Dell PowerEdge M420 Reference Manual page 197

User Access Control
In addition to authenticating a user, the CLI also assigns the user access to
one of two security levels. Level 1 has read-only access. This level allow the
user to read information but not configure the switch. The access to this level
cannot be modified. Level 15 is the special access level assigned to the
superuser of the switch. This level has full access to all functions within the
switch and can not be modified.
If the user account is created and maintained locally, each user is given an
access level at the time of account creation. If the user is authenticated
through remote authentication servers, the authentication server is
configured to pass the user access level to the CLI when the user is
authenticated. When Radius is used, the
returns the access level for the user. Two vendor specific options are
supported. These are CISCO-AV-Pairs(Shell:priv-lvl=x) and Dell Radius VSA
(user-group=x). TACACS+ provides the appropriate level of access.
The following rules and specifications apply:
• The user determines whether remote authentication servers or locally
defined user authentication accounts are used.
• If authentication servers are used, the user can identify at least two remote
servers (the user may choose to configure only one server) and what
protocol to use with the server, TACACS+ or Radius. One of the servers is
primary and the other is the secondary server (the user is not required to
specify a secondary server). If the primary server fails to respond in a
configurable time period, the CLI automatically attempts to authenticate
the user with the secondary server.
• The user is able to specify what happens when both primary and secondary
servers fail to respond. In this case, the user is able to indicate that the CLI
should either use the local user accounts or reject all requests.
• Even if the user configures the CLI to fail login when the remote
authentication servers are down, the CLI allows the user to log in to the
serial interface authenticated by locally managed account data.
Vendor-Specific Option
Using the CLI
field
197