Home » Dell Manuals » Hubs & Switches » Dell S4148U-ON » Manual Viewer

Dell S4148U-ON OS10 Enterprise Edition User Guide Release 10.4.0E R2 - Page 454

Assign user role, RADIUS authentication

Get Dell S4148U-ON PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 454 highlights

Assign user role To limit OS10 system access, assign a role when you configure each user. For password requirements, see Configure user name and password. • Enter a user name, password, and role in CONFIGURATION mode. username username password password role role • username username - Enter a text string (up to 32 alphanumeric characters; 1 character minimum). • password password - Enter a text string (up to 32 alphanumeric characters; 9 characters minimum). • role role - Enter a user role: • sysadmin - Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. • secadmin - Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information. • netadmin - Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information. • netoperator - Access to EXEC mode to view the current configuration. A network operator cannot modify any configuration setting on a switch. Create user role OS10(config)# username smith password silver403! newuser role sysadmin View users OS10(config)# do show users Index Line User Role Application Idle Location Login-Time Lock 1 ttyS0 admin sysadmin login/clish . - 2016-04-14 02:06:00 RADIUS authentication To configure a RADIUS server for authentication, enter the server's IP address or host name. You can change the UDP port number on the server and the key used to authenticate the OS10 switch on the server. • Configure a RADIUS authentication server in CONFIGURATION mode. By default, a RADIUS server uses UDP port 1812; the switch uses radius_server as the key to log in to a RADIUS server. radius-server host {hostname | ip-address} [auth-port port-number | key authentication-key] Re-enter the radius-server host command multiple times to configure more than one RADIUS server. If you configure multiple RADIUS servers, OS10 attempts to connect in the order you configured them. An OS10 switch connects with the configured RADIUS servers one at a time, until a RADIUS server responds with an accept or reject response. Configure global settings for the timeout and retransmit attempts allowed on RADIUS servers by using the radius-server retransmit and radius-server timeout commands. By default, OS10 supports three RADIUS authentication attempts and times out after five seconds. • Configure the number of times OS10 retransmits a RADIUS authentication request in CONFIGURATION mode (0 to 100 retries; default 3). radius-server retransmit retries 454 System management

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.0E(R2)	3
Getting Started	20
Download OS10 image and license	21
Installation	22
Automatic installation	23
Manual installation	23
Log into OS10	24
Install OS10 license	24
Remote access	25
Configure Management IP address	26
Management Route Configuration	26
Configure user name and password	27
Upgrade OS10	27
CLI Basics	27
User accounts	28
Key CLI features	28
CLI command modes	28
CLI command hierarchy	29
CLI command categories	29
CONFIGURATION Mode	29
Command help	30
Check device status	31
Candidate configuration	33
Change to transaction-based configuration	36
Copy running configuration	36
Restore startup configuration	37
Reload system image	37
Filter show commands	38
Alias command	38
Batch mode commands	42
Linux shell commands	43
SSH commands	43
OS9 environment commands	44
Common commands	44
alias	44
alias (multi-line)	45
batch	46
boot	46
commit	47
configure	47
copy	47
default (alias)	49
delete	49
description (alias)	50
dir	50
discard	51
do	51
feature config-os9-style	51
exit	52
license	52
line (alias)	53
lock	53
management route	54
move	54
no	55
reload	55
show alias	55
show boot	57
show candidate-configuration	57
show environment	59
show inventory	60
show ip management-route	60
show ipv6 management-route	61
show license status	61
show running-configuration	62
show startup-configuration	64
show system	65
show version	67
start	67
system	68
system identifier	68
terminal	68
traceroute	69
unlock	70
write	70
Interfaces	71
Ethernet interfaces	71
Unified port groups	71
L2 mode configuration	72
L3 mode configuration	73
Fibre Channel interfaces	73
Management interface	75
VLAN interfaces	75
User-configured default VLAN	76
Loopback interfaces	76
Port-channel interfaces	77
Create port-channel	77
Add port member	78
Minimum links	78
Assign Port Channel IP Address	79
Remove or disable port-channel	79
Load balance traffic	79
Change hash algorithm	80
Configure interface ranges	80
Switch-port profiles	81
S4148-ON series port profiles	82
S4148U-ON port profiles	83
Configure breakout mode	84
Breakout auto-configuration	85
Reset default configuration	85
Forward error correction	87
Energy-efficient Ethernet	87
Enable energy-efficient Ethernet	88
Clear interface counters	88
View EEE status/statistics	88
EEE commands	89
View interface configuration	92
Interface commands	94
channel-group	94
default interface	94
default vlan-id	96
description (Interface)	97
duplex	97
enable auto-breakout	98
fec	98
interface breakout	99
interface ethernet	99
interface loopback	100
interface mgmt	100
interface null	100
interface port-channel	101
interface range	101
interface vlan	102
link-bundle-utilization	102
mgmt	102
mode	103
mtu	103
port-group	104
show interface	104
show link-bundle-utilization	106
show port-channel summary	106
show port-group	107
show switch-port-profile	107
show vlan	108
shutdown	108
speed (Fibre Channel)	109
speed (Management)	109
switch-port-profile	110
switchport access vlan	112
switchport mode	112
switchport trunk allowed vlan	113
Fibre channel	114
Fibre Channel over Ethernet	114
Configure FIP snooping	115
Terminology	116
Virtual fabric	116
Fibre Channel zoning	119
F_Port on Ethernet	120
F_Port, NPG, and FCoE commands	121
clear fcoe database	121
clear fcoe statistics	121
fc alias	122
fc zone	122
fc zoneset	122
fcoe	123
fcoe max-sessions-per-enodemac	123
feature fc	124
feature fc npg	124
feature fip-snooping	124
fip-snooping enable	125
fip-snooping fc-map	125
fip-snooping port-mode fcf	126
member (alias)	126
member (zone)	126
member (zoneset)	127
name	127
show fc alias	128
show fc ns switch	128
show fc statistics	129
show fc switch	130
show fc zone	130
show fc zoneset	131
show fcoe enode	132
show fcoe fcf	132
show fcoe sessions	133
show fcoe statistics	133
show fcoe system	134
show fcoe vlan	134
show npg devices	134
show running-config vfabric	135
show vfabric	136
vfabric	137
vfabric (interface)	137
vlan	137
zone default-zone permit	138
zoneset activate	138
Layer 2	139
802.1X	139
Port authentication	140
EAP over RADIUS	141
Configure 802.1X	141
Enable 802.1X	142
Identity retransmissions	143
Failure quiet period	144
Port control mode	144
Reauthenticate port	145
Configure timeouts	146
802.1X commands	147
Link aggregation control protocol	152
Modes	152
Configuration	152
Interfaces	153
Rates	153
Sample configuration	154
LACP commands	157
Link layer discovery protocol	163
Protocol data units	163
Optional TLVs	164
Organizationally-specific TLVs	165
Media endpoint discovery	166
Network connectivity device	166
LLDP-MED capabilities TLV	166
Network policies TLVs	167
Define network policies	168
Packet timer values	168
Disable and re-enable LLDP	169
Disable and re-enable LLDP on management ports	170
Advertise TLVs	170
Network policy advertisement	171
Fast start repeat count	171
View LLDP configuration	172
Adjacent agent advertisements	173
Time to live	174
LLDP commands	174
Media Access Control	186
Static MAC Address	186
MAC Address Table	187
Clear MAC Address Table	187
MAC Commands	188
Multiple spanning-tree protocol	190
Configure MST protocol	191
Create instances	191
Root selection	193
Non-Dell hardware	193
Region name or revision	193
Modify parameters	194
Interface parameters	195
Forward traffic	195
Spanning-tree extensions	196
Debug configurations	198
MST commands	198
Rapid per-VLAN spanning-tree plus	208
Load balance and root selection	209
Enable RPVST+	209
Select root bridge	210
Root assignment	211
Loop guard	212
Global parameters	212
RPVST+ commands	213
Rapid spanning-tree protocol	221
Enable globally	221
Global parameters	222
Interface parameters	223
Root bridge selection	224
EdgePort forward traffic	225
Spanning-tree extensions	225
RSTP commands	227
Virtual LANs	233
Default VLAN	233
Create or remove VLANs	234
Access mode	235
Trunk mode	236
Assign IP address	236
View VLAN configuration	237
VLAN commands	239
Port monitoring	240
Local port monitoring	240
Remote port monitoring	241
Encapsulated remote port monitoring	243
Flow-based monitoring	244
Remote port monitoring on VLT	245
Port monitoring commands	246
Layer 3	252
Border gateway protocol	252
Sessions and peers	253
Route reflectors	254
Multiprotocol BGP	255
Attributes	255
Selection criteria	255
Weight and local preference	256
Multiexit discriminators	257
Origin	257
AS path and next-hop	258
Best path selection	258
More path support	259
Advertise cost	259
4-Byte AS numbers	260
AS number migration	260
Configure border gateway protocol	261
Enable BGP	261
Configure Dual Stack	263
Peer templates	263
Neighbor fall-over	265
Fast external fallover	266
Passive peering	268
Local AS	268
AS number limit	269
Redistribute routes	270
Additional paths	270
MED attributes	271
Local preference attribute	271
Weight attribute	272
Enable multipath	273
Route-map filters	273
Route reflector clusters	273
Aggregate routes	274
Confederations	275
Route dampening	276
Timers	277
Neighbor soft-reconfiguration	277
BGP commands	278
Equal cost multi-path	303
Load balancing	303
ECMP commands	303
IPv4 routing	306
Assign interface IP address	306
Configure static routing	307
Address resolution protocol	308
IPv4 routing commands	308
IPv6 routing	312
Enable or disable IPv6	312
IPv6 addresses	313
Stateless autoconfiguration	314
Neighbor discovery	315
Duplicate address discovery	316
Static IPv6 routing	317
IPv6 destination unreachable	317
IPv6 hop-by-hop options	318
View IPv6 information	318
IPv6 commands	318
Internet group management protocol	329
IGMP snooping	329
IGMP snooping commands	332
Open shortest path first	337
Autonomous system areas	337
Areas, networks, and neighbors	338
Router types	339
Designated and backup designated routers	340
Link-state advertisements	340
Router priority	341
Shortest path first throttling	342
OSPFv2	343
OSPFv3	374
Object tracking manager	393
Interface tracking	394
Host tracking	395
Set tracking delays	396
Object tracking	396
View tracked objects	396
OTM commands	397
Policy-based routing	400
Policy-based route-maps	400
Access-list to match route-map	400
Set address to match route-map	401
Assign route-map to interface	401
View PBR information	401
PBR commands	402
Virtual routing and forwarding	404
Configure management VRF	405
VRF commands	406
Virtual router redundancy protocol	410
Configuration	411
Create virtual router	412
Group version	412
Virtual IP addresses	413
Configure virtual IP address	413
Set group priority	414
Authentication	415
Disable preempt	415
Advertisement interval	416
Interface/object tracking	417
Configure tracking	417
VRRP commands	418
UFT modes	424
Configure UFT modes	425
UFT commands	425
hardware forwarding-table mode	425
show hardware forwarding-table mode	426
show hardware forwarding-table mode all	426
System management	427
Dynamic host configuration protocol	427
Packet format and options	427
Configure Server	428
Automatic address allocation	429
Hostname resolution	430
Manual binding entries	431
View DHCP Information	432
System domain name and list	432
DHCP commands	433
DNS commands	438
Network time protocol	440
Enable NTP	440
Broadcasts	441
Source IP address	441
Authentication	442
NTP commands	443
System clock	448
System Clock commands	448
User session management	449
User session management commands	449
Telnet server	451
Telnet commands	451
Security	452
User re-authentication	452
Password strength	453
Role-based access control	453
Assign user role	454
RADIUS authentication	454
TACACS+ authentication	455
SSH Server	456
Virtual terminal line	456
Enable login statistics	457
Security commands	457
Simple network management protocol	470
SNMP commands	470
OS10 image upgrade	471
Boot system partition	472
Upgrade commands	473
Access Control Lists	477
IP ACLs	477
MAC ACLs	478
IP fragment handling	478
IP fragments ACL	478
L3 ACL rules	479
Permit ACL with L3 information only	479
Deny ACL with L3 information only	479
Permit all packets from host	479
Permit only first fragments and non-fragmented packets from host	479
Assign sequence number to filter	480
User-provided sequence number	480
Auto-generated sequence number	480
L2 and L3 ACLs	480
Assign and apply ACL filters	481
Ingress ACL filters	482
Egress ACL filters	482
Clear access-list counters	483
IP prefix-lists	483
Route-maps	484
Match routes	485
Set conditions	485
continue Clause	486
ACL flow-based monitoring	486
Flow-based mirroring	486
Enable flow-based monitoring	487
ACL commands	488
clear ip access-list counters	488
clear ipv6 access-list counters	488
clear mac access-list counters	489
deny	489
deny (IPv6)	490
deny (MAC)	490
deny icmp	491
deny icmp (IPv6)	492
deny ip	492
deny ipv6	493
deny tcp	493
deny tcp (IPv6)	494
deny udp	495
deny udp (IPv6)	496
description	497
ip access-group	497
ip access-list	497
ip as-path deny	498
ip as-path permit	498
ip community-list standard deny	499
ip community–list standard permit	499
ip extcommunity-list standard deny	500
ip extcommunity-list standard permit	500
ip prefix-list description	500
ip prefix-list deny	501
ip prefix-list permit	501
ip prefix-list seq deny	502
ip prefix-list seq permit	502
ipv6 access-group	503
ipv6 access-list	503
ipv6 prefix-list deny	503
ipv6 prefix-list description	504
ipv6 prefix-list permit	504
ipv6 prefix-list seq deny	505
ipv6 prefix-list seq permit	505
mac access-group	506
mac access-list	506
permit	506
permit (IPv6)	507
permit (MAC)	508
permit icmp	508
permit icmp (IPv6)	509
permit ip	510
permit ipv6	510
permit tcp	511
permit tcp (IPv6)	512
permit udp	512
permit udp (IPv6)	513
remark	514
seq deny	514
seq deny (IPv6)	515
seq deny (MAC)	516
seq deny icmp	517
seq deny icmp (IPv6)	517
seq deny ip	518

Match case Limit results 1 per page

Assign user role

To limit OS10 system access, assign a role when you

conﬁgure

each user. For password requirements, see

Conﬁgure

user name and

password

•

Enter a user name, password, and role in CONFIGURATION mode.

username

password

role

•

username

— Enter a text string (up to 32 alphanumeric characters; 1 character minimum).

•

password

— Enter a text string (up to 32 alphanumeric characters; 9 characters minimum).

•

role

— Enter a user role:

•

sysadmin

— Full access to all commands in the system, exclusive access to commands that manipulate the

ﬁle

system, and

access to the system shell. A system administrator can create user IDs and user roles.

•

secadmin

— Full access to

conﬁguration

commands that set security policy and system access, such as password strength,

AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic

keys, login statistics, and log information.

•

netadmin

— Full access to

conﬁguration

commands that manage

traﬃc

ﬂowing

through the switch, such as routes,

interfaces, and ACLs. A network administrator cannot access

conﬁguration

commands for security features or view security

information.

•

netoperator

— Access to EXEC mode to view the current

conﬁguration.

A network operator cannot modify any

conﬁguration

setting on a switch.

Create user role

OS10(config)# username smith password silver403! newuser role sysadmin

View users

OS10(config)# do show users

Index Line

User

Role

Application Idle

Location Login-Time

Lock

----- ----- ------- -------- ----------- ----- ---------------------- ----

ttyS0 admin

sysadmin login/clish .

2016-04-14 02:06:00

RADIUS authentication

conﬁgure

a RADIUS server for authentication, enter the server's IP address or host name. You can change the UDP port number on the

server and the key used to authenticate the OS10 switch on the server.

•

Conﬁgure

a RADIUS authentication server in CONFIGURATION mode. By default, a RADIUS server uses UDP port 1812; the switch

uses

radius_server

as the key to log in to a RADIUS server.

radius-server host {

hostname

ip-address

} [auth-port

port-number

| key

authentication-key

]

Re-enter the

radius-server host

command multiple times to

conﬁgure

more than one RADIUS server. If you

conﬁgure

multiple

RADIUS servers, OS10 attempts to connect in the order you

conﬁgured

them. An OS10 switch connects with the

conﬁgured

RADIUS

servers one at a time, until a RADIUS server responds with an accept or reject response.

Conﬁgure

global settings for the timeout and retransmit attempts allowed on RADIUS servers by using the

radius-server

retransmit

and

radius-server timeout

commands. By default, OS10 supports three RADIUS authentication attempts and times

out after

ﬁve

seconds.

•

Conﬁgure

the number of times OS10 retransmits a RADIUS authentication request in CONFIGURATION mode (0 to 100 retries; default

3).

radius-server retransmit

retries

454

System management