Reference Guide
Configure TACACS+ server
OS10(config)# tacacs-server host 1.2.4.5 key mysecret
View TACACS+ server configuration
OS10# show running-configuration
...
tacacs-server host 1.2.4.5 key 9 3a95c26b2a5b96a6b80036839f296babe03560f4b0b7220d6454b3e71bdfc59b
...
Delete TACACS+ server
OS10(config)# no tacacs-server host 1.2.4.5
TACACS+ unknown or missing user role
When a TACACS+ server authenticates a user and does not return a role or returns an unknown role, OS10 assigns the netoperator role to the authenticated user by default. You can reconfigure the default netoperator role.
• Enter an OS10 user role in CONFIGURATION mode.
userrole default inherit existing-role-name
– existing-role-name — Enter a user role:
◦ sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles.
◦ secadmin — Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information.
◦ netadmin — Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information.
◦ netoperator — Access to EXEC mode to view the current configuration. A network operator cannot modify any configuration setting on a switch.
Reconfigure the default user role
OS10(config)# userrole default inherit sysadmin
SSH server
In OS10, the secure shell (SSH) server allows an SSH client to access an OS10 switch through a secure, encrypted connection. The SSH server authenticates remote clients using RADIUS challenge/response, a trusted host file, locally-stored passwords, and public keys.
Configure SSH server
• The SSH server is enabled by default. You can disable the SSH server using no ip ssh server enable.
• Challenge response authentication is disabled by default. To enable, use the ip ssh server challenge-response-authentication command.
• Host-based authentication is disabled by default. To enable, use the ip ssh server hostbased-authentication command.
• Password authentication is enabled by default. To disable, use the no ip ssh server password-authentication command.
• Public key authentication is enabled by default. To disable, use the no ip ssh server pubkey-authentication command.
• Password-less login is disabled by default. To enable, use the username sshkey or username sshkey filename commands.
• Configure the list of cipher algorithms using ip ssh server cipher cipher-list.
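The fallback role and the SSH defaults listed above decide what a user gets when nothing else is configured, so a saved configuration can be checked against them. The Python script below is an added example, not part of the Dell guide: it assumes the saved configuration lists these commands in the form they are entered and omits defaults, and the key-only SSH policy, the function names and the `<encrypted-key>` placeholder are constructed for illustration.

```python
import re

# Defaults as stated in this guide section (True = enabled out of the box).
SSH_DEFAULTS = {
    "enable": True,
    "challenge-response-authentication": False,
    "hostbased-authentication": False,
    "password-authentication": True,
    "pubkey-authentication": True,
}
# Example site policy (an assumption, not from the guide): key-based SSH only.
DISALLOWED_METHODS = ("password-authentication", "hostbased-authentication")

def effective_state(config_text):
    """Apply config lines over the documented defaults; return (ssh, default_role)."""
    ssh, role = dict(SSH_DEFAULTS), "netoperator"
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(no\s+)?ip ssh server (\S+)", line)
        if m and m.group(2) in ssh:
            ssh[m.group(2)] = m.group(1) is None  # a "no" prefix disables the feature
            continue
        m = re.fullmatch(r"userrole default inherit (\S+)", line)
        if m:
            role = m.group(1)
    return ssh, role

def audit(config_text):
    """Return a list of findings for the saved configuration text."""
    ssh, role = effective_state(config_text)
    findings = []
    if role != "netoperator":
        findings.append(f"fallback role is {role}: a TACACS+ user with a missing "
                        "or unknown role gets more than view-only access")
    if ssh["enable"]:
        for method in DISALLOWED_METHODS:
            if ssh[method]:
                findings.append(f"ssh {method} is enabled")
    return findings

# Constructed sample, not output captured from a switch.
SAMPLE = """\
tacacs-server host 1.2.4.5 key 9 <encrypted-key>
userrole default inherit sysadmin
ip ssh server hostbased-authentication
no ip ssh server pubkey-authentication
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Password authentication is reported for the sample even though no line mentions it, because the guide states it is enabled by default.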