Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4048T-ON

671

672

673

674

675

676

677

678

679

680

Second bold line: User authenticated using the secondary method.

Dell(conf)#

Dell(conf)#do show run aaa

aaa authentication enable default tacacs+ enable

aaa authentication enable LOCAL enable tacacs+

aaa authentication login default tacacs+ local

aaa authentication login LOCAL local tacacs+

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

Dell(conf)#

Dell(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

Dell(conf)#tacacs-server key angeline

Dell(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on

vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line

vty0 (10.11.9.209)

Dell(conf)#username angeline password angeline

Dell(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline

on vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication

The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet

sizes.

If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets this

access class information from the TACACS+ server. The system must know the username and password of the incoming user before it

can fetch the access class from the server. A user, therefore, at least sees the login prompt. If the access class denies the connection, the

system closes the Telnet session immediately. The following example demonstrates how to configure the access-class from a TACACS+

server. This configuration ignores the configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+

server, the system downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, the system also immediately

closes the Telnet connection. Note, that no matter where the user is coming from, they see the login prompt.

When configuring a TACACS+ server host, you can set different communication parameters, such as the key password.

Example of Specifying a TACACS+ Server Host

Dell(conf)#

Dell(conf)#aaa authentication login tacacsmethod tacacs+

Dell(conf)#aaa authentication exec tacacsauthorization tacacs+

Dell(conf)#tacacs-server host 25.1.1.2 key Force

Dell(conf)#

Dell(conf)#line vty 0 9

Dell(config-line-vty)#login authentication tacacsmethod

Dell(config-line-vty)#end

680

Security