Home » Dell Manuals » Hubs & Switches » Dell MX5108n » Manual Viewer

Dell MX5108n OS10 Enterprise Edition User Guide for PowerEdge MX IO Modules Re - Page 473

User re-authentication, Password strength

Add to My Manuals
Save this manual to your list of manuals

Page 473 highlights

(TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication requests to a server that contains all user authentication and network service access information. A RADIUS or TACACS+ server provides accounting, authentication (user credentials verification), and authorization (user privilege-level) services. You can configure the security protocol used for different login methods and users. The server uses a list of authentication methods to define the types of authentication and the sequence in which they apply. By default, only the local authentication method is used. The authentication methods in the method list are executed in the order in which they are configured. You can re-enter the methods to change the order. The local authentication method must always be in the list. If a console user logs in with RADIUS or TACACS+ authentication, the privilege-level you configured for the user on the RADIUS or TACACS+ server is applied. NOTE: You must configure the group name (level) on the RADIUS server using the vendor-specific attribute or the authentication fails. • Configure the AAA authentication method in CONFIGURATION mode. aaa authentication {local | radius | tacacs} - local - Use the username and password database defined in the local configuration. - radius - (Optional) Use the RADIUS servers configured with the radius-server host command as the primary authentication method. - tacacs - (Optional) Use the TACACS+ servers configured with the tacacs-server host command as the primary authentication method. Configure AAA authentication OS10(config)# aaa authentication radius local User re-authentication To prevent users from accessing resources and performing tasks for which they are not authorized, OS10 allows you to require users to reauthenticate by logging in again when an authentication method or server changes, such as: • Adding or removing a RADIUS server (radius-server host command) • Adding or removing an authentication method (aaa authentication {local | radius} command) You can enable this feature so that user re-authentication is required when any of these actions are performed. In these cases, logged-in users are logged out of the switch and all OS10 sessions are terminated. By default, user re-authentication is disabled. Enable user re-authentication • Enable user re-authentication in CONFIGURATION mode. aaa re-authenticate enable Enter the no form of the command to disable user re-authentication. Password strength By default, the password you configure with the username password command must be at least nine alphanumeric characters. To increase password strength, you can create password rules using the password-attributes command. When you enter the command, at least one parameter is required. When you enter the character-restriction parameter, at least one option is required. • Create rules for stronger passwords in CONFIGURATION mode. password-attributes {[min-length number] [character-restriction {[upper number] [lower number][numeric number] [special-char number]}} System management 473

Section	Page
OS10 Enterprise Edition User Guide — PowerEdge MX I/O Modules Release 10.4.0E(R3S)	3
Getting Started	21
Supported Hardware	21
OS10 image for MX Ethernet I/O modules	21
Download OS10 image and license	22
Installation	23
Automatic installation	24
Manual installation	24
Log into OS10	25
Install OS10 license	26
Remote access	27
Configure Management IP address	27
Management Route Configuration	28
Configure user name and password	28
Upgrade OS10	29
CLI Basics	29
User accounts	29
Key CLI features	29
CLI command modes	30
CLI command hierarchy	30
CLI command categories	30
CONFIGURATION Mode	31
Command help	31
Check device status	33
Candidate configuration	35
Change to transaction-based configuration	38
Copy running configuration	38
Restore startup configuration	39
Reload system image	39
Filter show commands	40
Alias command	40
Batch mode commands	44
Linux shell commands	44
SSH commands	45
OS9 environment commands	46
Common commands	46
alias	46
alias (multi-line)	47
batch	48
boot	48
commit	49
configure	49
copy	49
default (alias)	51
delete	51
description (alias)	52
dir	52
discard	53
do	53
feature config-os9-style	53
exit	54
license	54
line (alias)	55
lock	55
management route	56
move	56
no	57
reload	57
show alias	57
show boot	59
show candidate-configuration	59
show environment	61
show inventory	62
show ip management-route	62
show ipv6 management-route	63
show license status	63
show running-configuration	64
show startup-configuration	66
show system	67
show version	69
start	69
system	70
system identifier	70
terminal	70
traceroute	71
unlock	72
write	72
PowerEdge MX Ethernet I/O modules	74
Operating modes	74
Changing operating modes	76
Restrictions	76
Port groups on I/O modules	76
Double-density QSFP28 interfaces	76
Virtual ports	79
Single-density QSFP28 interfaces	82
Server-facing interfaces	83
Interfaces	85
Ethernet interfaces	85
L2 mode configuration	85
L3 mode configuration	86
Fibre Channel interfaces	86
Management interface	88
VLAN interfaces	88
User-configured default VLAN	89
VLAN scale profile	89
Loopback interfaces	90
Port-channel interfaces	90
Create port-channel	91
Add port member	91
Minimum links	92
Assign Port Channel IP Address	92
Remove or disable port-channel	92
Load balance traffic	93
Change hash algorithm	93
Configure interface ranges	93
Switch-port profiles	94
S4148-ON Series port profiles	95
S4148U-ON port profiles	96
Unified port groups	97
Configure breakout mode	99
Breakout auto-configuration	99
Reset default configuration	100
Forward error correction	101
Energy-efficient Ethernet	102
Enable energy-efficient Ethernet	103
Clear interface counters	103
View EEE status/statistics	103
EEE commands	104
View interface configuration	107
Interface commands	110
channel-group	110
default interface	110
default vlan-id	113
description (Interface)	113
duplex	114
feature auto-breakout	114
fec	115
interface ethernet	115
interface loopback	115
interface mgmt	116
interface null	116
interface port-channel	116
interface range	117
interface vlan	117
link-bundle-utilization	118
mode	118
mode l3	119
mtu	120
port-group	120
scale-profile vlan	121
show discovered-expanders	121
show interface	122
show inventory media	123
show link-bundle-utilization	124
show port-channel summary	124
show port-group	125
show switch-operating-mode	126
show switch-port-profile	126
show unit-provision	126
show vlan	127
shutdown	127
speed (Fibre Channel)	128
speed (Management)	128
switch-port-profile	129
switchport access vlan	131
switchport mode	131
switchport trunk allowed vlan	132
unit-provision	132
Fibre channel	134
Fibre Channel over Ethernet	134
Configure FIP snooping	135
Terminology	136
Virtual fabric	136
Fibre Channel zoning	139
F_Port on Ethernet	141
F_Port, NPG, and FCoE commands	141
clear fcoe database	141
clear fcoe statistics	141
fc alias	142
fc zone	142
fc zoneset	143
fcoe	143
fcoe max-sessions-per-enodemac	144
feature fc	144
feature fc npg	144
feature fip-snooping	145
fip-snooping enable	145
fip-snooping fc-map	145
fip-snooping port-mode fcf	146
member (alias)	146
member (zone)	147
member (zoneset)	147
name	147
show fc alias	148
show fc ns switch	148
show fc statistics	149
show fc switch	150
show fc zone	150
show fc zoneset	151
show fcoe enode	152
show fcoe fcf	152
show fcoe sessions	153
show fcoe statistics	153
show fcoe system	154
show fcoe vlan	154
show npg devices	154
show running-config vfabric	155
show vfabric	156
vfabric	157
vfabric (interface)	157
vlan	157
zone default-zone permit	158
zoneset activate	158
Layer 2	159
802.1X	159
Port authentication	160
EAP over RADIUS	161
Configure 802.1X	161
Enable 802.1X	162
Identity retransmissions	163
Failure quiet period	164
Port control mode	164
Reauthenticate port	165
Configure timeouts	166
802.1X commands	167
Link aggregation control protocol	172
Modes	172
Configuration	172
Interfaces	173
Rates	173
Sample configuration	174
LACP commands	177
Link layer discovery protocol	183
Protocol data units	183
Optional TLVs	184
Organizationally-specific TLVs	185
Media endpoint discovery	186
Network connectivity device	186
LLDP-MED capabilities TLV	186
Network policies TLVs	187
Define network policies	188
Packet timer values	188
Disable and re-enable LLDP	189
Disable and re-enable LLDP on management ports	190
Advertise TLVs	190
Network policy advertisement	191
Fast start repeat count	191
View LLDP configuration	192
Adjacent agent advertisements	193
Time to live	194
LLDP commands	194
Media Access Control	206
Static MAC Address	206
MAC Address Table	207
Clear MAC Address Table	207
MAC Commands	208
Multiple spanning-tree protocol	210
Configure MST protocol	211
Create instances	211
Root selection	213
Non-Dell hardware	213
Region name or revision	213
Modify parameters	214
Interface parameters	215
Forward traffic	215
Spanning-tree extensions	216
Debug configurations	218
MST commands	218
Rapid per-VLAN spanning-tree plus	228
Load balance and root selection	229
Enable RPVST+	229
Select root bridge	230
Root assignment	231
Loop guard	232
Global parameters	232
RPVST+ commands	233
Rapid spanning-tree protocol	241
Enable globally	241
Global parameters	242
Interface parameters	243
Root bridge selection	244
EdgePort forward traffic	245
Spanning-tree extensions	245
RSTP commands	247
Virtual LANs	253
Default VLAN	253
Create or remove VLANs	254
Access mode	255
Trunk mode	256
Assign IP address	256
View VLAN configuration	257
VLAN commands	259
Port monitoring	260
Local port monitoring	260
Remote port monitoring	261
Encapsulated remote port monitoring	263
Flow-based monitoring	264
Remote port monitoring on VLT	265
Port monitoring commands	266
Layer 3	272
Border gateway protocol	272
Sessions and peers	273
Route reflectors	274
Multiprotocol BGP	274
Attributes	275
Selection criteria	275
Weight and local preference	276
Multiexit discriminators	277
Origin	277
AS path and next-hop	278
Best path selection	278
More path support	279
Advertise cost	279
4-Byte AS numbers	280
AS number migration	280
Configure border gateway protocol	281
Enable BGP	281
Configure Dual Stack	283
Peer templates	283
Neighbor fall-over	285
Fast external fallover	286
Passive peering	288
Local AS	288
AS number limit	289
Redistribute routes	290
Additional paths	290
MED attributes	291
Local preference attribute	291
Weight attribute	292
Enable multipath	293
Route-map filters	293
Route reflector clusters	293
Aggregate routes	294
Confederations	295
Route dampening	296
Timers	297
Neighbor soft-reconfiguration	297
BGP commands	298
Equal cost multi-path	323
Load balancing	323
ECMP commands	323
IPv4 routing	326
Assign interface IP address	326
Configure static routing	327
Address resolution protocol	328
IPv4 routing commands	328
IPv6 routing	332
Enable or disable IPv6	332
IPv6 addresses	333
Stateless autoconfiguration	334
Neighbor discovery	335
Duplicate address discovery	336
Static IPv6 routing	337
IPv6 destination unreachable	337
IPv6 hop-by-hop options	338
View IPv6 information	338
IPv6 commands	338
Internet group management protocol	349
IGMP snooping	349
IGMP snooping commands	352
Open shortest path first	357
Autonomous system areas	357
Areas, networks, and neighbors	358
Router types	359
Designated and backup designated routers	360
Link-state advertisements	360
Router priority	361
Shortest path first throttling	362
OSPFv2	363
OSPFv3	394
Object tracking manager	413
Interface tracking	414
Host tracking	415
Set tracking delays	416
Object tracking	416
View tracked objects	416
OTM commands	417
Policy-based routing	420
Policy-based route-maps	420
Access-list to match route-map	420
Set address to match route-map	420
Assign route-map to interface	421
View PBR information	421
PBR commands	422
Virtual routing and forwarding	424
Configure management VRF	424
VRF commands	426
Virtual router redundancy protocol	430
Configuration	431
Create virtual router	432
Group version	432
Virtual IP addresses	433
Configure virtual IP address	433
Set group priority	434
Authentication	435
Disable preempt	435
Advertisement interval	436
Interface/object tracking	437
Configure tracking	437
VRRP commands	438
UFT modes	444
Configure UFT modes	444
UFT commands	445
hardware forwarding-table mode	445
show hardware forwarding-table mode	445
show hardware forwarding-table mode all	446
System management	447
Dynamic host configuration protocol	447
Packet format and options	447
DHCP server	448
Automatic address allocation	449
Hostname resolution	450
Manual binding entries	451
DHCP relay agent	451
View DHCP Information	452
System domain name and list	452
DHCP commands	453
DNS commands	458
Network time protocol	460
Enable NTP	460
Broadcasts	461
Source IP address	461
Authentication	462
NTP commands	463
System clock	468
System Clock commands	468
User session management	470
User session management commands	470
Telnet server	471
Telnet commands	472
Security	472
User re-authentication	473
Password strength	473
Role-based access control	474
Assign user role	474
RADIUS authentication	475
TACACS+ authentication	475
SSH Server	476
Virtual terminal line	477
Enable login statistics	477
Security commands	478
Simple network management protocol	490
SNMP commands	490
Uplink Failure Detection	492
Configure uplink failure detection	493
UFD commands	494
OS10 image upgrade	498
Boot system partition	498
Upgrade commands	499
Access Control Lists	504
IP ACLs	504
MAC ACLs	505
IP fragment handling	505
IP fragments ACL	505
L3 ACL rules	506
Permit ACL with L3 information only	506
Deny ACL with L3 information only	506
Permit all packets from host	506
Permit only first fragments and non-fragmented packets from host	506
Assign sequence number to filter	506
User-provided sequence number	507
Auto-generated sequence number	507
L2 and L3 ACLs	507
Assign and apply ACL filters	508
Ingress ACL filters	509
Egress ACL filters	509
Clear access-list counters	510
IP prefix-lists	510
Route-maps	511
Match routes	512
Set conditions	512
continue Clause	513
ACL flow-based monitoring	513
Flow-based mirroring	513
Enable flow-based monitoring	514
ACL commands	515
clear ip access-list counters	515
clear ipv6 access-list counters	515
clear mac access-list counters	516
deny	516
deny (IPv6)	517
deny (MAC)	517
deny icmp	518
deny icmp (IPv6)	519
deny ip	519
deny ipv6	520
deny tcp	520
deny tcp (IPv6)	521
deny udp	522
deny udp (IPv6)	523
description	524
ip access-group	524
ip access-list	524
ip as-path access-list	525
ip community-list standard deny	526
ip community–list standard permit	526
ip extcommunity-list standard deny	527
ip extcommunity-list standard permit	527
ip prefix-list description	527
ip prefix-list deny	528
ip prefix-list permit	528
ip prefix-list seq deny	529
ip prefix-list seq permit	529
ipv6 access-group	530
ipv6 access-list	530
ipv6 prefix-list deny	530
ipv6 prefix-list description	531
ipv6 prefix-list permit	531
ipv6 prefix-list seq deny	532
ipv6 prefix-list seq permit	532

Match case Limit results 1 per page

(TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication

requests to a server that contains all user authentication and network service access information.

A RADIUS or TACACS+ server provides accounting, authentication (user credentials

veriﬁcation),

and authorization (user privilege-level)

services. You can

conﬁgure

the security protocol used for

diﬀerent

methods to

deﬁne

the types of authentication and the sequence in which they apply. By default, only the

local

authentication method is

used.

The authentication methods in the method list are executed in the order in which they are

conﬁgured.

You can re-enter the methods to

change the order. The

local

authentication method must always be in the list. If a console user logs in with RADIUS or TACACS+

authentication, the privilege-level you

conﬁgured

for the user on the RADIUS or TACACS+ server is applied.

NOTE:

You must

conﬁgure

the group name (level) on the RADIUS server using the

vendor-speciﬁc

attribute or the

authentication fails.

•

Conﬁgure

the AAA authentication method in CONFIGURATION mode.

aaa authentication {local | radius | tacacs}

–

local

— Use the username and password database

deﬁned

in the local

conﬁguration.

–

radius

— (Optional) Use the RADIUS servers

conﬁgured

with the

radius-server host

command as the primary

authentication method.

–

tacacs

— (Optional) Use the TACACS+ servers

conﬁgured

with the

tacacs-server host

command as the primary

authentication method.

Conﬁgure

AAA authentication

OS10(config)# aaa authentication radius local

User re-authentication

To prevent users from accessing resources and performing tasks for which they are not authorized, OS10 allows you to require users to re-

authenticate by logging in again when an authentication method or server changes, such as:

•

Adding or removing a RADIUS server (

radius-server host

command)

•

Adding or removing an authentication method (

aaa authentication {local | radius}

command)

You can enable this feature so that user re-authentication is required when any of these actions are performed. In these cases, logged-in

users are logged out of the switch and all OS10 sessions are terminated. By default, user re-authentication is disabled.

Enable user re-authentication

•

Enable user re-authentication in CONFIGURATION mode.

aaa re-authenticate enable

Enter the

form of the command to disable user re-authentication.

Password strength

By default, the password you

conﬁgure

with the

username password

command must be at least nine alphanumeric characters.

To increase password strength, you can create password rules using the

password-attributes

command. When you enter the

command, at least one parameter is required. When you enter the

character-restriction

parameter, at least one option is required.

•

Create rules for stronger passwords in CONFIGURATION mode.

password-attributes {[min-length

number

] [character-restriction {[upper

number

]

[lower

number

][numeric

number

] [special-char

number

]}}

System management

473