Obscuring Passwords And Keys - Dell Force10 Z9000 Configuration Manual
Hide thumbs
Also See for Force10 Z9000:
- Reference manual (1483 pages) ,
- Configuration manual (984 pages) ,
- Manual (56 pages)
Table of Contents
Advertisement
Enabling AAA Authentication — RADIUS
To enable authentication from the RADIUS server, and use TACACS as a backup, use the following commands.
1.
Enable RADIUS and set up TACACS as backup.
CONFIGURATION mode
aaa authentication enable default radius tacacs
2.
Establish a host address and password.
CONFIGURATION mode
radius-server host x.x.x.x key some-password
3.
Establish a host address and password.
CONFIGURATION mode
tacacs-server host x.x.x.x key some-password
Examples of the enable commands for RADIUS
To get enable authentication from the RADIUS server and use TACACS as a backup, issue the following commands.
The following example shows enabling authentication from the RADIUS server.
Dell(config)# aaa authentication enable default radius tacacs
Radius and TACACS server has to be properly setup for this.
Dell(config)# radius-server host x.x.x.x key <some-password>
Dell(config)# tacacs-server host x.x.x.x key <some-password>
To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the following
commands.
The following example shows enabling local authentication for console and remote authentication for the VTY lines.
Dell(config)# aaa authentication enable mymethodlist radius tacacs
Dell(config)# line vty 0 9
Dell(config-line-vty)# enable authentication mymethodlist
Server-Side Configuration
•
TACACS+ — When using TACACS+, Dell Networking sends an initial packet with service type SVC_ENABLE, and then sends a
second packet with just the password. The TACACS server must have an entry for username $enable$.
•
RADIUS — When using RADIUS authentication, FTOS sends an authentication packet with the following:
Username: $enab15$
Password: <password-entered-by-user>
Therefore, the RADIUS server must have an entry for this username.
Obscuring Passwords and Keys
By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use
the service obscure-passwords command to prevent a user from reading the passwords and keys, including RADIUS,
TACACS+ keys, router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are stored
encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed. Enabling
the service obscure-passwords command displays asterisks instead of the encrypted passwords and keys. This command
prevents a user from reading these passwords and keys by obscuring this information with asterisks.
632
Security
Advertisement
Table of Contents
Troubleshooting
