Dell PowerSwitch S4128F-ON OS10 Enterprise Edition User Guide Release 10.4.3.0 - Page 827
• name inherit - Enter the name of the RADIUS or TACACS+ user role that inherits permissions from an OS10 user role; 32 characters maximum.
• existing-role-name - Assign the permissions associated with an OS10 user role:
  - sysadmin - Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles.
  - secadmin - Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information.
  - netadmin - Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information.
  - netoperator - Access only to EXEC mode to view the current configuration. A network operator cannot modify any configuration setting on a switch.

Default: OS10 assigns the netoperator role to a user authenticated by a RADIUS or TACACS+ server with a missing or unknown role or privilege level.

Command Mode: CONFIGURATION

Usage Information:
• When a RADIUS or TACACS+ server authenticates a user and does not return a role or privilege level, or returns an unknown role or privilege level, OS10 assigns the netoperator role to the user by default. Use this command to reconfigure the default netoperator permissions.
• To assign OS10 user role permissions to an unknown user role, enter the RADIUS or TACACS+ name with the inherit existing-role-name value. The no userrole default version of the command resets the role to netoperator.
Example: OS10(config)# userrole default inherit sysadmin

Supported Releases: 10.4.0E(R3P3) or later

X.509v3 certificates

OS10 supports X.509v3 certificates to secure communications between the switch and a host, such as a RADIUS server. The switch and the server each present a public key in a signed X.509v3 certificate issued by a certificate authority (CA) to authenticate each other. The certificate authority uses its private key to sign the switch and host certificates. The information in the certificate allows both devices to prove ownership and the validity of a public key. Assuming the CA is trusted, the switch and authentication server validate each other's identity and set up a secure, encrypted communications channel.

User authentication with a public key certificate is usually preferred to password-based authentication, although you can use both at the same time, to:
• Avoid the security risk of using low-strength passwords and provide greater resistance to brute-force attacks.
• Provide assurance of trusted, provable identities (when using certificates digitally signed by a trusted CA).
• Provide security and confidentiality in switch-server communications in addition to user authentication.

For example, you can download and install an X.509v3 certificate to enable public-key authentication in RADIUS over TLS authentication, also called RadSec.

OS10 supports a public key infrastructure (PKI), including:
• Generation of self-signed certificates and certificate signing requests (CSRs), and their corresponding private keys
• Installation and deletion of self-signed certificates and CA-signed certificates
• Secure deletion of corresponding private keys
• Installation and deletion of CA certificates in the system "trust store"
• Display of certificate information

Security 827
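The trust model described above (a CA signs the switch and server certificates, each side validates the other's certificate against the CA it trusts, and anything not chaining to that CA is rejected) as an added, self-contained Go example using the standard crypto/x509 package. This is illustration code, not OS10 code or Dell tooling; the CA name, the host names radius.example.net and switch01.example.net, and the 24-hour validity are constructed values. It also goes one step beyond the text by showing that a certificate from an unknown CA and a switch (client) certificate presented in the server role are both rejected, which is the behaviour a RadSec deployment relies on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs template with signerKey. When parent is nil the certificate is
// self-signed, which is how the root CA certificate below is produced.
func issueCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA creates a self-signed CA; its private key is used only to sign other certificates.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed, short-lived
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issueCert(tmpl, nil, &key.PublicKey, key)
	return cert, key, err
}

// newLeaf issues an end-entity certificate signed by ca. The extended key usage states
// which side of the TLS handshake the holder may play (RADIUS server or switch client).
func newLeaf(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, usage x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key stays on the device
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	return issueCert(tmpl, ca, &key.PublicKey, caKey)
}

// verifyPeer is the check each side runs on the certificate it receives: the chain must
// end at a CA in the local trust store and the leaf must be permitted the requested usage.
func verifyPeer(peer *x509.Certificate, trust *x509.CertPool, usage x509.ExtKeyUsage) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// AuthResult records the outcome of the four checks run by MutualAuthDemo.
type AuthResult struct {
	ServerTrusted bool // RADIUS server certificate chains to the CA in the trust store
	SwitchTrusted bool // switch certificate chains to the CA and carries client usage
	RogueRejected bool // server certificate issued by an unknown CA is rejected
	UsageRejected bool // switch certificate presented in the server role is rejected
}

// MutualAuthDemo builds a trusted CA, a switch certificate and a RADIUS server certificate,
// then runs the validation each side performs, plus two negative cases.
func MutualAuthDemo() (AuthResult, error) {
	var r AuthResult
	ca, caKey, err := newCA("Example Corp Root CA") // constructed name
	if err != nil {
		return r, err
	}
	trust := x509.NewCertPool() // the switch's "trust store"
	trust.AddCert(ca)

	serverCert, err := newLeaf("radius.example.net", ca, caKey, x509.ExtKeyUsageServerAuth)
	if err != nil {
		return r, err
	}
	switchCert, err := newLeaf("switch01.example.net", ca, caKey, x509.ExtKeyUsageClientAuth)
	if err != nil {
		return r, err
	}
	rogueCA, rogueKey, err := newCA("Unknown CA") // never added to the trust store
	if err != nil {
		return r, err
	}
	rogueCert, err := newLeaf("radius.example.net", rogueCA, rogueKey, x509.ExtKeyUsageServerAuth)
	if err != nil {
		return r, err
	}

	r.ServerTrusted = verifyPeer(serverCert, trust, x509.ExtKeyUsageServerAuth) == nil
	r.SwitchTrusted = verifyPeer(switchCert, trust, x509.ExtKeyUsageClientAuth) == nil
	r.RogueRejected = verifyPeer(rogueCert, trust, x509.ExtKeyUsageServerAuth) != nil
	r.UsageRejected = verifyPeer(switchCert, trust, x509.ExtKeyUsageServerAuth) != nil
	return r, nil
}

func main() {
	r, err := MutualAuthDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The two negative cases are the ones that matter operationally: a certificate with a matching host name but signed by a CA that is not in the trust store fails, and a certificate issued for the client role fails when offered as a server, so the trust store contents and the key-usage fields together decide what the switch accepts.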