Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

891

892

893

894

895

896

897

898

899

900

If authentication fails using the primary method, the system employs the second method (or third method, if necessary) automatically. For

example, if the TACACS+ server is reachable, but the server key is invalid, the system proceeds to the next authentication method. In the

following example, the TACACS+ is incorrect, but the user is still authenticated by the secondary method.

First bold line: Server key purposely changed to incorrect value.

Second bold line: User authenticated using the secondary method.

Dell(conf)#

Dell(conf)#do show run aaa

aaa authentication enable default tacacs+ enable

aaa authentication enable LOCAL enable tacacs+

aaa authentication login default tacacs+ local

aaa authentication login LOCAL local tacacs+

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

Dell(conf)#

Dell(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

Dell(conf)#tacacs-server key angeline

Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on

vty0 (10.11.9.209)

%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

%SYSTEM-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line

vty0 (10.11.9.209)

Dell(conf)#username angeline password angeline

Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline

on vty0 (10.11.9.209)

%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication and Authorization

The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet

sizes.

If you have congured remote authorization, the system ignores the access class you have congured for the VTY line and gets this access

class information from the TACACS+ server. The system must know the username and password of the incoming user before it can fetch

the access class from the server. A user, therefore, at least sees the login prompt. If the access class denies the connection, the system

closes the Telnet session immediately.

The following example demonstrates how to congure the access-class from a TACACS+ server. This conguration ignores the congured

access-class on the VTY line. If you have congured a deny10 ACL on the TACACS+ server, the system downloads it and applies it. If the

896

Security