Vty Line Remote Authentication And Authorization; Vty Mac-Sa Filter Support - Dell Force10 S4810P Configuration Manual
High-density, 1ru 48-port 10gbe switch
Hide thumbs
Also See for Force10 S4810P:
- Manual (60 pages) ,
- Quick start manual (27 pages) ,
- Reference manual (1637 pages)
Table of Contents
Advertisement
Figure 43-16
shows how to allow or deny a Telnet connection to a user. Users will see a login prompt, even
if they cannot login. No access class is configured for the VTY line. It defaults from the local database.
Figure 43-16. Example Access-Class Configuration Using Local Database
FTOS(conf)#user gooduser password abc privilege 10 access-class permitall
FTOS(conf)#user baduser password abc privilege 10 access-class denyall
FTOS(conf)#
FTOS(conf)#aaa authentication login localmethod local
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(config-line-vty)#login authentication localmethod
FTOS(config-line-vty)#end
Note: See also the section
VTY Line Remote Authentication and Authorization
FTOS retrieves the access class from the VTY line.
The Dell Force10 OS takes the access class from the VTY line and applies it to ALL users. FTOS does not
need to know the identity of the incoming user and can immediately apply the access class. If the
authentication method is radius, TACACS+, or line, and you have configured an access class for the VTY
line, FTOS immediately applies it. If the access-class is
the connection without displaying the login prompt. The following example shows how to deny incoming
connections from subnet 10.0.0.0 without displaying a login prompt. The example uses TACACS+ as the
authentication mechanism.
Figure 43-17. Example Access Class Configuration Using TACACS+ Without Prompt
FTOS(conf)#ip access-list standard deny10
FTOS(conf-ext-nacl)#permit 10.0.0.0/8
FTOS(conf-ext-nacl)#deny any
FTOS(conf)#
FTOS(conf)#aaa authentication login tacacsmethod tacacs+
FTOS(conf)#tacacs-server host 256.1.1.2 key Force10
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(config-line-vty)#login authentication tacacsmethod
FTOS(config-line-vty)#
FTOS(config-line-vty)#access-class deny10
FTOS(config-line-vty)#end
(same applies for radius and line authentication)
VTY MAC-SA Filter Support
FTOS supports MAC access lists which permit or deny users based on their source MAC address. With
this approach, you can implement a security policy based on the source MAC address.
Chapter 7, Access Control Lists
(ACLs).
or
deny all
deny for the incoming subnet
, FTOS closes
Security | 911
Advertisement
Table of Contents
Troubleshooting
