Dell S5148F-ON OS10 Enterprise Edition User Guide Release 10.3.2E-R2 - Page 352
Security, Role-based access control
Example (disable)
    OS10(config)# no ip telnet server enable

Supported Releases
10.3.1E or later

Security

Accounting, authentication, and authorization (AAA) services secure networks against unauthorized access. In addition to local authentication, OS10 supports remote authentication dial-in service (RADIUS) and terminal access controller access control system (TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication requests to a server that contains all user authentication and network service access information. A RADIUS or TACACS+ server provides accounting, authentication (user credential verification), and authorization (user privilege level) services.

You can configure the security protocol used for different login methods and users. The server uses a list of authentication methods to define the types of authentication and the sequence in which they apply. By default, only the local authentication method is used. The authentication methods in the method list are executed in the order in which they are configured. You can re-enter the methods to change the order. The local authentication method must always be in the list.

If a console user logs in with RADIUS or TACACS+ authentication, the privilege level you configured for the user on the RADIUS or TACACS+ server is applied.

NOTE: You must configure the group name (level) on the RADIUS server using the vendor-specific attribute, or the authentication fails.

• Configure the AAA authentication method in CONFIGURATION mode.
    aaa authentication {local | radius | tacacs}
  - local - Use the username and password database defined in the local configuration.
  - radius - (Optional) Use the RADIUS servers configured with the radius-server host command as the primary authentication method.
  - tacacs - (Optional) Use the TACACS+ servers configured with the tacacs-server host command as the primary authentication method.
Configure AAA authentication
    OS10(config)# aaa authentication radius local

Role-based access control

RBAC provides control for access and authorization. Users are granted permissions based on defined roles, not on their individual system user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter an enable password because you are automatically placed in EXEC mode.

OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add commands a user can enter, and set the actions the user can perform. This allows greater flexibility when assigning permissions for each command to each role. RBAC makes administering user rights easier and more efficient. If a user's role matches one of the allowed user roles for that command, command authorization is granted.

A constrained RBAC model provides separation of duty as well as greater security. A constrained model places some limitations on each role's permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events, audits, and security system logs.
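As an added example (not from the Dell guide and not OS10 code), a small Python audit that checks an OS10 running-config excerpt against the AAA and Telnet points above: the aaa authentication method list must contain local, a remote method that is listed needs a matching radius-server host or tacacs-server host line, and the Telnet server should be disabled. The config text, the server address and the key value are constructed for the example.

```python
import re

# Constructed OS10-style running-config excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
!
ip telnet server enable
aaa authentication radius local
radius-server host 192.0.2.10 key 0 placeholder-secret
!
"""

VALID_METHODS = ("local", "radius", "tacacs")


def parse_aaa_methods(config):
    """Return the ordered method list from the 'aaa authentication ...' line, or [] if absent."""
    for line in config.splitlines():
        m = re.match(r"\s*aaa authentication((?:\s+\S+)+)\s*$", line)
        if m:
            return m.group(1).split()
    return []


def audit_aaa(config):
    """Return a list of finding strings for the login-authentication settings in an OS10 config."""
    findings = []
    methods = parse_aaa_methods(config)
    if not methods:
        # Documented default: only the local method is used when no list is configured.
        findings.append("no 'aaa authentication' line: only local authentication applies")
    else:
        unknown = [m for m in methods if m not in VALID_METHODS]
        if unknown:
            findings.append("unknown authentication method(s): " + ", ".join(unknown))
        if "local" not in methods:
            # The guide requires the local method to always be in the list.
            findings.append("'local' is missing from the method list; it must always be present")
        for remote in ("radius", "tacacs"):
            # A remote method is only usable if a matching server host is configured.
            if remote in methods and not re.search(rf"^\s*{remote}-server host\b", config, re.M):
                findings.append(f"'{remote}' is listed but no '{remote}-server host' is configured")
    if re.search(r"^\s*ip telnet server enable\s*$", config, re.M):
        findings.append("telnet server is enabled (cleartext logins); use 'no ip telnet server enable'")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("-", finding)
```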