API Guide

User re-authentication
To prevent users from accessing resources and performing tasks that they are not authorized to perform, OS10 allows you to
require users to re-authenticate by logging in again when an authentication method or server changes, such as:
- Adding or removing a RADIUS server using the radius-server host command
- Adding or removing an authentication method using the aaa authentication login {console | default} {local | group radius | group tacacs+} command
By default, user re-authentication is disabled. You can enable this feature so that user re-authentication is required when any of
these actions are performed. In these cases, logged-in users are logged out of the switch and all OS10 sessions terminate.
Enable user re-authentication
Enable user re-authentication in CONFIGURATION mode.
aaa re-authenticate enable
The no version of this command disables user re-authentication.
AAA with RADIUS authentication
To configure a RADIUS server for authentication, enter the server IP address or hostname, and the key that is used to
authenticate the OS10 switch on a RADIUS host. You can enter the authentication key in plain text or encrypted format. You
can change the User Datagram Protocol (UDP) port number on the server.
Configure a RADIUS authentication server in CONFIGURATION mode. By default, a RADIUS server uses UDP port 1812.
radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number]
To configure more than one RADIUS server, enter the radius-server host command once for each server. If you configure
multiple RADIUS servers, OS10 contacts them in the order you configured them. The switch tries the configured RADIUS
servers one at a time until a server responds with an accept or reject. For each server, the switch retries for the configured
number of retransmit attempts, waiting the configured timeout period for each attempt, before moving to the next server.
Configure global settings for the timeout and retransmit attempts that are allowed on RADIUS servers. By default, OS10
supports three RADIUS authentication attempts and times out after five seconds. No source interface is configured. The default
VRF instance is used to contact RADIUS servers.
NOTE: You cannot configure both a nondefault VRF instance (including management VRF) and a source interface at the same time for RADIUS authentication.
NOTE: A RADIUS server that is configured with a hostname is not supported on a nondefault VRF.
Configure the number of times OS10 retransmits a RADIUS authentication request in CONFIGURATION mode, from 0 to 100
retries; the default is 3.
radius-server retransmit retries
Configure the timeout period used to wait for an authentication response from a RADIUS server in CONFIGURATION mode,
from 0 to 1000 seconds; the default is 5.
radius-server timeout seconds
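As an added illustration (not OS10 code), the following Python models the server fallback described above: servers are tried in configured order, each for the retransmit count of attempts with one timeout period per unanswered attempt, and the first accept or reject ends the search. It assumes the retransmit value is the total number of attempts per server (the "three RADIUS authentication attempts" reading of the defaults), uses constructed server addresses, and stands in for the network with a responder function so that the worst-case login delay can be estimated offline.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class RadiusServer:
    host: str                 # constructed sample address, not a real server
    auth_port: int = 1812     # OS10 default UDP authentication port

# Stand-in for the network: (server, attempt number) -> "accept", "reject",
# or None when the server does not answer within the timeout.
Responder = Callable[[RadiusServer, int], Optional[str]]

@dataclass
class AuthResult:
    decision: str             # "accept", "reject" or "no-response"
    server: Optional[str]     # host that answered, None if none did
    elapsed_seconds: float    # time spent waiting on unanswered attempts
    attempts: List[tuple] = field(default_factory=list)

def radius_authenticate(servers: List[RadiusServer], responder: Responder,
                        retries: int = 3, timeout: float = 5.0) -> AuthResult:
    """Walk servers in configured order; stop at the first accept/reject.

    Assumption: `retries` is the total attempts per server (OS10 default 3),
    and every unanswered attempt costs the full `timeout` (default 5 s).
    """
    elapsed = 0.0
    log: List[tuple] = []
    for srv in servers:
        for attempt in range(1, retries + 1):
            answer = responder(srv, attempt)
            log.append((srv.host, attempt, answer))
            if answer in ("accept", "reject"):
                return AuthResult(answer, srv.host, elapsed, log)
            elapsed += timeout          # no reply: wait, then retransmit
    # Every server exhausted without an accept or reject decision
    return AuthResult("no-response", None, elapsed, log)

def worst_case_wait(num_servers: int, retries: int = 3, timeout: float = 5.0) -> float:
    """Seconds a login hangs when no configured server is reachable."""
    return num_servers * retries * timeout

if __name__ == "__main__":
    # Constructed scenario: first server silent, second answers immediately
    servers = [RadiusServer("192.0.2.10"), RadiusServer("192.0.2.11")]
    first_down = lambda srv, n: "accept" if srv.host == "192.0.2.11" else None
    result = radius_authenticate(servers, first_down)
    print(result.decision, result.server, result.elapsed_seconds)  # accept 192.0.2.11 15.0
    print(worst_case_wait(len(servers)))                           # 30.0
```

With the defaults, each unreachable server adds 15 seconds before the next one is tried, which is the figure to weigh when deciding how many servers to list and whether a local fallback method is configured.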
(Optional) Specify an interface whose IP address is used as the source IP address for user authentication with RADIUS
servers in CONFIGURATION mode. By default, no source interface is configured. OS10 selects the source IP address of any
interface from which a packet is sent to a RADIUS server.
An interface may have two IPv4 addresses and multiple IPv6 addresses. The selected OS10 source interface matches the
version of the RADIUS server IP address: IPv4 or IPv6.
For an IPv4 RADIUS server, the primary IPv4 address is used.
For an IPv6 server, any of the global IPv6 addresses that are configured on the interface are used.
1028
Security