Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4128F-ON » Manual Viewer

Dell PowerSwitch S4128F-ON OS10 Enterprise Edition User Guide Release 10.4.0ER - Page 458

Password strength, Role-based access control

View all Dell PowerSwitch S4128F-ON manuals

Add to My Manuals
Save this manual to your list of manuals

Page 458 highlights

You can enable this feature so that user re-authentication is required when any of these actions are performed. In these cases, logged-in users are logged out of the switch and all OS10 sessions are terminated. By default, user re-authentication is disabled. Enable user re-authentication • Enable user re-authentication in CONFIGURATION mode. aaa re-authenticate enable Enter the no form of the command to disable user re-authentication. Password strength By default, the password you configure with the username password command must be at least nine alphanumeric characters. To increase password strength, you can create password rules using the password-attributes command. When you enter the command, at least one parameter is required. When you enter the character-restriction parameter, at least one option is required. • Create rules for stronger passwords in CONFIGURATION mode. password-attributes {[min-length number] [character-restriction {[upper number] [lower number][numeric number] [special-char number]}} - min-length number - Enter the minimum number of required alphanumeric characters (6 to 32; default 9). - character-restriction - Enter a requirement for the alphanumeric characters in a password: ◦ upper number - Minimum number of uppercase characters required (0 to 31; default 0). ◦ lower number - Minimum number of lowercase characters required (0 to 31; default 0). ◦ numeric number - Minimum number of numeric characters required (0 to 31; default 0). ◦ special-char number - Minimum number of special characters required (0 to 31; default 0). Create password rules OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2 Display password rules OS10(config)# do show running-configuration password-attributes password-attributes min-length 7 character-restriction upper 4 numeric 2 Role-based access control RBAC provides control for access and authorization. Users are granted permissions based on defined roles - not on their individual system user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter an enable password because you are automatically placed in EXEC mode. OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add commands a user can enter, and set the actions the user can perform. This allows greater flexibility when assigning permissions for each command to each role. Using RBAC is easier and more efficient to administer user rights. If a user's role matches one of the allowed user roles for that command, command authorization is granted. A constrained RBAC model provides separation of duty as well as greater security. A constrained model places some limitations on each role's permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events, audits, and security system logs. 458 System management

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.0E(R3)	3
Getting Started	20
Download OS10 image and license	21
Installation	22
Automatic installation	23
Manual installation	23
Log into OS10	24
Install OS10 license	24
Remote access	26
Configure Management IP address	26
Management Route Configuration	26
Configure user name and password	27
Upgrade OS10	28
CLI Basics	28
User accounts	28
Key CLI features	28
CLI command modes	29
CLI command hierarchy	29
CLI command categories	29
CONFIGURATION Mode	30
Command help	30
Check device status	32
Candidate configuration	34
Change to transaction-based configuration	37
Copy running configuration	37
Restore startup configuration	38
Reload system image	38
Filter show commands	39
Alias command	39
Batch mode commands	43
Linux shell commands	43
SSH commands	44
OS9 environment commands	44
Common commands	45
alias	45
alias (multi-line)	46
batch	47
boot	47
commit	47
configure	48
copy	48
default (alias)	49
delete	50
description (alias)	50
dir	51
discard	51
do	52
feature config-os9-style	52
exit	53
license	53
line (alias)	54
lock	54
management route	54
move	55
no	55
reload	56
show alias	56
show boot	57
show candidate-configuration	58
show environment	60
show inventory	60
show ip management-route	61
show ipv6 management-route	61
show license status	62
show running-configuration	63
show startup-configuration	65
show system	66
show version	68
start	68
system	68
system identifier	69
terminal	69
traceroute	70
unlock	71
write	71
Interfaces	72
Ethernet interfaces	72
L2 mode configuration	72
L3 mode configuration	73
Fibre Channel interfaces	73
Management interface	75
VLAN interfaces	75
User-configured default VLAN	76
VLAN scale profile	76
Loopback interfaces	77
Port-channel interfaces	77
Create port-channel	78
Add port member	78
Minimum links	79
Assign Port Channel IP Address	79
Remove or disable port-channel	79
Load balance traffic	80
Change hash algorithm	80
Configure interface ranges	80
Switch-port profiles	81
S4148-ON series port profiles	82
S4148U-ON port profiles	83
Unified port groups	84
Configure breakout mode	85
Breakout auto-configuration	86
Reset default configuration	87
Forward error correction	88
Energy-efficient Ethernet	89
Enable energy-efficient Ethernet	89
Clear interface counters	90
View EEE status/statistics	90
EEE commands	91
View interface configuration	94
Interface commands	95
channel-group	95
default interface	96
default vlan-id	98
description (Interface)	99
duplex	99
enable auto-breakout	100
fec	100
interface breakout	101
interface ethernet	101
interface loopback	102
interface mgmt	102
interface null	102
interface port-channel	103
interface range	103
interface vlan	104
link-bundle-utilization	104
mgmt	104
mode	105
mode l3	106
mtu	106
port-group	107
scale-profile vlan	107
show discovered-expanders	107
show interface	108
show inventory media	109
show link-bundle-utilization	110
show port-channel summary	110
show port-group	111
show switch-operating-mode	111
show switch-port-profile	112
show unit-provision	112
show vlan	112
shutdown	113
speed (Fibre Channel)	113
speed (Management)	114
switch-port-profile	114
switchport access vlan	116
switchport mode	117
switchport trunk allowed vlan	117
unit-provision	118
Fibre channel	119
Fibre Channel over Ethernet	119
Configure FIP snooping	120
Terminology	121
Virtual fabric	121
Fibre Channel zoning	124
F_Port on Ethernet	126
F_Port, NPG, and FCoE commands	126
clear fcoe database	126
clear fcoe statistics	126
fc alias	127
fc zone	127
fc zoneset	128
fcoe	128
fcoe max-sessions-per-enodemac	129
feature fc	129
feature fc npg	129
feature fip-snooping	130
fip-snooping enable	130
fip-snooping fc-map	130
fip-snooping port-mode fcf	131
member (alias)	131
member (zone)	132
member (zoneset)	132
name	132
show fc alias	133
show fc ns switch	133
show fc statistics	134
show fc switch	135
show fc zone	135
show fc zoneset	136
show fcoe enode	137
show fcoe fcf	137
show fcoe sessions	138
show fcoe statistics	138
show fcoe system	139
show fcoe vlan	139
show npg devices	139
show running-config vfabric	140
show vfabric	141
vfabric	142
vfabric (interface)	142
vlan	142
zone default-zone permit	143
zoneset activate	143
Layer 2	144
802.1X	144
Port authentication	145
EAP over RADIUS	146
Configure 802.1X	146
Enable 802.1X	147
Identity retransmissions	148
Failure quiet period	149
Port control mode	149
Reauthenticate port	150
Configure timeouts	151
802.1X commands	152
Link aggregation control protocol	157
Modes	157
Configuration	157
Interfaces	158
Rates	158
Sample configuration	159
LACP commands	162
Link layer discovery protocol	168
Protocol data units	168
Optional TLVs	169
Organizationally-specific TLVs	170
Media endpoint discovery	171
Network connectivity device	171
LLDP-MED capabilities TLV	171
Network policies TLVs	172
Define network policies	173
Packet timer values	173
Disable and re-enable LLDP	174
Disable and re-enable LLDP on management ports	175
Advertise TLVs	175
Network policy advertisement	176
Fast start repeat count	176
View LLDP configuration	177
Adjacent agent advertisements	178
Time to live	179
LLDP commands	179
Media Access Control	191
Static MAC Address	191
MAC Address Table	192
Clear MAC Address Table	192
MAC Commands	193
Multiple spanning-tree protocol	195
Configure MST protocol	196
Create instances	196
Root selection	198
Non-Dell hardware	198
Region name or revision	198
Modify parameters	199
Interface parameters	200
Forward traffic	200
Spanning-tree extensions	201
Debug configurations	203
MST commands	203
Rapid per-VLAN spanning-tree plus	213
Load balance and root selection	214
Enable RPVST+	214
Select root bridge	215
Root assignment	216
Loop guard	217
Global parameters	217
RPVST+ commands	218
Rapid spanning-tree protocol	226
Enable globally	226
Global parameters	227
Interface parameters	228
Root bridge selection	229
EdgePort forward traffic	230
Spanning-tree extensions	230
RSTP commands	232
Virtual LANs	238
Default VLAN	238
Create or remove VLANs	239
Access mode	240
Trunk mode	241
Assign IP address	241
View VLAN configuration	242
VLAN commands	244
Port monitoring	245
Local port monitoring	245
Remote port monitoring	246
Encapsulated remote port monitoring	248
Flow-based monitoring	249
Remote port monitoring on VLT	250
Port monitoring commands	251
Layer 3	257
Border gateway protocol	257
Sessions and peers	258
Route reflectors	259
Multiprotocol BGP	260
Attributes	260
Selection criteria	260
Weight and local preference	261
Multiexit discriminators	262
Origin	262
AS path and next-hop	263
Best path selection	263
More path support	264
Advertise cost	264
4-Byte AS numbers	265
AS number migration	265
Configure border gateway protocol	266
Enable BGP	266
Configure Dual Stack	268
Peer templates	268
Neighbor fall-over	270
Fast external fallover	271
Passive peering	273
Local AS	273
AS number limit	274
Redistribute routes	275
Additional paths	275
MED attributes	276
Local preference attribute	276
Weight attribute	277
Enable multipath	278
Route-map filters	278
Route reflector clusters	278
Aggregate routes	279
Confederations	280
Route dampening	281
Timers	282
Neighbor soft-reconfiguration	282
BGP commands	283
Equal cost multi-path	308
Load balancing	308
ECMP commands	308
IPv4 routing	311
Assign interface IP address	311
Configure static routing	312
Address resolution protocol	313
IPv4 routing commands	313
IPv6 routing	317
Enable or disable IPv6	317
IPv6 addresses	318
Stateless autoconfiguration	319
Neighbor discovery	320
Duplicate address discovery	321
Static IPv6 routing	322
IPv6 destination unreachable	322
IPv6 hop-by-hop options	323
View IPv6 information	323
IPv6 commands	323
Internet group management protocol	334
IGMP snooping	334
IGMP snooping commands	337
Open shortest path first	342
Autonomous system areas	342
Areas, networks, and neighbors	343
Router types	344
Designated and backup designated routers	345
Link-state advertisements	345
Router priority	346
Shortest path first throttling	347
OSPFv2	348
OSPFv3	379
Object tracking manager	398
Interface tracking	399
Host tracking	400
Set tracking delays	401
Object tracking	401
View tracked objects	401
OTM commands	402
Policy-based routing	405
Policy-based route-maps	405
Access-list to match route-map	405
Set address to match route-map	405
Assign route-map to interface	406
View PBR information	406
PBR commands	407
Virtual routing and forwarding	409
Configure management VRF	409
VRF commands	411
Virtual router redundancy protocol	415
Configuration	416
Create virtual router	417
Group version	417
Virtual IP addresses	418
Configure virtual IP address	418
Set group priority	419
Authentication	420
Disable preempt	420
Advertisement interval	421
Interface/object tracking	422
Configure tracking	422
VRRP commands	423
UFT modes	429
Configure UFT modes	430
UFT commands	430
hardware forwarding-table mode	430
show hardware forwarding-table mode	431
show hardware forwarding-table mode all	431
System management	432
Dynamic host configuration protocol	432
Packet format and options	432
Configure Server	433
Automatic address allocation	434
Hostname resolution	435
Manual binding entries	436
View DHCP Information	437
System domain name and list	437
DHCP commands	438
DNS commands	443
Network time protocol	445
Enable NTP	445
Broadcasts	446
Source IP address	446
Authentication	447
NTP commands	448
System clock	453
System Clock commands	453
User session management	454
User session management commands	454
Telnet server	456
Telnet commands	456
Security	457
User re-authentication	457
Password strength	458
Role-based access control	458
Assign user role	459
RADIUS authentication	459
TACACS+ authentication	460
SSH Server	461
Virtual terminal line	461
Enable login statistics	462
Security commands	462
Simple network management protocol	475
SNMP commands	475
Uplink Failure Detection	476
Configure uplink failure detection	477
UFD commands	478
OS10 image upgrade	482
Boot system partition	482
Upgrade commands	483
Access Control Lists	488
IP ACLs	488
MAC ACLs	489
IP fragment handling	489
IP fragments ACL	489
L3 ACL rules	490
Permit ACL with L3 information only	490
Deny ACL with L3 information only	490
Permit all packets from host	490
Permit only first fragments and non-fragmented packets from host	490
Assign sequence number to filter	491
User-provided sequence number	491
Auto-generated sequence number	491
L2 and L3 ACLs	491
Assign and apply ACL filters	492
Ingress ACL filters	493
Egress ACL filters	493
Clear access-list counters	494
IP prefix-lists	494
Route-maps	495
Match routes	496
Set conditions	496
continue Clause	497
ACL flow-based monitoring	497
Flow-based mirroring	497
Enable flow-based monitoring	498
ACL commands	499
clear ip access-list counters	499
clear ipv6 access-list counters	499
clear mac access-list counters	500
deny	500
deny (IPv6)	501
deny (MAC)	501
deny icmp	502
deny icmp (IPv6)	503
deny ip	503
deny ipv6	504
deny tcp	504
deny tcp (IPv6)	505
deny udp	506
deny udp (IPv6)	507
description	508
ip access-group	508
ip access-list	508
ip as-path access-list	509
ip community-list standard deny	510
ip community–list standard permit	510
ip extcommunity-list standard deny	511
ip extcommunity-list standard permit	511
ip prefix-list description	511
ip prefix-list deny	512
ip prefix-list permit	512
ip prefix-list seq deny	513
ip prefix-list seq permit	513
ipv6 access-group	514
ipv6 access-list	514
ipv6 prefix-list deny	514
ipv6 prefix-list description	515
ipv6 prefix-list permit	515
ipv6 prefix-list seq deny	516
ipv6 prefix-list seq permit	516
mac access-group	517
mac access-list	517
permit	517
permit (IPv6)	518
permit (MAC)	519
permit icmp	519
permit icmp (IPv6)	520
permit ip	521
permit ipv6	521
permit tcp	522

Match case Limit results 1 per page

You can enable this feature so that user re-authentication is required when any of these actions are performed. In these cases, logged-in

users are logged out of the switch and all OS10 sessions are terminated. By default, user re-authentication is disabled.

Enable user re-authentication

•

Enable user re-authentication in CONFIGURATION mode.

aaa re-authenticate enable

Enter the

form of the command to disable user re-authentication.

Password strength

By default, the password you

conﬁgure

with the

username password

command must be at least nine alphanumeric characters.

To increase password strength, you can create password rules using the

password-attributes

command. When you enter the

command, at least one parameter is required. When you enter the

character-restriction

parameter, at least one option is required.

•

Create rules for stronger passwords in CONFIGURATION mode.

password-attributes {[min-length

number

] [character-restriction {[upper

number

]

[lower

number

][numeric

number

] [special-char

number

]}}

–

min-length

number

— Enter the minimum number of required alphanumeric characters (6 to 32; default 9).

–

character-restriction

— Enter a requirement for the alphanumeric characters in a password:

◦

upper

number

— Minimum number of uppercase characters required (0 to 31; default 0).

◦

lower

number

— Minimum number of lowercase characters required (0 to 31; default 0).

◦

numeric

number

— Minimum number of numeric characters required (0 to 31; default 0).

◦

special-char

number

— Minimum number of special characters required (0 to 31; default 0).

Create password rules

OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2

Display password rules

OS10(config)# do show running-configuration password-attributes

password-attributes min-length 7 character-restriction upper 4 numeric 2

Role-based access control

RBAC provides control for access and authorization. Users are granted permissions based on

deﬁned

roles — not on their individual system

user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single

role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter

an enable password because you are automatically placed in EXEC mode.

OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add

commands a user can enter, and set the actions the user can perform. This allows greater

ﬂexibility

when assigning permissions for each

command to each role. Using RBAC is easier and more

eﬃcient

to administer user rights. If a user’s role matches one of the allowed user

roles for that command, command authorization is granted.

A constrained RBAC model provides separation of duty as well as greater security. A constrained model places some limitations on each

role’s permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events,

audits, and security system logs.

458

System management