Setup Guide
– key key: enter a string for the key. The key can be up to 42 characters long. This key must match a key congured on the
TACACS+ server host. This parameter must be the last parameter you congure.
If you do not congure these optional parameters, the default global values are applied.
Example of Connecting with a TACACS+ Server Host
To specify multiple TACACS+ server hosts, congure the tacacs-server host command multiple times. If you congure multiple
TACACS+ server hosts, Dell EMC Networking OS attempts to connect with them in the order in which they were congured.
To view the TACACS+ conguration, use the show running-config tacacs+ command in EXEC Privilege mode.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
DellEMC#
Command Authorization
The AAA command authorization feature congures Dell EMC Networking OS to send each conguration command to a TACACS server
for authorization before it is added to the running conguration.
By default, the AAA authorization commands congure the system to check both EXEC mode and CONFIGURATION mode commands.
Use the no aaa authorization config-commands command to enable only EXEC mode command checking.
If rejected by the AAA server, the command is not added to the running cong, and a message displays:
04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command
authorization failed for user (denyall) on vty0 ( 10.11.9.209 )
Certain TACACS+ servers do not authenticate the device if you use the aaa authorization commands level default local
tacacs+
command. To resolve the issue, use the aaa authorization commands level default tacacs+ local
command.
Protection from TCP Tiny and Overlapping Fragment
Attacks
Tiny and overlapping fragment attack is a class of attack where congured ACL entries — denying TCP port-specic trac — is bypassed
and trac is sent to its destination although denied by the ACL.
RFC 1858 and 3128 proposes a countermeasure to the problem. This countermeasure is congured into the line cards and enabled by
default.
Enabling SCP and SSH
Secure shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. Dell EMC Networking
OS is compatible with SSH versions 2, in both the client and server modes. SSH sessions are encrypted and use authentication. SSH is
enabled by default.
For details about the command syntax, refer to the Security chapter in the Dell EMC Networking OS Command Line Interface Reference
Guide.
Dell EMC Networking OS SCP, which is a remote le copy program that works with SSH.
NOTE
: The Windows-based WinSCP client software is not supported for secure copying between a PC and a Dell EMC
Networking OS-based system. Unix-based SCP client software is supported.
812 Security