Home » Dell Manuals » Hubs & Switches » Dell S5148F-ON » Manual Viewer

Dell S5148F-ON OS10 Enterprise Edition User Guide Release 10.3.2E-R2 - Page 355

SSH Server, Security commands, aaa authentication

Add to My Manuals
Save this manual to your list of manuals

Page 355 highlights

SSH Server The secure shell (SSH) server allows an SSH client to access an OS10 switch through a secure, encrypted connection. Configure SSH server • The SSH server is enabled by default. You can disable the SSH server using no ip ssh server enable. • Challenge response authentication is disabled by default. To enable, use the ip ssh server challenge-response- authentication command. • Host-based authentication is disabled by default. To enable, use the ip ssh server hostbased-authentication command. • Password authentication is enabled by default. To disable, use the no ip ssh server password-authentication command. • Public key authentication is enabled by default. To disable, use the no ip ssh server pubkey-authentication command. • Configure the list of cipher algorithms using ip ssh server cipher cipher-list. • Configure Key Exchange algorithms using ip ssh server kex key-exchange-algorithm. • Configure hash message authentication code (HMAC) algorithms using ip ssh server mac hmac-algorithm. • Configure the SSH server listening port using ip ssh server port port-number. • Configure the SSH server to be reachable on the management VRF using ip ssh server vrf. • Configure the SSH login timeout using the ip ssh server login-grace-time seconds command (0 to 300; default 60). To reset the default SSH prompt timer, enter no ip ssh server login-grace-time. • Configure the maximum number of authentication attempts using the ip ssh server max-auth-tries number command (0 to 10; default 6). To reset the default, enter no ip ssh server max-auth-tries. The max-auth-tries value includes all authentication attempts, including public-key and password. If both public-key based authentication and password authentication are enabled, the public-key authentication is the default and is tried first. If it fails, the number of max-auth-tries is reduced by one. In this case, if you configured ip ssh server max-auth-tries 1, the password prompt does not display. Security commands aaa authentication Configures the AAA authentication method for user access. Syntax aaa authentication {local | radius | tacacs} Parameters • local - Use local (RBAC) access control. • radius - Use the RADIUS servers configured with the radius-server host command. • tacacs - Use the TACACS+ servers configured with the tacacs-server host command. Default Command Mode Usage Information Example Local authentication CONFIGURATION There is no no version of this command. To reset the authentication method to local, enter the aaa authentication local command. OS10(config)# aaa authentication radius Supported Releases 10.2.0E or later System management 355

Section	Page
OS10 Enterprise Edition User Guide Release 10.3.2E(R2)	3
Getting Started	18
Download OS10 image and license	18
Installation	20
Automatic installation	21
Manual installation	21
Log into OS10	22
Install OS10 license	22
Remote access	23
Configure Management IP address	24
Management Route Configuration	24
Configure user name and password	25
Upgrade OS10	25
CLI Basics	25
User accounts	25
Key CLI features	26
CLI command modes	26
CLI command hierarchy	26
CLI command categories	27
CONFIGURATION Mode	27
Command help	27
Check device status	29
Candidate configuration	31
Change to transaction-based configuration	34
Back up or restore configuration	34
Reload system image	35
Filter show commands	35
Alias command	36
Batch mode commands	38
Linux shell commands	38
SSH commands	39
OS9 environment commands	39
Common commands	40
alias	40
batch	41
boot	42
commit	42
configure	42
copy	43
delete	44
dir	44
discard	45
do	45
feature config-os9-style	46
exit	46
license	47
lock	47
management route	48
move	48
no	49
reload	49
show alias	49
show boot	50
show candidate-configuration	51
show environment	53
show inventory	54
show ip management-route	54
show ipv6 management-route	55
show license status	55
show running-configuration	56
show startup-configuration	58
show system	59
show version	61
start	62
system	62
system identifier	62
terminal	63
traceroute	63
unlock	64
write	65
Interfaces	66
Ethernet interfaces	66
L2 mode configuration	66
L3 mode configuration	67
Management interface	67
VLAN interfaces	68
Loopback interfaces	68
Port-channel interfaces	69
Create port-channel	69
Add port member	69
Minimum links	70
Assign Port Channel IP Address	70
Remove or disable port-channel	71
Load balance traffic	71
Change hash algorithm	72
Configure interface ranges	72
Forward error correction	73
View interface configuration	74
Interface commands	75
channel-group	75
description (Interface)	76
duplex	76
fec	77
interface breakout	77
interface ethernet	78
interface loopback	78
interface mgmt	79
interface null	79
interface port-channel	79
interface range	80
interface vlan	80
link-bundle-utilization	81
mgmt	81
mtu	81
show interface	82
show link-bundle-utilization	83
show port-channel summary	84
show vlan	84
shutdown	85
speed (Management)	85
switchport access vlan	86
switchport mode	86
switchport trunk allowed vlan	87
Layer 2	88
802.1X	88
Port authentication	89
EAP over RADIUS	90
Configure 802.1X	90
Enable 802.1X	91
Identity retransmissions	92
Failure quiet period	93
Port control mode	93
Reauthenticate port	94
Configure timeouts	95
802.1X commands	96
Link aggregation control protocol	101
Modes	101
Configuration	101
Interfaces	102
Rates	102
Sample configuration	103
LACP commands	106
Link layer discovery protocol	112
Protocol data units	112
Optional TLVs	113
Organizationally-specific TLVs	114
Media endpoint discovery	115
Network connectivity device	115
LLDP-MED capabilities TLV	115
Network policies TLVs	116
Define network policies	117
Packet timer values	117
Disable and re-enable LLDP	118
Advertise TLVs	119
Network policy advertisement	119
Fast start repeat count	120
View LLDP configuration	120
Adjacent agent advertisements	121
Time to live	122
LLDP commands	123
Media Access Control	134
Static MAC Address	135
MAC Address Table	135
Clear MAC Address Table	135
MAC Commands	136
Multiple spanning-tree protocol	138
Configure MST protocol	139
Create instances	140
Root selection	141
Non-Dell hardware	142
Region name or revision	142
Modify parameters	142
Interface parameters	143
Forward traffic	144
Spanning-tree extensions	144
MST commands	146
Rapid per-VLAN spanning-tree plus	154
Load balance and root selection	155
Enable RPVST+	156
Select root bridge	156
Root assignment	158
Loop guard	158
Global parameters	159
RPVST+ commands	159
Rapid spanning-tree protocol	166
Enable globally	166
Global parameters	167
Interface parameters	168
Root bridge selection	169
EdgePort forward traffic	170
Spanning-tree extensions	170
RSTP commands	172
Virtual LANs	177
Default VLAN	178
Create or remove VLANs	178
Access mode	179
Trunk mode	180
Assign IP address	181
View VLAN configuration	182
VLAN commands	183
Port monitoring	184
Local port monitoring	184
Remote port monitoring	185
Port monitoring commands	187
Layer 3	190
Border gateway protocol	190
Sessions and peers	191
Route reflectors	192
Multiprotocol BGP	193
Attributes	193
Selection criteria	193
Weight and local preference	194
Multiexit discriminators	195
Origin	195
AS path and next-hop	196
Best path selection	196
More path support	197
Advertise cost	197
4-Byte AS numbers	198
AS number migration	198
Configure border gateway protocol	199
Enable BGP	199
Configure Dual Stack	201
Peer templates	201
Neighbor fall-over	203
Fast external fallover	204
Passive peering	206
Local AS	206
AS number limit	207
Redistribute routes	208
Additional paths	208
MED attributes	209
Local preference attribute	209
Weight attribute	210
Enable multipath	211
Route-map filters	211
Route reflector clusters	211
Aggregate routes	212
Confederations	213
Route dampening	214
Timers	215
Neighbor soft-reconfiguration	215
BGP commands	216
Equal cost multi-path	241
Load balancing	241
ECMP commands	241
IPv4 routing	244
Assign interface IP address	244
Configure static routing	245
Address resolution protocol	246
IPv4 routing commands	246
IPv6 routing	250
Stateless autoconfiguration	250
IPv6 addresses	251
Static IPv6 routing	252
View IPv6 information	253
IPv6 commands	253
Open shortest path first	256
Autonomous system areas	257
Areas, networks, and neighbors	257
Router types	258
Designated and backup designated routers	259
Link-state advertisements	259
Router priority	260
OSPFv2	261
OSPFv3	291
Object tracking manager	303
Interface tracking	304
Host tracking	305
Set tracking delays	306
Object tracking	306
View tracked objects	306
OTM commands	307
Policy-based routing	310
Policy-based route-maps	310
Access-list to match route-map	310
Set address to match route-map	310
Assign route-map to interface	311
View PBR information	311
PBR commands	312
Virtual router redundancy protocol	314
Configuration	315
Create virtual router	316
Group version	316
Virtual IP addresses	317
Configure virtual IP address	317
Set group priority	318
Authentication	319
Disable preempt	319
Advertisement interval	320
Interface/object tracking	321
Configure tracking	321
VRRP commands	322
System management	328
Dynamic host configuration protocol	328
Packet format and options	328
Configure Server	329
Automatic address allocation	330
Hostname resolution	331
Manual binding entries	332
View DHCP Information	333
System domain name and list	333
DHCP commands	334
DNS commands	339
Network time protocol	341
Enable NTP	341
Broadcasts	342
Source IP address	342
Authentication	343
NTP commands	344
System clock	348
System Clock commands	348
User session management	349
User session management commands	350
Telnet server	351
Telnet commands	351
Security	352
Role-based access control	352
RADIUS authentication	353
RADIUS server settings	353
System-defined user roles	354
Assign user role	354
SSH Server	355
Security commands	355
Simple network management protocol	363
SNMP commands	363
OS10 image upgrade	365
Boot system partition	366
Upgrade commands	366
Access Control Lists	372
IP ACLs	372
MAC ACLs	373
IP fragment handling	373
IP fragments ACL	373
L3 ACL rules	374
Permit ACL with L3 information only	374
Deny ACL with L3 information only	374
Permit all packets from host	374
Permit only first fragments and non-fragmented packets from host	374
Assign sequence number to filter	375
User-provided sequence number	375
Auto-generated sequence number	375
L2 and L3 ACLs	375
Assign and apply ACL filters	376
Ingress ACL filters	377
Egress ACL filters	377
Clear access-list counters	378
IP prefix-lists	378
Route-maps	379
Match routes	380
Set conditions	380
continue Clause	381
ACL flow-based monitoring	381
Flow-based mirroring	381
Enable flow-based monitoring	382
ACL commands	383
clear ip access-list counters	383
clear ipv6 access-list counters	383
clear mac access-list counters	384
deny	384
deny (IPv6)	385
deny (MAC)	385
deny icmp	386
deny icmp (IPv6)	386
deny ip	387
deny ipv6	387
deny tcp	388
deny tcp (IPv6)	389
deny udp	389
deny udp (IPv6)	390
description	391
ip access-group	391
ip access-list	392
ip as-path deny	392
ip as-path permit	392
ip community-list standard deny	393
ip community–list standard permit	393
ip extcommunity-list standard deny	394
ip extcommunity-list standard permit	394
ip prefix-list description	395
ip prefix-list deny	395
ip prefix-list permit	395
ip prefix-list seq deny	396
ip prefix-list seq permit	396
ipv6 access-group	397
ipv6 access-list	397
ipv6 prefix-list deny	398
ipv6 prefix-list description	398
ipv6 prefix-list permit	398
ipv6 prefix-list seq deny	399
ipv6 prefix-list seq permit	399
mac access-group	400
mac access-list	400
permit	400
permit (IPv6)	401
permit (MAC)	402
permit icmp	402
permit icmp (IPv6)	403
permit ip	403
permit ipv6	404
permit tcp	404
permit tcp (IPv6)	405
permit udp	406
permit udp (IPv6)	406
remark	407
seq deny	408
seq deny (IPv6)	408
seq deny (MAC)	409
seq deny icmp	410
seq deny icmp (IPv6)	410
seq deny ip	411
seq deny ipv6	411
seq deny tcp	412
seq deny tcp (IPv6)	413
seq deny udp	414
seq deny udp (IPv6)	415
seq permit	416
seq permit (IPv6)	416
seq permit (MAC)	417
seq permit icmp	417
seq permit icmp (IPv6)	418
seq permit ip	419
seq permit ipv6	419
seq permit tcp	420
seq permit tcp (IPv6)	421
seq permit udp	422
seq permit udp (IPv6)	423
show access-group	423
show access-lists	424
show ip as-path-access-list	425
show ip community-list	426
show ip extcommunity-list	426
show ip prefix-list	426
Route-map commands	427
continue	427
match as-path	427
match community	428
match extcommunity	428
match interface	428
match ip address	429
match ip next-hop	429
match ipv6 address	430
match ipv6 next-hop	430
match metric	430
match origin	431
match route-type	431
match tag	432
route-map	432
set comm-list delete	432
set community	433
set extcomm-list delete	433
set extcommunity	434
set local-preference	434
set metric	434
set metric-type	435
set next-hop	436
set origin	436
set tag	436
set weight	437
show route-map	437
Quality of service	438
Configure quality of service	438
Class-map configuration	440
Policy-map configuration	440
Interface policy-map	441
Control-plane policy-map	442
System policy-map	442
Ingress traffic classification	442
Queue selection	443
Strict priority queuing	444
Class of service or dot1p classification	445
DSCP classification	446
MAC address classification	446
VLAN classification	447
IP access-group classification	448
IP precedence classification	448
Mark traffic	449
Class of service marking	449
DSCP marking	450
Group marking	450
Traffic metering	451
Bandwidth allocation	451
Service-policy rate-shaping	452
Policy-based rate-policing	453
Storm control	454
Control-plane policing	454
Configure control-plane policing	455
Assign service-policy	456
View configuration	456
Queue management	457
Verify configuration	458
Egress queue statistics	459
QoS commands	459
bandwidth	460
class	460
class-map	460
clear interface	461
clear qos statistics	461
clear qos statistics type	462
control-plane	462
flowcontrol	463
match	463
match cos	464
match dscp	464
match precedence	465
match queue	465
match vlan	465
pause	466
police	467
policy-map	467

Match case Limit results 1 per page

SSH Server

The secure shell (SSH) server allows an SSH client to access an OS10 switch through a secure, encrypted connection.

Conﬁgure

SSH server

•

The SSH server is enabled by default. You can disable the SSH server using

no ip ssh server enable

•

Challenge response authentication is disabled by default. To enable, use the

ip ssh server challenge-response-

authentication

command.

•

Host-based authentication is disabled by default. To enable, use the

ip ssh server hostbased-authentication

command.

•

Password authentication is enabled by default. To disable, use the

no ip ssh server password-authentication

command.

•

Public key authentication is enabled by default. To disable, use the

no ip ssh server pubkey-authentication

command.

•

Conﬁgure

the list of cipher algorithms using

ip ssh server cipher

cipher-list

•

Conﬁgure

Key Exchange algorithms using

ip ssh server kex

key-exchange-algorithm

•

Conﬁgure

hash message authentication code (HMAC) algorithms using

ip ssh server mac

hmac-algorithm

•

Conﬁgure

the SSH server listening port using

ip ssh server port

port-number

•

Conﬁgure

the SSH server to be reachable on the management VRF using

ip ssh server vrf

•

Conﬁgure

the SSH login timeout using the

ip ssh server login-grace-time

seconds

command (0 to 300; default 60). To

reset the default SSH prompt timer, enter

no ip ssh server login-grace-time

•

Conﬁgure

the maximum number of authentication attempts using the

ip ssh server max-auth-tries

number

command (0

to 10; default 6). To reset the default, enter

no ip ssh server max-auth-tries

The

max-auth-tries

value includes all authentication attempts, including public-key and password. If both public-key based

authentication and password authentication are enabled, the public-key authentication is the default and is tried

ﬁrst.

If it fails, the

number of

max-auth-tries

is reduced by one. In this case, if you

conﬁgured

ip ssh server max-auth-tries 1

, the

password prompt does not display.

Security commands

aaa authentication

Conﬁgures

the AAA authentication method for user access.

Syntax

aaa authentication {local | radius | tacacs}

Parameters

•

local

— Use local (RBAC) access control.

•

radius

— Use the RADIUS servers

conﬁgured

with the

radius-server host

command.

•

tacacs

— Use the TACACS+ servers

conﬁgured

with the

tacacs-server host

command.

Default

Local authentication

Command Mode

CONFIGURATION

Usage Information

There is no

version of this command. To reset the authentication method to

local

, enter the

aaa

authentication local

command.

Example

OS10(config)# aaa authentication radius

Supported Releases

10.2.0E or later

System management

355