Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S5000

811

812

813

814

815

816

817

818

819

820

First bold line: Server key purposely changed to incorrect value.

Second bold line: User authenticated using the secondary method.

Dell(conf)#

Dell(conf)#do show run aaa

aaa authentication enable default tacacs+ enable

aaa authentication enable LOCAL enable tacacs+

aaa authentication login default tacacs+ local

aaa authentication login LOCAL local tacacs+

aaa authorization exec default tacacs+ none

aaa authorization commands 1 default tacacs+ none

aaa authorization commands 15 default tacacs+ none

aaa accounting exec default start-stop tacacs+

aaa accounting commands 1 default start-stop tacacs+

aaa accounting commands 15 default start-stop tacacs+

Dell(conf)#

Dell(conf)#do show run tacacs+

tacacs-server key 7 d05206c308f4d35b

tacacs-server host 10.10.10.10 timeout 1

Dell(conf)#

tacacs-server key angeline

Dell(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on

vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

%RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line

vty0 (10.11.9.209)

Dell(conf)#username angeline password angeline

Dell(conf)#%RPM0-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline

on vty0 (10.11.9.209)

%RPM0-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password

authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

• View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication

Dell Networking OS takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and

packet sizes.

If you have congured remote authorization, then Dell Networking OS ignores the access class you have congured for the VTY line. Dell

Networking OS instead gets this access class information from the TACACS+ server. Dell Networking OS needs to know the username and

password of the incoming user before it can fetch the access class from the server. A user, therefore, at least sees the login prompt. If the

access class denies the connection, Dell Networking OS closes the Telnet session immediately.

The following example shows how to congure the access-class from a TACACS+ server. This causes the congured access-class on the

VTY line to be ignored. If you have congured a deny10 ACL on the TACACS+ server, Dell Networking OS downloads it and applies it. If

the user is found to be coming from the 10.0.0.0 subnet, Dell Networking OS also immediately closes the Telnet connection. Notice that no

matter where the user is coming from, they see the login prompt.

Example of Specifying a TACACS+ Server Host

Dell(conf)#ip access-list standard deny10

Dell(conf-std-nacl)#permit 10.0.0.0/8

Security

815