Reference Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S5000

841

842

843

844

845

846

847

848

849

850

debug tacacs+

TACACS+ Remote Authentication

Dell Networking OS takes the access class from the TACACS+ server. Access class is the class of service

that restricts Telnet access and packet sizes.

If you have configured remote authorization, then Dell Networking OS ignores the access class you have

configured for the VTY line. Dell Networking OS instead gets this access class information from the

TACACS+ server. Dell Networking OS needs to know the username and password of the incoming user

before it can fetch the access class from the server. A user, therefore, at least sees the login prompt. If the

access class denies the connection, Dell Networking OS closes the Telnet session immediately.

The following example shows how to configure the access-class from a TACACS+ server. This causes the

configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the

TACACS+ server, Dell Networking OS downloads it and applies it. If the user is found to be coming from

the 10.0.0.0 subnet, Dell Networking OS also immediately closes the Telnet connection. Notice that no

matter where the user is coming from, they see the login prompt.

Example of Specifying a TACACS+ Server Host

Dell(conf)#ip access-list standard deny10

Dell(conf-std-nacl)#permit 10.0.0.0/8

Dell(conf-std-nacl)#deny any

Dell(conf)#

Dell(conf)#aaa authentication login tacacsmethod tacacs+

Dell(conf)#aaa authentication exec tacacsauthorization tacacs+

Dell(conf)#tacacs-server host 25.1.1.2 key dell

Dell(conf)#

Dell(conf)#line vty 0 9

Dell(config-line-vty)#login authentication tacacsmethod

Dell(config-line-vty)#authorization exec tacauthor

Dell(config-line-vty)#

Dell(config-line-vty)#access-class deny10

Dell(config-line-vty)#end

Command Authorization

The AAA command authorization feature configures Dell Networking OS to send each configuration

command to a TACACS server for authorization before it is added to the running configuration.

By default, the AAA authorization commands configure the system to check both EXEC mode and

CONFIGURATION mode commands. To enable only EXEC mode command checking, use the no aaa

authorization config-commands command.

If rejected by the AAA server, the command is not added to the running config, and a message displays:

04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure

Command

authorization failed for user (denyall) on vty0 ( 10.11.9.209 )

Security

841