Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4128F-ON » Manual Viewer

Dell PowerSwitch S4128F-ON OS10 Enterprise Edition User Guide Release 10.4.1.0 - Page 520

Assign user role, RADIUS authentication

View all Dell PowerSwitch S4128F-ON manuals

Add to My Manuals
Save this manual to your list of manuals

Page 520 highlights

role, and many users can have the same role. A user role authenticates and authorizes a user at login, and places you in EXEC mode (see CLI basics). OS10 supports four pre-defined roles: sysadmin, secadmin, netadmin, and netoperator. Each user role assigns permissions that determine the commands a user can enter, and the actions a user can perform. RBAC provides an easy and efficient way to administer user rights. If a user's role matches one of the allowed user roles for a command, command authorization is granted. The OS10 RBAC model provides separation of duty as well as greater security. It places some limitations on each role's permissions to allow you to partition tasks. For greater security, only some user roles can view events, audits, and security system logs. Assign user role To limit OS10 system access, assign a role when you configure each user. • Enter a user name, password, and role in CONFIGURATION mode. username username password password role role - username username - Enter a text string (up to 32 alphanumeric characters; 1 character minimum). - password password - Enter a text string (up to 32 alphanumeric characters; 9 characters minimum). - role role - Enter a user role: ◦ sysadmin - Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. ◦ secadmin - Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information. ◦ netadmin - Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information. ◦ netoperator - Access to EXEC mode to view the current configuration. A network operator cannot modify any configuration setting on a switch. Create user and assign role OS10(config)# username smith password silver403! newuser role sysadmin View users OS10# show users Index Line User 1 ttyS root 2 pts/0 admin Role Application Idle root -bash >24h sysadmin bash 1.1s Login-Time 2018-05-23 T23:05:03Z 2018-05-30 T20:04:27Z Location console 10.14.1.214[ssh] RADIUS authentication To configure a RADIUS server for authentication, enter the server's IP address or host name, and the key used to authenticate the OS10 switch on a RADIUS host. You can enter the authentication key in plain text or encrypted format. You can change the UDP port number on the server. • Configure a RADIUS authentication server in CONFIGURATION mode. By default, a RADIUS server uses UDP port 1812. radius-server host {hostname | ip-address} key {0 authentication-key | 9 authentication-key | authentication-key} [auth-port port-number] Re-enter the radius-server host command multiple times to configure more than one RADIUS server. If you configure multiple RADIUS servers, OS10 attempts to connect in the order you configured them. An OS10 switch connects with the configured RADIUS 520 System management

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.1.0	3
Getting Started	22
Supported Hardware	22
Download OS10 image and license	23
Installation using ONIE	24
Automatic installation	25
Manual installation	26
Log into OS10	27
Install OS10 license	27
Zero-touch deployment	28
ZTD DHCP server configuration	30
ZTD provisioning script	31
ZTD CLI batch file	32
Post-ZTD script	32
ZTD commands	32
Remote access	34
Configure Management IP address	34
Management Route Configuration	35
Configure user name and password	35
Upgrade OS10	36
CLI Basics	36
User accounts	36
Key CLI features	37
CLI command modes	37
CLI command hierarchy	38
CLI command categories	38
CONFIGURATION Mode	38
Command help	38
Check device status	40
Candidate configuration	42
Change to transaction-based configuration	45
Copy running configuration	45
Restore startup configuration	46
Reload system image	46
Filter show commands	47
Alias command	47
Batch mode	51
Linux shell commands	52
SSH commands	52
OS9 environment commands	53
Common commands	53
alias	53
alias (multi-line)	55
batch	55
boot	56
commit	56
configure	56
copy	57
default (alias)	58
delete	58
description (alias)	59
dir	59
discard	60
do	60
feature config-os9-style	61
exit	61
license	61
line (alias)	62
lock	62
management route	63
move	63
no	64
reload	64
show alias	65
show boot	66
show candidate-configuration	66
show environment	68
show inventory	69
show ip management-route	69
show ipv6 management-route	70
show license status	70
show running-configuration	71
show startup-configuration	73
show system	74
show version	76
start	76
system	77
system identifier	77
terminal	77
traceroute	78
unlock	79
write	79
Interfaces	81
Ethernet interfaces	81
Unified port groups	81
L2 mode configuration	82
L3 mode configuration	83
Fibre Channel interfaces	83
Management interface	85
VLAN interfaces	85
User-configured default VLAN	86
VLAN scale profile	86
Loopback interfaces	87
Port-channel interfaces	87
Create port-channel	88
Add port member	88
Minimum links	89
Assign Port Channel IP Address	89
Remove or disable port-channel	89
Load balance traffic	90
Change hash algorithm	90
Configure interface ranges	90
Switch-port profiles	91
S4148-ON series port profiles	92
S4148U-ON port profiles	93
Configure breakout mode	94
Breakout auto-configuration	95
Forward error correction	96
Energy-efficient Ethernet	97
Enable energy-efficient Ethernet	97
Clear EEE counters	97
View EEE status/statistics	98
EEE commands	98
View interface configuration	101
Interface commands	104
channel-group	104
default vlan-id	105
description (Interface)	105
duplex	106
feature auto-breakout	106
fec	107
interface breakout	107
interface ethernet	108
interface loopback	108
interface mgmt	108
interface null	109
interface port-channel	109
interface range	110
interface vlan	110
link-bundle-utilization	111
mode	111
mode l3	112
mtu	112
port-group	113
scale-profile vlan	113
show discovered-expanders	114
show interface	114
show inventory media	115
show link-bundle-utilization	116
show port-channel summary	116
show port-group	117
show switch-operating-mode	118
show switch-port-profile	118
show unit-provision	118
show vlan	119
shutdown	119
speed (Fibre Channel)	119
speed (Management)	120
switch-port-profile	121
switchport access vlan	123
switchport mode	123
switchport trunk allowed vlan	124
unit-provision	124
Fibre Channel	125
Terminology	126
Virtual fabric	126
Fibre Channel zoning	129
F_Port on Ethernet	130
F_Port commands	131
fc alias	131
fc zone	131
fc zoneset	132
feature fc	132
member (alias)	132
member (zone)	133
member (zoneset)	133
show fc alias	134
show fc interface-area-id mapping	134
show fc ns switch	134
show fc zone	135
show fc zoneset	136
zone default-zone permit	137
zoneset activate	137
NPG commands	138
fc port-mode F	138
feature fc npg	138
show npg devices	139
F_Port and NPG commands	140
clear fc statistics	140
fcoe	140
name	141
show fc statistics	141
show fc switch	142
show running-config vfabric	142
show vfabric	143
vfabric	144
vfabric (interface)	144
vlan	144
FIP-snooping commands	145
feature fip-snooping	145
fip-snooping enable	145
fip-snooping fc-map	146
fip-snooping port-mode fcf	146
FCoE commands	146
clear fcoe database	146
clear fcoe statistics	147
fcoe max-sessions-per-enodemac	147
fcoe priority-bits	148
lldp tlv-select dcbxp-appln fcoe	148
show fcoe enode	148
show fcoe fcf	149
show fcoe sessions	149
show fcoe statistics	150
show fcoe system	150
show fcoe vlan	151
Layer 2	152
802.1X	152
Port authentication	153
EAP over RADIUS	154
Configure 802.1X	154
Enable 802.1X	155
Identity retransmissions	156
Failure quiet period	157
Port control mode	157
Reauthenticate port	158
Configure timeouts	159
802.1X commands	160
Link Aggregation Control Protocol	165
Modes	165
Configuration	165
Interfaces	166
Rates	166
Sample configuration	167
LACP fallback	170
LACP commands	173
Link Layer Discovery Protocol	180
Protocol data units	180
Optional TLVs	181
Organizationally-specific TLVs	182
Media endpoint discovery	183
Network connectivity device	183
LLDP-MED capabilities TLV	183
Network policies TLVs	184
Define network policies	185
Packet timer values	185
Disable and re-enable LLDP	186
Disable and re-enable LLDP on management ports	187
Advertise TLVs	187
Network policy advertisement	188
Fast start repeat count	188
View LLDP configuration	189
Adjacent agent advertisements	190
Time to live	191
LLDP commands	191
Media Access Control	203
Static MAC Address	203
MAC Address Table	204
Clear MAC Address Table	204
MAC Commands	205
Multiple Spanning-Tree Protocol	207
Configure MSTP	208
Create instances	208
Root selection	210
Non-Dell hardware	210
Region name or revision	210
Modify parameters	211
Interface parameters	212
Forward traffic	212
Spanning-tree extensions	213
MST commands	215
Rapid per-VLAN spanning-tree plus	224
Load balance and root selection	225
Enable RPVST+	225
Select root bridge	226
Root assignment	227
Loop guard	228
Global parameters	228
RPVST+ commands	229
Rapid Spanning-Tree Protocol	236
Enable globally	237
Global parameters	238
Interface parameters	239
Root bridge selection	240
EdgePort forward traffic	240
Spanning-tree extensions	241
RSTP commands	243
Virtual LANs	249
Default VLAN	249
Create or remove VLANs	249
Access mode	251
Trunk mode	251
Assign IP address	252
View VLAN configuration	253
VLAN commands	254
Port monitoring	255
Local port monitoring	256
Remote port monitoring	256
Encapsulated remote port monitoring	258
Flow-based monitoring	259
Remote port monitoring on VLT	260
Port monitoring commands	262
Layer 3	267
Virtual routing and forwarding	267
Configure management VRF	267
Configure non-default VRF instances	269
Sample VRF configuration	272
View VRF instance information	276
VRF commands	277
Bidirectional Forwarding Detection	282
BFD session states	283
BFD three-way handshake	284
BFD configuration	285
Configure BFD globally	285
BFD for BGP	286
BFD commands	290
Border Gateway Protocol	293
Sessions and peers	294
Route reflectors	295
Multiprotocol BGP	296
Attributes	296
Selection criteria	297
Weight and local preference	297
Multiexit discriminators	298
Origin	298
AS path and next-hop	299
Best path selection	299
More path support	300
Advertise cost	300
4-Byte AS numbers	301
AS number migration	301
Configure Border Gateway Protocol	302
Enable BGP	302
Configure Dual Stack	305
Peer templates	305
Neighbor fall-over	308
Configure password	310
Fast external fallover	311
Passive peering	313
Local AS	313
AS number limit	314
Redistribute routes	315
Additional paths	315
MED attributes	316
Local preference attribute	316
Weight attribute	317
Enable multipath	318
Route-map filters	318
Route reflector clusters	318
Aggregate routes	319
Confederations	320
Route dampening	321
Timers	322
Neighbor soft-reconfiguration	322
BGP commands	323
Equal cost multi-path	355
Load balancing	355
ECMP commands	356
IPv4 routing	358
Assign interface IP address	358
Configure static routing	359
Address Resolution Protocol	360
IPv4 routing commands	360
IPv6 routing	365
Enable or disable IPv6	365
IPv6 addresses	366
Stateless autoconfiguration	367
Neighbor Discovery	368
Duplicate address discovery	369
Static IPv6 routing	370
IPv6 destination unreachable	370
IPv6 hop-by-hop options	371
View IPv6 information	371
IPv6 commands	371
Internet Group Management Protocol	384
IGMP snooping	384
IGMP snooping commands	385
Multicast Listener Discovery Protocol	392
MLD snooping	393
MLD snooping commands	394
Open shortest path first	401
Autonomous system areas	401
Areas, networks, and neighbors	401
Router types	402
Designated and backup designated routers	403
Link-state advertisements	403
Router priority	404
Shortest path first throttling	405
OSPFv2	406
OSPFv3	437
Object tracking manager	457
Interface tracking	458
Host tracking	459
Set tracking delays	460
Object tracking	460
View tracked objects	460
OTM commands	461
Policy-based routing	464
Policy-based route-maps	464
Access-list to match route-map	464
Set address to match route-map	464
Assign route-map to interface	465
View PBR information	465
PBR commands	466
Virtual Router Redundancy Protocol	468
Configuration	469
Create virtual router	470
Group version	470
Virtual IP addresses	471
Configure virtual IP address	471
Set group priority	472
Authentication	473
Disable preempt	473
Advertisement interval	474
Interface/object tracking	475
Configure tracking	475
VRRP commands	476
UFT modes	482
Configure UFT modes	482
IPv6 extended prefix routes	483
UFT commands	484
hardware forwarding-table mode	484
hardware l3 ipv6-extended-prefix	484
show hardware forwarding-table mode	485
show hardware forwarding-table mode all	485
show hardware l3	485
System management	487
Dynamic Host Configuration Protocol	487
Packet format and options	487
DHCP server	489
Automatic address allocation	489
Hostname resolution	490
Manual binding entries	491
DHCP relay agent	492
View DHCP Information	493
System domain name and list	493
DHCP commands	494
DNS commands	500
IPv4 DHCP limitations	502
Network Time Protocol	503
Enable NTP	504
Broadcasts	504
Source IP address	505
Authentication	505
NTP commands	506
System clock	511
System Clock commands	511
System banners	513
Login banner	513
MOTD banner	513
System banner commands	514
User session management	515
User session management commands	515
Telnet server	516
Telnet commands	517
Security	518
User re-authentication	519
Password strength	519
Role-based access control	519
Assign user role	520
RADIUS authentication	520
TACACS+ authentication	521
TACACS+ unknown or missing user role	522
SSH server	522
Virtual terminal line	523
Enable AAA accounting	524
Enable user lockout	524
Limit concurrent login sessions	525
Enable login statistics	525
Security commands	526
Simple Network Management Protocol	543
SNMP commands	543
Uplink Failure Detection	546
Configure uplink failure detection	547
UFD commands	549
OS10 image upgrade	553
Boot system partition	554
Upgrade commands	555
OpenFlow	559
OpenFlow logical switch instance	560
OpenFlow controller	560
OpenFlow version 1.3	560
Ports	560
Flow table	561
Group table	561
Meter table	561
Instructions	561
Action set	562
Action types	562
Counters	563
OpenFlow protocol	564
OpenFlow use cases	578
Configure OpenFlow	578
Establish TLS connection	579
OpenFlow commands	580
controller	580
dpid-mac-address	581
in-band-mgmt	581
max-backoff	582
mode openflow-only	582
openflow	583
probe-interval	583
protocol-version	583
rate-limit packet_in	584
show openflow	585
show openflow flows	586
show openflow ports	586
show openflow switch	588
show openflow switch controllers	588
switch	589
OpenFlow-only mode commands	589

Match case Limit results 1 per page

role, and many users can have the same role. A user role authenticates and authorizes a user at login, and places you in EXEC mode (see

CLI basics

OS10 supports four

pre-deﬁned

roles: sysadmin, secadmin, netadmin, and netoperator. Each user role assigns permissions that determine

the commands a user can enter, and the actions a user can perform. RBAC provides an easy and

eﬃcient

way to administer user rights. If a

user’s role matches one of the allowed user roles for a command, command authorization is granted.

The OS10 RBAC model provides separation of duty as well as greater security. It places some limitations on each role’s permissions to allow

you to partition tasks. For greater security, only some user roles can view events, audits, and security system logs.

Assign user role

To limit OS10 system access, assign a role when you

conﬁgure

each user.

•

Enter a user name, password, and role in CONFIGURATION mode.

username

password

role

–

username

— Enter a text string (up to 32 alphanumeric characters; 1 character minimum).

–

password

— Enter a text string (up to 32 alphanumeric characters; 9 characters minimum).

–

role

— Enter a user role:

◦

sysadmin

— Full access to all commands in the system, exclusive access to commands that manipulate the

ﬁle

system, and

access to the system shell. A system administrator can create user IDs and user roles.

◦

secadmin

— Full access to

conﬁguration

commands that set security policy and system access, such as password strength,

AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic

keys, login statistics, and log information.

◦

netadmin

— Full access to

conﬁguration

commands that manage

traﬃc

ﬂowing

through the switch, such as routes,

interfaces, and ACLs. A network administrator cannot access

conﬁguration

commands for security features or view security

information.

◦

netoperator

— Access to EXEC mode to view the current

conﬁguration.

A network operator cannot modify any

conﬁguration

setting on a switch.

Create user and assign role

OS10(config)# username smith password silver403! newuser role sysadmin

View users

OS10# show users

Index Line

User

Role

Application Idle

Location

----- ----

------

----------- ----

---------------------

-------------

ttyS

root

-bash

>24h

2018-05-23 T23:05:03Z

console

pts/0 admin

sysadmin bash

1.1s

2018-05-30 T20:04:27Z

10.14.1.214[ssh]

RADIUS authentication

conﬁgure

a RADIUS server for authentication, enter the server's IP address or host name, and the key used to authenticate the OS10

switch on a RADIUS host. You can enter the authentication key in plain text or encrypted format. You can change the UDP port number on

the server.

•

Conﬁgure

a RADIUS authentication server in CONFIGURATION mode. By default, a RADIUS server uses UDP port 1812.

radius-server host {

hostname

ip-address

}

key {0

authentication-key

| 9

authentication-key

} [auth-port

port-number

]

Re-enter the

radius-server host

command multiple times to

conﬁgure

more than one RADIUS server. If you

conﬁgure

multiple

RADIUS servers, OS10 attempts to connect in the order you

conﬁgured

them. An OS10 switch connects with the

conﬁgured

RADIUS

520

System management