Administrator Guide

Monitoring RADIUS
To view information on RADIUS transactions, use the following command.
View RADIUS transactions to troubleshoot problems.
EXEC Privilege mode
debug radius
Microsoft Challenge-Handshake Authentication Protocol Support for RADIUS Authentication
Dell Networking OS supports Microsoft Challenge-Handshake Authentication Protocol (MS-CHAPv2) with RADIUS authentication.
RADIUS is used to authenticate Telnet, SSH, console, REST, and OMI access to the switch based on the AAA configuration. By default, the
RADIUS client in the switch uses PAP (Password Authentication Protocol) for sending the login credentials to the RADIUS server. The
user-password attribute is added to the access-request message that is sent to the RADIUS server. Depending on the success or failure of
authentication, the RADIUS server sends back an access-accept or access-reject message respectively.
MS-CHAPv2 is more secure than PAP. MS-CHAPv2 does not send the user-password in the Access-Request message. It implements mutual
authentication based on random challenges. The MS-CHAP-Challenge and MS-CHAP2-Response attributes are sent in the
Access-Request message from the switch to the RADIUS server. The RADIUS server validates the attributes and sends back the MS-CHAPv2-Success
attribute in the Access-Accept message. If the validation fails, the RADIUS server sends back an Access-Reject message.
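To check which of the two methods a captured Access-Request actually carries, the following added example (not part of the Dell guide or Dell Networking OS) classifies a raw RADIUS payload by its credential attributes. Attribute numbers are taken from RFC 2865 and RFC 2548; the two sample packets are constructed here with zero-filled placeholder values, and all function names are hypothetical.

```python
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 1, 2, 26  # RFC 2865
MICROSOFT, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 311, 11, 25           # RFC 2548

def tlvs(buf):
    """Walk type/length/value triples; the length byte counts the 2 header bytes."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] < 2 or pos + buf[pos + 1] > len(buf):
            raise ValueError("malformed attribute")
        yield buf[pos], buf[pos + 2:pos + buf[pos + 1]]
        pos += buf[pos + 1]

def attributes(packet):
    """Yield (type, value); Microsoft VSAs come out as (("ms", vendor_type), value)."""
    if len(packet) < 20 or packet[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    for atype, value in tlvs(packet[20:length]):
        is_ms = len(value) > 4 and struct.unpack("!I", value[:4])[0] == MICROSOFT
        if atype == VENDOR_SPECIFIC and is_ms:
            for vtype, vvalue in tlvs(value[4:]):
                yield ("ms", vtype), vvalue
        else:
            yield atype, value

def auth_method(packet):
    """Classify one Access-Request by the credential attributes it carries."""
    seen = dict(attributes(packet))
    if USER_PASSWORD in seen:
        return "PAP"  # the password itself is in the request, hidden only by the shared key
    resp = seen.get(("ms", MS_CHAP2_RESPONSE))
    if ("ms", MS_CHAP_CHALLENGE) in seen and resp is not None and len(resp) == 50:
        return "MS-CHAPv2"  # challenge and response only; no password attribute
    return "unknown"

# --- constructed sample packets (placeholder values, not captured traffic) ---
def attr(t, v): return bytes([t, len(v) + 2]) + v
def ms_vsa(vt, v): return attr(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT) + attr(vt, v))
def request(attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

PAP_REQ = request([attr(USER_NAME, b"admin"), attr(USER_PASSWORD, bytes(16))])
MSCHAP_REQ = request([attr(USER_NAME, b"admin"), ms_vsa(MS_CHAP_CHALLENGE, bytes(16)),
                      ms_vsa(MS_CHAP2_RESPONSE, bytes(50))])
print(auth_method(PAP_REQ), auth_method(MSCHAP_REQ))
```
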
Enabling MS-CHAPv2 with the RADIUS authentication
Before enabling MS-CHAPv2 authentication on the switch, you must first enable MS-CHAPv2 support in the RADIUS server.
To enable MS-CHAPv2 for the RADIUS authentication:
1 Enable RADIUS.
CONFIGURATION mode
aaa authentication login default radius local
2 Specify the protocol for authentication.
CONFIGURATION mode
aaa radius auth-method mschapv2
3 Establish a host address and password.
CONFIGURATION mode
radius-server host H key K
4 Log in to the switch using console, Telnet, or SSH with a valid user role.
When one-factor authentication is used, the authentication succeeds, enabling you to access the switch. When two-factor authentication is
used, the system prompts you to enter a one-time password as a second step of authentication. If a valid one-time password is supplied,
the authentication succeeds, enabling you to access the switch.