Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

781

782

783

784

785

786

787

788

789

790

• If the credentials are invalid, the authentication fails.

NOTE: 2FA does not support RADIUS authentications done with REST, Web UI, and OMI.

Handling Access-Challenge Message

To provide a two-step verication in addition to the username and password, NAS prompts for additional information. An Access-Challenge

request is sent from the RADIUS server to NAS.

The RADIUS server returns one of the following responses:

• Access-Challenge—If the user credentials are valid, the NAS server receives an Access-Challenge request from the RADIUS server.

• Access-Accept—NAS validates the username and password. If the credentials are valid, the RADIUS server sends an Access-Request

to the short message service one time password (SMS-OTP) daemon to generate an OTP. The OTP is sent to the user’s e-mail ID or

mobile. If the OTP is valid, the RADIUS server authenticates the 2FA user and sends an Access-Accept response to NAS.

• Access-Reject—NAS validates the OTP and if the OTP is invalid, the RADIUS server does not authenticate the user and sends an

Access-Reject response to NAS.

Conguring Challenge Response Authentication for SSHv2

To congure challenge response authentication for SSHv2, perform the following steps:

1 Enable challenge response authentication for SSHv2.

CONFIGURATION mode

ip ssh challenge-response-authentication enable

2 View the conguration.

EXEC mode

show ip ssh

DellEMC# show ip ssh

SSH server : enabled.

SSH server version : v2.

SSH server vrf : default.

SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-

cbc,3des-cbc.

SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.

SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-

sha1,diffie-hellman-group14-sha1.

Password Authentication : enabled.

Hostbased Authentication : disabled.

RSA Authentication : disabled.

Challenge Response Auth : enabled.

Vty Encryption HMAC Remote IP

2 aes128-cbc hmac-md5 10.16.127.141

4 aes128-cbc hmac-md5 10.16.127.141

* 5 aes128-cbc hmac-md5 10.16.127.141

DellEMC#

SMS-OTP Mechanism

A short message service one time password (SMS-OTP) is a free RADIUS module to implement two factor authentication. There are

multiple 2FA mechanisms that can be deployed with the RADIUS. Mechanisms such as the Google authenticator do not rely on the

Access-Challenge message and the SMS-OTP module rely on the Access-challenge message. The main objective of this feature is to

handle the Access-Challenge messages and sends the Access-Request message with user’s response.

790

Security