Administrator Guide

ManualsBrandsDell ManualsserversDell Force10 MXL Blade

681

682

683

684

685

686

687

688

689

690

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

Dell(conf)#

Dell(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

Dell(conf)#

tacacs-server key angeline

Dell(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on

vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line

vty0 (10.11.9.209)

Dell(conf)#username angeline password angeline

Dell(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline

on vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication and Authorization

The Dell Networking OS takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet

access and packet sizes.

If you have congured remote authorization, the system ignores the access class you have congured for the VTY line. The system

instead gets this access class information from the TACACS+ server. The Dell Networking OS must know the username and

password of the incoming user before it can fetch the access class from the server. A user, therefore, at least sees the login prompt.

If the access class denies the connection, the system closes the Telnet session immediately.

The following example demonstrates how to congure the access-class from a TACACS+ server. This conguration ignores the

congured access-class on the VTY line. If you have congured a deny10 ACL on the TACACS+ server, Dell downloads it and applies

it. If the user is found to be coming from the 10.0.0.0 subnet, Dell also immediately closes the Telnet connection. Note, that no matter

where the user is coming from, they see the login prompt.

When conguring a TACACS+ server host, you can set dierent communication parameters, such as the key password.

Example of Specifying a TACACS+ Server Host

Dell#

Dell(conf)#

Dell(conf)#ip access-list standard deny10

Dell(conf-std-nacl)#permit 10.0.0.0/8

Dell(conf-std-nacl)#deny any

Dell(conf)#

Dell(conf)#aaa authentication login tacacsmethod tacacs+

Dell(conf)#aaa authentication exec tacacsauthorization tacacs+

Dell(conf)#tacacs-server host 25.1.1.2 key Force10

Dell(conf)#

Dell(conf)#line vty 0 9

Dell(config-line-vty)#login authentication tacacsmethod

Dell(config-line-vty)#authorization exec tacauthor

Dell(config-line-vty)#

690

Security