Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4820T » Manual Viewer

Dell PowerSwitch S4820T Configuration Guide for the S4820T System 9.14.1.0 - Page 841

Two Factor Authentication (2FA), Handling Access-Challenge Message

View all Dell PowerSwitch S4820T manuals

Add to My Manuals
Save this manual to your list of manuals

Page 841 highlights

0 console 0 admin sysadmin 15 *3 vty 1 sec1 secadmin 14 4 vty 2 ml1 netadmin 12 idle idle idle 172.31.1.4 172.31.1.5 Two Factor Authentication (2FA) Two factor authentication also known as 2FA, strengthens the login security by providing one time password (OTP) in addition to username and password. 2FA supports RADIUS authentications with Console, Telnet, and SSHv2. To perform 2FA, follow these steps: • When the Network access server (NAS) prompts for the username and password, provide the inputs. • If the credentials are valid: - RADIUS server sends a request to the SMS-OTP daemon to generate an OTP for the user. - A challenge authentication is sent from the RADIUS server as Reply-Message attribute. - If the Reply-Message attribute is not sent from the RADIUS server, the default text is the Response. - 2FA is successful only on providing the correct OTP. • If the credentials are invalid, the authentication fails. NOTE: 2FA does not support RADIUS authentications done with REST, Web UI, and OMI. Handling Access-Challenge Message To provide a two-step verification in addition to the username and password, NAS prompts for additional information. An Access-Challenge request is sent from the RADIUS server to NAS. The RADIUS server returns one of the following responses: • Access-Challenge-If the user credentials are valid, the NAS server receives an Access-Challenge request from the RADIUS server. • Access-Accept-NAS validates the username and password. If the credentials are valid, the RADIUS server sends an Access-Request to the short message service one time password (SMS-OTP) daemon to generate an OTP. The OTP is sent to the user's e-mail ID or mobile. If the OTP is valid, the RADIUS server authenticates the 2FA user and sends an Access-Accept response to NAS. • Access-Reject-NAS validates the OTP and if the OTP is invalid, the RADIUS server does not authenticate the user and sends an Access-Reject response to NAS. Configuring Challenge Response Authentication for SSHv2 To configure challenge response authentication for SSHv2, perform the following steps: 1 Enable challenge response authentication for SSHv2. CONFIGURATION mode ip ssh challenge-response-authentication enable 2 View the configuration. EXEC mode show ip ssh DellEMC# show ip ssh SSH server SSH server version SSH server vrf SSH server ciphers cbc,3des-cbc. : enabled. : v2. : default. : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128- Security 841

Section	Page
Dell Configuration Guide for the S4820T System 9.14.1.0	3
About this Guide	36
Audience	36
Conventions	36
Related Documents	36
Configuration Fundamentals	37
Accessing the Command Line	37
CLI Modes	37
Navigating CLI Modes	39
The do Command	42
Undoing Commands	42
Obtaining Help	43
Entering and Editing Commands	43
Command History	44
Filtering show Command Outputs	44
Example of the grep Keyword	44
Multiple Users in Configuration Mode	45
Getting Started	46
Console Access	47
Serial Console	47
Accessing the CLI Interface and Running Scripts Using SSH	48
Entering CLI commands Using an SSH Connection	48
Executing Local CLI Scripts Using an SSH Connection	48
Default Configuration	49
Configuring a Host Name	49
Accessing the System Remotely	49
Accessing the System Remotely	49
Configure the Management Port IP Address	49
Configure a Management Route	50
Configuring a Username and Password	50
Configuring the Enable Password	51
Configuration File Management	51
Copy Files to and from the System	52
Mounting an NFS File System	52
Save the Running-Configuration	54
Configure the Overload Bit for a Startup Scenario	55
Viewing Files	55
Managing the File System	56
Enabling Software Features on Devices Using a Command Option	56
View Command History	57
Upgrading Dell EMC Networking OS	57
Using HTTP for File Transfers	57
Verify Software Images Before Installation	58
Management	60
Configuring Privilege Levels	60
Creating a Custom Privilege Level	61
Removing a Command from EXEC Mode	61
Moving a Command from EXEC Privilege Mode to EXEC Mode	61
Allowing Access to CONFIGURATION Mode Commands	61
Allowing Access to Different Modes	61
Applying a Privilege Level to a Username	63
Applying a Privilege Level to a Terminal Line	63
Configuring Logging	63
Audit and Security Logs	64
Configuring Logging Format	66
Display the Logging Buffer and the Logging Configuration	66
Setting Up a Secure Connection to a Syslog Server	67
Log Messages in the Internal Buffer	68
Configuration Task List for System Log Management	68
Disabling System Logging	68
Sending System Messages to a Syslog Server	68
Configuring a UNIX System as a Syslog Server	69
Track Login Activity	69
Restrictions for Tracking Login Activity	69
Configuring Login Activity Tracking	69
Display Login Statistics	70
Limit Concurrent Login Sessions	71
Restrictions for Limiting the Number of Concurrent Sessions	71
Configuring Concurrent Session Limit	71
Enabling the System to Clear Existing Sessions	72
Enabling Secured CLI Mode	73
Changing System Logging Settings	73
Display the Logging Buffer and the Logging Configuration	74
Configuring a UNIX Logging Facility Level	74
Synchronizing Log Messages	75
Enabling Timestamp on Syslog Messages	76
File Transfer Services	76
Configuration Task List for File Transfer Services	77
Enabling the FTP Server	77
Configuring FTP Server Parameters	77
Configuring FTP Client Parameters	78
Terminal Lines	78
Denying and Permitting Access to a Terminal Line	78
Configuring Login Authentication for Terminal Lines	79
Setting Timeout for EXEC Privilege Mode	80
Using Telnet to get to Another Network Device	81
Lock CONFIGURATION Mode	81
Viewing the Configuration Lock Status	81
Recovering from a Forgotten Password	82
Recovering from a Forgotten Enable Password	83
Recovering from a Failed Start	84
Restoring the Factory Default Settings	84
Important Points to Remember	84
Restoring Factory Default Environment Variables	85
Dell EMC Networking OS Security Hardening	86
Dell EMC Networking OS Image Verification	86
Startup Configuration Verification	87
Configuring the root User Password	88
Locking Access to GRUB Interface	89
Enabling User Lockout for Failed Login Attempts	90
802.1X	91
Port-Authentication Process	93
EAP over RADIUS	93
Configuring 802.1X	94
Related Configuration Tasks	94
Important Points to Remember	94
Enabling 802.1X	95
Configuring MAC addresses for a do1x Profile	96
Configuring Request Identity Re-Transmissions	97
Configuring a Quiet Period after a Failed Authentication	97
Forcibly Authorizing or Unauthorizing a Port	98
Re-Authenticating a Port	99
Configuring Timeouts	100
Configuring Dynamic VLAN Assignment with Port Authentication	101
Guest and Authentication-Fail VLANs	102
Configuring a Guest VLAN	102
Configuring an Authentication-Fail VLAN	102
Configuring dot1x Profile	103
Configuring the Static MAB and MAB Profile	104
Configuring Critical VLAN	105
Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)	106
Optimizing CAM Utilization During the Attachment of ACLs to VLANs	106
Guidelines for Configuring ACL VLAN Groups	107
Configuring ACL VLAN Groups and Configuring FP Blocks for VLAN Parameters	107
Viewing CAM Usage	109
Allocating FP Blocks for VLAN Processes	110
Access Control Lists (ACLs)	112
IP Access Control Lists (ACLs)	113
CAM Usage	114
Implementing ACLs on Dell EMC Networking OS	114
IP Fragment Handling	116
IP Fragments ACL Examples	116
Layer 4 ACL Rules Examples	117
Configure a Standard IP ACL	117
Configuring a Standard IP ACL Filter	118
Configure an Extended IP ACL	119
Configuring Filters with a Sequence Number	119
Configuring Filters Without a Sequence Number	121
Configure Layer 2 and Layer 3 ACLs	121
Assign an IP ACL to an Interface	122
Applying an IP ACL	122
Counting ACL Hits	123
Configure Ingress ACLs	123
Configure Egress ACLs	124
Applying Egress Layer 3 ACLs (Control-Plane)	125
IP Prefix Lists	125
Implementation Information	126
Configuration Task List for Prefix Lists	126
ACL Remarks	129
Configuring a Remark	129
Deleting a Remark	130
ACL Resequencing	131
Resequencing an ACL or Prefix List	131
Route Maps	132
Implementation Information	132
Important Points to Remember	133
Configuration Task List for Route Maps	133
Configuring Match Routes	135
Configuring Set Conditions	136
Configure a Route Map for Route Redistribution	137
Configure a Route Map for Route Tagging	138
Continue Clause	138
Logging of ACL Processes	139
Guidelines for Configuring ACL Logging	139
Configuring ACL Logging	140
Flow-Based Monitoring	140
Behavior of Flow-Based Monitoring	141
Enabling Flow-Based Monitoring	142
Bidirectional Forwarding Detection (BFD)	144
How BFD Works	144
BFD Packet Format	145
BFD Sessions	146
BFD Three-Way Handshake	147
Session State Changes	149
Important Points to Remember	149
Configure BFD	149
Configure BFD for Physical Ports	150
Configure BFD for Static Routes	151
Configure BFD for OSPF	154
Configure BFD for OSPFv3	158
Configure BFD for IS-IS	161
Configure BFD for BGP	163
Configure BFD for VRRP	171
Configuring Protocol Liveness	174
Troubleshooting BFD	174
Border Gateway Protocol version 4 (BGPv4)	176
Autonomous Systems (AS)	176
Sessions and Peers	178
Establish a Session	178
Route Reflectors	179
BGP Attributes for selecting Best Path	180
Best Path Selection Criteria	180
Weight	182
Local Preference	182
Multi-Exit Discriminators (MEDs)	183
Origin	184
AS Path	185
Next Hop	185
Multiprotocol BGP	185
MBGP for IPv4 MulticastBGP Address Family modelIPv4 and IPv6 address family	186
Implement BGP with Dell EMC Networking OS	186
Additional Path (Add-Path) Support	186
Advertise IGP Cost as MED for Redistributed Routes	187
Ignore Router-ID in Best-Path Calculation	187
Four-Byte AS Numbers	187
AS4 Number Representation	188
AS Number Migration	189
BGP4 Management Information Base (MIB)	190
Important Points to Remember	190
Configuration Information	191
Enabling BGP	192
Enabling BGP	193
Configuring AS4 Number Representations	195
Configuring Peer Groups	197
Configuring BGP Fast Fall-Over	199
Configuring Passive Peering	200
Maintaining Existing AS Numbers During an AS Migration	201
Allowing an AS Number to Appear in its Own AS Path	202
Enabling Graceful Restart	203
Enabling Neighbor Graceful Restart	204
Filtering on an AS-Path Attribute	204
Regular Expressions as Filters	206
Redistributing Routes	207
Enabling Additional Paths	208
Configuring IP Community Lists	208
Configuring an IP Extended Community List	209
Filtering Routes with Community Lists	210
Manipulating the COMMUNITY Attribute	211
Changing MED Attributes	212
Changing the LOCAL_PREFERENCE Attribute	212
Configuring the local System or a Different System to be the Next Hop for BGP-Learned Routes	213
Changing the WEIGHT Attribute	214
Enabling Multipath	214
Filtering BGP Routes	214
Filtering BGP Routes Using Route Maps	216
Filtering BGP Routes Using AS-PATH Information	216
Configuring BGP Route Reflectors	217
Aggregating Routes	218
Configuring BGP Confederations	218
Enabling Route Flap Dampening	219
Changing BGP Timers	221
Route-refresh and Soft-reconfiguration	221
Enabling or disabling BGP neighbors	223
Route Map Continue	224
Enabling MBGP Configurations	224
Configure IPv6 NH Automatically for IPv6 Prefix Advertised over IPv4 Neighbor	225
BGP Regular Expression Optimization	227
Debugging BGP	227
Storing Last and Bad PDUs	228
Capturing PDUs	229
PDU Counters	230
Example-Configuring BGP peer groups	230
Content Addressable Memory (CAM)	237
CAM Allocation	237
Test CAM Usage	239
View CAM Profiles	239
View CAM-ACL Settings	240
View CAM Usage	241
Configuring CAM Threshold and Silence Period	242
Setting CAM Threshold and Silence Period	242
CAM Optimization	243
Troubleshoot CAM Profiling	243
QoS CAM Region Limitation	243
Control Plane Policing (CoPP)	245
Configure Control Plane Policing	246
Configuring CoPP for Protocols	247
Configuring CoPP for CPU Queues	249
CoPP for OSPFv3 Packets	250
Configuring CoPP for OSPFv3	253
Displaying CoPP Configuration	253
Data Center Bridging (DCB)	256
Ethernet Enhancements in Data Center Bridging	256
Priority-Based Flow Control	257
Enhanced Transmission Selection	258
Data Center Bridging Exchange Protocol (DCBx)	259
Data Center Bridging in a Traffic Flow	260
Enabling Data Center Bridging	260
DCB Maps and its Attributes	261
Data Center Bridging: Default Configuration	262
Configuring Priority-Based Flow Control	262
Configuring Lossless Queues	263
Configuring PFC in a DCB Map	264
PFC Configuration Notes	264
PFC Prerequisites and Restrictions	265
Applying a DCB Map on a Port	265
Configuring PFC without a DCB Map	266
Configuring Lossless QueuesExample:	266
Priority-Based Flow Control Using Dynamic Buffer Method	267
Pause and Resume of Traffic	268
Buffer Sizes for Lossless or PFC Packets	268
Behavior of Tagged Packets	268
Configuration Example for DSCP and PFC Priorities	269
Using PFC to Manage Converged Ethernet Traffic	270
Configure Enhanced Transmission Selection	270
ETS Prerequisites and Restrictions	270
Creating an ETS Priority Group	270
ETS Operation with DCBx	271
Configuring Bandwidth Allocation for DCBx CIN	272
Configuring ETS in a DCB Map	273
Hierarchical Scheduling in ETS Output Policies	274
Using ETS to Manage Converged Ethernet Traffic	274
Applying DCB Policies in a Switch Stack	275
Configure a DCBx Operation	275
DCBx Operation	275
DCBx Port Roles	275
DCB Configuration Exchange	277
Configuration Source Election	277
Propagation of DCB Information	278
Auto-Detection and Manual Configuration of the DCBx Version	278
DCBx Example	278
DCBx Prerequisites and Restrictions	279
Configuring DCBx	279
Verifying the DCB Configuration	283
Sample DCB Configuration	291
PFC and ETS Configuration Command Examples	293
QoS dot1p Traffic Classification and Queue Assignment	293
Configuring the Dynamic Buffer Method	294
Dynamic Host Configuration Protocol (DHCP)	296
DHCP Packet Format and Options	296
Assign an IP Address using DHCP	298
Implementation Information	299
Configure the System to be a DHCP Server	299
Configuring the Server for Automatic Address Allocation	300
Specifying a Default Gateway	301
Configure a Method of Hostname Resolution	301
Using DNS for Address Resolution	301
Using NetBIOS WINS for Address Resolution	302
Creating Manual Binding Entries	302
Debugging the DHCP Server	302
Using DHCP Clear Commands	303
Configure the System to be a Relay Agent	303
Configure the System to be a DHCP Client	305
DHCP Client Operation with Other Features	305
DHCP Client on a Management Interface	306
Configure the System for User Port Stacking (Option 230)	307
Configuring DHCP relay source interface	307
Global DHCP relay source IPv4 or IPv6 configuration	307
Interface level DHCP relay source IPv4 or IPv6 configuration	308
Configure Secure DHCP	309
Option 82	309
DHCP Snooping	310
Configuring the DHCP secondary-subnet	314
Drop DHCP Packets on Snooped VLANs Only	315
Dynamic ARP Inspection	315
Configuring Dynamic ARP Inspection	316
Source Address Validation	317
Enabling IP Source Address Validation	317
DHCP MAC Source Address Validation	318
Enabling IP+MAC Source Address Validation	318
Viewing the Number of SAV Dropped Packets	319
Clearing the Number of SAV Dropped Packets	319
Equal Cost Multi-Path (ECMP)	320
ECMP for Flow-Based Affinity	320
Configuring the Hash Algorithm	320
Enabling Deterministic ECMP Next Hop	320
Configuring the Hash Algorithm Seed	321
Link Bundle Monitoring	321
Managing ECMP Group Paths	322
Creating an ECMP Group Bundle	322
Modifying the ECMP Group Threshold	322
RTAG7	323
Flow-based Hashing for ECMP	324
FIP Snooping	327
Fibre Channel over Ethernet	327
Ensure Robustness in a Converged Ethernet Network	327
FIP Snooping on Ethernet Bridges	329
FIP Snooping in a Switch Stack	331
Using FIP Snooping	331
FIP Snooping Prerequisites	331
Important Points to Remember	331
Enabling the FCoE Transit Feature	332
Enable FIP Snooping on VLANs	333
Configure the FC-MAP Value	333
Configure a Port for a Bridge-to-Bridge Link	333
Configure a Port for a Bridge-to-FCF Link	333
Impact on Other Software Features	333
FIP Snooping Restrictions	334
Configuring FIP Snooping	334
Displaying FIP Snooping Information	335
FCoE Transit Configuration Example	340
FIPS Cryptography	342
Configuration Tasks	342
Preparing the System	342
Enabling FIPS Mode	343
Generating Host-Keys	343
Monitoring FIPS Mode Status	343
Disabling FIPS Mode	344
Force10 Resilient Ring Protocol (FRRP)	345
Protocol Overview	345
Ring Status	346
Multiple FRRP Rings	346
Important FRRP Points	347
Important FRRP Concepts	348
Implementing FRRP	349
FRRP Configuration	349
Creating the FRRP Group	349
Configuring the Control VLAN	350
Configuring and Adding the Member VLANs	351
Setting the FRRP Timers	352
Clearing the FRRP Counters	352
Viewing the FRRP Configuration	352
Viewing the FRRP Information	352
Troubleshooting FRRP	353
Configuration Checks	353
Sample Configuration and Topology	353
FRRP Support on VLT	354
Example Scenario	355
Important Points to Remember	356
GARP VLAN Registration Protocol (GVRP)	357
Important Points to Remember	357
Configure GVRP	358
Related Configuration Tasks	358
Enabling GVRP Globally	359
Enabling GVRP on a Layer 2 Interface	359
Configure GVRP Registration	359
Configure a GARP Timer	360
RPM Redundancy	360
High Availability (HA)	362
Component Redundancy	362
RPM Redundancy	362
Automatic and Manual Stack Unit Failover	364
Support for RPM Redundancy by Dell EMC Networking OS Version	365
Synchronization between Management and Standby Units	365
Configuring RPM Redundancy	365
Online Insertion and Removal	366
RPM Online Insertion and Removal	366
Linecard Online Insertion and Removal	367
Hitless Behavior	368
Graceful Restart	368
Software Resiliency	369
Software Component Health Monitoring	369
System Health Monitoring	369
Failure and Event Logging	369
Hot-Lock Behavior	370
Process Restartability	370
Enabling Process Restartability	370
Internet Group Management Protocol (IGMP)	372
IGMP Implementation Information	372
IGMP Protocol Overview	372
IGMP Version 2	372
IGMP Version 3	374
Configure IGMP	377
Related Configuration Tasks	377
Viewing IGMP Enabled Interfaces	378
Selecting an IGMP Version	378
Viewing IGMP Groups	379
Adjusting Timers	379
Adjusting Query and Response Timers	379
Enabling IGMP Immediate-Leave	380
IGMP Snooping	380
IGMP Snooping Implementation Information	380
Configuring IGMP Snooping	381
Removing a Group-Port Association	381
Disabling Multicast Flooding	382
Specifying a Port as Connected to a Multicast Router	382
Configuring the Switch as Querier	382
Fast Convergence after MSTP Topology Changes	383
Egress Interface Selection (EIS) for HTTP and IGMP Applications	383
Protocol Separation	384
Enabling and Disabling Management Egress Interface Selection	385
Handling of Management Route Configuration	385
Handling of Switch-Initiated Traffic	386
Handling of Switch-Destined Traffic	387
Handling of Transit Traffic (Traffic Separation)	387
Mapping of Management Applications and Traffic Type	387
Behavior of Various Applications for Switch-Initiated Traffic	388
Behavior of Various Applications for Switch-Destined Traffic	389
Interworking of EIS With Various Applications	390
Designating a Multicast Router Interface	391
Interfaces	392
Basic Interface Configuration	392
Advanced Interface Configuration	392
Interface Types	393
View Basic Interface Information	393
Resetting an Interface to its Factory Default State	395
Enabling Energy Efficient Ethernet	396
View EEE Information	396
Clear EEE Counters	400
Enabling a Physical Interface	401
Physical Interfaces	401
Configuration Task List for Physical Interfaces	402
Overview of Layer Modes	402
Configuring Layer 2 (Data Link) Mode	402
Configuring Layer 2 (Interface) Mode	403
Configuring Layer 3 (Network) Mode	403
Configuring Layer 3 (Interface) Mode	404
Egress Interface Selection (EIS)	404
Important Points to Remember	404
Configuring EIS	405
Management Interfaces	405
Configuring Management Interfaces	405
Configuring a Management Interface on an Ethernet Port	407
VLAN Interfaces	407
Loopback Interfaces	408
Null Interfaces	409
Port Channel Interfaces	409
Port Channel Definition and Standards	409
Port Channel Benefits	409
Port Channel Implementation	409
Interfaces in Port Channels	410

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1,000
1,001
1,002
1,003
1,004
1,005
1,006
1,007
1,008
1,009
1,010
1,011
1,012
1,013
1,014
1,015
1,016
1,017
1,018
1,019
1,020
1,021
1,022
1,023
1,024
1,025
1,026
1,027
1,028
1,029
1,030
1,031
1,032
1,033
1,034
1,035
1,036
1,037
1,038
1,039
1,040
1,041
1,042
1,043
1,044
1,045
1,046
1,047
1,048
1,049
1,050
1,051
1,052
1,053
1,054
1,055
1,056
1,057
1,058
1,059
1,060
1,061
1,062
1,063
1,064
1,065
1,066
1,067
1,068
1,069
1,070
1,071
1,072
1,073
1,074
1,075
1,076
1,077
1,078
1,079
1,080
1,081
1,082
1,083
1,084
1,085
1,086
1,087
1,088
1,089
1,090
1,091
1,092
1,093
1,094
1,095
1,096
1,097
1,098
1,099
1,100
1,101
1,102
1,103
1,104
1,105
1,106
1,107
1,108
1,109
1,110
1,111
1,112
1,113
1,114
1,115
1,116
1,117
1,118
1,119
1,120
1,121
1,122
1,123
1,124
1,125
1,126
1,127
1,128
1,129
1,130
1,131
1,132
1,133
1,134
1,135
1,136
1,137
1,138
1,139
1,140
1,141
1,142
1,143
1,144
1,145
1,146

Match case Limit results 1 per page

0 console 0

admin

sysadmin

idle

*3 vty 1

sec1

secadmin

idle

172.31.1.4

4 vty 2

ml1

netadmin

idle

172.31.1.5

Two Factor Authentication (2FA)

Two factor authentication also known as 2FA, strengthens the login security by providing one time password (OTP) in addition to username

and password. 2FA supports RADIUS authentications with Console, Telnet, and SSHv2.

To perform 2FA, follow these steps:

•

When the Network access server (NAS) prompts for the username and password, provide the inputs.

•

If the credentials are valid:

–

RADIUS server sends a request to the SMS–OTP daemon to generate an OTP for the user.

–

A challenge authentication is sent from the RADIUS server as Reply–Message attribute.

–

If the Reply–Message attribute is not sent from the RADIUS server, the default text is the

Response

–

2FA is successful only on providing the correct OTP.

•

If the credentials are invalid, the authentication fails.

NOTE:

2FA does not support RADIUS authentications done with REST, Web UI, and OMI.

Handling Access-Challenge Message

To provide a two-step

veriﬁcation

in addition to the username and password, NAS prompts for additional information. An Access-Challenge

request is sent from the RADIUS server to NAS.

The RADIUS server returns one of the following responses:

•

Access-Challenge

—If the user credentials are valid, the NAS server receives an Access-Challenge request from the RADIUS server.

•

Access-Accept

—NAS validates the username and password. If the credentials are valid, the RADIUS server sends an Access-Request

to the short message service one time password (SMS-OTP) daemon to generate an OTP. The OTP is sent to the user’s e-mail ID or

mobile. If the OTP is valid, the RADIUS server authenticates the 2FA user and sends an Access-Accept response to NAS.

•

Access-Reject

—NAS validates the OTP and if the OTP is invalid, the RADIUS server does not authenticate the user and sends an

Access-Reject response to NAS.

Conﬁguring

Challenge Response Authentication for SSHv2

conﬁgure

challenge response authentication for SSHv2, perform the following steps:

Enable challenge response authentication for SSHv2.

CONFIGURATION mode

ip ssh challenge-response-authentication enable

View the

conﬁguration.

EXEC mode

show ip ssh

DellEMC# show ip ssh

SSH server

: enabled.

SSH server version

: v2.

SSH server vrf

: default.

SSH server ciphers

: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-

cbc,3des-cbc.

Security

841