Dell MX9116n OS10 Enterprise Edition User Guide for PowerEdge MX IO Modules Re - Page 476
SSH Server
TACACS+ provides greater data security by encrypting the entire protocol portion in a packet sent from the switch to an authentication server. RADIUS encrypts only passwords.

• Configure a TACACS+ authentication server in CONFIGURATION mode. By default, a TACACS+ server uses TCP port 49 for authentication.

tacacs-server host {hostname | ip-address} key authentication-key [auth-port port-number]

Re-enter the tacacs-server host command multiple times to configure more than one TACACS+ server. If you configure multiple TACACS+ servers, OS10 attempts to connect in the order you configured them. An OS10 switch connects with the configured TACACS+ servers one at a time, until a TACACS+ server responds with an accept or reject response.

Configure the global timeout used on all TACACS+ servers by using the tacacs-server timeout command. By default, OS10 times out an authentication attempt on a TACACS+ server after five seconds.

• Enter the timeout value used to wait for an authentication response from TACACS+ servers in CONFIGURATION mode (1 to 1000 seconds; default 5).

tacacs-server timeout seconds

Configure TACACS+ server

OS10(config)# tacacs-server host 1.2.4.5 key mysecret

View TACACS+ server configuration

OS10# show running-configuration
...
tacacs-server host 1.2.4.5 key mysecret
...

Delete TACACS+ server

OS10(config)# no tacacs-server host 1.2.4.5

SSH Server

The secure shell (SSH) server allows an SSH client to access an OS10 switch through a secure, encrypted connection.

Configure SSH server

• The SSH server is enabled by default. You can disable the SSH server using no ip ssh server enable.
• Challenge response authentication is disabled by default. To enable, use the ip ssh server challenge-response-authentication command.
• Host-based authentication is disabled by default. To enable, use the ip ssh server hostbased-authentication command.
• Password authentication is enabled by default. To disable, use the no ip ssh server password-authentication command.
• Public key authentication is enabled by default. To disable, use the no ip ssh server pubkey-authentication command.
• Configure the list of cipher algorithms using ip ssh server cipher cipher-list.
• Configure Key Exchange algorithms using ip ssh server kex key-exchange-algorithm.
• Configure hash message authentication code (HMAC) algorithms using ip ssh server mac hmac-algorithm.
• Configure the SSH server listening port using ip ssh server port port-number.
• Configure the SSH server to be reachable on the management VRF using ip ssh server vrf.
• Configure the SSH login timeout using the ip ssh server login-grace-time seconds command (0 to 300; default 60). To reset the default SSH prompt timer, enter no ip ssh server login-grace-time.
• Configure the maximum number of authentication attempts using the ip ssh server max-auth-tries number command (0 to 10; default 6). To reset the default, enter no ip ssh server max-auth-tries.

The max-auth-tries value includes all authentication attempts, including public-key and password. If both public-key based authentication and password authentication are enabled, the public-key authentication is the default and is tried first. If it fails, the
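
Because several SSH server options are on by default, a saved configuration that never mentions them can still leave them enabled. The Python sketch below is an added example, not part of the Dell guide: it overlays the ip ssh server lines found in a configuration export on the defaults listed above and reports the effective authentication settings. It assumes the export uses the same command syntax as this page and omits settings left at their defaults; the function names, the sample text and the limit of 3 attempts are hypothetical.

```python
import re

# Defaults and value ranges as stated on this page.
DEFAULTS = {
    "enable": True,
    "challenge-response-authentication": False,
    "hostbased-authentication": False,
    "password-authentication": True,
    "pubkey-authentication": True,
    "login-grace-time": 60,
    "max-auth-tries": 6,
}
RANGES = {"login-grace-time": (0, 300), "max-auth-tries": (0, 10)}
LINE = re.compile(r"^(no )?ip ssh server (\S+)(?: (\S+))?$")

def effective_ssh_settings(running_config):
    """Apply 'ip ssh server' lines on top of the documented defaults."""
    settings = dict(DEFAULTS)
    for raw in running_config.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) not in DEFAULTS:
            continue  # other commands, or cipher/kex/mac/port/vrf (not audited here)
        negated, option, value = m.groups()
        if option not in RANGES:
            settings[option] = not negated        # on/off switch
        elif negated:
            settings[option] = DEFAULTS[option]   # 'no' form resets to the default
        else:
            low, high = RANGES[option]
            if value is None or not value.isdigit() or not low <= int(value) <= high:
                raise ValueError(f"bad value in: {raw.strip()}")
            settings[option] = int(value)
    return settings

def findings(settings, max_tries_policy=3):
    """max_tries_policy is an assumed site policy, not a value from the guide."""
    if not settings["enable"]:
        return []
    out = []
    if settings["password-authentication"]:
        out.append("password-authentication enabled")
    if not settings["pubkey-authentication"]:
        out.append("pubkey-authentication disabled")
    if settings["hostbased-authentication"]:
        out.append("hostbased-authentication enabled")
    if settings["max-auth-tries"] > max_tries_policy:
        out.append(f"max-auth-tries {settings['max-auth-tries']} > {max_tries_policy}")
    return out

# Constructed sample export, not captured from a real switch.
SAMPLE = """tacacs-server host 1.2.4.5 key mysecret
ip ssh server max-auth-tries 10
no ip ssh server pubkey-authentication
ip ssh server hostbased-authentication
"""
```

Calling findings(effective_ssh_settings("")) on an empty export still reports password authentication and the default of 6 attempts, which is the point of applying the defaults first.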