Home » Dell Manuals » Hubs & Switches » Dell MX9116n » Manual Viewer

Dell MX9116n EMC SmartFabric OS10 User Guide - Page 930

Unknown user role, SSH server

Add to My Manuals
Save this manual to your list of manuals

Page 930 highlights

Delete TACACS+ server OS10# no tacacs-server host 1.2.4.5 Unknown user role When a RADIUS or TACACS+ server authenticates a user, it may return an unknown user role, or the role may be missing. In these cases, OS10 assigns the netoperator role and associated permissions to the user by default. You can reconfigure the default assigned role. In addition, you can configure an unknown RADIUS or TACACS+ user-role name to inherit the permissions of an existing OS10 systemdefined role. • Reconfigure the default OS10 user role in CONFIGURATION mode. userrole {default | name} inherit existing-role-name • default inherit - Reconfigure the default permissions assigned to an authenticated user with a missing or unknown role. • name inherit - Enter the name of the RADIUS or TACACS+ user role that inherits permissions from an OS10 user role; 32 characters maximum. • existing-role-name - Assign the permissions associated with an existing OS10 user role: • sysadmin - Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. • secadmin - Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information. • netadmin - Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information. • netoperator - Access only to EXEC mode to view the current configuration. A network operator cannot modify configuration settings on a switch. Reconfigure permissions for an unknown user role OS10(config)# userrole default inherit sysadmin Configure permissions for a RADIUS or TACACS+ user role OS10(config)# userrole tacacsadmin inherit netadmin SSH server In OS10, the secure shell server allows an SSH client to access an OS10 switch through a secure, encrypted connection. The SSH server authenticates remote clients using RADIUS challenge/response, a trusted host file, locally-stored passwords, and public keys. Configure SSH server • The SSH server is enabled by default. You can disable the SSH server using the no ip ssh server enable command. • Challenge response authentication is disabled by default. To enable, use the ip ssh server challenge-response- authentication command. • Host-based authentication is disabled by default. To enable, use the ip ssh server hostbased-authentication command. • Password authentication is enabled by default. To disable, use the no ip ssh server password-authentication command. • Public key authentication is enabled by default. To disable, use the no ip ssh server pubkey-authentication command. • Password-less login is disabled by default. To enable, use the username sshkey or username sshkey filename commands. • Configure the list of cipher algorithms using the ip ssh server cipher cipher-list command. • Configure key exchange algorithms using the ip ssh server kex key-exchange-algorithm command. • Configure hash message authentication code (HMAC) algorithms using the ip ssh server mac hmac-algorithm command. • Configure the SSH server listening port using the ip ssh server port port-number command. • Configure the SSH server to be reachable on the management VRF using the ip ssh server vrf command. • Configure the SSH login timeout using the ip ssh server login-grace-time seconds command, from 0 to 300; default 60. To reset the default SSH prompt timer, use the no ip ssh server login-grace-time command. 930 Security

Section	Page
Dell EMC SmartFabric OS10 User Guide Release 10.5.0	3
Change history	28
Getting Started	31
Switch with factory-installed OS10	31
Log in	32
Check OS10 version	32
OS10 upgrade	33
Download OS10 image for upgrade	33
Install OS10 upgrade	33
Install firmware upgrade	35
Upgrade commands	35
boot system	35
image cancel	36
image copy	36
image download	36
image install	37
show boot	37
show image firmware	38
show image status	39
show version	39
Check OS10 license	40
Re-install license	40
Switch without OS installed	40
Uninstall existing OS	41
Download OS10 image	41
Installation using ONIE	42
Automatic installation	43
Manual installation	44
Log in	45
Install OS10 license	46
Switch deployment options	48
Manual CLI configuration	48
ZTD-automated switch deployment	48
Ansible-automated switch provisioning	48
Remote access	48
Configure Management IP address	48
Configure Management route	49
Configure user name and password	49
CLI Basics	51
CONFIGURATION mode	52
Check device status	52
Command help	54
Candidate configuration	54
Copy running configuration	57
Restore startup configuration	57
Reload system image	58
Filter show commands	58
Common OS10 commands	59
boot	59
commit	59
configure	59
copy	60
delete	61
dir	62
discard	63
do	63
end	63
exit	64
hostname	64
license	64
lock	65
management route	65
move	66
no	66
ping	67
ping6	68
reload	70
show boot	70
show candidate-configuration	71
show environment	73
show inventory	73
show ip management-route	74
show ipv6 management-route	74
show license status	75
show running-configuration	75
show startup-configuration	77
show system	78
show version	80
start	80
system	81
system-cli disable	81
system-user linuxadmin disable	81
system identifier	82
terminal	82
traceroute	82
unlock	83
username password role	84
write	85
Advanced CLI tasks	86
Command alias	86
Multi-line alias	87
alias	89
alias (multi-line)	90
default (alias)	91
description (alias)	91
line (alias)	91
show alias	92
Batch mode	93
batch	93
Linux shell commands	94
Using OS9 commands	95
feature config-os9-style	96
Zero-touch deployment	97
ZTD DHCP server configuration	99
ZTD provisioning script	99
ZTD CLI batch file	100
Post-ZTD script	100
ZTD commands	101
reload ztd	101
show ztd-status	101
ztd cancel	102
OS10 provisioning	103
Using Ansible	103
Example: Configure an OS10 switch using Ansible	104
SmartFabric Services	107
SmartFabric Services personalities	107
SmartFabric Services for leaf and spine	107
SmartFabric Services for PowerEdge MX	108
SmartFabric Services for leaf and spine	109
SmartFabric Services Components	110
SmartFabric Services logical entities	111
Uplinks	112
Uplink bonding options	112
Spanning tree considerations	113
Dynamic onboarding for integrated devices	113
Statically onboarded server	113
Static onboarding for nonintegrated devices	113
Enable SmartFabric Services on the switches	113
Enable SmartFabric Services using GUI	114
SmartFabric Services Graphical User Interface	114
Configure SmartFabric Services initial setup	115
Update Default Fabric, Switch Names, and Descriptions wizard	115
Create Uplink for External Network Connectivity wizard	116
Configure Layer 2 uplink	116
Configure Layer 3 VLAN uplink	116
Configure Layer 3 Routed uplink	117
Breakout Switch Ports wizard	117
Configure Jump Host wizard	118
Update Network Configuration wizard	118
Onboard a Server onto the Fabric wizard	118
Edit Default Fabric Settings wizard	118
Fabric operations and life cycle management	119
SmartFabric commands	119
smartfabric l3fabric enable	119
show smartfabric cluster	120
show smartfabric cluster member	120
show smartfabric details	121
show smartfabric networks	121
show smartfabric nodes	122
show smartfabric personality	123
show smartfabric uplinks	123
show smartfabric validation-error	124
SmartFabric Director	125
Enable SmartFabric Director mode on a switch	125
Support for SmartFabric Director	125
gRPC Network Management Interface agent	125
Lifecycle Management using SmartFabric Director	127
SmartFabric Director commands	128
switch-operating mode	128
gnmi-security-profile	129
show switch-operating-mode	129
show sfd status	129
System management	131
System banners	131
Login banner	131
MOTD banner	132
System banner commands	132
banner login	132
banner motd	132
User session management	133
User session management commands	134
exec-timeout	134
kill-session	134
show sessions	134
Telnet server	135
Telnet commands	135
ip telnet server enable	135
ip telnet server vrf	135
Simple Network Management Protocol	136
SNMP security models and levels	136
MIBs	136
SNMPv3	137
SNMP engine ID	138
SNMP groups and users	138
SNMP views	138
Configure SNMP	138
Configure SNMP engine ID	138
Configure SNMP views	139
Configure SNMP groups	139
Configure SNMP users	140
Generate SNMPv3 localized keys	140
Configure SNMP traps	141
Configure SNMP informs	141
SNMP commands	142
show snmp community	142
show snmp engineID	142
show snmp group	143
show snmp user	143
show snmp view	143
snmp-server community	144
snmp-server contact	144
snmp-server enable traps	145
snmp-server engineID	145
snmp-server group	146
snmp-server host	147
snmp-server location	148
snmp-server user	148
snmp-server view	150
snmp-server vrf	150
Example: Configure SNMP	150
System clock	151
Time zones and UTC offset reference	152
System Clock commands	167
clock set	167
clock timezone	167
show clock	168
show clock timezone	168
Network Time Protocol	168
Enable NTP	169
Broadcasts	170
Source IP address	170
Authentication	171
Sample NTP configuration	171
NTP commands	174
ntp authenticate	174
ntp authenticate-key	175
ntp broadcast client	175
ntp disable	175
ntp enable vrf	176
ntp master	176
ntp server	176
ntp source	177
ntp trusted-key	177
show ntp associations	177
show ntp status	178
Dynamic Host Configuration Protocol	179
Packet format and options	180
DHCP server	181
Automatic address allocation	181
Hostname resolution	182
Manual binding entries	183
DHCP relay agent	184
Option 82 for security	184
View DHCP Information	185
System domain name and list	185
DHCP snooping	186
DHCP snooping examples	190
DHCP snooping switch as relay agent	192
DHCP snooping in a Layer 2 VLT setup	193
DHCP snooping with DHCP relay agent in a VLT setup	196
Dynamic ARP inspection	199
Source Address Validation	201
DHCP commands	202
default-router address	202
disable	202
dns-server address	203
domain-name	203
hardware-address	203
host	204
ip dhcp server	204
ip helper-address	204
ipv6 helper-address	205
lease	205
netbios-name-server address	205
netbios-node-type	206
network	206
pool	206
range	207
show ip dhcp binding	207
DHCP snooping commands	208
arp inspection	208
arp inspection-trust	208
arp inspection violation logging	208
clear ip arp inspection statistics	209
clear ip dhcp snooping binding	209
ip dhcp snooping (global)	209
ip dhcp snooping (interface)	210
ip dhcp snooping binding	210
ip dhcp snooping trust	211
ip dhcp snooping verify mac-address	211
show ip arp inspection database	211
show ip arp inspection statistics	212
show ip arp inspection logging	212
show ip dhcp snooping binding	212
DNS commands	213
ip domain-list	213
ip domain-name	213
ip host	214
ip name-server	214
show hosts	214
IPv4 DHCP limitations	215
IPv4 DHCP asymmetric routing	215
Interfaces	216
Ethernet interfaces	216
Unified port groups	216
Z9264F-ON port-group profiles	218
Port-groups on S5200F-ON switches	219
L2 mode configuration	226
L3 mode configuration	226
Fibre Channel interfaces	227
Configuring wavelength	229
Management interface	229
Management interface	230
VLAN interfaces	230
User-configured default VLAN	230
VLAN scale profile	231
Loopback interfaces	231
Port-channel interfaces	232
Create port-channel	232
Add port member	232
Minimum links	233
Assign Port Channel IP Address	233
Remove or disable port-channel	234
Load balance traffic	234
Change hash algorithm	235
Configure interface ranges	235
Switch-port profiles	236
S4148-ON Series port profiles	237
S4148U-ON port profiles	237
Configure negotiation modes on interfaces	238
Configure breakout mode	239
Breakout auto-configuration	240
Reset default configuration	241
Forward error correction	242
Energy-efficient Ethernet	243
Enable energy-efficient Ethernet	243
Clear EEE counters	244
View EEE status/statistics	244
EEE commands	245
clear counters interface eee	245
clear counters interface ethernet eee	245
eee	245
show interface eee	246
show interface eee statistics	246
show interface ethernet eee	246
show interface ethernet eee statistics	247
View interface configuration	247
Digital optical monitoring	250
Enable DOM and DOM traps	251
Interface commands	252
channel-group	252
default interface	252
default vlan-id	254
description (Interface)	255
duplex	256
enable dom	256
enable dom traps	256
feature auto-breakout	257
fec	257
interface breakout	258
interface ethernet	258
interface loopback	258
interface mgmt	259
interface null	259
interface port-channel	259
interface range	260
interface vlan	260
link-bundle-utilization	261
mode	261
mode l3	262
mtu	262
negotiation	263
port mode Eth	264
port-group	265
profile	265
scale-profile vlan	266
show discovered-expanders	266
show interface	266
show interface transceiver “Tunable wavelength”	268
show inventory media	268
show link-bundle-utilization	270
show port-channel summary	270
show port-group	271
show switch-port-profile	272
show system	272
show unit-provision	273
show vlan	273
shutdown	274
speed (Fibre Channel)	274
speed (Management)	275
switch-port-profile	275
switchport access vlan	277
switchport mode	277
switchport trunk allowed vlan	278
unit-provision	278
wavelength	279
PowerEdge MX Ethernet I/O modules	280
Operating modes	280
Changing operating modes	282
Restrictions	282
Port groups on I/O modules	282
Double-density QSFP28 interfaces	282
Virtual ports	284
Single-density QSFP28 interfaces	287
Server-facing interfaces	289
Replace MX Ethernet IO modules in SmartFabric	290
Deployment instructions	290
Replace an IOM in SmartFabric	290
Remove and replace the faulty IOM	290
Verify and configure IOM settings	291
Identify the master IOM	291
Log in to the master IOM from the member	292
Initiate the module replacement workflow	292
Connect the new IOM	293
Fibre Channel	294
Fibre Channel over Ethernet	295
Configure FIP snooping	295
Terminology	297
Virtual fabric	297
Fibre Channel zoning	299
F_Port on Ethernet	301
Pinning FCoE traffic to a specific port of a port-channel	301
Sample FSB configuration on VLT network	303
Sample FC Switch configuration on VLT network	305
Sample FSB configuration on non-VLT network	307
Sample FC Switch configuration on non-VLT network	309
Multi-hop FIP-snooping bridge	310
Configuration notes	310
Configure multi-hop FSB	311
Verify multi-hop FSB configuration	317
Sample Multi-hop FSB configuration	318
Configuration guidelines	331
NPIV Proxy Gateway cascading	331
Support for untagged VLAN in FCoE	334
F_Port commands	334
fc alias	334
fc zone	334
fc zoneset	335
feature fc	335
member (alias)	335
member (zone)	336
member (zoneset)	336
show fc alias	337
show fc interface-area-id mapping	337
show fc ns switch	337
show fc zone	338
show fc zoneset	339
zone default-zone permit	340
zoneset activate	340
NPG commands	340
fc port-mode F	341
feature fc npg	341
show npg devices	341
F_Port and NPG commands	342
clear fc statistics	342
fcoe	342
name	343
show fc statistics	343
show fc switch	344
show running-config vfabric	344
show vfabric	344
vfabric	345
vfabric (interface)	345
vlan	346
FIP-snooping commands	346
feature fip-snooping	346
fip-snooping enable	347
fip-snooping fc-map	347
fip-snooping port-mode	347
FCoE commands	348
clear fcoe database	348
clear fcoe statistics	348
fcoe-pinned-port	349
fcoe max-sessions-per-enodemac	349
fcoe priority-bits	349
lldp tlv-select dcbxp-appln fcoe	350
show fcoe enode	350
show fcoe fcf	351
show fcoe pinned-port	351
show fcoe sessions	351
show fcoe statistics	352
show fcoe system	352
show fcoe vlan	353
Layer 2	354
802.1X	354
Port authentication	355
EAP over RADIUS	356
Configure 802.1X	356
Enable 802.1X	357
Identity retransmissions	358
Failure quiet period	358
Port control mode	359
Reauthenticate port	360
Configure timeouts	361
802.1X commands	362
dot1x host-mode	362
dot1x max-req	362
dot1x port-control	363
dot1x re-authentication	363
dot1x timeout quiet-period	363
dot1x timeout re-authperiod	364
dot1x timeout server-timeout	364
dot1x timeout supp-timeout	364
dot1x timeout tx-period	364
show dot1x	365
show dot1x interface	365
Far-end failure detection	366
Enable FEFD globally	368
Enable FEFD on interface	368
Reset FEFD err-disabled interface	368

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011
1,012
1,013
1,014
1,015
1,016
1,017
1,018
1,019
1,020
1,021
1,022
1,023
1,024
1,025
1,026
1,027
1,028
1,029
1,030
1,031
1,032
1,033
1,034
1,035
1,036
1,037
1,038
1,039
1,040
1,041
1,042
1,043
1,044
1,045
1,046
1,047
1,048
1,049
1,050
1,051
1,052
1,053
1,054
1,055
1,056
1,057
1,058
1,059
1,060
1,061
1,062
1,063
1,064
1,065
1,066
1,067
1,068
1,069
1,070
1,071
1,072
1,073
1,074
1,075
1,076
1,077
1,078
1,079
1,080
1,081
1,082
1,083
1,084
1,085
1,086
1,087
1,088
1,089
1,090
1,091
1,092
1,093
1,094
1,095
1,096
1,097
1,098
1,099
1,100
1,101
1,102
1,103
1,104
1,105
1,106
1,107
1,108
1,109
1,110
1,111
1,112
1,113
1,114
1,115
1,116
1,117
1,118
1,119
1,120
1,121
1,122
1,123
1,124
1,125
1,126
1,127
1,128
1,129
1,130
1,131
1,132
1,133
1,134
1,135
1,136
1,137
1,138
1,139
1,140
1,141
1,142
1,143
1,144
1,145
1,146
1,147
1,148
1,149
1,150
1,151
1,152
1,153
1,154
1,155
1,156
1,157
1,158
1,159
1,160
1,161
1,162
1,163
1,164
1,165
1,166
1,167
1,168
1,169
1,170
1,171
1,172
1,173
1,174
1,175
1,176
1,177
1,178
1,179
1,180
1,181
1,182
1,183
1,184
1,185
1,186
1,187
1,188
1,189
1,190
1,191
1,192
1,193
1,194
1,195
1,196
1,197
1,198
1,199
1,200
1,201
1,202
1,203
1,204
1,205
1,206
1,207
1,208
1,209
1,210
1,211
1,212
1,213
1,214
1,215
1,216
1,217
1,218
1,219
1,220
1,221
1,222
1,223
1,224
1,225
1,226
1,227
1,228
1,229
1,230
1,231
1,232
1,233
1,234
1,235
1,236
1,237
1,238
1,239
1,240
1,241
1,242
1,243
1,244
1,245
1,246
1,247
1,248
1,249
1,250
1,251
1,252
1,253
1,254
1,255
1,256
1,257
1,258
1,259
1,260
1,261
1,262
1,263
1,264
1,265
1,266
1,267
1,268
1,269
1,270
1,271
1,272
1,273
1,274
1,275
1,276
1,277
1,278
1,279
1,280
1,281
1,282
1,283
1,284
1,285
1,286
1,287
1,288
1,289
1,290
1,291
1,292
1,293
1,294
1,295
1,296
1,297
1,298
1,299
1,300
1,301
1,302
1,303
1,304
1,305
1,306
1,307
1,308
1,309
1,310
1,311
1,312
1,313
1,314
1,315
1,316
1,317
1,318
1,319
1,320
1,321
1,322
1,323
1,324
1,325
1,326
1,327
1,328
1,329
1,330
1,331
1,332
1,333
1,334
1,335
1,336
1,337
1,338
1,339
1,340

Match case Limit results 1 per page

Delete TACACS+ server

OS10# no tacacs-server host 1.2.4.5

Unknown user role

When a RADIUS or TACACS+ server authenticates a user, it may return an unknown user role, or the role may be missing. In these cases,

OS10 assigns the

netoperator

role and associated permissions to the user by default. You can reconfigure the default assigned role. In

addition, you can configure an unknown RADIUS or TACACS+ user-role name to inherit the permissions of an existing OS10 system-

defined role.

•

Reconfigure the default OS10 user role in CONFIGURATION mode.

userrole {default |

name

} inherit

existing-role-name

•

default inherit

— Reconfigure the default permissions assigned to an authenticated user with a missing or unknown role.

•

name

inherit

— Enter the name of the RADIUS or TACACS+ user role that inherits permissions from an OS10 user role; 32

characters maximum.

•

existing-role-name

— Assign the permissions associated with an existing OS10 user role:

•

sysadmin

— Full access to all commands in the system, exclusive access to commands that manipulate the file system, and

access to the system shell. A system administrator can create user IDs and user roles.

•

secadmin

— Full access to configuration commands that set security policy and system access, such as password strength,

AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic

keys, login statistics, and log information.

•

netadmin

— Full access to configuration commands that manage traffic flowing through the switch, such as routes,

interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security

information.

•

netoperator

— Access only to EXEC mode to view the current configuration. A network operator cannot modify

configuration settings on a switch.

Reconfigure permissions for an unknown user role

OS10(config)# userrole default inherit sysadmin

Configure permissions for a RADIUS or TACACS+ user role

OS10(config)# userrole tacacsadmin inherit netadmin

SSH server

In OS10, the secure shell server allows an SSH client to access an OS10 switch through a secure, encrypted connection. The SSH server

authenticates remote clients using RADIUS challenge/response, a trusted host file, locally-stored passwords, and public keys.

Configure SSH server

•

The SSH server is enabled by default. You can disable the SSH server using the

no ip ssh server enable

command.

•

Challenge response authentication is disabled by default. To enable, use the

ip ssh server challenge-response-

authentication

command.

•

Host-based authentication is disabled by default. To enable, use the

ip ssh server hostbased-authentication

command.

•

Password authentication is enabled by default. To disable, use the

no ip ssh server password-authentication

command.

•

Public key authentication is enabled by default. To disable, use the

no ip ssh server pubkey-authentication

command.

•

Password-less login is disabled by default. To enable, use the

username sshkey

username sshkey filename

commands.

•

Configure the list of cipher algorithms using the

ip ssh server cipher

cipher-list

command.

•

Configure key exchange algorithms using the

ip ssh server kex

key-exchange-algorithm

command.

•

Configure hash message authentication code (HMAC) algorithms using the

ip ssh server mac

hmac-algorithm

command.

•

Configure the SSH server listening port using the

ip ssh server port

port-number

command.

•

Configure the SSH server to be reachable on the management VRF using the

ip ssh server vrf

command.

•

Configure the SSH login timeout using the

ip ssh server login-grace-time

seconds

command, from 0 to 300; default

60. To reset the default SSH prompt timer, use the

no ip ssh server login-grace-time

command.

930

Security