Reference Guide

ManualsBrandsDell ManualsComputer equipmentForce10 Z9000

601

602

603

604

605

606

607

608

609

610

To view the configuration, use the show config in LINE mode or the show running-config tacacs+

command in EXEC Privilege mode.

If authentication fails using the primary method, FTOS employs the second method (or third method, if necessary)

automatically. For example, if the TACACS+ server is reachable, but the server key is invalid, FTOS proceeds to the next

authentication method. In the following example, the TACACS+ is incorrect, but the user is still authenticated by the

secondary method.

First bold line: Server key purposely changed to incorrect value.

Second bold line: User authenticated using the secondary method.

Example of a Failed Authentication

FTOS(conf)#

FTOS(conf)#do show run aaa

aaa authentication enable default tacacs+ enable

aaa authentication enable LOCAL enable tacacs+

aaa authentication login default tacacs+ local

aaa authentication login LOCAL local tacacs+

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

FTOS(conf)#

FTOS(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

FTOS(conf)#

tacacs-server key angeline

FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on

vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line

vty0 (10.11.9.209)

FTOS(conf)#username angeline password angeline

FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline

on vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication and Authorization

FTOS takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access

and packet sizes.

If you have configured remote authorization, FTOS ignores the access class you have configured for the VTY line. FTOS

instead gets this access class information from the TACACS+ server. FTOS must know the username and password of

the incoming user before it can fetch the access class from the server. A user, therefore, at least sees the login prompt.

If the access class denies the connection, FTOS closes the Telnet session immediately.

The following example demonstrates how to configure the access-class from a TACACS+ server. This configuration

ignores the configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+ server, FTOS

608