Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S4820T

721

722

723

724

725

726

727

728

729

730

CONFIGURATION mode

aaa authentication enable default radius tacacs

2. Establish a host address and password.

CONFIGURATION mode

radius-server host x.x.x.x key some-password

3. Establish a host address and password.

CONFIGURATION mode

tacacs-server host x.x.x.x key some-password

Examples of the enable commands for RADIUS

To get enable authentication from the RADIUS server and use TACACS as a backup, issue the following commands.

The following example shows enabling authentication from the RADIUS server.

Dell(config)# aaa authentication enable default radius tacacs

Radius and TACACS server has to be properly setup for this.

Dell(config)# radius-server host x.x.x.x key <some-password>

Dell(config)# tacacs-server host x.x.x.x key <some-password>

To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the following

commands.

The following example shows enabling local authentication for console and remote authentication for the VTY lines.

Dell(config)# aaa authentication enable mymethodlist radius tacacs

Dell(config)# line vty 0 9

Dell(config-line-vty)# enable authentication mymethodlist

Server-Side Conguration

Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or

RADIUS server.

• TACACS+ — When using TACACS+, Dell Networking sends an initial packet with service type SVC_ENABLE, and then sends a

second packet with just the password. The TACACS server must have an entry for username $enable$.

• RADIUS — When using RADIUS authentication, FTOS sends an authentication packet with the following:

Username: $enab15$

Password: <password-entered-by-user>

Therefore, the RADIUS server must have an entry for this username.

Obscuring Passwords and Keys

By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use

the service obscure-passwords command to prevent a user from reading the passwords and keys, including RADIUS,

TACACS+ keys, router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are stored

encrypted in the conguration le and by default are displayed in the encrypted form when the conguration is displayed. Enabling

the

service obscure-passwords command displays asterisks instead of the encrypted passwords and keys. This command

prevents a user from reading these passwords and keys by obscuring this information with asterisks.

Password obscuring masks the password and keys for display only but does not change the contents of the le. The string of

asterisks is the same length as the encrypted string for that line of conguration. To verify that you have successfully obscured

passwords and keys, use the show running-config command or show startup-config command.

If you are using role-based access control (RBAC), only the system administrator and security administrator roles can enable

the service obscure-password command.

Security

729