Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4128F-ON » Manual Viewer

Dell PowerSwitch S4128F-ON OS10 Enterprise Edition User Guide Release 10.4.0ER - Page 457

Security, User re-authentication

View all Dell PowerSwitch S4128F-ON manuals

Add to My Manuals
Save this manual to your list of manuals

Page 457 highlights

Parameters • management - Configures the management VRF to be used to reach the Telnet server. Default Command Mode Usage Information Example The Telnet server is reachable on the default VRF. CONFIGURATION By default, the Telnet server is disabled. To enable the Telnet server, enter the telnet enable command. To configure the Telnet server to be reachable on the management VRF instance, use the ip telnet server vrf management command. OS10(config)# ip telnet server vrf management Supported Releases 10.4.0E(R1) or later Security Accounting, authentication, and authorization (AAA) services secure networks against unauthorized access. In addition to local authentication, OS10 supports remote authentication dial-in service (RADIUS) and terminal access controller access control system (TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication requests to a server that contains all user authentication and network service access information. A RADIUS or TACACS+ server provides accounting, authentication (user credentials verification), and authorization (user privilege-level) services. You can configure the security protocol used for different login methods and users. The server uses a list of authentication methods to define the types of authentication and the sequence in which they apply. By default, only the local authentication method is used. The authentication methods in the method list are executed in the order in which they are configured. You can re-enter the methods to change the order. The local authentication method must always be in the list. If a console user logs in with RADIUS or TACACS+ authentication, the privilege-level you configured for the user on the RADIUS or TACACS+ server is applied. NOTE: You must configure the group name (level) on the RADIUS server using the vendor-specific attribute or the authentication fails. • Configure the AAA authentication method in CONFIGURATION mode. aaa authentication {local | radius | tacacs} - local - Use the username and password database defined in the local configuration. - radius - (Optional) Use the RADIUS servers configured with the radius-server host command as the primary authentication method. - tacacs - (Optional) Use the TACACS+ servers configured with the tacacs-server host command as the primary authentication method. Configure AAA authentication OS10(config)# aaa authentication radius local User re-authentication To prevent users from accessing resources and performing tasks for which they are not authorized, OS10 allows you to require users to reauthenticate by logging in again when an authentication method or server changes, such as: • Adding or removing a RADIUS server (radius-server host command) • Adding or removing an authentication method (aaa authentication {local | radius} command) System management 457

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.0E(R3)	3
Getting Started	20
Download OS10 image and license	21
Installation	22
Automatic installation	23
Manual installation	23
Log into OS10	24
Install OS10 license	24
Remote access	26
Configure Management IP address	26
Management Route Configuration	26
Configure user name and password	27
Upgrade OS10	28
CLI Basics	28
User accounts	28
Key CLI features	28
CLI command modes	29
CLI command hierarchy	29
CLI command categories	29
CONFIGURATION Mode	30
Command help	30
Check device status	32
Candidate configuration	34
Change to transaction-based configuration	37
Copy running configuration	37
Restore startup configuration	38
Reload system image	38
Filter show commands	39
Alias command	39
Batch mode commands	43
Linux shell commands	43
SSH commands	44
OS9 environment commands	44
Common commands	45
alias	45
alias (multi-line)	46
batch	47
boot	47
commit	47
configure	48
copy	48
default (alias)	49
delete	50
description (alias)	50
dir	51
discard	51
do	52
feature config-os9-style	52
exit	53
license	53
line (alias)	54
lock	54
management route	54
move	55
no	55
reload	56
show alias	56
show boot	57
show candidate-configuration	58
show environment	60
show inventory	60
show ip management-route	61
show ipv6 management-route	61
show license status	62
show running-configuration	63
show startup-configuration	65
show system	66
show version	68
start	68
system	68
system identifier	69
terminal	69
traceroute	70
unlock	71
write	71
Interfaces	72
Ethernet interfaces	72
L2 mode configuration	72
L3 mode configuration	73
Fibre Channel interfaces	73
Management interface	75
VLAN interfaces	75
User-configured default VLAN	76
VLAN scale profile	76
Loopback interfaces	77
Port-channel interfaces	77
Create port-channel	78
Add port member	78
Minimum links	79
Assign Port Channel IP Address	79
Remove or disable port-channel	79
Load balance traffic	80
Change hash algorithm	80
Configure interface ranges	80
Switch-port profiles	81
S4148-ON series port profiles	82
S4148U-ON port profiles	83
Unified port groups	84
Configure breakout mode	85
Breakout auto-configuration	86
Reset default configuration	87
Forward error correction	88
Energy-efficient Ethernet	89
Enable energy-efficient Ethernet	89
Clear interface counters	90
View EEE status/statistics	90
EEE commands	91
View interface configuration	94
Interface commands	95
channel-group	95
default interface	96
default vlan-id	98
description (Interface)	99
duplex	99
enable auto-breakout	100
fec	100
interface breakout	101
interface ethernet	101
interface loopback	102
interface mgmt	102
interface null	102
interface port-channel	103
interface range	103
interface vlan	104
link-bundle-utilization	104
mgmt	104
mode	105
mode l3	106
mtu	106
port-group	107
scale-profile vlan	107
show discovered-expanders	107
show interface	108
show inventory media	109
show link-bundle-utilization	110
show port-channel summary	110
show port-group	111
show switch-operating-mode	111
show switch-port-profile	112
show unit-provision	112
show vlan	112
shutdown	113
speed (Fibre Channel)	113
speed (Management)	114
switch-port-profile	114
switchport access vlan	116
switchport mode	117
switchport trunk allowed vlan	117
unit-provision	118
Fibre channel	119
Fibre Channel over Ethernet	119
Configure FIP snooping	120
Terminology	121
Virtual fabric	121
Fibre Channel zoning	124
F_Port on Ethernet	126
F_Port, NPG, and FCoE commands	126
clear fcoe database	126
clear fcoe statistics	126
fc alias	127
fc zone	127
fc zoneset	128
fcoe	128
fcoe max-sessions-per-enodemac	129
feature fc	129
feature fc npg	129
feature fip-snooping	130
fip-snooping enable	130
fip-snooping fc-map	130
fip-snooping port-mode fcf	131
member (alias)	131
member (zone)	132
member (zoneset)	132
name	132
show fc alias	133
show fc ns switch	133
show fc statistics	134
show fc switch	135
show fc zone	135
show fc zoneset	136
show fcoe enode	137
show fcoe fcf	137
show fcoe sessions	138
show fcoe statistics	138
show fcoe system	139
show fcoe vlan	139
show npg devices	139
show running-config vfabric	140
show vfabric	141
vfabric	142
vfabric (interface)	142
vlan	142
zone default-zone permit	143
zoneset activate	143
Layer 2	144
802.1X	144
Port authentication	145
EAP over RADIUS	146
Configure 802.1X	146
Enable 802.1X	147
Identity retransmissions	148
Failure quiet period	149
Port control mode	149
Reauthenticate port	150
Configure timeouts	151
802.1X commands	152
Link aggregation control protocol	157
Modes	157
Configuration	157
Interfaces	158
Rates	158
Sample configuration	159
LACP commands	162
Link layer discovery protocol	168
Protocol data units	168
Optional TLVs	169
Organizationally-specific TLVs	170
Media endpoint discovery	171
Network connectivity device	171
LLDP-MED capabilities TLV	171
Network policies TLVs	172
Define network policies	173
Packet timer values	173
Disable and re-enable LLDP	174
Disable and re-enable LLDP on management ports	175
Advertise TLVs	175
Network policy advertisement	176
Fast start repeat count	176
View LLDP configuration	177
Adjacent agent advertisements	178
Time to live	179
LLDP commands	179
Media Access Control	191
Static MAC Address	191
MAC Address Table	192
Clear MAC Address Table	192
MAC Commands	193
Multiple spanning-tree protocol	195
Configure MST protocol	196
Create instances	196
Root selection	198
Non-Dell hardware	198
Region name or revision	198
Modify parameters	199
Interface parameters	200
Forward traffic	200
Spanning-tree extensions	201
Debug configurations	203
MST commands	203
Rapid per-VLAN spanning-tree plus	213
Load balance and root selection	214
Enable RPVST+	214
Select root bridge	215
Root assignment	216
Loop guard	217
Global parameters	217
RPVST+ commands	218
Rapid spanning-tree protocol	226
Enable globally	226
Global parameters	227
Interface parameters	228
Root bridge selection	229
EdgePort forward traffic	230
Spanning-tree extensions	230
RSTP commands	232
Virtual LANs	238
Default VLAN	238
Create or remove VLANs	239
Access mode	240
Trunk mode	241
Assign IP address	241
View VLAN configuration	242
VLAN commands	244
Port monitoring	245
Local port monitoring	245
Remote port monitoring	246
Encapsulated remote port monitoring	248
Flow-based monitoring	249
Remote port monitoring on VLT	250
Port monitoring commands	251
Layer 3	257
Border gateway protocol	257
Sessions and peers	258
Route reflectors	259
Multiprotocol BGP	260
Attributes	260
Selection criteria	260
Weight and local preference	261
Multiexit discriminators	262
Origin	262
AS path and next-hop	263
Best path selection	263
More path support	264
Advertise cost	264
4-Byte AS numbers	265
AS number migration	265
Configure border gateway protocol	266
Enable BGP	266
Configure Dual Stack	268
Peer templates	268
Neighbor fall-over	270
Fast external fallover	271
Passive peering	273
Local AS	273
AS number limit	274
Redistribute routes	275
Additional paths	275
MED attributes	276
Local preference attribute	276
Weight attribute	277
Enable multipath	278
Route-map filters	278
Route reflector clusters	278
Aggregate routes	279
Confederations	280
Route dampening	281
Timers	282
Neighbor soft-reconfiguration	282
BGP commands	283
Equal cost multi-path	308
Load balancing	308
ECMP commands	308
IPv4 routing	311
Assign interface IP address	311
Configure static routing	312
Address resolution protocol	313
IPv4 routing commands	313
IPv6 routing	317
Enable or disable IPv6	317
IPv6 addresses	318
Stateless autoconfiguration	319
Neighbor discovery	320
Duplicate address discovery	321
Static IPv6 routing	322
IPv6 destination unreachable	322
IPv6 hop-by-hop options	323
View IPv6 information	323
IPv6 commands	323
Internet group management protocol	334
IGMP snooping	334
IGMP snooping commands	337
Open shortest path first	342
Autonomous system areas	342
Areas, networks, and neighbors	343
Router types	344
Designated and backup designated routers	345
Link-state advertisements	345
Router priority	346
Shortest path first throttling	347
OSPFv2	348
OSPFv3	379
Object tracking manager	398
Interface tracking	399
Host tracking	400
Set tracking delays	401
Object tracking	401
View tracked objects	401
OTM commands	402
Policy-based routing	405
Policy-based route-maps	405
Access-list to match route-map	405
Set address to match route-map	405
Assign route-map to interface	406
View PBR information	406
PBR commands	407
Virtual routing and forwarding	409
Configure management VRF	409
VRF commands	411
Virtual router redundancy protocol	415
Configuration	416
Create virtual router	417
Group version	417
Virtual IP addresses	418
Configure virtual IP address	418
Set group priority	419
Authentication	420
Disable preempt	420
Advertisement interval	421
Interface/object tracking	422
Configure tracking	422
VRRP commands	423
UFT modes	429
Configure UFT modes	430
UFT commands	430
hardware forwarding-table mode	430
show hardware forwarding-table mode	431
show hardware forwarding-table mode all	431
System management	432
Dynamic host configuration protocol	432
Packet format and options	432
Configure Server	433
Automatic address allocation	434
Hostname resolution	435
Manual binding entries	436
View DHCP Information	437
System domain name and list	437
DHCP commands	438
DNS commands	443
Network time protocol	445
Enable NTP	445
Broadcasts	446
Source IP address	446
Authentication	447
NTP commands	448
System clock	453
System Clock commands	453
User session management	454
User session management commands	454
Telnet server	456
Telnet commands	456
Security	457
User re-authentication	457
Password strength	458
Role-based access control	458
Assign user role	459
RADIUS authentication	459
TACACS+ authentication	460
SSH Server	461
Virtual terminal line	461
Enable login statistics	462
Security commands	462
Simple network management protocol	475
SNMP commands	475
Uplink Failure Detection	476
Configure uplink failure detection	477
UFD commands	478
OS10 image upgrade	482
Boot system partition	482
Upgrade commands	483
Access Control Lists	488
IP ACLs	488
MAC ACLs	489
IP fragment handling	489
IP fragments ACL	489
L3 ACL rules	490
Permit ACL with L3 information only	490
Deny ACL with L3 information only	490
Permit all packets from host	490
Permit only first fragments and non-fragmented packets from host	490
Assign sequence number to filter	491
User-provided sequence number	491
Auto-generated sequence number	491
L2 and L3 ACLs	491
Assign and apply ACL filters	492
Ingress ACL filters	493
Egress ACL filters	493
Clear access-list counters	494
IP prefix-lists	494
Route-maps	495
Match routes	496
Set conditions	496
continue Clause	497
ACL flow-based monitoring	497
Flow-based mirroring	497
Enable flow-based monitoring	498
ACL commands	499
clear ip access-list counters	499
clear ipv6 access-list counters	499
clear mac access-list counters	500
deny	500
deny (IPv6)	501
deny (MAC)	501
deny icmp	502
deny icmp (IPv6)	503
deny ip	503
deny ipv6	504
deny tcp	504
deny tcp (IPv6)	505
deny udp	506
deny udp (IPv6)	507
description	508
ip access-group	508
ip access-list	508
ip as-path access-list	509
ip community-list standard deny	510
ip community–list standard permit	510
ip extcommunity-list standard deny	511
ip extcommunity-list standard permit	511
ip prefix-list description	511
ip prefix-list deny	512
ip prefix-list permit	512
ip prefix-list seq deny	513
ip prefix-list seq permit	513
ipv6 access-group	514
ipv6 access-list	514
ipv6 prefix-list deny	514
ipv6 prefix-list description	515
ipv6 prefix-list permit	515
ipv6 prefix-list seq deny	516
ipv6 prefix-list seq permit	516
mac access-group	517
mac access-list	517
permit	517
permit (IPv6)	518
permit (MAC)	519
permit icmp	519
permit icmp (IPv6)	520
permit ip	521
permit ipv6	521
permit tcp	522

Match case Limit results 1 per page

Parameters

•

management

—

Conﬁgures

the management VRF to be used to reach the Telnet server.

Default

The Telnet server is reachable on the default VRF.

Command Mode

CONFIGURATION

Usage Information

By default, the Telnet server is disabled. To enable the Telnet server, enter the

telnet enable

command. To

conﬁgure

the Telnet server to be reachable on the management VRF instance, use the

ip telnet server

vrf management

command.

Example

OS10(config)# ip telnet server vrf management

Supported Releases

10.4.0E(R1) or later

Security

Accounting, authentication, and authorization (AAA) services secure networks against unauthorized access. In addition to local

authentication, OS10 supports remote authentication dial-in service (RADIUS) and terminal access controller access control system

(TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication

requests to a server that contains all user authentication and network service access information.

A RADIUS or TACACS+ server provides accounting, authentication (user credentials

veriﬁcation),

and authorization (user privilege-level)

services. You can

conﬁgure

the security protocol used for

diﬀerent

methods to

deﬁne

the types of authentication and the sequence in which they apply. By default, only the

local

authentication method is

used.

The authentication methods in the method list are executed in the order in which they are

conﬁgured.

You can re-enter the methods to

change the order. The

local

authentication method must always be in the list. If a console user logs in with RADIUS or TACACS+

authentication, the privilege-level you

conﬁgured

for the user on the RADIUS or TACACS+ server is applied.

NOTE:

You must

conﬁgure

the group name (level) on the RADIUS server using the

vendor-speciﬁc

attribute or the

authentication fails.

•

Conﬁgure

the AAA authentication method in CONFIGURATION mode.

aaa authentication {local | radius | tacacs}

–

local

— Use the username and password database

deﬁned

in the local

conﬁguration.

–

radius

— (Optional) Use the RADIUS servers

conﬁgured

with the

radius-server host

command as the primary

authentication method.

–

tacacs

— (Optional) Use the TACACS+ servers

conﬁgured

with the

tacacs-server host

command as the primary

authentication method.

Conﬁgure

AAA authentication

OS10(config)# aaa authentication radius local

User re-authentication

To prevent users from accessing resources and performing tasks for which they are not authorized, OS10 allows you to require users to re-

authenticate by logging in again when an authentication method or server changes, such as:

•

Adding or removing a RADIUS server (

radius-server host

command)

•

Adding or removing an authentication method (

aaa authentication {local | radius}

command)

System management

457