Deployment Guide

ManualsBrandsDell ManualsComputer equipmentPowerEdge M IO Aggregator

191

192

193

194

195

196

197

198

199

200

TACACS server key. The fallback would not occur if the authentication failure is due to invalid credentials. For example, if the TACACS+

server is reachable, but the server key is invalid, Dell EMC Networking OS proceeds to the next authentication method. In the following

example, the TACACS+ is incorrect, but the user is still authenticated by the secondary method.

First bold line: Server key purposely changed to incorrect value.

Second bold line: User authenticated using the secondary method.

DellEMC(conf)#

DellEMC(conf)#do show run aaa

aaa authentication enable default tacacs+ enable

aaa authentication enable LOCAL enable tacacs+

aaa authentication login default tacacs+ local

aaa authentication login LOCAL local tacacs+

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

DellEMC(conf)#

DellEMC(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication

The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet

sizes.

If you have congured remote authorization, the system ignores the access class you have congured for the VTY line and gets this access

class information from the TACACS+ server. The system must know the username and password of the incoming user before it can fetch

the access class from the server. A user, therefore, at least sees the login prompt. If the access class denies the connection, the system

closes the Telnet session immediately. The following example demonstrates how to congure the access-class from a TACACS+ server.

This conguration ignores the congured access-class on the VTY line. If you have congured a deny10 ACL on the TACACS+ server, the

system downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, the system also immediately closes the Telnet

connection. Note, that no matter where the user is coming from, they see the login prompt.

When conguring a TACACS+ server host, you can set dierent communication parameters, such as the key password.

Example of Specifying a TACACS+ Server Host

DellEMC(conf)#

DellEMC(conf)#aaa authentication login tacacsmethod tacacs+

DellEMC(conf)#aaa authentication exec tacacsauthorization tacacs+

DellEMC(conf)#tacacs-server host 25.1.1.2 key Force

DellEMC(conf)#

DellEMC(conf)#line vty 0 9

200

Security