Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsOS9

741

742

743

744

745

746

747

748

749

750

aaa authentication enable default tacacs+ enable

aaa authentication enable LOCAL enable tacacs+

aaa authentication login default tacacs+ local

aaa authentication login LOCAL local tacacs+

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

DellEMC(conf)#

DellEMC(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

DellEMC(conf)#tacacs-server key angeline

DellEMC(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on

vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line

vty0 (10.11.9.209)

DellEMC(conf)#username angeline password angeline

DellEMC(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline

on vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

● View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication

The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access

and packet sizes.

If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets

this access class information from the TACACS+ server. The system must know the username and password of the incoming

user before it can fetch the access class from the server. A user, therefore, at least sees the login prompt. If the access class

denies the connection, the system closes the Telnet session immediately. The following example demonstrates how to configure

the access-class from a TACACS+ server. This configuration ignores the configured access-class on the VTY line. If you have

configured a deny10 ACL on the TACACS+ server, the system downloads it and applies it. If the user is found to be coming from

the 10.0.0.0 subnet, the system also immediately closes the Telnet connection. Note, that no matter where the user is coming

from, they see the login prompt.

When configuring a TACACS+ server host, you can set different communication parameters, such as the key password.

Example of Specifying a TACACS+ Server Host

DellEMC(conf)#

DellEMC(conf)#aaa authentication login tacacsmethod tacacs+

DellEMC(conf)#aaa authentication exec tacacsauthorization tacacs+

DellEMC(conf)#tacacs-server host 25.1.1.2 key Force

DellEMC(conf)#

DellEMC(conf)#line vty 0 9

DellEMC(config-line-vty)#login authentication tacacsmethod

DellEMC(config-line-vty)#end

Security

743