Users Guide

TACACS+ provides greater data security by encrypting the entire protocol portion in a packet sent from the switch to an authentication
server. RADIUS encrypts only passwords.
Congure a TACACS+ authentication server in CONFIGURATION mode. By default, a TACACS+ server uses TCP port 49 for
authentication.
tacacs-server host {hostname | ip-address} key authentication-key [auth-port port-number]
Re-enter the tacacs-server host command multiple times to configure more than one TACACS+ server. If you configure multiple
TACACS+ servers, OS10 attempts to connect in the order you configured them. An OS10 switch connects with the configured TACACS+
servers one at a time, until a RADIUS server responds with an accept or reject response.
Configure the global timeout used on all TACACS+ servers by using the tacacs-server timeout command. By default, OS10 times
out an authentication attempt on a TACACS+ server after five seconds.
Enter the timeout value used to wait for an authentication response from TACACS+ servers in CONFIGURATION mode (1 to 1000
seconds; default 5).
tacacs-server timeout seconds
Configure TACACS+ server
OS10(config)# tacacs-server host 1.2.4.5 key mysecret
View TACACS+ server configuration
OS10# show running-configuration
...
tacacs-server host 1.2.4.5 key mysecret
...
Delete TACACS+ server
OS10# no tacacs-server host 1.2.4.5
SSH Server
The secure shell (SSH) server allows an SSH client to access an OS10 switch through a secure, encrypted connection.
Congure SSH server
The SSH server is enabled by default. You can disable the SSH server using no ip ssh server enable.
Challenge response authentication is disabled by default. To enable, use the ip ssh server challenge-response-
authentication
command.
Host-based authentication is disabled by default. To enable, use the ip ssh server hostbased-authentication command.
Password authentication is enabled by default. To disable, use the no ip ssh server password-authentication command.
Public key authentication is enabled by default. To disable, use the no ip ssh server pubkey-authentication command.
Congure the list of cipher algorithms using ip ssh server cipher cipher-list.
Congure Key Exchange algorithms using ip ssh server kex key-exchange-algorithm.
Congure hash message authentication code (HMAC) algorithms using ip ssh server mac hmac-algorithm.
Congure the SSH server listening port using ip ssh server port port-number.
Congure the SSH server to be reachable on the management VRF using ip ssh server vrf.
Congure the SSH login timeout using the ip ssh server login-grace-time seconds command (0 to 300; default 60). To
reset the default SSH prompt timer, enter no ip ssh server login-grace-time.
Congure the maximum number of authentication attempts using the ip ssh server max-auth-tries number command (0
to 10; default 6). To reset the default, enter no ip ssh server max-auth-tries.
The max-auth-tries value includes all authentication attempts, including public-key and password. If both public-key based
authentication and password authentication are enabled, the public-key authentication is the default and is tried rst. If it fails, the
System management
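The TACACS+ and SSH server settings described in this section can be reviewed offline from a saved show running-configuration output. The Python script below is an added example, not Dell code: it parses a constructed configuration excerpt (the line formats are assumed to follow the command syntax shown above), keeps the TACACS+ servers in their configured order because that is the order OS10 tries them, applies the value ranges and defaults stated in this section, and flags that the shared TACACS+ keys appear in cleartext in the configuration output, so exported or backed-up configurations must be handled as secrets. The finding codes and the baseline checks are this example's own.

```python
"""Audit an OS10 'show running-configuration' excerpt for the TACACS+ and
SSH-server settings covered in this section. Added example, not Dell code.
The configuration text is constructed; line formats are assumed to match
the command syntax shown in the guide."""
import re
from dataclasses import dataclass, field

# Ranges and defaults as stated in the guide.
TACACS_TIMEOUT_RANGE = (1, 1000)   # tacacs-server timeout (default 5)
TACACS_PORT_DEFAULT = 49           # TCP port used when auth-port is omitted
SSH_GRACE_RANGE = (0, 300)         # ip ssh server login-grace-time (default 60)
SSH_MAX_AUTH_RANGE = (0, 10)       # ip ssh server max-auth-tries (default 6)

# Constructed sample: two TACACS+ servers (tried in this order), a non-default
# timeout, and SSH password authentication turned off.
SAMPLE_RUNNING_CONFIG = """\
!
tacacs-server host 1.2.4.5 key mysecret
tacacs-server host 10.0.0.7 key othersecret auth-port 4949
tacacs-server timeout 12
ip ssh server max-auth-tries 3
ip ssh server login-grace-time 30
no ip ssh server password-authentication
!
"""

TACACS_HOST_RE = re.compile(r"^tacacs-server host (\S+) key (\S+)(?: auth-port (\d+))?$")
TACACS_TIMEOUT_RE = re.compile(r"^tacacs-server timeout (\d+)$")
SSH_VALUE_RE = re.compile(r"^ip ssh server (max-auth-tries|login-grace-time) (\d+)$")
SSH_AUTH_RE = re.compile(r"^(no )?ip ssh server (password|pubkey)-authentication$")


@dataclass
class TacacsServer:
    host: str
    key: str
    port: int = TACACS_PORT_DEFAULT


@dataclass
class AuditResult:
    # Fields start at the defaults the guide states; explicit lines override them.
    tacacs_servers: list = field(default_factory=list)  # in configured order
    tacacs_timeout: int = 5
    ssh_password_auth: bool = True
    ssh_pubkey_auth: bool = True
    ssh_max_auth_tries: int = 6
    ssh_login_grace: int = 60
    findings: list = field(default_factory=list)        # "CODE: message"


def parse_running_config(text):
    """Extract the settings of interest; unrelated lines are ignored."""
    r = AuditResult()
    for raw in text.splitlines():
        line = raw.strip()
        if m := TACACS_HOST_RE.match(line):
            port = int(m.group(3)) if m.group(3) else TACACS_PORT_DEFAULT
            r.tacacs_servers.append(TacacsServer(m.group(1), m.group(2), port))
        elif m := TACACS_TIMEOUT_RE.match(line):
            r.tacacs_timeout = int(m.group(1))
        elif m := SSH_VALUE_RE.match(line):
            if m.group(1) == "max-auth-tries":
                r.ssh_max_auth_tries = int(m.group(2))
            else:
                r.ssh_login_grace = int(m.group(2))
        elif m := SSH_AUTH_RE.match(line):
            enabled = m.group(1) is None          # a leading "no " disables it
            if m.group(2) == "password":
                r.ssh_password_auth = enabled
            else:
                r.ssh_pubkey_auth = enabled
    return r


def audit(text):
    """Parse the excerpt and attach findings derived from this section."""
    r = parse_running_config(text)
    add = r.findings.append
    if not r.tacacs_servers:
        add("TACACS_NONE: no tacacs-server host configured")
    elif len(r.tacacs_servers) == 1:
        add("TACACS_SINGLE: one server only; nothing to fall back to if it does not respond")
    if r.tacacs_servers:
        # The key is visible in show running-configuration output (see the
        # guide's example), so any exported config must be handled as a secret.
        add("TACACS_KEY_CLEARTEXT: shared keys are present in cleartext in the config")
    if not TACACS_TIMEOUT_RANGE[0] <= r.tacacs_timeout <= TACACS_TIMEOUT_RANGE[1]:
        add(f"TACACS_TIMEOUT_RANGE: timeout {r.tacacs_timeout} outside 1-1000")
    if not SSH_MAX_AUTH_RANGE[0] <= r.ssh_max_auth_tries <= SSH_MAX_AUTH_RANGE[1]:
        add(f"SSH_MAX_AUTH_RANGE: max-auth-tries {r.ssh_max_auth_tries} outside 0-10")
    if not SSH_GRACE_RANGE[0] <= r.ssh_login_grace <= SSH_GRACE_RANGE[1]:
        add(f"SSH_GRACE_RANGE: login-grace-time {r.ssh_login_grace} outside 0-300")
    if not r.ssh_password_auth and not r.ssh_pubkey_auth:
        add("SSH_NO_STD_AUTH: password and public-key authentication both disabled")
    return r


def finding_codes(result):
    """Just the code part of each finding, for quick comparison."""
    return [f.split(":", 1)[0] for f in result.findings]


if __name__ == "__main__":
    result = audit(SAMPLE_RUNNING_CONFIG)
    print("TACACS+ order:", [s.host for s in result.tacacs_servers])
    for finding in result.findings:
        print("-", finding)
```

Running the script on the sample reports the two servers in the order OS10 would try them and a single finding, the cleartext keys; feeding it a configuration with a lone TACACS+ server or out-of-range values produces the corresponding codes. The parser only recognises the lines this section documents, so any other running-configuration content passes through untouched.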