Tacacs+ Remote Authentication - Dell Z9500 Configuration Manual
Z-series core and aggregation switche
Hide thumbs
Also See for Z9500:
- Command reference manual (1905 pages) ,
- Reference manual (1849 pages) ,
- Installation manual (47 pages)
Table of Contents
Advertisement
proceeds to the next authentication method. In the following example, the TACACS+ is incorrect, but the user is still
authenticated by the secondary method.
First bold line: Server key purposely changed to incorrect value.
Second bold line: User authenticated using the secondary method.
Dell(conf)#
Dell(conf)#do show run aaa
!
aaa authentication enable default tacacs+ enable
aaa authentication enable LOCAL enable tacacs+
aaa authentication login default tacacs+ local
aaa authentication login LOCAL local tacacs+
aaa authorization exec default tacacs+ none
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
Dell(conf)#
Dell(conf)#do show run tacacs+
!
tacacs-server key 7 d05206c308f4d35b
tacacs-server host 10.10.10.10 timeout 1
Dell(conf)#tacacs-server key angeline
Dell(conf)#%SYSTEM-P:CP Dell SEC-5-LOGIN_SUCCESS: Login successful for user admin on
vty0 (10.11.9.209)
%SYSTEM-P:CP% SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password
authentication success on vty0 ( 10.11.9.209 )
%SYSTEM-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line
vty0 (10.11.9.209)
Dell(conf)#username angeline password angeline
Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on
vty0 (10.11.9.209) %SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password
authentication success on vty0 ( 10.11.9.209 )
Monitoring TACACS+
To view information on TACACS+ transactions, use the following command.
•
View TACACS+ transactions to troubleshoot problems.
EXEC Privilege mode
debug tacacs+
TACACS+ Remote Authentication
The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and
packet sizes.
If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets
this access class information from the TACACS+ server. The system must know the username and password of the incoming
user before it can fetch the access class from the server. A user, therefore, at least sees the login prompt. If the access class
denies the connection, the system closes the Telnet session immediately. The following example demonstrates how to
configure the access-class from a TACACS+ server. This configuration ignores the configured access-class on the VTY line. If
you have configured a deny10 ACL on the TACACS+ server, the system downloads it and applies it. If the user is found to be
coming from the 10.0.0.0 subnet, the system also immediately closes the Telnet connection. Note, that no matter where the
user is coming from, they see the login prompt.
When configuring a TACACS+ server host, you can set different communication parameters, such as the key password.
Security
743
Advertisement
Table of Contents
Troubleshooting
