Manualshelf

Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S5000
931932933934935936937938939940
RADIUS Authentication and Authorization
Dell Networking OS supports RADIUS for user authentication (text password) at login and can be specified as
one of the login authentication methods in the aaa authentication login command.
When configuring AAA authorization, you can configure to limit the attributes of services available to a user.
When authorization is enabled, the network access server uses configuration information from the user
profile to issue the user's session. The user’s access is limited based on the configuration attributes.
RADIUS exec-authorization stores a user-shell profile and that is applied during user login. You may name the
relevant named-lists with either a unique name or the default name. When the RADIUS server enables
authorization, the server returns the following information to the client:
Idle time
ACL configuration information
Auto-command
Privilege level
After gaining authorization for the first time, you may configure these attributes.
NOTE: RADIUS authentication/authorization is done for every login. There is no difference between first-
time login and subsequent logins.
Idle Time
Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes
is used.
RADIUS specifies idle-time allow for a user during a session before timeout. When a user logs in, the lower of
the two idle-time values (configured or default) is used. The idle-time value is updated if both of the following
happen:
The administrator changes the idle-time of the line on which the user has logged in.
The idle-time is lower than the RADIUS-returned idle-time.
ACL Configuration Information
The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is
present, the user may be allowed access based on that ACL.
If the ACL is absent, authorization fails, and a message is logged indicating this.
RADIUS can specify an ACL for the user if both of the following are true:
If an ACL is absent.
If there is a long delay for an entry, or a denied entry because of an ACL, and a message is logged.
NOTE: The ACL name must be a string. Only standard ACLs in authorization (both RADIUS and TACACS)
are supported. Authorization is denied in cases using Extended ACLs.
Security 936