Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S5000

941

942

943

944

945

946

947

948

949

950

on vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication

Dell Networking OS takes the access class from the TACACS+ server. Access class is the class of service that

restricts Telnet access and packet sizes.

If you have configured remote authorization, then Dell Networking OS ignores the access class you have

configured for the VTY line. Dell Networking OS instead gets this access class information from the TACACS+

server. Dell Networking OS needs to know the username and password of the incoming user before it can

fetch the access class from the server. A user, therefore, at least sees the login prompt. If the access class

denies the connection, Dell Networking OS closes the Telnet session immediately.

The following example shows how to configure the access-class from a TACACS+ server. This causes the

configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the TACACS

+ server, Dell Networking OS downloads it and applies it. If the user is found to be coming from the 10.0.0.0

subnet, Dell Networking OS also immediately closes the Telnet connection. Notice that no matter where the

user is coming from, they see the login prompt.

Example of Specifying a TACACS+ Server Host

Dell(conf)#ip access-list standard deny10

Dell(conf-std-nacl)#permit 10.0.0.0/8

Dell(conf-std-nacl)#deny any

Dell(conf)#

Dell(conf)#aaa authentication login tacacsmethod tacacs+

Dell(conf)#aaa authentication exec tacacsauthorization tacacs+

Dell(conf)#tacacs-server host 25.1.1.2 key dell

Dell(conf)#

Dell(conf)#line vty 0 9

Dell(config-line-vty)#login authentication tacacsmethod

Dell(config-line-vty)#authorization exec tacauthor

Dell(config-line-vty)#

Dell(config-line-vty)#access-class deny10

Dell(config-line-vty)#end

Command Authorization

The AAA command authorization feature configures Dell Networking OS to send each configuration

command to a TACACS server for authorization before it is added to the running configuration.

By default, the AAA authorization commands configure the system to check both EXEC mode and

CONFIGURATION mode commands. To enable only EXEC mode command checking, use the no aaa

authorization config-commands command.

Security 942