Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsC9010 Modular Chassis Switch

831

832

833

834

835

836

837

838

839

840

Enable host-based authentication on the server (Dell Networking system) and the client (Unix machine). The following message appears if

you attempt to log in via SSH and host-based is disabled on the client. In this case, verify that host-based authentication is set to “Yes” in

the file ssh_config (root permission is required to edit this file): permission denied (host based).

If the IP address in the RSA key does not match the IP address from which you attempt to log in, the following message appears. In this

case, verify that the name and IP address of the client is contained in the file /etc/hosts: RSA Authentication Error.

Telnet

To use Telnet with SSH, first enable SSH, as previously described.

By default, the Telnet daemon is enabled. If you want to disable the Telnet daemon, use the following command, or disable Telnet in the

startup config. To enable or disable the Telnet daemon, use the [no] ip telnet server enable command.

Example of Using Telnet for Remote Login

Dell(conf)#ip telnet server enable

Dell(conf)#no ip telnet server enable

VTY Line and Access-Class Configuration

Various methods are available to restrict VTY access in the Dell Networking OS. These depend on which authentication scheme you use

— line, local, or remote.

Table 103. VTY Access

Authentication Method VTY access-class support? Username access-class

support?

Remote authorization

support?

Line YES NO NO

Local NO YES NO

TACACS+ YES NO YES

RADIUS YES NO YES

The system provides several ways to configure access classes for VTY lines, including:

• VTY Line Local Authentication and Authorization

• VTY Line Remote Authentication and Authorization

VTY Line Local Authentication and Authorization

The system retrieves the access class from the local database.

To use this feature:

1. Create a username.

2. Enter a password.

3. Assign an access class.

4. Enter a privilege level.

You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization.

Configure local authentication globally and configure access classes on a per-user basis.

The system can assign different access classes to different users by username. Until users attempt to log in, the system does not know if

they will be assigned a VTY line. This means that incoming users always see a login prompt even if you have excluded them from the VTY

line with a deny-all access class. After users identify themselves, the system retrieves the access class from the local database and applies

it. (The system can then close the connection if a user is denied access.)

NOTE:

If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you

configure RADIUS authentication.

The following example shows how to allow or deny a Telnet connection to a user. Users see a login prompt even if they cannot log in. No

access class is configured for the VTY line. It defaults from the local database.

832

Security