Users Guide

ManualsBrandsDell ManualsComputer equipmentPowerEdge M IO Aggregator

171

172

173

174

175

176

177

178

179

180

Transactions between the RADIUS server and the client are encrypted (the users’ passwords are not sent in plain text). RADIUS

uses UDP as the transport protocol between the RADIUS server host and the client.

For more information about RADIUS, refer to RFC 2865, Remote Authentication Dial-in User Service.

RADIUS Authentication

Dell Networking OS supports RADIUS for user authentication (text password) at login and can be specied as one of the login

authentication methods in the aaa authentication login command.

When conguring AAA authorization, you can congure to limit the attributes of services available to a user. When you enable

authorization, the network access server uses conguration information from the user prole to issue the user's session. The user’s

access is limited based on the conguration attributes. RADIUS exec-authorization stores a user-shell prole and that is applied

during user login. You may name the relevant named-lists with either a unique name or the default name. When you enable

authorization by the RADIUS server, the server returns the following information to the client:

• Idle Time

• ACL Conguration Information

• Auto-Command

• Privilege Levels

After gaining authorization for the rst time, you may congure these attributes.

NOTE: RADIUS authentication/authorization is done for every login. There is no dierence between rst-time login and

subsequent logins.

Idle Time

Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used.

RADIUS species idle-time allow for a user during a session before timeout. When a user logs in, the lower of the two idle-time

values (congured or default) is used. The idle-time value is updated if both of the following happens:

• The administrator changes the idle-time of the line on which the user has logged in.

• The idle-time is lower than the RADIUS-returned idle-time.

ACL Conguration Information

The RADIUS server can specify an ACL. If an ACL is congured on the RADIUS server, and if that ACL is present, the user may be

allowed access based on that ACL.

If the ACL is absent, authorization fails, and a message is logged indicating this.

RADIUS can specify an ACL for the user if both of the following are true:

• If an ACL is absent.

• If there is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged.

NOTE: The ACL name must be a string. Only standard ACLs in authorization (both RADIUS and TACACS) are supported.

Authorization is denied in cases using Extended ACLs.

Auto-Command

You can congure the system through the RADIUS server to automatically execute a command when you connect to a specic line.

The auto-command command is executed when the user is authenticated and before the prompt appears to the user.

• Automatically execute a command.

auto-command

Privilege Levels

Through the RADIUS server, you can congure a privilege level for the user to enter into when they connect to a session.

This value is congured on the client system.

176

Security