Manual Chapter : Management Access

Applies To:

ARX

  • 6.3.0
Use the authentication command to set a primary, secondary, or tertiary authentication service for the current management-access point.
Use the no form of the command to remove an authentication service.
primary | secondary | tertiary is a required choice for setting the precedence of this authentication service:
primary is the preferred authentication service,
secondary is the authentication service to be used if the primary service fails, and
tertiary is used if the secondary fails, too.
active-directory | radius | local is another required choice, for setting the authentication type.
active-directory authenticates through the externally-configured Active Directory. (You can use the active-directory update seed-domain command to automatically discover the Active Directory (AD) and all of its Domain Controllers.) This option allows Windows clients with sufficient privileges (see below) to log in with their Windows credentials.
radius authenticates using a RADIUS (Remote Authentication Dial-In User Service) server on the network.
local authenticates using services local to the ARX.
Use the show management access command to show the current configuration mapping of authentication services to management-access points.
When you remove authentication services with the no authentication command, you must remove the lowest-precedence service first. For example, if a management-access point has primary, secondary, and tertiary authentication configured, you must remove the tertiary authentication service before you can remove the secondary service.
The active-directory option requires additional configuration: you must also identify Windows-user groups with sufficient privileges for administrative access. Use the group command to create a group with the same name as the desired Windows group, then use windows-domain (gbl-group) to declare a domain for that group, and finally use the role command to add one or more administrative roles for that group. For example, you could create a Domain Admins group in the medarch.org domain and give it highly-privileged roles, such as storage-engineer and crypto-officer. As another example, you could create a Domain Users group with the lesser role of operator.
Before you configure RADIUS authentication, use the show radius-server command to verify that a RADIUS server is properly configured. To guard against RADIUS-server failures, we recommend that you configure a secondary local service behind any primary RADIUS service.
A client application can access the ARX API to make queries about the ARX configuration and state. These queries come through one of two management access points, http-api or https-api. Each query from the client application results in a separate authentication.
We recommend using local authentication only for the API access points; active-directory or radius authentication may create an excessive load on your domain controllers (for active-directory) or RADIUS server. If you must duplicate accounts in more than one database, we recommend using the same password for all of them.
bstnA(cfg)# management access https
bstnA(cfg-mgmt-access[HTTPS])# authentication primary active-directory
bstnA(cfg-mgmt-access[Telnet])# no authentication secondary
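The Active Directory procedure described above (group, windows-domain, role, then authentication on the management-access point), carried through as one worked configuration. This is an added example, not taken from the ARX documentation: the gbl-group mode prompt, the exit command, the quoting of group names that contain spaces, and the exact argument forms of windows-domain and role are assumptions about the CLI; medarch.org, the group names and the role names are the illustrative values the text itself uses.

```text
bstnA(gbl)# group "Domain Admins"
bstnA(gbl-group[Domain Admins])# windows-domain medarch.org
bstnA(gbl-group[Domain Admins])# role storage-engineer
bstnA(gbl-group[Domain Admins])# role crypto-officer
bstnA(gbl-group[Domain Admins])# exit
bstnA(gbl)# group "Domain Users"
bstnA(gbl-group[Domain Users])# windows-domain medarch.org
bstnA(gbl-group[Domain Users])# role operator
bstnA(gbl-group[Domain Users])# exit
bstnA(gbl)# exit
bstnA(cfg)# management access ssh
bstnA(cfg-mgmt-access[SSH])# permit mgmt
bstnA(cfg-mgmt-access[SSH])# authentication primary active-directory
bstnA(cfg-mgmt-access[SSH])# authentication secondary local
bstnA(cfg-mgmt-access[SSH])# exit
bstnA(cfg)# show management access
```

The secondary local service is deliberate: if every domain controller is unreachable, primary authentication fails and the switch falls back to local accounts instead of locking every administrator out. Confirm the mapping with show management access before closing the session you configured it from.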
Most RADIUS servers listen at the well-known authentication port (UDP 1812; some older servers still use 1645). By default, the ARX sends all RADIUS traffic to that port. Use the auth-port command to change the destination-port number for outbound RADIUS traffic.
Use the no form of the command to reset the port number to the default.
auth-port port-number
port-number (1024-65535) is the destination-port number at the RADIUS server.
bstnA(gbl)# radius-server 192.168.25.207
Use the clear session command to end a current CLI or GUI user session on the ARX.
clear session login-id
login-id (1-128 characters) is the ID of the session to disconnect. The show sessions command shows a list of valid IDs.
Use the show sessions command to view the list of current user sessions.
bstnA# clear session 25250
bstnA# clear session F8DAB350CE624E50AD767A717E931826
The show statistics authentication command shows the number of successful and failed login attempts. Use the clear statistics authentication command to clear all of those counters.
bstnA# clear statistics authentication
Use the key command to set the key (password or shared secret) on the ARX to match the key on the RADIUS server. The switch and its RADIUS server must have identical keys.
Use the no form of the command to erase the key. Erasing the key disables authentication at the current RADIUS server.
bstnA(gbl)# radius-server 192.168.25.201
Key: $3cretPa$$w0rd
Validate Key: $3cretPa$$w0rd
Each management-access point (console, Telnet, SSH, HTTP, HTTPS, SNMP, HTTP-API, and HTTPS-API) is gated by an authentication service. Use the management access command to start configuring authentication service(s) for a management-access point.
Use the no form of the command to remove all authentication services from a management-access point, thus shutting down access.
Use the show management access command to show the current configuration mapping of access points to their authentication services and available interfaces.
http://arx-management-ip:83/arx-api/
where arx-management-ip is either the out-of-band management-IP address (interface mgmt) or an in-band (VLAN) management-ip address (interface vlan). The permit command determines which of these address types are available for access. Use show interface mgmt and/or show interface vlan to find the IP addresses for each interface.
https://arx-management-ip:843/arx-api/
where arx-management-ip is a valid management IP, as described above.
You can use the show statistics api command to find usage statistics for the API.
bstnA(cfg)# management access console
bstnA(cfg)# management access all
bstnA(cfg)# no management access telnet
Use the permit command to allow access to the current management-access point. You can permit access through the out-of-band MGMT interface, any in-band (VLAN) interface, or all management interfaces. Use no permit to deny access.
vlan | mgmt | all is a required choice:
vlan permits (or denies) access through any in-band (VLAN) management interface. Use the show interface vlan command to see all in-band management interfaces.
mgmt permits or denies access through the out-of-band management interface, labeled MGMT on the front panel. Use the show interface mgmt command to see the configuration for this interface. This option is unavailable on the ARX-VE, which has no out-of-band management interface. This option also may not apply to the ARX-1500 or ARX-2500, where the out-of-band management interface may be re-purposed as a standard client/server port (see the documentation for interface mgmt).
all permits or denies access through all of the above.
Use show management access to see which management-access points are currently available.
bstnA(cfg)# management access telnet
bstnA(cfg)# management access ssh
Use the radius-server command to configure/identify a RADIUS server as an authentication provider for the ARX. You can use this command multiple times to configure multiple RADIUS servers.
Use the no form of the command to remove one RADIUS-server configuration.
radius-server hostname-or-ip-address
hostname-or-ip-address (1-128 characters or an IP address) is the hostname or IP address of a RADIUS server.
This command places you in gbl-radius mode. From gbl-radius mode, use the key (gbl-radius) command to enter the shared-secret from the RADIUS server. You can change the timeout and/or retry interval with the timeout (gbl-radius) and retries (gbl-radius) commands. If the RADIUS server listens at a port other than the well-known port, you can use the auth-port (gbl-radius) command to adjust the port configuration.
Important: Before you remove a RADIUS server through the no command, ensure a backup authentication method is in place for management services.
bstnA(gbl)# radius-server 192.168.25.201
Use the retries command to change the number of times the switch retries a request to a RADIUS server before declaring that server failed.
Use the no form of the command to reset the retry interval to the default.
retries number

number (3-65535) is the number of times the switch attempts to connect to the RADIUS server before declaring a failure.
bstnA(gbl)# radius-server 192.168.25.207
Use the show management access command to show the authentication services configured for system management.
Service is Console, Telnet, SSH, HTTP, HTTPS, SNMP, HTTP-API, or HTTPS-API. This is the management-access point, a point of entry for a system administrator. Use the management access command to edit one or all of these management-access configurations.
Primary is the primary authentication service for this management-access point. The choices are AD (for Active-Directory authentication, which allows Windows users to authenticate with their Windows credentials), local (for authentication service that runs on the ARX), or RADIUS (for authentication at a remote RADIUS server).
Secondary and Tertiary are backup authentication services. If the primary service fails, the switch uses the secondary service; if the secondary authentication fails too, the switch falls back to the tertiary service. Use the authentication command to reset the primary, secondary, or tertiary service.
Allowed Interface is VLAN, Management, or both. VLAN indicates that administrators can gain access through any in-band (VLAN) management interface. Management indicates that access is allowed through the out-of-band management interface, labeled MGMT on the front panel. Use the permit command to permit VLAN and/or MGMT access.
bstnA> show management access
Use the show radius-server command to display a summary of all RADIUS servers known to the switch.
Hostname is the name or IP address of the RADIUS server.
Authport is the destination port at the RADIUS server.
Acctport is the port used for accounting; currently not used.
Timeout is the current connection-timeout interval.
Retries is the current number of connection retries.
bstnA(gbl)# show radius-server
bstnA# show radius-server
Use the show sessions command to view all current management sessions on the switch.
Session ID identifies each session. CLI sessions have integer IDs, and GUI sessions have string IDs. The flag (local session) appears next to the current CLI session.
Username identifies the administrative user.
Access is the type of connection. This is the same as the management-access point that you choose with the management access command (for example, console, ssh, or https).
Connect Time shows how long the session has been running, displayed in hours and minutes. If the session has been running for less than a minute, a dash is displayed instead of the time.
Source IP is the IP address from which the user logged in.
You can use the clear session command with one of these IDs to end that administrative session, thereby logging off the administrator.
bstnA# show sessions
Immediately after you use ssh-host-key generate to change the SSH host keys on the switch, you should distribute the new keys to remote SSH clients. Use the show ssh-host-key command to show the public host keys.
dsa | rsa | rsa1 selects a particular SSH key; by default, all of them are shown.
dsa is the key for DSA over SSHv2,
rsa selects the key for RSA over SSHv2, and
rsa1 chooses RSA over SSHv1. By default, SSHv1 is not supported; use ssh-v1 enable to enable SSHv1 support.
Use the ssh-host-key generate command to change all private/public host-key pairs on the switch. Then use this command to see the new public keys and begin distributing them to SSH clients. Install the appropriate public key (DSA, RSA, or RSA1) at each client; refer to the client's SSH documentation for instructions.
bstnA(cfg)# show ssh-host-key
Use this command to display the authentication-login statistics. Use the clear statistics authentication command to clear the current authentication statistics and reset the counters.
bstnA# show statistics authentication
dsa | rsa selects the type of SSH key to set.
dsa is the key for DSA, and
rsa selects the key for RSA over SSHv2.
key-text is the private key in text form, with a <Return> character at the end of each line.
This is the format of a typical text file for a private key. PuTTYgen creates a text file with this format if you load a generated key and select Conversions -> Export OpenSSH key. This is also the format you find in /etc/ssh/ssh_host_*sa_key on a Linux box with SSH.
The ARX generates a new public key to associate with this new private key. The new public key is accessible through show ssh-host-key. You copy the appropriate public key to trusted clients, as described below. The private key remains hidden on the switch.
After the new host key is installed, client machines warn their users that the switch's host key has changed. They must update to the new host key before they authenticate with the ARX. Right after installing the new key, use the show ssh-host-key command to show the new public key, then copy and paste it onto the client machine. Refer to the client machine's SSH documentation for the specific configuration file.
bstnA(cfg)# ssh-host-key rsa
After the new host keys are generated, client machines warn their users that the switch's host key has changed. They must update to the new host key before they authenticate with the ARX. Right after generating new host keys, use the show ssh-host-key command to show the new public keys, then copy and paste the appropriate key onto the client machine. Refer to the client machine's SSH documentation for the specific configuration file.
bstnA# ssh-host-key generate
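A small client-side helper for the redistribution step described here, and for the ssh-host-key private-key import above, which produces the same kind of new public key: it parses the public key line that show ssh-host-key prints, computes the SHA256 fingerprint that OpenSSH shows in its "host key has changed" warning so an administrator can compare it out of band before accepting, and replaces the stale entry in a known_hosts file. This is an added example, not part of the ARX documentation or software; the toy keys, host names and sample known_hosts text are constructed, and only plain OpenSSH-style known_hosts entries are handled.

```python
"""Verify and redistribute an SSH host key after rotation.

Constructed stand-alone example; the keys below are toy values, not ARX keys.
"""
import base64
import hashlib
import struct


def _ssh_string(data):
    return struct.pack("!I", len(data)) + data


def _mpint(n):
    # RFC 4251 mpint: big-endian, with a leading 0x00 byte when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_public_key_line(e, n, comment):
    """Build an 'ssh-rsa <base64 blob> <comment>' line in RFC 4253 wire format."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_public_key_line(line):
    """Decode the blob and refuse a line whose prefix disagrees with the blob's type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    parts, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack("!I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated SSH string in key blob")
        parts.append(blob[pos:pos + length])
        pos += length
    if not parts or parts[0] != key_type.encode():
        raise ValueError("key type in blob does not match the line prefix")
    key = {"type": key_type, "blob": blob}
    if key_type == "ssh-rsa" and len(parts) == 3:
        key["e"] = int.from_bytes(parts[1], "big")
        key["n"] = int.from_bytes(parts[2], "big")
    return key


def fingerprint(blob):
    """SHA256 fingerprint as OpenSSH prints it: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def replace_known_host(known_hosts, host, new_line):
    """Remove every plain entry for `host` (the effect of `ssh-keygen -R host`) and
    append the newly distributed key. Hashed (|1|...) and @marker entries are kept as-is."""
    key_type, b64 = new_line.split()[:2]
    kept = []
    for entry in known_hosts.splitlines():
        plain = entry and not entry.startswith(("#", "@", "|"))
        names = entry.split(" ", 1)[0].split(",") if plain else []
        if host not in names:
            kept.append(entry)
    kept.append("%s %s %s" % (host, key_type, b64))
    return "\n".join(kept) + "\n"


def rotate(known_hosts, host, old_line, new_line):
    """Compare the old and new host keys and produce the updated known_hosts text."""
    old, new = parse_public_key_line(old_line), parse_public_key_line(new_line)
    return {
        "old_fp": fingerprint(old["blob"]),
        "new_fp": fingerprint(new["blob"]),
        "changed": old["blob"] != new["blob"],
        "known_hosts": replace_known_host(known_hosts, host, new_line),
    }


# Constructed toy keys: tiny moduli, not real RSA keys and not the switch's keys.
OLD_KEY = make_rsa_public_key_line(65537, 0xC0FFEE0000000001, "bstnA-before-rotation")
NEW_KEY = make_rsa_public_key_line(65537, 0xDEADBEEF00000003, "bstnA-after-rotation")
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample known_hosts\n"
    "10.1.1.7,bstnA " + OLD_KEY + "\n"
    "nas.example.net ssh-ed25519 QUJD other-host\n"
)

if __name__ == "__main__":
    result = rotate(SAMPLE_KNOWN_HOSTS, "10.1.1.7", OLD_KEY, NEW_KEY)
    print("old:", result["old_fp"])
    print("new:", result["new_fp"])
    print(result["known_hosts"])
```

Read the fingerprint from the switch over a path you already trust (the console, or an SSH session whose key was verified earlier) and compare it with the one the client warns about; accepting a changed key without that comparison defeats the purpose of host keys. Assumption: OpenSSH 6.8 and later print SHA256 fingerprints by default, older releases print MD5 hex.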
Use the ssh-v1 enable command to allow SSHv1 connections to the switch; by default the switch accepts SSHv2 only. SSHv1 is an obsolete protocol with known cryptographic weaknesses, so enable it only for clients that cannot use SSHv2. Use the no form of the command to disable SSHv1 and return to v2-only support.
bstnA(cfg)# ssh-v1 enable
bstnA(cfg)# no ssh-v1 enable
Use the timeout command to change the timeout interval for communication with RADIUS servers.
Use the no form of the command to reset the timeout interval to the default.
timeout milliseconds
milliseconds (3-65535) is the number of milliseconds to wait for a server response before timing out.
After the timeout expires, the switch retries its request as many times as specified through the retries (gbl-radius) command. If all retries fail, the request fails, which causes fallback to the next level of authentication service (secondary or tertiary), if one is configured.
bstnA(gbl)# radius-server 192.168.25.207
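To make the shared-secret rule (key), the radius-server configuration and the timeout/retries fallback rule above concrete, here is a self-contained Python model of one RADIUS Access-Request/Access-Accept exchange (RFC 2865). It is an added example, not ARX code: the mock server, the user table, the secrets and the fixed Request Authenticator are constructed for the demonstration. It shows what actually depends on the key: the User-Password attribute is obfuscated with MD5(secret || Request Authenticator), and the reply carries a Response Authenticator computed over the same secret, so a key mismatch between the switch and the server yields a reply the client cannot validate. Such a reply has to be treated like a lost one (retry, then fall back to the next service), not as a clean reject.

```python
"""Model of a RADIUS Access-Request / Access-Accept exchange (RFC 2865).

Constructed stand-alone example; it does not talk to a real server.
"""
import hashlib
import os
import struct

RADIUS_AUTH_PORT = 1812          # well-known authentication port (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    """Type(1) Length(1, header included) Value, per RFC 2865 section 5."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(packet, length):
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = struct.unpack("!BB", packet[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def encode_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), starting from the Request Authenticator."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decode_password(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    """Client side (the switch): random 16-byte Request Authenticator plus two attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(request, secret, users):
    """Mock RADIUS server: recover the password with *its* copy of the secret and sign
    the reply with Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected code")
    req_auth = request[4:20]
    attrs = _parse_attrs(request, length)
    password = decode_password(attrs[ATTR_USER_PASSWORD], secret, req_auth)
    accepted = users.get(attrs.get(ATTR_USER_NAME)) == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(reply, request, secret):
    """Return 'accept', 'reject' or 'invalid'. 'invalid' means the Response Authenticator
    did not verify (key mismatch or forged packet); the client should treat it like a
    lost reply, i.e. retry and then fall back, not as a reject."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if ident != request[1] or reply[4:20] != expected:
        return "invalid"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def demo(client_secret, server_secret, password=b"$3cretPa$$w0rd"):
    """One exchange against a constructed user table; returns the client's verdict."""
    users = {b"admin": b"$3cretPa$$w0rd"}   # constructed test account
    request = build_access_request(7, b"admin", password, client_secret,
                                   authenticator=bytes(range(16)))  # fixed for repeatability
    reply = server_handle(request, server_secret, users)
    return client_verify(reply, request, client_secret)


if __name__ == "__main__":
    print(demo(b"shared", b"shared"))              # accept
    print(demo(b"shared", b"shared", b"wrong"))    # reject
    print(demo(b"shared", b"Shared"))              # invalid: keys differ
```

Against a real server the request goes out over UDP to the auth-port, the socket timeout is the timeout value, and the send is repeated retries times before the service is declared failed; a reply that fails client_verify should count as no reply for that purpose. Note also that MD5 here is the protocol's fixed construction, not a choice: the only secret protecting the password on the wire is the shared key, which is why a long, random key and a dedicated management network matter.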