Router Installation and Configuration Manual/Configuring Global Settings: the AAA and Global Configuration Menus

From ImageStream Router Documentation

This chapter describes how to configure settings that the ImageStream router uses across all of its ports and interfaces.
This chapter discusses the following topics:
  • Setting the Administrative Password
  • Configuring the Router for TACACS+ Server Authentication
  • Setting the Hostname
  • Configuring Name Resolution
  • Configuring Local Event Logging
  • Configuring Remote Event Logging
  • Configuring Advanced Event Logging
  • Configuring the User-Configurable Startup Script
  • Configuring the Default Terminal Type
  • Configuring the Default Text Editor
  • Setting the System Time
After logging in, the main menu is displayed (your menu may look slightly different):
     ISis-Router main menu 
     1. Configuration menu 
     2. Show interface status 
     3. Advanced  
     4. Router software management 
     5. Backup/Restore 
     6. halt/reboot 
     0. Log off 
Your first steps should be to configure the Global Configuration Settings on the router. Select menu option 1, Configuration menu, and press Enter to configure the router. The Configuration menu should appear (your menu may look slightly different):
     Configuration menu 
     1. AAA (Password) Configuration 
     2. Global configuration 
     3. Network interface configuration 
     4. Firewall and QOS configuration 
     5. Service configuration 
     6. Dynamic routing configuration 
     7. Save configuration to flash 
     0. ISis-Router main menu 
Next, select menu option 1, AAA (Password) Configuration, and press Enter to configure the router's login and password settings. The AAA (Password) Configuration menu will be displayed (again, your menu may look slightly different):
     AAA (Password) Configuration 
     1. Change local root password 
     2. TACACS+ authentication (disabled) 
     3. Disable all remote AAA 
     0. Configuration menu 

Setting the Administrative Password

ImageStream routers are shipped without a password. Press Enter at the Password: prompt when accessing the router for the first time. The password is an ASCII-printable string of up to 127 characters used to access the router's administration features. Only the administrator can change the password.
To set the password, select menu option 1 and press Enter. The following will be displayed:
     Changing password for root 
     Enter the new password (minimum of 5, maximum of 127 characters) Please use a combination 
     of upper and lower case letters and numbers. 
     New password: 
Enter your new password and press Enter. Your password will not be displayed on the screen for security purposes. Pressing Enter without entering a password resets the password to the default value, which is no password. The router will then display the prompt:
     Re-enter new password: 
Re-enter your new password exactly as before and press Enter. Your password will not be displayed on the screen. If your passwords do not match, the router will respond with:
     They don't match; try again. 
You will then be prompted for your new password again. If you use a dictionary word, a short password or no password, the router will respond with:
     Bad password: too short. 
     Warning: weak password (enter it again to use it anyway).
The system will prompt you again for the new password for confirmation. You will then have to reenter the password as described above. Once you have successfully entered the password, the router will respond with:
     Password changed. 
and return you to the main menu system. Remember that this password change is not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the password change to become permanent.

Configuring the Router for TACACS+ Server Authentication

ImageStream routers support centralized user authentication and login shell selection using a Terminal Access Controller Access Control System (TACACS+) server/database. When enabled, the router will contact the TACACS+ server to authenticate users that attempt to log in to the router. If the TACACS+ server does not have an entry for the user ID, or if the router cannot contact the TACACS+ server, then the router will check the local password file. Although the local password file contains only the root administrative user, it is possible to create multiple levels of access to the router when using a TACACS+ server for authentication.
You should only configure TACACS+ authentication if you have a valid TACACS+ server available on your network. If you are unsure, do not configure this option.
To configure TACACS+ authentication select menu option 2, TACACS+ authentication (disabled), and press Enter. The following will be displayed:
     Remember that you must configure your TACACS+ server. The router will use the local password as a fallback. 

     Enter the hostname or IP address of the primary TACACS+ server or leave blank to disable TACACS+ for AAA: 
Enter the IP address or the fully qualified domain name (FQDN) for your primary TACACS+ server and press Enter. For example, if your TACACS+ server is located at tacacs.imagestream.com, you would enter tacacs.imagestream.com at the prompt. If you are attempting to clear a previous TACACS+ server configuration, then press Enter at the prompt without entering any information.
After entering the primary server, the router will display:
     You may configure up to 3 additional TACACS+ servers. 

     Do you have additional TACACS+ servers to configure (y/N)?: 
Note: If you have backup TACACS+ servers, follow the on-screen prompts to fill in the IP address or Fully Qualified Domain Name (FQDN) of the backup server(s). After you have entered your TACACS+ servers, the router will display:
     Enter the encryption secret (all servers must use a common secret) or leave blank to disable encryption: 
Note: If your TACACS+ server uses an encryption key, enter it here. The key must be the same for all servers. The router will not prompt you for alternate keys. If your TACACS+ server does not use encryption, then leave the entry blank and press Enter at the prompt. You will be prompted to confirm that encryption should be disabled.
When you have entered the encryption secret information, the router will display:
     Now rebuilding AAA configurations (/etc/pam.conf)...done. 
and return you to the main menu system. Remember that this remote AAA change is not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the remote AAA change to become permanent.

Disabling Remote AAA Configurations

To disable any remote AAA configurations, select menu option 3, Disable all remote AAA, and press Enter to reset the router to its original default AAA configuration (local password file only).

Global Configurations

Next, select menu option 2, Global Configuration, from the Configuration menu and press Enter to configure the router's global settings. The Global configuration menu will be displayed (again, your menu may appear slightly different):
     Global configuration 
     1. Change hostname 
     2. Change DNS server 
     3. Configure Event Logging 
     4. Configure rc.local (user configurable startup script) 
     5. Select terminal type (linux) 
     6. Select default editor (pico) 
     7. Set the time 
     0. Configuration menu

Setting the Hostname

The hostname, or system name, is the name that identifies the router for Domain Name Service (DNS) queries, Simple Network Management Protocol (SNMP) queries, Internet Protocol Security Suite (IPSec) and Secure Shell (SSH) authentication. Enter a name that is valid for your network. The system name can have up to 16 characters, and appears in the command line prompt.
To set the hostname, select menu option 2, Change hostname, and press Enter. The following will be displayed:
     Enter the domain for this machine: 
Enter the domain name for your router and press Enter. For example, if your router is named router.imagestream.com, you would enter imagestream.com at the prompt. Do not enter the hostname, as you will be prompted for this information next. Also, be sure to use the domain name for your router, and not the domain name imagestream.com from our example here.
After entering the domain name, the router will display:
     Enter the hostname for this machine:
Enter the hostname for your router and press Enter. For example, if your router is named router.imagestream.com, you would enter router at the prompt. Be sure to enter the hostname you have chosen for your router, and not the hostname from our example here (that is, of course, unless the hostname for your router will also be router).
The router will then prompt you to confirm the fully qualified domain name (FQDN) of your router, for example:
    Your FQDN (Fully Qualified Domain Name) is router.imagestream.com.com, is this correct (Y/n) : 
Press Y or y if the entry displayed is correct. Press N or n if the entry displayed is incorrect. Pressing N or n will erase your entries and the router will prompt you again for the domain name and hostname. If you pressed Y or y, the router will display the hostname you have entered, for example:
     Hostname changed to router.imagestream.com.
and return you to the Global configuration menu system. Remember that this hostname change is not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the hostname change to become permanent.

Configuring Name Resolution

The ImageStream router can work with a Domain Name Server (DNS). Chapter 31, Basic Networking, describes this name service. If you do not set a valid domain name resolution server, you will not be able to use the automatic software update feature on your router.
To set the DNS server, select menu option 2, Change DNS server, and press Enter. The following will be displayed:
     Enter the domain for this machine: 
Enter the domain name for your router and press Enter. For example, if your router is named router.imagestream.com, you would enter imagestream.com at the prompt. Do not enter the hostname (router in our example). This domain name does not necessarily have to be the same domain as the router's domain name. This value will be the first domain searched to resolve names. For example, if you enter the command telnet router from the command line, the DNS resolver on the router will search imagestream.com if that value is entered in response to the question above.
Once you have entered the domain name, you will be prompted for the IP address of the domain name server for your network:
     Enter the nameserver IP address for this router: 
Enter the IP address of the nameserver for your router and press Enter. For example, if your nameserver is located at the IP address 192.168.100.1, you would enter 192.168.100.1 at the prompt. The router will display:
     Now writing the /etc/resolv.conf file...done. 
and return you to the Global configuration menu system. If you need to add additional search domains or name servers, you can do this from the command line. Enter the command /etc/editor /etc/resolv.conf. This will open the standard Linux resolv.conf file in your default text editor. This is an advanced option, and you should only edit this file if you are familiar with the resolv.conf file under Linux. Remember that any changes to the DNS server are not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the changes to become permanent.

Configuring Local Event Logging

The ImageStream router can log messages to a local file, to the console or to remote devices or logging servers via the standard syslog facility. By default, system messages are logged only to a local file on the router.
Select menu option 3, Configure Event Logging, from the Global Configuration menu and press Enter to configure the router's global settings. The Configure Event Logging menu will be displayed (again, your menu may look slightly different):
     Configure Event Logging 
       1. Configure remote event logging 
       2. Enable local event logging 
       3. Configure advanced event logging 
       0. Global configuration 
To configure local event logging, select menu option 3 and press Enter. The following will be displayed:
     Enabling local logging will create an automatically rotated system logfile accessible from the router's 
     Advanced menu or in the file '/var/log/syslog'.
 
     Would you like to enable local system logging? 
     Press 'Y' or 'y' to enable system logging or press Enter to disable system logging and remove old logs (y/N).
Follow the on-screen prompts to enable or disable local system logging. The logfile created by the router will not fill the router's virtual file system. By default, the system will log to /var/log/syslog, with 1 backup file. Files will rotate every 24 hours or after 250KB of log information, whichever comes first. For debugging purposes, ImageStream recommends that you leave local system logging enabled by pressing Y at the prompt.
The router will display the following:
     Enabling console logging will send all messages to both remote and console root logins. 
     
     Woulds you like to enable console logging?
     Press 'Y' or 'y' to enable logging or press Enter to disable console logging  (y/N).
Note: Enabling console logging will print all system messages on your screen when you are logged in as the root user. For some users, the number of messages generated may make it difficult to use the router, so this option is disabled by default. If the appearance of messages on your console does not affect your use of the router, ImageStream recommends enabling this option. Follow the on-screen prompts to enable or disable console logging. The router will display the following:
     Now writing the /etc/syslog.conf file...done. 
and return you to the menu system. Remember that this change is not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the change to become permanent.

Configuring Remote Event Logging

The ImageStream router can log messages to a local file, to the console or to remote devices or logging servers via the standard syslog facility. By default, system messages are logged only to a local file on the router.
To configure the router's global settings, select menu option 3, Configure Event Logging, from the Global Configuration menu and press Enter. The Configure Event Logging menu will be displayed (again, your menu may look slightly different):
     Configure Event Logging 
       1. Configure remote event logging 
       2. Enable local event logging 
       3. Configure advanced event logging 
       0. Global configuration 
To set up a remote logging server, select menu option 1 and press Enter. The router will display the following:
     Remember that you must configure your remote syslog server to accept syslog data from remote systems.  Most syslog 
     implementations use '-r' to enable this function.   Consult your server documentation or man pages. 
     Enter name or IP address of machine to log to, or leave blank to disable remote logging: 
Enter either the IP address or FQDN of the remote logging machine and press Enter. For example, if the remote logging machine is server.imagestream.com and its IP address is 192.168.100.1, you would enter either of those values at the prompt. If you leave the entry blank, remote logging will be disabled. The router will display:
     Now writing the /etc/syslog.conf file...done. 
and return you to the Configure Event Logging menu system. Remember that this change is not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the change to become permanent.
Press menu option 0 to return to the Global configuration menu.

Configuring Advanced Event Logging

For users familiar with the UNIX syslog facility, the Event Logging menu includes an advanced configuration option. This configuration file allows you to configure advanced logging parameters for local and remote logging. The default configuration file includes two types of examples: remote logging using a "local" facility and local logging using log rotation.
Select menu option 3, Configure Event Logging, from the Global Configuration menu to configure the router's global settings. The Configure Event Logging menu will be displayed (again, your menu may look slightly different):
     Configure Event Logging 
       1. Configure remote event logging 
       2. Enable local event logging 
       3. Configure advanced event logging 
       0. Global configuration 
To configure the Remote Event Logging, select menu option 3 and press Enter. The router will display the syslog.conf.local file. The following example shows the use of a local facility for log separation on a remote server:
     local0.*	@server.imagestream.com
The command above directs the router to send all local0 messages to the machine at the FQDN server.imagestream.com. The remote logging server can be configured to send any local0 messages to a separate data file for easier analysis. Any local facility from 0 to 7 is valid. The local facilities can be used to create separate log files directly on the router as well.
The next example shows the use of ImageStream's log rotation options:
     *.*	/var/log/syslog rotate,size=250k,age=24,files=1
The entries in the syslog.conf.local file follow the format:
     <facilities to log> 	<output file/destination> 	<logging options> 
Each section should be separated by a space or a tab. The logging options are separated by a comma. You may not use a tab or a space in the output file/destination. The available logging options are:
rotate - Signals the syslog daemon to automatically rotate log files. If you do not provide any other options, then syslog will rotate the log file after it reaches 1 MB in size and will maintain 5 spare/backup files.
size - Specified in kilobytes ("k"), this option tells the syslog daemon the size at which files should be rotated. For example, size=250k rotates the file once it reaches 250 KB.
age - Specified in hours, this option tells the syslog daemon how often to automatically rotate files. For example, age=24 signals syslog to rotate the file every 24 hours regardless of size.
files - This option tells the syslog daemon how many spare/backup files to maintain. For example, files=2 creates 2 spare/backup files (syslog.1 and syslog.2) in addition to the main log file.
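As an added example (not ImageStream's own code), the following Python parses entries in the syslog.conf.local format described above, applies the stated rotation defaults, and estimates the worst-case disk footprint of each rotated local log so an administrator can check that logging cannot fill the file system. It assumes standard syslog selector syntax (facility.priority with '*' wildcards) and that a rotated file set occupies at most size * (files + 1) bytes.

```python
# Added example, not ImageStream's code: parse and sanity-check the
# syslog.conf.local entry format.  Assumes standard syslog selectors and
# that a rotated file set occupies at most size * (files + 1) bytes.
from dataclasses import dataclass, field

# Standard syslog facilities; local0-local7 are the ones used for log separation.
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp", "*"} | {f"local{i}" for i in range(8)}
DEFAULT_ROTATE_SIZE = 1024 * 1024   # 'rotate' alone rotates at 1 MB ...
DEFAULT_ROTATE_FILES = 5            # ... and keeps 5 spare/backup files


@dataclass
class LogEntry:
    selector: str
    destination: str
    remote: bool                     # '@host' forwards to a remote syslog server
    options: dict = field(default_factory=dict)

    def max_disk_bytes(self):
        """Worst-case bytes used by the main file plus backups; None if unbounded."""
        if self.remote or "rotate" not in self.options:
            return None
        size = self.options.get("size", DEFAULT_ROTATE_SIZE)
        files = self.options.get("files", DEFAULT_ROTATE_FILES)
        return size * (files + 1)


def parse_options(text):
    """Parse 'rotate,size=250k,age=24,files=1' into typed values."""
    opts = {}
    for item in text.split(","):
        key, _, value = item.partition("=")
        if key == "rotate" and not value:
            opts["rotate"] = True
        elif key == "size" and value.endswith("k") and value[:-1].isdigit():
            opts["size"] = int(value[:-1]) * 1024          # size is given in "k"
        elif key in ("age", "files") and value.isdigit():  # hours / backup count
            opts[key] = int(value)
        else:
            raise ValueError(f"bad logging option {item!r}")
    if opts and "rotate" not in opts:
        raise ValueError("size/age/files only apply together with 'rotate'")
    return opts


def parse_line(line):
    """Parse one entry line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()             # fields are separated by spaces or tabs
    if len(parts) not in (2, 3):
        raise ValueError(f"expected 2 or 3 fields: {line!r}")
    selector, dest = parts[0], parts[1]
    for sel in selector.split(";"):
        facility, _, priority = sel.partition(".")
        if facility not in FACILITIES or not priority:
            raise ValueError(f"bad selector {sel!r}")
    remote = dest.startswith("@")
    options = parse_options(parts[2]) if len(parts) == 3 else {}
    if remote and options:
        raise ValueError("rotation options do not apply to a remote destination")
    return LogEntry(selector, dest, remote, options)


def parse_config(text):
    """Parse a whole syslog.conf.local, skipping blanks and comments."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


# Constructed sample: the two example lines above plus a bare 'rotate' entry.
SAMPLE = """\
# remote logging using a local facility
local0.*\t@server.imagestream.com
# local logging using ImageStream's rotation options
*.*\t/var/log/syslog rotate,size=250k,age=24,files=1
local1.*\t/var/log/local1.log rotate
"""
```

Running parse_config(SAMPLE) shows that the page's example line is capped at 500 KB on disk, while a bare rotate entry can grow to 6 MB under the defaults.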


After saving the file and exiting, the router will display:
     Now writing the /etc/syslog.conf file...done. 
and return you to the Configure Event Logging menu system. Remember that this change is not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the change to become permanent.
Select menu option 3 and press Enter to return to the Global Configuration menu.

Configuring the User-Configurable Startup Script

The ImageStream router supports the use of user-defined commands or scripts on startup. To enable any user scripts or issue special commands, choose option 4 from the Global configuration menu and press Enter. The Global configuration menu will be displayed (again, your display may appear slightly different):
     Global configuration 
     1. Change hostname 
     2. Change DNS server 
     3. Configure Event Logging 
     4. Configure rc.local (user configurable startup script) 
     5. Select terminal type (linux) 
     6. Select default editor (pico) 
     7. Set the time 
     0. Configuration menu 
This will open the rc.local file in your default text editor. This is an advanced option, and you should only edit this file if you are familiar with the rc.local file under Linux. Remember that any changes to the rc.local file are not saved automatically to the router’s nonvolatile (Flash) memory. You must save your configuration to flash for the changes to become permanent.

Configuring the Default Terminal Type

The router supports thirteen common terminal types for use in displaying the router's menu and command line system to the connected display. The default value of vt100 should work for most users. This is an advanced option, and you should only change this setting if you are familiar with terminal types and need support for a different type.
To set the default terminal type, select menu option 6 and press Enter. The following menu will be displayed:
     Set your terminal type (vt100)
     1. vt100 (default)
     2. vt102
     3. vt220
     4. linux (linux systems only)
     5. Other (May cause software to be inoperable)
     0. Global configuration
To select the vt100 terminal type, or a different terminal type, select the menu option that matches your terminal type. Assuming you chose option 1, the following would be displayed:
     vt100 selected as the default terminal type.
and return you to the above menu. Remember that any change in the terminal type is not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the terminal type change to become permanent.
To return to the Global configuration menu, select menu option 0 and press Enter. The Global configuration menu will be displayed.

Configuring the Default Text Editor

The router supports two common text editors for use in configuring the system, vi and pico. Both text editors are available from the command line. The menu system defaults to pico. The pico editor is recommended for most users. If you are an advanced administrator familiar with vi, then select this option as your default.
To set the default text editor, select menu option 6 and press Enter. The following menu will be displayed:
     Select default editor (pico)
     1. Pico
     2. vi (for advanced users)
     0. Global configuration
Select either menu option 1 or 2 to choose the editor of your choice and press Enter. The router will display (assuming Pico is selected) the following:
     Pico selected as the default editor.
and return you to the above menu. Remember that any change in the default editor is not saved automatically to the router's nonvolatile (Flash) memory. You must save your configuration to flash for the default editor change to become permanent.
To return to the Global configuration menu, select menu option 0 and press Enter. The Global configuration menu will be displayed.

Setting the System Time

The router you receive has a system clock. This clock is used to calculate device uptimes and downtimes, log system messages via syslog and maintain modification times on files. The system clock can be synchronized with a server running the Network Time Protocol (NTP).
To set the system time, select menu option 7 and press Enter. The router will display the current time and prompt you if you want to synchronize the system time with a network time server.

Setting the System Time Manually

To set the system time manually, press N and Enter. The router will display the following:
     Please enter the date in this format (MMDDhhmmCCYY):
Enter the date in the specified format. For example, if the date is September 10, 2002 at 7:10 a.m., enter:
     091007102002
The router will then prompt you to confirm the date and time that you entered, for example:
     You have entered 09-10-2002 07:10, is this correct (Y/n) :
Press 'Y' or 'y' if the entry displayed is correct. Press 'N' or 'n' if the entry displayed is incorrect. Pressing 'N' or 'n' will erase your entries and the router will prompt you again for the system time. If you press 'Y' or 'y', the router will ask for the local time zone:
     Please enter the time zone abbreviation ('UTC' for Coordinated Universal Time) :
Enter the correct abbreviation for the time zone you want to use with the router. For example, Central European Summer Time is entered as CEST. Next, the router will ask for the time offset from UTC:
     Please enter the UTC offset for your time zone ('-8' for Pacific Standard Time) :
Enter a + or a - and the number of hours between your local time zone and UTC. The router will then prompt you to confirm the time zone and offset. Once you confirm the time zone and offset, the router will display the time:
     Tue Sep 10 07:10:00 PST 2002
and return you to the above menu. The system time will be automatically changed on the router and saved to the router's nonvolatile (Flash) memory.
To return to the Configuration menu, select menu option 0 and press Enter. The Configuration menu will be displayed.
