Administrator Guide

ManualsBrandsDell ManualsserversDell Force10 MXL Blade

691

692

693

694

695

696

697

698

699

700

Dell(config-line-vty)#access-class deny10

Dell(config-line-vty)#end

Specifying a TACACS+ Server Host

To specify a TACACS+ server host and congure its communication parameters, use the following command.

• Enter the host name or IP address of the TACACS+ server host.

CONFIGURATION mode

tacacs-server host {hostname | ip-address} [port port-number] [timeout seconds] [key key]

Congure the optional communication parameters for the specic host:

– port port-number: the range is from 0 to 65535. Enter a TCP port number. The default is 49.

– timeout seconds: the range is from 0 to 1000. Default is 10 seconds.

– key key: enter a string for the key. The key can be up to 42 characters long. This key must match a key congured on the

TACACS+ server host. This parameter must be the last parameter you congure.

If you do not congure these optional parameters, the default global values are applied.

Example of Connecting with a TACACS+ Server Host

To specify multiple TACACS+ server hosts, congure the tacacs-server host command multiple times. If you congure

multiple TACACS+ server hosts, the system attempts to connect with them in the order in which they were congured.

To view the TACACS+ conguration, use the show running-config tacacs+ command in EXEC Privilege mode.

To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.

freebsd2# telnet 2200:2200:2200:2200:2200::2202

Trying 2200:2200:2200:2200:2200::2202...

Connected to 2200:2200:2200:2200:2200::2202.

Escape character is '^]'.

Password:

Dell#

Command Authorization

The AAA command authorization feature congures the Dell Networking OS to send each conguration command to a TACACS

server for authorization before it is added to the running conguration.

By default, the AAA authorization commands congure the system to check both EXEC mode and CONFIGURATION mode

commands. To enable only EXEC mode command checking, use the no aaa authorization config-commands command.

If rejected by the AAA server, the command is not added to the running cong, and a message displays:

04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command

authorization failed for user (denyall) on vty0 ( 10.11.9.209 )

Protection from TCP Tiny and Overlapping Fragment Attacks

Tiny and overlapping fragment attack is a class of attack where congured ACL entries — denying TCP port-specic trac — is

bypassed and trac is sent to its destination although denied by the ACL.

RFC 1858 and 3128 proposes a countermeasure to the problem. This countermeasure is congured into the line cards and enabled by

default.

Security

691