Addendum

ManualsBrandsDell ManualsComputer equipmentPowerEdge M IO Aggregator

241

242

243

244

245

246

247

248

249

250

First bold line: Server key purposely changed to incorrect value.

Second bold line: User authenticated using the secondary method.

Example of a Failed Authentication

FTOS(conf)#

FTOS(conf)#do show run aaa

aaa authentication enable default tacacs+ enable

aaa authentication enable LOCAL enable tacacs+

aaa authentication login default tacacs+ local

aaa authentication login LOCAL local tacacs+

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

FTOS(conf)#

FTOS(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

FTOS(conf)#

tacacs-server key angeline

FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on

vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line

vty0 (10.11.9.209)

FTOS(conf)#username angeline password angeline

FTOS(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline

on vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication and Authorization

FTOS takes the access class from the TACACS+ server. Access class is the class of service that restricts

Telnet access and packet sizes.

If you have configured remote authorization, FTOS ignores the access class you have configured for the

VTY line. FTOS instead gets this access class information from the TACACS+ server. FTOS must know the

username and password of the incoming user before it can fetch the access class from the server. A user,

therefore, at least sees the login prompt. If the access class denies the connection, FTOS closes the

Telnet session immediately.

The following example demonstrates how to configure the access-class from a TACACS+ server. This

configuration ignores the configured access-class on the VTY line. If you have configured a deny10 ACL

on the TACACS+ server, FTOS downloads it and applies it. If the user is found to be coming from the

10.0.0.0 subnet, FTOS also immediately closes the Telnet connection. Note, that no matter where the

user is coming from, they see the login prompt.

242

Security for M I/O Aggregator