure HTTP (HTTPS)
-Simple Network Management Protocol (SNMP)
-All of the above
•Action—Permit or deny access to an interface or source address.
•Interface—Which ports, LAGs, or VLANs are permitted or denied management access.
•Source IP Address—IP addresses or subnets.

Access to management methods might differ among user groups. For example, one user group might be able to access the device only by using an HTTPS session, while another user group might be able to access the device by using both HTTPS and Telnet sessions. Telnet and HTTP send credentials in cleartext, and SNMPv1/v2c community strings are likewise unprotected, so a profile that permits only SSH and HTTPS from a management subnet and denies everything else is the usual hardening baseline.

Active Access Profile

The Access Profiles page displays the access profiles that are defined and enables selecting one access profile to be the active one. When a user attempts to access the device through an access method, the device checks whether the active access profile explicitly permits management access to the device through this method. If no match is found, access is denied. When an attempt to access the device violates the active access profile, the device generates a SYSLOG message to alert the system administrator of the attempt.

If a console-only access profile has been activated, the only way to deactivate it is through a direct connection from the management station to the physical console port on the device. For more information see Defining Profile Rules.

Use the Access Profiles page to create an access profile and to add its first rule. If the access profile only contains a single rule, you are finished. To add additional rules to the profile, use the Profile Rules page.
STEP 1 Click Security > Mgmt Access Method > Access Profiles. This page displays all of the access profiles, active and inactive.
STEP 2 To change the active access profile, select a profile from the Active Access Profile drop-down menu and click Apply. This makes the chosen profile the active access profile.

NOTE A caution message appears if you selected Console Only. If you continue, you are immediately disconnected from the web-based configuration utility and can access the device only through the console port. This only applies to device types that offer a console port.
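The rule semantics of the Management Access Method section, modelled as an added example (Python, not the switch's own code): rules checked in priority order from the top, an implicit deny when no rule matches, a syslog-style line on a violation, and the check an operator should make before clicking Apply, namely whether the profile about to be activated still permits the session being used to activate it (the lockout the NOTE warns about). Assumptions: first-match semantics, interfaces named as strings such as "VLAN10", IPv4 sources, a constructed log format, and Console Only modelled as a profile that permits no network method.

```python
"""Access-profile evaluation with an implicit deny and a pre-activation lockout check."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ALL_METHODS = frozenset({"telnet", "ssh", "http", "https", "snmp"})   # "All of the above"


@dataclass(frozen=True)
class Rule:
    priority: int                                    # lower number is checked first
    action: str                                      # "permit" or "deny"
    methods: FrozenSet[str]                          # ALL_METHODS for "All of the above"
    interface: Optional[str] = None                  # None: any port, LAG or VLAN
    source: Optional[ipaddress.IPv4Network] = None   # None: any source address


@dataclass(frozen=True)
class Attempt:
    method: str
    interface: str
    source: ipaddress.IPv4Address


def rule_matches(rule: Rule, att: Attempt) -> bool:
    return (att.method in rule.methods
            and (rule.interface is None or rule.interface == att.interface)
            and (rule.source is None or att.source in rule.source))


def evaluate(profile: List[Rule], att: Attempt) -> Tuple[str, Optional[str]]:
    """Return ("permit", None) or ("deny", log_line). No match at all is a deny."""
    for rule in sorted(profile, key=lambda r: r.priority):
        if rule_matches(rule, att):
            if rule.action == "permit":
                return "permit", None
            break                                    # explicit deny: stop evaluating
    # constructed message format; the switch's real SYSLOG text may differ
    line = (f"MGMT-ACCESS-DENIED method={att.method} source={att.source} "
            f"interface={att.interface} (active access profile)")
    return "deny", line


def safe_to_activate(profile: List[Rule], current_session: Attempt) -> bool:
    """Would activating this profile cut off the session that is activating it?"""
    return evaluate(profile, current_session)[0] == "permit"


def demo() -> Dict[str, object]:
    mgmt = ipaddress.ip_network("10.0.0.0/24")
    me = Attempt("https", "VLAN10", ipaddress.ip_address("10.0.0.5"))
    hardened = [
        Rule(1, "permit", frozenset({"ssh", "https"}), "VLAN10", mgmt),
        Rule(2, "deny", ALL_METHODS),                # explicit catch-all deny, logged
    ]
    console_only = [Rule(1, "deny", ALL_METHODS)]    # assumption: no network method permitted
    telnet = Attempt("telnet", "VLAN10", ipaddress.ip_address("10.0.0.5"))
    user_vlan = Attempt("ssh", "VLAN20", ipaddress.ip_address("10.0.1.9"))
    return {
        "admin_https": evaluate(hardened, me)[0],
        "telnet_from_mgmt": evaluate(hardened, telnet)[0],
        "ssh_from_user_vlan": evaluate(hardened, user_vlan),
        "empty_profile": evaluate([], me)[0],
        "safe_to_activate_hardened": safe_to_activate(hardened, me),
        "safe_to_activate_console_only": safe_to_activate(console_only, me),
    }
```

Running safe_to_activate against the profile you are about to select, with your own method, interface and source address, catches the two common mistakes: a deny rule sorted above the permit that was meant to cover you, and a permit whose source subnet does not include the station you are on.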