Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S5000

761

762

763

764

765

766

767

768

769

770

Dell(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline

on vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication

Dell Networking OS takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet

access and packet sizes.

If you have congured remote authorization, then Dell Networking OS ignores the access class you have congured for the VTY line.

Dell Networking OS instead gets this access class information from the TACACS+ server. Dell Networking OS needs to know the

username and password of the incoming user before it can fetch the access class from the server. A user, therefore, at least sees

the login prompt. If the access class denies the connection, Dell Networking OS closes the Telnet session immediately.

The following example shows how to congure the access-class from a TACACS+ server. This causes the congured access-class

on the VTY line to be ignored. If you have congured a

deny10 ACL on the TACACS+ server, Dell Networking OS downloads it and

applies it. If the user is found to be coming from the 10.0.0.0 subnet, Dell Networking OS also immediately closes the Telnet

connection. Notice that no matter where the user is coming from, they see the login prompt.

Example of Specifying a TACACS+ Server Host

Dell(conf)#ip access-list standard deny10

Dell(conf-std-nacl)#permit 10.0.0.0/8

Dell(conf-std-nacl)#deny any

Dell(conf)#

Dell(conf)#aaa authentication login tacacsmethod tacacs+

Dell(conf)#aaa authentication exec tacacsauthorization tacacs+

Dell(conf)#tacacs-server host 25.1.1.2 key dell

Dell(conf)#

Dell(conf)#line vty 0 9

Dell(config-line-vty)#login authentication tacacsmethod

Dell(config-line-vty)#authorization exec tacauthor

Dell(config-line-vty)#

Dell(config-line-vty)#access-class deny10

Dell(config-line-vty)#end

Command Authorization

The AAA command authorization feature congures Dell Networking OS to send each conguration command to a TACACS server

for authorization before it is added to the running conguration.

By default, the AAA authorization commands congure the system to check both EXEC mode and CONFIGURATION mode

commands. To enable only EXEC mode command checking, use the no aaa authorization config-commands command.

If rejected by the AAA server, the command is not added to the running cong, and a message displays:

04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command

authorization failed for user (denyall) on vty0 ( 10.11.9.209 )

770

Security