Concept Guide
2 Congure login authentication on the console. This ensures that all users are properly identied through authentication no matter the
access point.
If you do not congure login authentication on the console, the system displays an error when you attempt to enable role-based only
AAA authorization.
3 Specify an authentication method list—RADIUS, TACACS+, or Local.
You must specify at least local authentication. For consistency, the best practice is to dene the same authentication method list
across all lines, in the same order of comparison; for example VTY and console port.
You could also use the default authentication method to apply to all the LINES; for example, console port and VTY.
NOTE: The authentication method list must be in the same order as the authorization method list. For example, if you
congure the authentication method list in the following order—TACACS+, local—Dell EMC Networking recommends
conguring the authorization method list in the same order—TACACS+, local.
4 Specify the authorization method list—RADIUS, TACACS+, or Local. At a minimum, you must specify local authorization.
For consistency, the best practice is to dene the same authorization method list across all lines, in the same order of comparison; for
example, VTY and console port.
You could also use the default authorization method list to apply to all the LINES—console port, VTY.
If you do not, the following error displays when you attempt to enable role-based only AAA authorization:
% Error: Exec authorization must be applied to more than one line to be useful, e.g. console
and vty lines. Could use default authorization method list as alternative.
5 Verify the conguration is applied to the console or VTY line.
DellEMC(conf)#do show running-config line
!
line console 0
login authentication test
authorization exec test
exec-timeout 0 0
line vty 0
login authentication test
authorization exec test
line vty 1
login authentication test
authorization exec test
To enable role-based only AAA authorization, enter the following command in Conguration mode:
DellEMC(conf)#aaa authorization role-only
System-Dened RBAC User Roles
By default, the Dell EMC Networking OS provides 4 system dened user roles. You can create up to 8 additional user roles.
NOTE
: You cannot delete any system dened roles.
The system dened user roles are as follows:
• Network Operator (netoperator) - This user role has no privilege to modify any conguration on the switch. You can access Exec mode
(monitoring) to view the current conguration and status information.
• Network Administrator (netadmin): This user role can congure, display, and debug the network operations on the switch. You can
access all of the commands that are available from the network operator user role. This role does not have access to the commands
that are available to the system security administrator for cryptography operations, AAA, or the commands reserved solely for the
system administrator.
• Security Administrator (secadmin): This user role can control the security policy across the systems that are within a domain or network
topology. The security administrator commands include FIPS mode enablement, password policies, inactivity timeouts, banner
establishment, and cryptographic key operations for secure access paths.
Security
863