White Papers
To use local authentication for enable secret or enable sha256-password on the console, while using remote authentication on
VTY lines, issue the following commands.
The following example shows enabling local authentication for console and remote authentication for the VTY lines.
Dell(config)# aaa authentication enable mymethodlist radius tacacs
Dell(config)# line vty 0 9
Dell(config-line-vty)# enable authentication mymethodlist
Server-Side Conguration
• TACACS+ — When using TACACS+, Dell Networking sends an initial packet with service type SVC_ENABLE, and then sends a second
packet with just the password. The TACACS server must have an entry for username $enable$.
• RADIUS — When using RADIUS authentication, the Dell Networking OS sends an authentication packet with the following:
Username: $enab15$
Password: <password-entered-by-user>
Therefore, the RADIUS server must have an entry for this username.
Conguring Re-Authentication
Starting from Dell EMC Networking OS 9.11(0.0), the system enables re-authentication of user whenever there is a change in the
authenticators.
The change in authentication happens when:
• Add or remove an authentication server (RADIUS/TACACS+)
• Modify an AAA authentication/authorization list
• Change to role-only (RBAC) mode
The re-authentication is also applicable for authenticated 802.1x devices. When there is a change in the authetication servers, the
supplicants connected to all the ports are forced to re-authenticate.
1 Enable the re-authentication mode.
CONFIGURATION mode
aaa reauthentication enable
2 You are prompted to force the users to re-authenticate while adding or removing a RADIUS/TACACS+ server.
CONFIGURATION mode
aaa authentication login method-list-name
Example:
DellEMC(config)#aaa authentication login vty_auth_list radius
Force all logged-in users to re-authenticate (y/n)?
3 You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list..
CONFIGURATION mode
radius-server host IP Address
810
Security