Date posted: 08-Feb-2016
HP Procurve L3 Switch
Check ID   Name                                                              Severity
SW-01      Device password not set                                           High
SW-02      Unused ports are enabled (later)                                  High
SW-03      Older version of software is installed (later)                    High
SW-04      Insecure CLI access privileges                                    Medium
SW-05      SNMP service is not secured                                       Medium
SW-06      Network access to the device is not restricted                    Medium
SW-07      Unsafe log generation and log collection                          Medium
SW-08      Time server not designated                                        Medium
SW-09      Non-essential services running                                    Medium
SW-10      Dynamic ARP Protection not enabled (later)                        Medium
SW-11      System statutory warning not set                                  Medium
SW-12      SSH disabled for remote administration                            Medium
SW-13      Spanning-tree protocol not secured (later)                        Medium
SW-14      Device processes directed broadcasts (later)                      Medium
SW-15      Proxy ARP is enabled (later)                                      Medium
SW-16      Virus Throttling (Connection-Rate Filtering) not set (later)      Medium
SW-17      DHCP snooping not enabled (later)                                 Medium
SW-18      Secure Management VLAN not configured (later)                     Medium
SW-19      Console inactivity timeout not set (Configured)                   Medium
SW-20      Insecure ACEs are configured                                      Medium
SW-21      Insecure hostname                                                 Low
SW-22      RADIUS authentication is not used (later)                         Low
Sample Finding / Description

SW-01 Sample finding: "password manager" and "password operator" are not set.
Description: Login to a switch should always be an authenticated access. The manager and operator passwords and (optional) usernames control access to the menu interface, CLI, and web browser interface.

SW-02 Sample finding: All Ethernet ports are enabled; unused Ethernet ports should be disabled.
Description: Only required interfaces should be enabled on the device. An unused interface is not monitored or controlled, which might expose the device to unknown attacks on those interfaces. Disabling unused interfaces creates a more secure environment than leaving them up and open to hacking attempts.

SW-03 Sample finding: Older IOS version K.12.14 installed.
Description: ProCurve devices should always be updated with the latest version of the IOS, which includes fixes for known issues, vulnerabilities, bugs etc., as well as new features.

SW-04 Sample finding: Telnet is used for remote administration. The following command was not set on this device: no telnet-server
Description: The Telnet protocol transmits all information, including login credentials, in clear text. To prevent password theft, SSH should be used for remote administration, as SSH encrypts all traffic between the device and the SSH client.

SW-05 Sample finding: SNMP version 3 is not used; the default "public" community string is used with unrestricted access, and the easy-to-guess community string "AdaniInfra" is used:
snmp-server community "public" Unrestricted
snmp-server community "AdaniInfra" Operator
Description: SNMPv1 and SNMPv2 use a very weak authentication scheme based on community strings. Most SNMP implementations send those strings repeatedly as part of periodic polling, and SNMPv1 and SNMPv2 send them in clear text. Moreover, they are easily spoofable, datagram-based transaction protocols. It is better to disable SNMP, but if SNMP is required then SNMPv3 should be used. If SNMPv1 or SNMPv2 must be used, configure strong, non-guessable community strings.

SW-06 Sample finding: "ip authorized-managers" command is not set.
Description: To prevent unauthorized access, remote administration of the device should be restricted to specific IP addresses only.

SW-07 Sample finding: System logging is enabled for all activities.
logging 132.132.49.5
Description: All important device logs should be enabled and collected to monitor all critical information and system-level activity.

SW-08 Sample finding: "time timezone" not set.
Description: A time server is used for synchronizing the system time on all devices and servers across the organisation. Once a time server is designated, the device refers to the time server for system time instead of its local clock.

SW-09 Sample finding: ftpd, telnetd, tftpd, rlogind are not running.
Description: By default many unnecessary services, such as the FTP daemon and Telnet daemon, are installed and enabled on this device. These services are not required for normal operation of the device and can be safely disabled.

SW-10 Sample finding: "arp-protect" is not set.
Description: On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid IP-to-MAC address bindings advertised in the source protocol address and source physical address fields are discarded.

SW-11 Sample finding: Custom banner "banner motd" is not set.
Description: Displaying appropriate warning messages when users access a system assists in prosecuting computer crime cases and defending legal issues involving the system.

SW-12 Sample finding: "ip ssh" is not set.
Description: Unencrypted protocols for remote administration, such as Telnet, transmit all information, including login credentials, in clear text. To prevent password theft, SSH should be used for remote administration, as SSH encrypts all traffic between the device and the SSH client.

SW-13 Sample finding: spanning-tree <port-list | all> bpdu-filter is not set.
Description: Spanning Tree Protocol prevents the layer 2 loops and "broadcast storms" that can bring down the network. By attacking the Spanning Tree Protocol, a network attacker hopes to have his or her system accepted as the root bridge in the topology. The STP security features protect the switch from malicious attacks or configuration errors:
* BPDU Filtering and BPDU Protection: protect the network from denial-of-service attacks that use spoofed BPDUs by dropping incoming BPDU frames and/or blocking traffic through a port.
* STP TCN Guard: protects the STP root bridge from malicious attacks or configuration mistakes.

SW-14 Sample finding: "no ip directed-broadcast" is not set.
Description: A directed broadcast is a packet destined for a specified broadcast IP address. A single copy of a directed broadcast is routed to the specified network, where it is broadcast to all terminals on that network. Attackers can use this to flood the network with broadcast packets. Directed broadcast is rarely used for legitimate purposes; hence, ProCurve devices should be configured not to process directed broadcast packets.

SW-15 Sample finding: "no ip arp-proxy" not set, on a per-VLAN basis.
Description: Proxy ARP is a method by which routers may make themselves available to hosts. A ProCurve device can act as an intermediary for ARP, responding to ARP queries on selected interfaces and thus enabling transparent access between multiple LAN segments.

SW-16 Sample finding: "connection-rate-filter" is not defined.
Description: Connection-rate filtering notifies on worm-like behaviour detected in inbound IP traffic and can also throttle or block such traffic. This feature also provides a method for allowing legitimate, high connection-rate traffic from a given host while still protecting the network from possibly malicious traffic from other hosts.

SW-17 Sample finding: "dhcp-snooping" is not set.
Description: DHCP snooping can be used to help avoid the denial-of-service attacks that result from unauthorized users adding a DHCP server to the network, which then provides invalid configuration data to other DHCP clients on the network. DHCP snooping accomplishes this by letting you distinguish between trusted ports connected to a DHCP server or switch and untrusted ports connected to end users. DHCP packets are forwarded between trusted ports without inspection. DHCP packets received on other switch ports are inspected before being forwarded, and packets from untrusted sources are dropped.

SW-18 Sample finding: "management-vlan" is not set.
Description: Configuring a secure Management VLAN creates an isolated network for managing the ProCurve switches that support this feature. If you configure a secure Management VLAN, access to the VLAN and to the switch's management functions (Menu, CLI, and web browser interface) is available only through ports configured as members. Multiple ports can belong to the Management VLAN. Only traffic from the Management VLAN can manage the switch, i.e. only the workstations connected to ports belonging to the Management VLAN can manage and reconfigure the switch.

SW-19 Sample finding: "console inactivity-timer" not set.
Description: Idle console, Telnet and SSH connections should be disconnected if the session remains inactive for a pre-defined duration.

SW-20 Sample finding: Many ACEs are configured to allow all access:
ip access-list extended "151"
   10 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   20 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 20
The following ACLs do not end with "deny all and log":
* 151
* 152
Description: Access Control Entries can be configured to restrict access from specific hosts to specific hosts and services. The ACEs are processed sequentially, with the first ACE that matches taking effect. If no match is made, the switch denies access by default.

SW-21 Sample finding: The hostname of the device is set to "FHDCHP5406ZL", revealing the location, name and model number of the HP ProCurve device in use.
Description: Device hostnames sometimes reflect the firewall model and OS version. This may help an attacker narrow down the list of attack procedures for the device: the attacker can focus on that specific device and concentrate on exploiting only it, saving a lot of time.

SW-22 Sample finding: "radius server" is not set.
Description: RADIUS (Remote Authentication Dial-In User Service) enables the use of multiple servers for centralized authentication. This allows a different password for each user instead of having to maintain and distribute switch-specific passwords to all users. For accounting, it can help you track network resource usage. RADIUS can also facilitate command authorization and accounting.
Impact / Solution

SW-01 Impact: If the switch has neither a Manager nor an Operator password, anyone with access to the switch through Telnet, the serial port, or the web browser interface can access the switch with full manager privileges. Also, if you configure only an Operator password, entering the Operator password enables full manager privileges.
Solution: Set passwords for the Manager and Operator accounts. At the config prompt, enter the command
(config)# password <manager | operator | all>
accordingly to enable authenticated access to the switch.

SW-02 Impact: If any port is enabled and not in use, a malicious user can plug into the open port and access all resources in the network.
Solution: The following commands can be used to disable unused network interfaces, at the config prompt:
(config)# interface <interface name> <interface number> disable
(config)# write memory
For the serial console: (config)# serial-console disable
For the USB port: (config)# usb-host-port disable
(config)# write memory

SW-03 Impact: If the IOS is not updated, an attacker can exploit known vulnerabilities in the IOS to gain unauthorized access to the router.
Solution: It is strongly recommended that the IOS be patched / upgraded to the latest software version. Refer to the admin guide for the software download and upgrade procedure.

SW-04 Impact: A malicious user can sniff traffic on the wire and steal the manager or operator passwords of the device.
Solution: Enable SSH with the following commands:
(1) Generate a public/private key pair on the switch: (config)# crypto key generate ssh [dsa | rsa]
(2) Enable SSH: (config)# ip ssh
Then disable Telnet access: (config)# no telnet-server
SW-05 Impact: A malicious user can gain administrative access to the device by stealing the community strings and/or spoofing the IP address of the SNMP manager.
Solution: If SNMP is not required, disable it with the following command:
(1) (config)# no snmp enable
If SNMP is required, configure the device to use SNMPv3 for communicating with the SNMP manager:
(2) (config)# snmpv3 enable
Configure an SNMP user with a strong password:
(3) (config)# snmpv3 user <user_name> [auth <md5 | sha> <auth_pass>] [priv <des | aes> <priv_pass>]
Configure an SNMP group:
(4) (config)# snmpv3 group <group_name> user <user_name> sec-model <ver1 | ver2c | ver3>
To configure a strong SNMPv3 community, enter:
(5) (config)# snmpv3 community index <index_name> name <community_name> sec-name <security_name> tag <tag_value>

SW-06 Impact: An unauthorized user can connect to the device remotely, and can initiate multiple simultaneous login attempts to cause a denial of service.
Solution: At the config prompt, enter the command
(config)# ip authorized-managers <ip-address> <ip-mask> access [manager | operator]
accordingly to allow only authorized access to the switch.

SW-07 Impact: Malicious activities may go unnoticed in the absence of logs, and no information is available for investigation and forensics if an intrusion occurs.
Solution: At the config prompt, enter the following commands to enable logging on an HP device:
(config)# logging <ip address>
(config)# logging facility syslog
(config)# debug destination session
(config)# debug event

SW-08 Impact: A mismatch in the time information in the logs from different devices can lead to errors in the correlated event information.
Solution: At the config prompt, enter the following commands to enable SNTP time synchronization on the switch:
(config)# timesync sntp
(config)# sntp unicast
(config)# sntp server <sntp ip address>

SW-09 Impact: A malicious user can compromise the device by exploiting vulnerabilities in the unnecessary services.
Solution: Using the ip ssh filetransfer command to enable Secure FTP (SFTP) automatically disables TFTP and auto-TFTP:
(config)# ip ssh filetransfer
SW-10 Impact: When this feature is not enabled, a malicious user may be able to execute layer 2 attacks such as MAC address spoofing and DHCP starvation, and can intercept traffic for other hosts in a "man-in-the-middle" attack.
Solution: To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level:
(config)# arp-protect vlan <vlan-range>

SW-11 Impact: Absence of a statutory warning may lead to failure in the prosecution of an accused malicious user.
Solution: Create an appropriate login warning banner stating that the system is for authorized use only and that all activity on the system is monitored, using the command:
(config)# banner motd <delimiter> <message>

SW-12 Impact: A malicious user can sniff traffic on the wire and steal the operator and manager passwords of the device.
Solution: For Operator access use "ssh login"; for Manager access use "ssh enable".
Generate a public/private key pair on the switch:
(config)# crypto key generate <autorun-key [rsa] | cert [rsa] <keysize> | ssh [dsa | rsa] bits <keysize>>
Enable SSH:
(config)# ssh enable local | radius
(config)# ip ssh cipher <cipher-type> filetransfer ip-version mac <mac-type> timeout <5-120> listen <oobm | data | both>
Enable user authentication:
(config)# aaa authentication ssh login <local | tacacs | radius> [<local | none>]
(config)# aaa authentication ssh enable <local | tacacs | radius> [<local | none>]

SW-13 Impact: If STP security is not enabled, an attacker can announce his system as the root bridge and can see a variety of frames.
Solution: The bpdu-filter option forces a port to always stay in the forwarding state and be excluded from standard STP operation. The following command enables/disables the BPDU filter feature on the specified port(s):
(config)# spanning-tree <port-list | all> bpdu-filter
When tcn-guard is enabled for a port, the port stops propagating received topology change notifications and topology changes to other ports. The following command configures tcn-guard:
(config)# spanning-tree <port-list> tcn-guard

SW-14 Impact: A malicious user can perform a DoS attack using directed broadcast packets.
Solution: Configure the device not to process directed broadcasts by entering the following command in interface configuration mode, for every physical interface of the device:
(config)# no ip directed-broadcast

SW-15 Impact: Proxy ARP breaks the LAN security perimeter, effectively extending a LAN at layer 2 across multiple segments. Security can be undermined: a machine can claim to be another in order to intercept packets.
Solution: Proxy ARP is disabled by default on ProCurve routing switches. If it is found enabled, the following commands disable proxy ARP on a per-VLAN basis:
(config)# vlan <vlan number>
ProCurve(vlan-1)# no ip proxy-arp
SW-16 Impact: If this feature is not enabled, a virus or worm can spread across the network without any detection.
Solution: The following commands enable connection-rate filtering and set the global sensitivity level:
(config)# filter connection-rate <port-list> <notify-only | throttle | block>
(config)# connection-rate-filter sensitivity <low | medium | high | aggressive>
(config)# connection-rate-filter unblock <all | host | ip-addr>
low: sets the connection-rate sensitivity to the lowest possible sensitivity, i.e. 54 destinations in less than 0.1 seconds.
medium: sets the connection-rate sensitivity to allow a mean of 37 destinations in less than 1 second.
high: sets the connection-rate sensitivity to allow a mean of 22 destinations in less than 1 second.

SW-17 Impact: An attacker with a rogue DHCP server can successfully intercept traffic for other hosts in a "man-in-the-middle" attack.
Solution: DHCP snooping is enabled globally with:
(config)# dhcp-snooping
Enable DHCP snooping on VLANs:
(config)# dhcp-snooping vlan <vlan-id-range>
Configure authorized server addresses:
(config)# dhcp-snooping authorized-server <ip-address>
Configure DHCP snooping trusted ports:
(config)# dhcp-snooping trust <port-list>

SW-18 Impact: Managing the switch from a common VLAN poses a risk of the manager credentials being sniffed. A malicious user can sniff traffic on the wire and steal the manager or operator passwords of the device.
Solution: Note: if you configure the Management VLAN over a Telnet connection through a port that is not in the Management VLAN, you will lose management contact with the switch when you log off the Telnet connection or execute write memory and reboot the switch.
(config)# management-vlan <vlan number>
(config)# vlan 100 tagged <port number>

SW-19 Impact: An unauthorized user can gain access to the firewall through unattended sessions.
Solution: A timeout period of 10 minutes should be configured for connections to the HP ProCurve. The following command sets the console inactivity timeout:
(config)# console inactivity-timer 10
SW-20 Impact: A weak ACL configuration could allow a malicious user or an attacker to gain unauthorized access to network services. With weak network filtering configured, the device would not prevent access from unauthorized hosts.
Solution: It is recommended that, where possible, all ACEs be configured to restrict access to network addresses and services to only those hosts that require access, and that ACLs be configured to ensure that:
* ACEs do not allow access from any source;
* ACEs do not allow access from a source network address;
* ACEs do not allow access to any destination;
* ACEs do not allow access to a destination network address;
* ACEs do not allow access to any destination service;
* ACEs do not allow access to a range of destination services;
* ACEs do not allow any network protocol;
* ACEs do not allow any ICMP message types;
* ACEs log all denied access;
* ACEs log all allowed access.
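The ACE rules above can be checked mechanically against ACL text copied from `show running-config`. The following Python script is an added example, not part of the original checklist; it parses ProCurve extended ACLs in the form quoted in the SW-20 finding (the constructed sample reuses ACL 151 from the finding next to a tightened MGMT ACL) and reports ACEs that permit any source, any destination, any protocol or all ICMP types, plus ACLs that do not end with a logged deny.

```python
"""Audit HP ProCurve ACLs for the SW-20 weaknesses listed above.

Added example, not part of the original checklist. Assumes ACL text as printed
by `show running-config`. Address specs follow ProCurve syntax: `any`,
`host A.B.C.D`, or `A.B.C.D WILDCARD`, where wildcard 255.255.255.255 = any.
"""
import re
from typing import Dict, List, Tuple

ANY_WILDCARD = "255.255.255.255"
PORT_OPS = {"eq", "neq", "lt", "gt"}

def _take_addr(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec; return ('any' | 'host' | 'net', remaining tokens)."""
    if tokens[0] in ("any", "host"):
        return tokens[0], tokens[1 if tokens[0] == "any" else 2:]
    mask = tokens[1]
    kind = "any" if mask == ANY_WILDCARD else ("host" if mask == "0.0.0.0" else "net")
    return kind, tokens[2:]

def _skip_port(tokens: List[str]) -> List[str]:
    """Skip an optional TCP/UDP port qualifier (eq/neq/lt/gt N)."""
    if tokens and tokens[0] in PORT_OPS:
        return tokens[2:]
    return tokens

def parse_acls(config: str) -> Dict[str, List[dict]]:
    """Return {acl_name: [ace, ...]} for every extended ACL in the config text."""
    acls: Dict[str, List[dict]] = {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        header = re.match(r'ip access-list extended "([^"]+)"', line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        ace = re.match(r"(\d+) (permit|deny) (\S+) (.*)", line)
        if current is None or not ace:
            if line == "exit":
                current = None
            continue
        proto, rest = ace.group(3), ace.group(4).split()
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(_skip_port(rest))
        rest = _skip_port(rest)
        current.append({"seq": int(ace.group(1)), "action": ace.group(2), "proto": proto,
                        "src": src, "dst": dst, "log": "log" in rest,
                        # an ICMP ACE with no type/code after the destination matches all types
                        "icmp_typed": proto == "icmp" and any(t != "log" for t in rest)})
    return acls

def audit_acls(config: str) -> Dict[str, List[str]]:
    """Map each ACL name to the SW-20 issues found in it (empty list = clean)."""
    report: Dict[str, List[str]] = {}
    for name, aces in parse_acls(config).items():
        issues: List[str] = []
        for a in aces:
            if a["action"] != "permit":
                continue
            tag = f"ACE {a['seq']}"
            if a["src"] == "any":
                issues.append(f"{tag}: permits from any source")
            if a["dst"] == "any":
                issues.append(f"{tag}: permits to any destination")
            if a["proto"] == "ip":
                issues.append(f"{tag}: permits any protocol")
            if a["proto"] == "icmp" and not a["icmp_typed"]:
                issues.append(f"{tag}: permits all ICMP message types")
        if not aces or aces[-1]["action"] != "deny" or not aces[-1]["log"]:
            issues.append("ACL does not end with an explicit 'deny ... log' entry")
        report[name] = issues
    return report

# Constructed sample: ACL 151 is the weak ACL quoted in the finding; MGMT is a
# tightened counterpart that ends with a logged deny.
SAMPLE_CONFIG = """
ip access-list extended "151"
   10 permit icmp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   20 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 20
   exit
ip access-list extended "MGMT"
   10 permit tcp 10.0.100.0 0.0.0.255 host 10.0.0.2 eq 22
   20 deny ip any any log
   exit
"""
```

Calling `audit_acls(SAMPLE_CONFIG)` returns six issues for ACL 151 and an empty list for MGMT.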
SW-21 Impact: An attacker can try known attacks specific to that device model and OS version; the time required for device and OS fingerprinting is greatly reduced.
Solution: The following command changes the hostname of the switch:
(config)# hostname <ascii-string>

SW-22 Impact: Without a RADIUS server it is difficult to manage passwords for multiple administrator users on various network devices. To enforce password policies and password updates, administrators have to change the password locally on every device, which multiplies the work.
Solution: The following set of commands sets up RADIUS authentication for the various management access methods:
(config)# aaa authentication console | telnet | ssh | web | <enable | login radius>
(config)# radius-server host <IP-address> [auth-port <port-number>] [acct-port <port-number>] [key <server-specific key-string>]
(config)# radius-server key <global key-string>
(config)# radius-server timeout <1-15>
(config)# radius-server retransmit <1-5>
(config)# radius-server dead-time <1-1440>
(config)# show radius [host <ip-address>]
(config)# show authentication
(config)# show radius authentication
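Most of the findings and Solution-column commands above can be pre-checked offline against a saved `show running-config`. This Python script is an added example, not from the original document: it assumes each remediation command appears verbatim on its own line once configured (for example `no telnet-server` once Telnet is disabled), and both sample configs are constructed from the values quoted in the findings.

```python
"""Audit a ProCurve running-config against the checklist items above.

Added example, not from the original document. Assumes the text is the output
of `show running-config` and that each Solution-column command appears verbatim
on its own line once configured (e.g. `no telnet-server` once Telnet is off).
"""
import re
from typing import List, Tuple

# (check id, name, regexes that must ALL be present, regexes that must be ABSENT)
CHECKS: List[Tuple[str, str, List[str], List[str]]] = [
    ("SW-01", "Device password not set",
     [r"^password manager\b", r"^password operator\b"], []),
    ("SW-05", "SNMP service is not secured", [r"^snmpv3 enable\b"],
     [r'^snmp-server community "public"', r"^snmp-server community .*Unrestricted"]),
    ("SW-06", "Network access not restricted", [r"^ip authorized-managers\b"], []),
    ("SW-07", "Log collection not configured", [r"^logging \d+\.\d+\.\d+\.\d+"], []),
    ("SW-08", "Time server not designated", [r"^timesync sntp\b", r"^sntp server\b"], []),
    ("SW-10", "Dynamic ARP Protection not enabled", [r"^arp-protect\b"], []),
    ("SW-11", "Statutory warning not set", [r"^banner motd\b"], []),
    ("SW-12", "SSH disabled / Telnet enabled", [r"^ip ssh\b", r"^no telnet-server\b"], []),
    ("SW-17", "DHCP snooping not enabled", [r"^dhcp-snooping\b"], []),
    ("SW-18", "Management VLAN not configured", [r"^management-vlan\b"], []),
    ("SW-19", "Console inactivity timeout not set", [r"^console inactivity-timer\b"], []),
    ("SW-22", "RADIUS authentication not used", [r"^radius-server host\b"], []),
]


def _present(pattern: str, config: str) -> bool:
    return re.search(pattern, config, re.MULTILINE) is not None


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (id, name) for every checklist item this config fails, in checklist order."""
    # Strip indentation so that every line is matched at column 0.
    text = "\n".join(line.strip() for line in config.splitlines())
    failed = []
    for check_id, name, required, forbidden in CHECKS:
        if (any(not _present(p, text) for p in required)
                or any(_present(p, text) for p in forbidden)):
            failed.append((check_id, name))
    return failed


# Constructed sample modelled on the finding text: default "public" community,
# Telnet still enabled, only the manager password set, no SSH, SNTP or banner.
WEAK_CONFIG = """
; Configuration Editor; Created on release #K.12.14
hostname "FHDCHP5406ZL"
snmp-server community "public" Unrestricted
snmp-server community "AdaniInfra" Operator
logging 132.132.49.5
password manager
vlan 1
   ip address 10.0.0.2 255.255.255.0
   exit
"""

# Constructed sample with the Solution-column commands applied.
HARDENED_CONFIG = """
hostname "CORE-SW-01"
password manager
password operator
no telnet-server
ip ssh
snmpv3 enable
snmpv3 only
ip authorized-managers 10.0.100.0 255.255.255.0 access manager
logging 10.0.100.21
timesync sntp
sntp unicast
sntp server priority 1 10.0.100.251
banner motd "Authorized use only. All activity is monitored."
console inactivity-timer 10
arp-protect
dhcp-snooping
management-vlan 100
radius-server host 10.0.100.30 key EXAMPLE-SECRET
"""

if __name__ == "__main__":
    for check_id, name in audit_config(WEAK_CONFIG):
        print(f"{check_id}: {name}")
```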
Impact in Axis Bank / Commands

SW-01 Impact in Axis Bank: As a security measure, only authorized IPs will be able to access the switches through SSH.
Commands:
HP ProCurve:
(config)# password operator user-name NAME
(config)# password manager user-name NAME
Juniper:
root# set user admin-ro class read-only authentication plain-text-password
root# set user cyrus class super-user authentication plain-text-password
H3C:
[Switch] role name NAME
[Switch-role-NAME] rule 1 permit read feature
[Switch-role-role1] rule 2 permit command system-view
For manager:
[Switch] local-user user1 class manage
[Switch-luser-manage-user1] password simple aabbcc

SW-02 Impact in Axis Bank: No impact, as it is part of a security measure. Unauthorized network access can be stopped through physical and logical barriers.
Commands:
HP ProCurve:
(config)# interface PORT-LIST
(eth-PORT-LIST)# disable
Juniper:
set interfaces PORT-LIST disable
H3C:
(config)# interface PORT-LIST
(port-list)# shutdown

SW-03 Impact in Axis Bank: We should upgrade when the network is stable and steady. Ensure that everyone who has access to the switch or the network is not configuring the switch or the network during this time. You cannot configure a switch during an upgrade.
Commands:
HP ProCurve:
(config)# copy tftp flash <ip address of TFTP server> <full filename including .swi> pri or sec
(config)# boot sys flash pri or sec
Juniper:
SW-04 Commands:
HP ProCurve:
(config)# ip ssh version 2
(config)# ip ssh
Telnet disable: (config)# no telnet-server
Juniper:
user@switch# set system services ssh
Telnet disable: user@switch# delete system services telnet
H3C:
[Sysname] ssh server enable
Telnet disable: [Sysname] telnet server disable
SW-05 Commands:
HP ProCurve:
(config)# snmp-server community STRING restricted
(config)# snmpv3 enable
(config)# snmpv3 only
(config)# snmpv3 restricted-access
(config)# snmpv3 user cacti auth sha AUTHPASS priv aes PRIVPASS
Juniper:
# set snmp community COMMUNITY_NAME authorization read-only
# set snmp community COMMUNITY_NAME
# set usm local-engine user nms1 authentication-sha authentication-password $1991poppI
H3C:
[Switch] snmp-agent trap enable
[Switch] snmp-agent targethost trap address udp-domain 10.0.100.21 udp-port 161 params securityname public
[Switch] snmp-agent
[Switch] snmp-agent sys-info version v3
[Switch] snmp-agent usm-user v3 test managerpriv authentication-mode md5 password privacy-mode 3des password

SW-06 Commands:
HP ProCurve:
Switch(config)# ip authorized-managers IP SUBNET access manager
Juniper:
# set term NAME from source-address IP/24
# set term NAME from destination-port ssh
# set then accept
H3C:
SW-07 Commands:
HP ProCurve:
(config)# logging IP-ADDRESS
(config)# logging facility syslog
(config)# logging severity
Juniper:
user@host# set security log stream trafficlogs host IP
H3C:
[Switch] info-center loghost IP

SW-08 Commands:
HP ProCurve:
(config)# sntp server priority 1 IP
(config)# sntp unicast
Juniper:
# set ntp server IP
H3C:
[Switch] ntp-service unicast-server 10.0.100.251

SW-09 Commands:
HP ProCurve:
(config)# ip ssh
(config)# ip ssh filetransfer
Juniper:
# host sftphost IP sftp abc xyz
# crypto key generate dss SSH-server
# crypto key generate dss SFTP-client
H3C:
[Sysname] sftp server enable
[Sysname] ssh user client001 service-type sftp
[Sysname] ssh user client001 authentication-type password

SW-10 Commands:
HP ProCurve:
(config)# arp-protect
(config)# arp-protect vlan ID
(config)# arp-protect trust 9
Juniper:
# set vlan ID arp-inspection
H3C:
(config)# ip arp inspection vlan 220
(config)# interface f0/9
(config-if)# ip arp inspection trust

SW-11 Commands:
HP ProCurve:
(config)# banner motd #
Enter the TEXT message, ending with the character '#'.
Juniper:
# set message "MESSAGE"
H3C:
[Comware5] header motd #MESSAGE#
SW-12 Commands:
HP ProCurve:
(config)# crypto key generate ssh
(config)# ip ssh
Juniper:
# set system services ssh
# set system root-authentication ssh PASS
H3C:
[Comware5] public-key local create rsa
[Comware5] ssh server enable
[Comware5] user-interface vty 0 4
[Comware5-ui-vty0-4] authentication-mode scheme
[Comware5-ui-vty0-4] protocol inbound ssh
[Comware5] local-user sshmanager
[Comware5-luser-sshmanager] password simple password
[Comware5-luser-sshmanager] service-type ssh
[Comware5-luser-sshmanager] authorization-attribute level 3

SW-13 Commands:
HP ProCurve:
(config)# spanning-tree bpdu-protection-timeout 300
(config)# spanning-tree 6 bpdu-protection
(config)# spanning-tree 6 bpdu-filter
Juniper:
# set protocols rstp interface ID disable
# set ethernet-switching-options bpdu-block interface ID drop
H3C:
[Comware5] stp bpdu-protection

SW-14 Commands:
HP ProCurve:
(config)# no ip directed-broadcast
Juniper:
# set interfaces ID family inet targeted-broadcast
H3C:
Disabled by default.

SW-15 Commands:
HP ProCurve:
(config-vlan-ID)# no ip proxy-arp
Juniper:
set interfaces ge-0/0/3 unit 0 proxy-arp restricted
H3C:
[Comware5] arp protective-down recover enable
[Comware5] arp protective-down recover interval 200
[Comware5] interface Ethernet1/0/1
[Comware5] dhcp-snooping trust
[Comware5] arp detection trust
SW-16 Commands:
HP ProCurve:
(config)# connection-rate-filter sensitivity medium
(config)# filter connection-rate 6 notify-only
(config)# filter connection-rate 10 block
(config)# filter connection-rate 20 throttle
Juniper:
# set ethernet-switching-options storm-control interface ge-0/0/0 bandwidth 15000
H3C:
There is no exact H3C equivalent of this ProVision feature. The Comware 5 ARP Defense and ARP Packet Rate Limit features provide rate limiting of incoming ARP packets:
[Switch] arp source-suppression enable
[Switch] arp source-suppression limit 15
[Switch-GigabitEthernet1/0/20] arp rate-limit rate 150 drop

SW-17 Commands:
HP ProCurve:
(config)# dhcp-snooping
(config)# dhcp-snooping authorized-server IP
(config)# dhcp-snooping database file tftp://10.0.100.21/ProVisio_dhcp.txt
(config)# dhcp-snooping vlan 220
(config)# dhcp-snooping trust 9
Juniper:
# set interface ge-0/0/8 dhcp-trusted
# set vlan employee-vlan examine-dhcp
# set vlan employee-vlan arp-inspection
H3C:
[Switch] dhcp-snooping
[Switch] interface g1/0/9
[Switch-GigabitEthernet1/0/9] dhcp-snooping trust

SW-18 Commands:
HP ProCurve:
(config)#

SW-19 Commands:
HP ProCurve:
(config)# console inactivity-timer 10
Juniper:
# set system login class super-user-local idle-timeout 10
H3C:
[Switch] user-interface aux 0
[Switch-aux0] idle-timeout 10

SW-20 Commands:
HP ProCurve:
(config)# ip access-list standard 1
(config-std-nacl)# permit IP IP
Juniper:
# set firewall family ethernet-switching filter block-to-server term 1 from source-address 20.20.20.0/24
# set firewall family ethernet-switching filter block-to-server term 1 from destination-address 10.10.10.0/24
# set firewall family ethernet-switching filter block-to-server term 1 then discard
H3C:
[Switch] acl number 2000
[Switch-acl-basic-2000] rule permit source 10.0.100.111 0.0.0.0

SW-21 Commands:
HP ProCurve:
(config)# hostname "NAME"
Juniper:
# set host-name NAME
H3C:
[switch] sysname NAME
SW-22 Commands:
HP ProCurve:
(config)# radius-server host IP key password
(config)# aaa authentication telnet login radius none
(config)# aaa authentication telnet enable radius none
Juniper:
# set system radius-server address IP
# set system radius-server IP secret Radius-secret1
# set system radius-server IP source-address IP
H3C (if you are planning to use SSH, configure it before you configure AAA support):
[Switch-radius-radiusauth] primary authentication IP 1812
[Switch-radius-radiusauth] primary accounting IP 1813
[Switch-radius-radiusauth] key authentication password
[Switch-radius-radiusauth] key accounting password
[Switch-radius-radiusauth] user-name-format without-domain
[Switch-radius-radiusauth] server-type extended
[Switch] domain lab
[Switch-isp-lab] authentication login radius-scheme radius-auth
[Switch-isp-lab] authorization login radius-scheme radius-auth
[Switch-isp-lab] accounting login radius-scheme radius-auth
[Switch] domain default enable lab