Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsNetworking S3100 Series

681

682

683

684

685

686

687

688

689

690

Server-Side Configuration

Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS

server.

• TACACS+ — When using TACACS+, Dell EMC Networking sends an initial packet with service type SVC_ENABLE, and then sends a

second packet with just the password. The TACACS server must have an entry for username $enable$.

• RADIUS — When using RADIUS authentication, the Dell OS sends an authentication packet with the following:

Username: $enab15$

Password: <password-entered-by-user>

Therefore, the RADIUS server must have an entry for this username.

Configuring Re-Authentication

Starting from Dell EMC Networking OS 9.11(0.0), the system enables re-authentication of user whenever there is a change in the

authenticators.

The change in authentication happens when:

• Add or remove an authentication server (RADIUS/TACACS+)

• Modify an AAA authentication/authorization list

• Change to role-only (RBAC) mode

The re-authentication is also applicable for authenticated 802.1x devices. When there is a change in the authetication servers, the

supplicants connected to all the ports are forced to re-authenticate.

1. Enable the re-authentication mode.

CONFIGURATION mode

aaa reauthentication enable

2. You are prompted to force the users to re-authenticate while adding or removing a RADIUS/TACACS+ server.

CONFIGURATION mode

aaa authentication login method-list-name

Example:

DellEMC(config)#aaa authentication login vty_auth_list radius

Force all logged-in users to re-authenticate (y/n)?

3. You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list..

CONFIGURATION mode

radius-server host IP Address

Example:

DellEMC(config)#radius-server host 192.100.0.12

Force all logged-in users to re-authenticate (y/n)?

DellEMC(config)#no radius-server host 192.100.0.12

Force all logged-in users to re-authenticate (y/n)?

Obscuring Passwords and Keys

By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use the

service obscure-passwords command to prevent a user from reading the passwords and keys, including RADIUS, TACACS+ keys,

router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are stored encrypted in the

configuration file and by default are displayed in the encrypted form when the configuration is displayed. Enabling the service

obscure-passwords command displays asterisks instead of the encrypted passwords and keys. This command prevents a user from

reading these passwords and keys by obscuring this information with asterisks.

Password obscuring masks the password and keys for display only but does not change the contents of the file. The string of asterisks is

the same length as the encrypted string for that line of configuration. To verify that you have successfully obscured passwords and keys,

use the show running-config command or show startup-config command.

682

Security