Configuration manual

Security | 965
Figure 46-16. Example Access-Class Configuration Using Local Database

Force10(conf)#user gooduser password abc privilege 10 access-class permitall
Force10(conf)#user baduser password abc privilege 10 access-class denyall
Force10(conf)#
Force10(conf)#aaa authentication login localmethod local
Force10(conf)#
Force10(conf)#line vty 0 9
Force10(config-line-vty)#login authentication localmethod
Force10(config-line-vty)#end

VTY Line Remote Authentication and Authorization

FTOS retrieves the access class from the VTY line.

The Dell Force10 OS takes the access class from the VTY line and applies it to ALL users. FTOS does not need to know the identity of the incoming user and can apply the access class immediately. If the authentication method is RADIUS, TACACS+, or line, and you have configured an access class for the VTY line, FTOS applies it immediately. If the access class is "deny all" or denies the incoming subnet, FTOS closes the connection without displaying the login prompt. Figure 46-17 shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt. The example uses TACACS+ as the authentication mechanism.

Figure 46-17. Example Access Class Configuration Using TACACS+ Without Prompt

Force10(conf)#ip access-list standard deny10
Force10(conf-std-nacl)#deny 10.0.0.0/8
Force10(conf-std-nacl)#permit any
Force10(conf-std-nacl)#exit
Force10(conf)#
Force10(conf)#aaa authentication login tacacsmethod tacacs+
Force10(conf)#tacacs-server host 256.1.1.2 key force10
Force10(conf)#
Force10(conf)#line vty 0 9
Force10(config-line-vty)#login authentication tacacsmethod
Force10(config-line-vty)#
Force10(config-line-vty)#access-class deny10
Force10(config-line-vty)#end
(same applies for radius and line authentication)

Note: The server address 256.1.1.2 in the figure is not a valid IPv4 address (an octet cannot exceed 255); use the address of your own TACACS+ server. The ACL denies 10.0.0.0/8 first and then permits everything else; a standard ACL that listed "permit 10.0.0.0/8" before "deny any" would do the opposite of what the figure intends.

VTY MAC-SA Filter Support

FTOS supports MAC access lists, which permit or deny users based on their source MAC address. With this approach, you can implement a security policy based on the source MAC address.

To apply a MAC ACL on a VTY line, use the same access-class command as for IP ACLs (Figure 46-18). Figure 46-18 shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.

Note: See also Chapter 8, IP Access Control Lists (ACL), Prefix Lists, and Route-maps.
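The following Python script is an added example, not FTOS code and not part of the manual. It models the two behaviours the text describes: with local authentication the prompt is shown and the authenticated user's own access-class is applied, while with RADIUS, TACACS+, or line authentication the VTY line's access-class is checked before any prompt and a denied source is closed without one. The ACL parser, the decision functions, the audit helper, the ACL text and the user table are all assumptions constructed for this example (including the treatment of a user with no access-class as unrestricted); the "inverted10" ACL is a constructed mistake, not something from the manual, included to show how a config audit catches an ACL whose permit and deny lines are in the wrong order.

```python
"""Model of FTOS VTY access-class evaluation (added example, not FTOS code).

Behaviour modelled from the manual:
  * local authentication: the login prompt is shown and the access-class attached
    to the authenticated user is applied;
  * radius / tacacs+ / line authentication: the access-class on the VTY line is
    applied to every incoming connection before any prompt, and a denied source
    is closed without a login prompt.
Everything below is an assumption written for this example, not FTOS's own logic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed configuration fragment in FTOS standard-ACL syntax (sample input).
# "deny10" is the intended ACL from the manual's figure; "inverted10" is a
# constructed mistake (permit listed first) of the kind an audit should catch.
ACL_TEXT = """
ip access-list standard deny10
 deny 10.0.0.0/8
 permit any
ip access-list standard inverted10
 permit 10.0.0.0/8
 deny any
ip access-list standard permitall
 permit any
ip access-list standard denyall
 deny any
"""

# Constructed local user database: username -> access-class name (or None).
USERS = {"gooduser": "permitall", "baduser": "denyall"}


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    prefix: str  # CIDR such as "10.0.0.0/8", or "any"

    def matches(self, src: str) -> bool:
        if self.prefix == "any":
            return True
        return ip_address(src) in ip_network(self.prefix, strict=False)


def parse_standard_acls(text: str) -> dict:
    """Parse 'ip access-list standard NAME' blocks into {name: [AclEntry, ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["ip", "access-list", "standard"] and len(words) == 4:
            current = words[3]
            acls[current] = []
        elif current is not None and words[0] in ("permit", "deny") and len(words) == 2:
            acls[current].append(AclEntry(words[0], words[1]))
        else:
            raise ValueError(f"unrecognised ACL line: {raw.strip()!r}")
    return acls


def acl_decision(entries, src: str) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for entry in entries:
        if entry.matches(src):
            return entry.action
    return "deny"


def vty_decision(auth_method, acls, line_access_class, users, src, username=None):
    """Return what the VTY line does for a connection from `src`.

    "closed-no-prompt": the line access-class denied the source before any prompt
    "prompt":           a login prompt is presented
    "permit" / "deny":  result of the user's access-class after local authentication
    """
    if auth_method in ("radius", "tacacs+", "line"):
        if line_access_class is not None:
            if acl_decision(acls[line_access_class], src) == "deny":
                return "closed-no-prompt"
        return "prompt"
    if auth_method == "local":
        if username is None:
            return "prompt"  # identity is unknown until the user authenticates
        user_acl = users[username]
        # Assumption for this model: a user with no access-class is not restricted.
        return "permit" if user_acl is None else acl_decision(acls[user_acl], src)
    raise ValueError(f"unknown authentication method: {auth_method!r}")


def audit_denies(acls, name: str, prefix: str) -> bool:
    """Check that ACL `name` denies both ends of `prefix` (catches inverted entries)."""
    net = ip_network(prefix, strict=False)
    probes = [str(net.network_address), str(net.broadcast_address)]
    return all(acl_decision(acls[name], p) == "deny" for p in probes)


if __name__ == "__main__":
    acls = parse_standard_acls(ACL_TEXT)
    for name in ("deny10", "inverted10"):
        print(name, "denies 10.0.0.0/8:", audit_denies(acls, name, "10.0.0.0/8"))
    print("tacacs+ from 10.1.2.3:", vty_decision("tacacs+", acls, "deny10", USERS, "10.1.2.3"))
    print("local baduser from 192.0.2.7:",
          vty_decision("local", acls, None, USERS, "192.0.2.7", "baduser"))
```

Run it directly to see the audit report "deny10" as correct and "inverted10" as failing, and to see a TACACS+ connection from 10.1.2.3 closed before any prompt. The audit probes only the first and last address of the prefix, which is enough to expose a reversed permit/deny pair but not every possible ordering problem in a longer ACL.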