Administrator Guide

Server-Side Configuration
Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS
server.
TACACS+ — When using TACACS+, the switch sends an initial packet with service type SVC_ENABLE, and then sends a second
packet with just the password. The TACACS server must have an entry for username $enable$.
RADIUS — When using RADIUS authentication, the switch sends an authentication packet with the following:
Username: $enab15$
Password: <password-entered-by-user>
Therefore, the RADIUS server must have an entry for this username.
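To check a RADIUS server entry against the request described above, this added example (not from the Dell guide) builds and decodes an Access-Request for User-Name $enab15$ using the RFC 2865 User-Password hiding. The shared secret and password are constructed values, and carrying only two attributes is an assumption; the page does not list the other attributes the switch sends.

```python
import hashlib
import os
import struct

ENABLE_USER = b"$enab15$"  # User-Name the guide says the switch sends

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with a chained MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev  # each ciphertext block keys the next one
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse hide_password() using the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")

def build_enable_request(password: bytes, secret: bytes, ident: int = 1) -> bytes:
    """Access-Request (code 1) carrying only User-Name (1) and User-Password (2)."""
    authenticator = os.urandom(16)
    hidden = hide_password(password, secret, authenticator)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((1, ENABLE_USER), (2, hidden)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def parse_request(packet: bytes, secret: bytes) -> dict:
    """Decode the packet the way a RADIUS server would before its user lookup."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, found = packet[4:20], 20, {}
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        found[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    password = unhide_password(found.get(2, b""), secret, authenticator)
    return {"user": found.get(1), "password": password}
```

The enable password is protected in transit only by this keystream, so a server configured with a different shared secret decodes a different password and rejects the request.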
Conguring Re-Authentication
Starting from Dell Networking OS 9.11(0.0), the system enables re-authentication of user whenever there is a change in the authenticators.
The change in authentication happens when:
Add or remove an authentication server (RADIUS/TACACS+)
Modify an AAA authentication/authorization list
Change to role-only (RBAC) mode
Re-authentication also applies to authenticated 802.1x devices. When there is a change in the authentication servers, the
supplicants connected to all the ports are forced to re-authenticate.
1 Enable the re-authentication mode.
CONFIGURATION mode
aaa reauthentication enable
2 You are prompted to force the users to re-authenticate while adding or removing a RADIUS/TACACS+ server.
CONFIGURATION mode
aaa authentication login method-list-name
Example:
Dell(config)#aaa authentication login vty_auth_list radius
Force all logged-in users to re-authenticate (y/n)?
3 You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list.
CONFIGURATION mode
radius-server host IP Address
Example:
Dell(config)#radius-server host 192.100.0.12
Force all logged-in users to re-authenticate (y/n)?
Dell(config)#no radius-server host 192.100.0.12
Force all logged-in users to re-authenticate (y/n)?