Reference Guide

To get enable authentication from the RADIUS server and use TACACS as a backup, issue the following commands.
Dell(config)# aaa authentication enable default radius tacacs
Radius and TACACS server has to be properly setup for this.
Dell(config)# radius-server host x.x.x.x key <some-password>
Dell(config)# tacacs-server host x.x.x.x key <some-password>
To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the
following commands.
Dell(config)# aaa authentication enable mymethodlist radius tacacs
Dell(config)# line vty 0 9
Dell(config-line-vty)# enable authentication mymethodlist
Server-Side Configuration
Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or
RADIUS server.
TACACS+ When using TACACS+, the switch sends an initial packet with service type SVC_ENABLE, and then sends a
second packet with just the password. The TACACS server must have an entry for username $enable$.
RADIUS When using RADIUS authentication, the switch sends an authentication packet with the following:
Username: $enab15$
Password: <password-entered-by-user>
Therefore, the RADIUS server must have an entry for this username.
Obscuring Passwords and Keys
By default, the service password-encryption command stores encrypted passwords. For greater security, you can also
use the service obscure-passwords command to prevent a user from reading the passwords and keys, including RADIUS,
TACACS+ keys, router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are
stored encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed.
Enabling the service obscure-passwords command displays asterisks instead of the encrypted passwords and keys. This
command prevents a user from reading these passwords and keys by obscuring this information with asterisks.
Password obscuring masks the password and keys for display only but does not change the contents of the file. The string of
asterisks is the same length as the encrypted string for that line of configuration. To verify that you have successfully obscured
passwords and keys, use the show running-config command or show startup-config command.
If you are using role-based access control (RBAC), only the system administrator and security administrator roles can enable
the service obscure-password command.
To enable the obscuring of passwords and keys, use the following command.
Turn on the obscuring of passwords and keys in the configuration.
CONFIGURATION mode
service obscure-passwords
Example of Obscuring Password and Keys
Dell(config)# service obscure-passwords
AAA Authorization
The system enables AAA new-model by default.
You can set authorization to be either local or remote. Different combinations of authentication and authorization yield
different results. By default, the system sets both to local.
Security
665