Connectivity Guide

Security
Authentication, authorization, and accounting (AAA) services secure networks against unauthorized access. In addition to local
authentication, OS10 supports remote authentication dial-in user service (RADIUS) and terminal access controller access control system
(TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication
requests to a server that contains all user authentication and network service access information.
A RADIUS or TACACS+ server provides authentication (user credentials verification), authorization (role-based permissions), and
accounting services. You can configure the security protocol used for different login methods and users. RADIUS provides very limited
authorization and accounting services compared to TACACS+.
AAA authentication methods
An OS10 switch uses a list of authentication methods to define the types of authentication and the sequence in which they apply. By
default, only the local authentication method is configured.
The authentication methods in the method list execute in the order in which you configure them. You can re-enter the methods to change
the order. The local authentication method remains enabled even if you remove all configured methods in the list using the no aaa
authentication login {console | default} command.
Configure the AAA authentication method in CONFIGURATION mode.
aaa authentication login {console | default} {local | group radius | group tacacs+}
console — Configure authentication methods for console logins.
default — Configure authentication methods for non-console logins, such as SSH and Telnet.
local — Use the local username, password, and role entries configured with the username password role command.
group radius — Use the RADIUS servers configured with the radius-server host command.
group tacacs+ — Use the TACACS+ servers configured with the tacacs-server host command.
Congure user role on server
If a console user logs in with RADIUS or TACACS+ authentication, the role you congured for the user on the RADIUS or TACACS+ server
applies. User authentication fails if no role is congured on the authentication server.
In addition, you must congure the user role on the RADIUS or TACACS+ server using the vendor-specic attribute (VSA) or the
authentication fails. Dell's vendor ID is 674. You create a VSA with Name = Dell-group-name, OID = 2, Type = string. Valid
values for
Dell-group-name are sysadmin, secadmin, netadmin, and netoperator. Use the VSA Dell-group-name values when you
create users on a Radius or TACACS+ server.
For detailed information about how to congure vendor-specic attributes on a RADIUS or TACACS+ server, refer to the respective
RADIUS or TACACS+ server documentation.
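The following is an added example, not from the Dell guide, showing how the Dell-group-name VSA above is laid out on the wire inside a RADIUS Vendor-Specific attribute (type 26, RFC 2865 encoding), and how a receiver validates it against the four permitted role values. The encoding layout and the helper names are assumptions; only the vendor ID, OID, and role names come from the page.

```python
import struct
from typing import Optional

# Values taken from the guide: Dell vendor ID 674, VSA Dell-group-name with OID 2, type string.
DELL_VENDOR_ID = 674
DELL_GROUP_NAME_VSA = 2
VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific attribute type (assumed standard layout)
VALID_ROLES = {"sysadmin", "secadmin", "netadmin", "netoperator"}


def encode_dell_group_name(role: str) -> bytes:
    """Build the Vendor-Specific attribute a RADIUS server would return in
    Access-Accept to assign an OS10 role. Rejects roles the switch would not accept."""
    if role not in VALID_ROLES:
        raise ValueError(f"not a valid Dell-group-name value: {role!r}")
    value = role.encode("ascii")
    # Vendor sub-attribute: vendor-type(1) vendor-length(1) value
    sub = struct.pack("!BB", DELL_GROUP_NAME_VSA, 2 + len(value)) + value
    body = struct.pack("!I", DELL_VENDOR_ID) + sub
    # Outer attribute: type(1) length(1) vendor-id(4) sub-attributes
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_dell_group_name(attr: bytes) -> Optional[str]:
    """Parse one Vendor-Specific attribute and return the role it assigns.
    Returns None when the attribute is malformed, from another vendor, or carries
    a role outside the permitted set; in that case login would fail, as the guide says."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        return None
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != DELL_VENDOR_ID:
        return None
    pos = 6
    while pos + 2 <= len(attr):
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > len(attr):
            return None  # malformed sub-attribute length
        if vtype == DELL_GROUP_NAME_VSA:
            role = attr[pos + 2:pos + vlen].decode("ascii", errors="replace")
            return role if role in VALID_ROLES else None
        pos += vlen  # skip other Dell sub-attributes
    return None
```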
Congure AAA authentication
OS10(config)# aaa authentication login default group radius local
OS10(config)# do show running-configuration aaa
aaa authentication login default group radius local
aaa authentication login console local
Remove AAA authentication methods
OS10(config)# no aaa authentication login default
OS10(config)# do show running-configuration aaa