Home » Dell Manuals » Servers » Dell PowerEdge FX2 » Manual Viewer

Dell PowerEdge FX2 Dell PowerEdge FN I/O Aggregator Configuration Guide 9.6(0 - Page 160

AAA Authentication, Configuration Task List for AAA Authentication

Add to My Manuals
Save this manual to your list of manuals

Page 160 highlights

Monitoring AAA Accounting Dell Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions. CONFIGURATION mode or EXEC Privilege mode show accounting Example of the show accounting Command for AAA Accounting Dell#show accounting Active accounted actions on tty2, User admin Priv 1 Task ID 1, EXEC Accounting record, 00:00:39 Elapsed, service=shell Active accounted actions on tty3, User admin Priv 1 Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell Dell# AAA Authentication Dell Networking OS supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthorized access. In the Dell Networking implementation, the Dell Networking system acts as a RADIUS or TACACS+ client and sends authentication requests to a central remote authentication dial-in service (RADIUS) or Terminal access controller access control system plus (TACACS+) server that contains all user authentication and network service access information. Dell Networking uses local usernames/passwords (stored on the Dell Networking system) or AAA for login authentication. With AAA, you can specify the security protocol or mechanism for different login methods and different users. In Dell Networking OS, AAA uses a list of authentication methods, called method lists, to define the types of authentication and the sequence in which they are applied. You can define a method list or use the default method list. User-defined method lists take precedence over the default method list. NOTE: If a console user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server if the privilege level is configured for that user in RADIUS, whether you configure RADIUS authorization. NOTE: In the release 9.4.(0.0), RADIUS and TACACS servers support VRF-awareness functionality. You can create RADIUS and TACACS groups and then map multiple servers to a group. The group to which you map multiple servers is bound to a single VRF. Configuration Task List for AAA Authentication The following sections provide the configuration tasks. • Configure Login Authentication for Terminal Lines • Configuring AAA Authentication Login Methods 160 Security

Section	Page
Dell PowerEdge FN I/O Aggregator Configuration Guide 9.6(0.0)	3
About this Guide	13
Audience	13
Conventions	13
Information Symbols	14
Related Documents	14
Before You Start	15
IOA Operational Modes	15
Standalone mode	15
VLT mode	15
Programmable MUX mode	15
Stacking mode	16
Default Settings	16
Other Auto-Configured Settings	16
Data Center Bridging Support	17
FCoE Connectivity and FIP Snooping	17
iSCSI Operation	18
Link Aggregation	18
Link Tracking	18
Configuring VLANs	18
Uplink LAG	19
Server-Facing LAGs	19
Where to Go From Here	19
Configuration Fundamentals	20
Accessing the Command Line	20
CLI Modes	20
Navigating CLI Modes	21
The do Command	22
Undoing Commands	23
Obtaining Help	23
Entering and Editing Commands	24
Command History	25
Filtering show Command Outputs	25
Multiple Users in Configuration Mode	26
Data Center Bridging (DCB)	27
Ethernet Enhancements in Data Center Bridging	27
Priority-Based Flow Control	28
Configuring Priority-Based Flow Control	29
Enhanced Transmission Selection	31
Configuring Enhanced Transmission Selection	33
Data Center Bridging Exchange Protocol (DCBx)	33
Data Center Bridging in a Traffic Flow	34
Data Center Bridging: Auto-DCB-Enable Mode	34
QoS dot1p Traffic Classification and Queue Assignment	36
How Priority-Based Flow Control is Implemented	37
How Enhanced Transmission Selection is Implemented	38
ETS Operation with DCBx	39
Bandwidth Allocation for DCBX CIN	39
DCBX Operation	39
DCBx Operation	40
DCBx Port Roles	40
DCB Configuration Exchange	41
Configuration Source Election	42
Propagation of DCB Information	42
Auto-Detection of the DCBx Version	43
DCBX Example	43
DCBX Prerequisites and Restrictions	44
DCBX Error Messages	45
Debugging DCBX on an Interface	45
Verifying the DCB Configuration	46
Hierarchical Scheduling in ETS Output Policies	56
Troubleshooting PFC, ETS, and DCBx Operation	56
Dynamic Host Configuration Protocol (DHCP)	59
Assigning an IP Address using DHCP	59
Debugging DHCP Client Operation	61
DHCP Client	63
How DHCP Client is Implemented	63
DHCP Client on a Management Interface	64
DHCP Client on a VLAN	64
DHCP Packet Format and Options	65
Option 82	66
Releasing and Renewing DHCP-based IP Addresses	67
Viewing DHCP Statistics and Lease Information	67
FIP Snooping	69
Fibre Channel over Ethernet	69
Ensuring Robustness in a Converged Ethernet Network	69
FIP Snooping on Ethernet Bridges	70
How FIP Snooping is Implemented	72
FIP Snooping on VLANs	73
FC-MAP Value	73
Bridge-to-FCF Links	73
Impact on other Software Features	73
FIP Snooping Prerequisites	73
FIP Snooping Restrictions	74
Configuring FIP Snooping	74
Displaying FIP Snooping Information	75
FIP Snooping Example	81
Debugging FIP Snooping	82
IGMP Overview	83
Internet Group Management Protocol (IGMP)	83
IGMP Version 2	83
Joining a Multicast Group	84
Leaving a Multicast Group	84
IGMP Version 3	84
Joining and Filtering Groups and Sources	85
Leaving and Staying in Groups	86
IGMP Snooping	87
How IGMP Snooping is Implemented on an Aggregator	87
Displaying IGMP Information	87
Interfaces	90
Basic Interface Configuration	90
Advanced Interface Configuration	90
Interface Auto-Configuration	90
Interface Types	91
Viewing Interface Information	91
Disabling and Re-enabling a Physical Interface	93
Layer 2 Mode	93
Management Interfaces	94
Accessing an Aggregator	94
Configuring a Management Interface	94
Configuring a Static Route for a Management Interface	95
VLAN Membership	96
Default VLAN	96
Port-Based VLANs	96
VLANs and Port Tagging	96
Configuring VLAN Membership	97
Displaying VLAN Membership	98
Adding an Interface to a Tagged VLAN	98
Adding an Interface to an Untagged VLAN	99
Port Channel Interfaces	99
Port Channel Definitions and Standards	100
Port Channel Benefits	100
Port Channel Implementation	100
10GbE Interface in Port Channels	101
Uplink Port Channel: VLAN Membership	101
Server-Facing Port Channel: VLAN Membership	101
Displaying Port Channel Information	101
Interface Range	102
Bulk Configuration Examples	103
Monitor and Maintain Interfaces	104
Flow Control Using Ethernet Pause Frames	105
MTU Size	106
Auto-Negotiation on Ethernet Interfaces	107
Setting Auto-Negotiation Options	108
Viewing Interface Information	109
Clearing Interface Counters	110
Fibre Channel Interface	111
Configuring Fibre Channel Interfaces	111
Enabling Fibre Channel Capability	111
Configuring Fibre Channel Interfaces	111
iSCSI Optimization	112
iSCSI Optimization Overview	112
Monitoring iSCSI Traffic Flows	113
Information Monitored in iSCSI Traffic Flows	114
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer	114
iSCSI Optimization: Operation	114
Configuring iSCSI Optimization	115
Displaying iSCSI Optimization Information	117
Link Aggregation	119
How the LACP is Implemented on an Aggregator	119
Uplink LAG	119
Server-Facing LAGs	119
LACP Modes	120
Auto-Configured LACP Timeout	120
Link Aggregation Control Protocol (LACP)	120
Configuration Tasks for Port Channel Interfaces	120
Creating a Port Channel	121
Adding a Physical Interface to a Port Channel	121
Reassigning an Interface to a New Port Channel	123
Configuring the Minimum Oper Up Links in a Port Channel	124
Configuring VLAN Tags for Member Interfaces	124
Deleting or Disabling a Port Channel	125
Configuring Auto LAG	125
Configuring the Minimum Number of Links to be Up for Uplink LAGs to be Active	127
Optimizing Traffic Disruption Over LAG Interfaces On IOA Switches in VLT Mode	128
Preserving LAG and Port Channel Settings in Nonvolatile Storage	129
Enabling the Verification of Member Links Utilization in a LAG Bundle	129
Monitoring the Member Links of a LAG Bundle	129
Verifying LACP Operation and LAG Configuration	130
Layer 2	133
Managing the MAC Address Table	133
Clearing the MAC Address Entries	133
Displaying the MAC Address Table	134
Network Interface Controller (NIC) Teaming	134
MAC Address Station Move	135
MAC Move Optimization	136
Link Layer Discovery Protocol (LLDP)	137
Protocol Data Units	137
Optional TLVs	138
Management TLVs	139
Organizationally Specific TLVs	139
IEEE Organizationally Specific TLVs	139
LLDP-MED Capabilities TLV	141
LLDP-MED Network Policies TLV	142
Extended Power via MDI TLV	143
LLDP Operation	144
Viewing the LLDP Configuration	144
Viewing Information Advertised by Adjacent LLDP Agents	145
Clearing LLDP Counters	146
Debugging LLDP	146
Relevant Management Objects	147
Port Monitoring	153
Configuring Port Monitoring	153
Important Points to Remember	154
Port Monitoring	155
Security	157
Understanding Banner Settings	157
Accessing the I/O Aggregator Using the CMC Console Only	157
AAA Accounting	158
Configuration Task List for AAA Accounting	158
AAA Authentication	160
Configuration Task List for AAA Authentication	160
RADIUS	163
RADIUS Authentication	163
Configuration Task List for RADIUS	164
TACACS+	167
Configuration Task List for TACACS+	167
TACACS+ Remote Authentication	168
Enabling SCP and SSH	170
Using SCP with SSH to Copy a Software Image	171
Secure Shell Authentication	171
Troubleshooting SSH	174
Telnet	174
VTY Line and Access-Class Configuration	175
VTY Line Local Authentication and Authorization	175
VTY Line Remote Authentication and Authorization	176
VTY MAC-SA Filter Support	176
Simple Network Management Protocol (SNMP)	178
Implementation Information	178
Configuring the Simple Network Management Protocol	178
Important Points to Remember	178
Setting up SNMP	179
Creating a Community	179
Reading Managed Object Values	179
Displaying the Ports in a VLAN using SNMP	180
Fetching Dynamic MAC Entries using SNMP	182
Deriving Interface Indices	183
Monitor Port-Channels	184
Entity MIBS	185
Example of Sample Entity MIBS outputs	185
SNMP Traps for Link Status	186
Standard VLAN MIB	186
Enhancements	186
Fetching the Switchport Configuration and the Logical Interface Configuration	187
Stacking	188
Configuring a Switch Stack	188
Stacking Prerequisites	188
Master Selection Criteria	188
Configuring Priority and stack-group	189
Cabling the Switch Stack	190
Accessing the CLI	190
Configuring and Bringing Up a Stack	190
Adding a Stack Unit	191
Resetting a Unit on a Stack	192
Removing an Aggregator from a Stack and Restoring Quad Mode	192
Merging Two Operational Stacks	193
Verifying a Stack Configuration	193
Using Show Commands	193
Troubleshooting a Switch Stack	194
Failure Scenarios	194
Upgrading a Switch Stack	196
Upgrading a Single Stack Unit	197
Broadcast Storm Control	199
Disabling Broadcast Storm Control	199
Displaying Broadcast-Storm Control Status	199
Configuring Storm Control	199
System Time and Date	200
Setting the Time for the Software Clock	200
Setting the Timezone	200
Setting Daylight Savings Time	201
Setting Daylight Saving Time Once	201
Setting Recurring Daylight Saving Time	202
Uplink Failure Detection (UFD)	204
Feature Description	204
How Uplink Failure Detection Works	205
UFD and NIC Teaming	207
Important Points to Remember	207
Uplink Failure Detection (SMUX mode)	208
Configuring Uplink Failure Detection (PMUX mode)	208
Clearing a UFD-Disabled Interface (in PMUX mode)	210
Displaying Uplink Failure Detection	212
Sample Configuration: Uplink Failure Detection	214
PMUX Mode of the IO Aggregator	216
Link Aggregation	216
Multiple Uplink LAGs with 10G Member Ports	216
Link Layer Discovery Protocol (LLDP)	217
Configure LLDP	218
CONFIGURATION versus INTERFACE Configurations	218
Enabling LLDP	219
Advertising TLVs	219
Viewing the LLDP Configuration	220
Viewing Information Advertised by Adjacent LLDP Agents	221
Configuring LLDPDU Intervals	222
Configuring a Time to Live	223
Debugging LLDP	223
Security	224
RADIUS	224
TACACS+	228
Configuring Storm Control	231
System Time and Date	231
Setting the Time for the Software Clock	231
Setting the Timezone	231
Setting Daylight Savings Time	232
VLAN Configuration on Physical Ports and Port-Channels	234
Virtual Link Trunking (VLT)	236
Overview	236
VLT Terminology	237
Configure Virtual Link Trunking	237
Verifying a VLT Configuration	242
VLT Sample Configurations	245
Troubleshooting VLT	247
NPIV Proxy Gateway	249
NPIV Proxy Gateway Configuration	249
NPIV Proxy Gateway Operations and Capabilities	249
Configuring an NPIV Proxy Gateway	253
Displaying NPIV Proxy Gateway Information	260
Upgrade Procedures	266
Get Help with Upgrades	266
Debugging and Diagnostics	267
Debugging Aggregator Operation	267
All interfaces on the Aggregator are operationally down	267
Broadcast, unknown multicast, and DLF packets switched at a very low rate	268
Flooded packets on all VLANs are received on a server	268
Software show Commands	269
Offline Diagnostics	270
Important Points to Remember	270
Running Offline Diagnostics	270
Trace Logs	271
Auto Save on Crash or Rollover	271
Using the Show Hardware Commands	272
Environmental Monitoring	273
Recognize an Over-Temperature Condition	274
Troubleshoot an Over-Temperature Condition	274
Recognize an Under-Voltage Condition	275
Troubleshoot an Under-Voltage Condition	275
Buffer Tuning	276
Deciding to Tune Buffers	278
Sample Buffer Profile Configuration	281
Troubleshooting Packet Loss	281
Displaying Drop Counters	282
Dataplane Statistics	283
Displaying Drop Counters	284
Restoring the Factory Default Settings	285
Important Points to Remember	285
Standards Compliance	287
IEEE Compliance	287
RFC and I-D Compliance	287
General Internet Protocols	288
General IPv4 Protocols	288
Network Management	289

Match case Limit results 1 per page

Monitoring AAA Accounting

Dell Networking OS does not support periodic interim accounting because the

periodic

command can

cause heavy congestion when many users are logged in to the network.

No specific

show

command exists for TACACS+ accounting.

To obtain accounting records displaying information about users currently logged in, use the following

command.

•

Step through all active sessions and print all the accounting records for the actively accounted

functions.

CONFIGURATION mode or EXEC Privilege mode

show accounting

Example of the

show accounting

Command for AAA Accounting

Dell#show accounting

Active accounted actions on tty2, User admin Priv 1

Task ID 1, EXEC Accounting record, 00:00:39 Elapsed, service=shell

Active accounted actions on tty3, User admin Priv 1

Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell

Dell#

AAA Authentication

Dell Networking OS supports a distributed client/server system implemented through authentication,

authorization, and accounting (AAA) to help secure networks against unauthorized access.

In the Dell Networking implementation, the Dell Networking system acts as a RADIUS or TACACS+ client

and sends authentication requests to a central remote authentication dial-in service (RADIUS) or Terminal

access controller access control system plus (TACACS+) server that contains all user authentication and

network service access information.

Dell Networking uses local usernames/passwords (stored on the Dell Networking system) or AAA for login

authentication. With AAA, you can specify the security protocol or mechanism for different login methods

and different users. In Dell Networking OS, AAA uses a list of authentication methods, called method lists,

to define the types of authentication and the sequence in which they are applied. You can define a

method list or use the default method list. User-defined method lists take precedence over the default

method list.

NOTE:

If a console user logs in with RADIUS authentication, the privilege level is applied from the

RADIUS server if the privilege level is configured for that user in RADIUS, whether you configure

RADIUS authorization.

NOTE:

In the release 9.4.(0.0), RADIUS and TACACS servers support VRF-awareness functionality.

You can create RADIUS and TACACS groups and then map multiple servers to a group. The group

to which you map multiple servers is bound to a single VRF.

Configuration Task List for AAA Authentication

The following sections provide the configuration tasks.

•

Configure Login Authentication for Terminal Lines

•

Configuring AAA Authentication Login Methods

160

Security