Connectivity Guide

Delete TACACS+ server
OS10# no tacacs-server host 1.2.4.5
Unknown user role
When a RADIUS or TACACS+ server authenticates a user, it may return an unknown user role, or the role may be missing. In these cases,
OS10 assigns the netoperator role and associated permissions to the user by default. You can reconfigure the default assigned role. In
addition, you can configure an unknown RADIUS or TACACS+ user-role name to inherit the permissions of an existing OS10 system-defined
role.
Reconfigure the default OS10 user role in CONFIGURATION mode.
userrole {default | name} inherit existing-role-name
default inheritRecongure the default permissions assigned to an authenticated user with a missing or unknown role.
name inherit — Enter the name of the RADIUS or TACACS+ user role that inherits permissions from an OS10 user role; 32
characters maximum.
existing-role-name — Assign the permissions associated with an existing OS10 user role:
sysadmin — Full access to all commands in the system, exclusive access to commands that manipulate the file system, and
access to the system shell. A system administrator can create user IDs and user roles.
secadmin — Full access to configuration commands that set security policy and system access, such as password strength,
AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic
keys, login statistics, and log information.
netadmin — Full access to configuration commands that manage traffic flowing through the switch, such as routes,
interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security
information.
netoperator — Access only to EXEC mode to view the current configuration. A network operator cannot modify any
configuration setting on a switch.
Reconfigure permissions for an unknown user role
OS10(config)# userrole default inherit sysadmin
Congure permissions for a RADIUS or TACACS+ user role
OS10(config)# userrole tacacsadmin inherit netadmin
SSH server
In OS10, the secure shell (SSH) server allows an SSH client to access an OS10 switch through a secure, encrypted connection. The SSH
server authenticates remote clients using RADIUS challenge/response, a trusted host file, locally-stored passwords, and public keys.
Configure SSH server
The SSH server is enabled by default. You can disable the SSH server using the no ip ssh server enable command.
Challenge response authentication is disabled by default. To enable, use the
ip ssh server challenge-response-authentication command.
Host-based authentication is disabled by default. To enable, use the ip ssh server hostbased-authentication command.
Password authentication is enabled by default. To disable, use the no ip ssh server password-authentication command.
Public key authentication is enabled by default. To disable, use the no ip ssh server pubkey-authentication command.
Password-less login is disabled by default. To enable, use the username sshkey or username sshkey filename commands.
Congure the list of cipher algorithms using the ip ssh server cipher cipher-list command.
Congure Key Exchange algorithms using the ip ssh server kex key-exchange-algorithm command.
Congure hash message authentication code (HMAC) algorithms using the ip ssh server mac hmac-algorithm command.
Congure the SSH server listening port using the ip ssh server port port-number command.