Home » Dell Manuals » Hubs & Switches » Dell S5148F-ON » Manual Viewer

Dell S5148F-ON OS10 Enterprise Edition User Guide Release 10.3.2E-R1 - Page 349

Security, Role-based access control

Add to My Manuals
Save this manual to your list of manuals

Page 349 highlights

Example (disable) OS10(config)# no ip telnet server enable Supported Releases 10.3.1E or later Security Accounting, authentication, and authorization (AAA) services secure networks against unauthorized access. In addition to local authentication, OS10 supports remote authentication dial-in service (RADIUS) and terminal access controller access control system (TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication requests to a server that contains all user authentication and network service access information. A RADIUS or TACACS+ server provides accounting, authentication (user credentials verification), and authorization (user privilege-level) services. You can configure the security protocol used for different login methods and users. The server uses a list of authentication methods to define the types of authentication and the sequence in which they apply. By default, only the local authentication method is used. The authentication methods in the method list are executed in the order in which they are configured. You can re-enter the methods to change the order. The local authentication method must always be in the list. If a console user logs in with RADIUS or TACACS+ authentication, the privilege-level you configured for the user on the RADIUS or TACACS+ server is applied. NOTE: You must configure the group name (level) on the RADIUS server using the vendor-specific attribute or the authentication fails. • Configure the AAA authentication method in CONFIGURATION mode. aaa authentication {local | radius | tacacs} • local - Use the username and password database defined in the local configuration. • radius - (Optional) Use the RADIUS servers configured with the radius-server host command as the primary authentication method. • tacacs - (Optional) Use the TACACS+ servers configured with the tacacs-server host command as the primary authentication method. Configure AAA authentication OS10(config)# aaa authentication radius local Role-based access control RBAC provides control for access and authorization. Users are granted permissions based on defined roles - not on their individual system user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter an enable password because you are automatically placed in EXEC mode. OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add commands a user can enter, and set the actions the user can perform. This allows greater flexibility when assigning permissions for each command to each role. Using RBAC is easier and more efficient to administer user rights. If a user's role matches one of the allowed user roles for that command, command authorization is granted. A constrained RBAC model provides separation of duty as well as greater security. A constrained model places some limitations on each role's permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events, audits, and security system logs. System management 349

Section	Page
OS10 Enterprise Edition User Guide Release 10.3.2E(R1)	3
Getting Started	17
Download OS10 image and license	17
Installation	19
Automatic installation	19
Manual installation	20
Log into OS10	20
Install OS10 license	21
Remote access	22
Configure Management IP address	22
Management Route Configuration	23
Configure user name and password	23
Upgrade OS10	24
CLI Basics	24
User accounts	24
Key CLI features	24
CLI command modes	25
CLI command hierarchy	25
CLI command categories	25
CONFIGURATION Mode	26
Command help	26
Check device status	28
Candidate configuration	30
Change to transaction-based configuration	33
Back up or restore configuration	33
Reload system image	34
Filter show commands	34
Alias command	35
Batch mode commands	36
Linux shell commands	37
SSH commands	38
OS9 environment commands	38
Common commands	39
alias	39
batch	40
boot	40
commit	41
configure	41
copy	42
delete	43
dir	43
discard	44
do	44
feature config-os9-style	45
exit	45
license	46
lock	46
management route	47
move	47
no	48
reload	48
show alias	48
show boot	49
show candidate-configuration	50
show environment	52
show inventory	53
show ip management-route	53
show ipv6 management-route	54
show license status	54
show running-configuration	55
show startup-configuration	57
show system	58
show version	60
start	61
system	61
system identifier	61
terminal	62
traceroute	62
unlock	63
write	64
Interfaces	65
Ethernet interfaces	65
L2 mode configuration	65
L3 mode configuration	66
Management interface	66
VLAN interfaces	67
Loopback interfaces	67
Port-channel interfaces	68
Create port-channel	68
Add port member	68
Minimum links	69
Assign Port Channel IP Address	69
Remove or disable port-channel	70
Load balance traffic	70
Change hash algorithm	71
Configure interface ranges	71
Forward error correction	72
View interface configuration	73
Interface commands	74
channel-group	74
description (Interface)	75
duplex	75
fec	76
interface breakout	76
interface ethernet	77
interface loopback	77
interface mgmt	77
interface null	78
interface port-channel	78
interface range	79
interface vlan	79
link-bundle-utilization	80
mgmt	80
mtu	80
show interface	81
show link-bundle-utilization	82
show port-channel summary	83
show vlan	83
shutdown	84
speed (Management)	84
switchport access vlan	85
switchport mode	85
switchport trunk allowed vlan	86
Layer 2	87
802.1X	87
Port authentication	88
EAP over RADIUS	89
Configure 802.1X	89
Enable 802.1X	90
Identity retransmissions	91
Failure quiet period	92
Port control mode	92
Reauthenticate port	93
Configure timeouts	94
802.1X commands	95
Link aggregation control protocol	100
Modes	100
Configuration	100
Interfaces	101
Rates	101
Sample configuration	102
LACP commands	105
Link layer discovery protocol	111
Protocol data units	111
Optional TLVs	112
Organizationally-specific TLVs	113
Media endpoint discovery	114
Network connectivity device	114
LLDP-MED capabilities TLV	114
Network policies TLVs	115
Define network policies	116
Packet timer values	116
Disable and re-enable LLDP	117
Advertise TLVs	118
Network policy advertisement	118
Fast start repeat count	119
View LLDP configuration	119
Adjacent agent advertisements	120
Time to live	121
LLDP commands	122
Media Access Control	133
Static MAC Address	134
MAC Address Table	134
Clear MAC Address Table	134
MAC Commands	135
Multiple spanning-tree protocol	137
Configure MST protocol	138
Create instances	139
Root selection	140
Non-Dell hardware	141
Region name or revision	141
Modify parameters	141
Interface parameters	142
Forward traffic	143
Spanning-tree extensions	143
MST commands	145
Rapid per-VLAN spanning-tree plus	153
Load balance and root selection	154
Enable RPVST+	155
Select root bridge	155
Root assignment	157
Loop guard	157
Global parameters	158
RPVST+ commands	158
Rapid spanning-tree protocol	165
Enable globally	165
Global parameters	166
Interface parameters	167
Root bridge selection	168
EdgePort forward traffic	169
Spanning-tree extensions	169
RSTP commands	171
Virtual LANs	176
Default VLAN	177
Create or remove VLANs	177
Access mode	178
Trunk mode	179
Assign IP address	180
View VLAN configuration	181
VLAN commands	182
Port monitoring	183
Local port monitoring	183
Port monitoring commands	184
Layer 3	187
Border gateway protocol	187
Sessions and peers	188
Route reflectors	189
Multiprotocol BGP	190
Attributes	190
Selection criteria	190
Weight and local preference	191
Multiexit discriminators	192
Origin	192
AS path and next-hop	193
Best path selection	193
More path support	194
Advertise cost	194
4-Byte AS numbers	195
AS number migration	195
Configure border gateway protocol	196
Enable BGP	196
Configure Dual Stack	198
Peer templates	198
Neighbor fall-over	200
Fast external fallover	201
Passive peering	203
Local AS	203
AS number limit	204
Redistribute routes	205
Additional paths	205
MED attributes	206
Local preference attribute	206
Weight attribute	207
Enable multipath	208
Route-map filters	208
Route reflector clusters	208
Aggregate routes	209
Confederations	210
Route dampening	211
Timers	212
Neighbor soft-reconfiguration	212
BGP commands	213
Equal cost multi-path	238
Load balancing	238
ECMP commands	238
IPv4 routing	241
Assign interface IP address	241
Configure static routing	242
Address resolution protocol	243
IPv4 routing commands	243
IPv6 routing	247
Stateless autoconfiguration	247
IPv6 addresses	248
Static IPv6 routing	249
View IPv6 information	250
IPv6 commands	250
Open shortest path first	254
Autonomous system areas	254
Areas, networks, and neighbors	254
Router types	255
Designated and backup designated routers	256
Link-state advertisements	256
Router priority	257
OSPFv2	258
OSPFv3	288
Object tracking manager	300
Interface tracking	301
Host tracking	302
Set tracking delays	303
Object tracking	303
View tracked objects	303
OTM commands	304
Policy-based routing	307
Policy-based route-maps	307
Access-list to match route-map	307
Set address to match route-map	307
Assign route-map to interface	308
View PBR information	308
PBR commands	309
Virtual router redundancy protocol	311
Configuration	312
Create virtual router	313
Group version	313
Virtual IP addresses	314
Configure virtual IP address	314
Set group priority	315
Authentication	316
Disable preempt	316
Advertisement interval	317
Interface/object tracking	318
Configure tracking	318
VRRP commands	319
System management	325
Dynamic host configuration protocol	325
Packet format and options	325
Configure Server	326
Automatic address allocation	327
Hostname resolution	328
Manual binding entries	329
View DHCP Information	330
System domain name and list	330
DHCP commands	331
DNS commands	336
Network time protocol	338
Enable NTP	338
Broadcasts	339
Source IP address	339
Authentication	340
NTP commands	341
System clock	345
System Clock commands	345
User session management	346
User session management commands	347
Telnet server	348
Telnet commands	348
Security	349
Role-based access control	349
RADIUS authentication	350
RADIUS server settings	350
System-defined user roles	351
Assign user role	351
SSH Server	352
Security commands	352
Simple network management protocol	360
SNMP commands	360
OS10 image upgrade	362
Boot system partition	363
Upgrade commands	363
Access Control Lists	369
IP ACLs	369
MAC ACLs	370
IP fragment handling	370
IP fragments ACL	370
L3 ACL rules	371
Permit ACL with L3 information only	371
Deny ACL with L3 information only	371
Permit all packets from host	371
Permit only first fragments and non-fragmented packets from host	371
Assign sequence number to filter	372
User-provided sequence number	372
Auto-generated sequence number	372
L2 and L3 ACLs	372
Assign and apply ACL filters	373
Ingress ACL filters	374
Egress ACL filters	374
Clear access-list counters	375
IP prefix-lists	375
Route-maps	376
Match routes	377
Set conditions	377
continue Clause	378
ACL flow-based monitoring	378
Flow-based mirroring	378
Enable flow-based monitoring	379
ACL commands	380
clear ip access-list counters	380
clear ipv6 access-list counters	380
clear mac access-list counters	381
deny	381
deny (IPv6)	382
deny (MAC)	382
deny icmp	383
deny icmp (IPv6)	383
deny ip	384
deny ipv6	384
deny tcp	385
deny tcp (IPv6)	386
deny udp	386
deny udp (IPv6)	387
description	388
ip access-group	388
ip access-list	389
ip as-path deny	389
ip as-path permit	389
ip community-list standard deny	390
ip community–list standard permit	390
ip extcommunity-list standard deny	391
ip extcommunity-list standard permit	391
ip prefix-list description	392
ip prefix-list deny	392
ip prefix-list permit	392
ip prefix-list seq deny	393
ip prefix-list seq permit	393
ipv6 access-group	394
ipv6 access-list	394
ipv6 prefix-list deny	395
ipv6 prefix-list description	395
ipv6 prefix-list permit	395
ipv6 prefix-list seq deny	396
ipv6 prefix-list seq permit	396
mac access-group	397
mac access-list	397
permit	397
permit (IPv6)	398
permit (MAC)	399
permit icmp	399
permit icmp (IPv6)	400
permit ip	400
permit ipv6	401
permit tcp	401
permit tcp (IPv6)	402
permit udp	403
permit udp (IPv6)	403
remark	404
seq deny	405
seq deny (IPv6)	405
seq deny (MAC)	406
seq deny icmp	407
seq deny icmp (IPv6)	407
seq deny ip	408
seq deny ipv6	408
seq deny tcp	409
seq deny tcp (IPv6)	410
seq deny udp	411
seq deny udp (IPv6)	412
seq permit	413
seq permit (IPv6)	413
seq permit (MAC)	414
seq permit icmp	414
seq permit icmp (IPv6)	415
seq permit ip	416
seq permit ipv6	416
seq permit tcp	417
seq permit tcp (IPv6)	418
seq permit udp	419
seq permit udp (IPv6)	420
show access-group	420
show access-lists	421
show ip as-path-access-list	422
show ip community-list	423
show ip extcommunity-list	423
show ip prefix-list	423
Route-map commands	424
continue	424
match as-path	424
match community	425
match extcommunity	425
match interface	425
match ip address	426
match ip next-hop	426
match ipv6 address	427
match ipv6 next-hop	427
match metric	427
match origin	428
match route-type	428
match tag	429
route-map	429
set comm-list delete	429
set community	430
set extcomm-list delete	430
set extcommunity	431
set local-preference	431
set metric	431
set metric-type	432
set next-hop	433
set origin	433
set tag	433
set weight	434
show route-map	434
Quality of service	435
Configure quality of service	435
Class-map configuration	437
Policy-map configuration	437
Interface policy-map	438
Control-plane policy-map	439
System policy-map	439
Ingress traffic classification	439
Queue selection	440
Strict priority queuing	441
Class of service or dot1p classification	442
DSCP classification	443
MAC address classification	443
VLAN classification	444
IP access-group classification	445
IP precedence classification	445
Mark traffic	446
Class of service marking	446
DSCP marking	447
Group marking	447
Traffic metering	448
Bandwidth allocation	448
Service-policy rate-shaping	449
Policy-based rate-policing	450
Control-plane policing	451
Configure control-plane policing	451
Assign service-policy	452
View configuration	453
Queue management	453
Verify configuration	454
Egress queue statistics	455
QoS commands	456
bandwidth	456
class	456
class-map	457
clear interface	457
clear qos statistics	458
clear qos statistics type	458
control-plane	458
flowcontrol	459
match	459
match cos	460
match dscp	460
match precedence	461
match queue	461
match vlan	462
mtu	462
pause	462
police	463
policy-map	464
priority	464

Match case Limit results 1 per page

Example (disable)

OS10(config)# no ip telnet server enable

Supported Releases

10.3.1E or later

Security

Accounting, authentication, and authorization (AAA) services secure networks against unauthorized access. In addition to local

authentication, OS10 supports remote authentication dial-in service (RADIUS) and terminal access controller access control system

(TACACS+) client/server authentication systems. For RADIUS and TACACS+, an OS10 switch acts as a client and sends authentication

requests to a server that contains all user authentication and network service access information.

A RADIUS or TACACS+ server provides accounting, authentication (user credentials

veriﬁcation),

and authorization (user privilege-level)

services. You can

conﬁgure

the security protocol used for

diﬀerent

methods to

deﬁne

the types of authentication and the sequence in which they apply. By default, only the

local

authentication method is

used.

The authentication methods in the method list are executed in the order in which they are

conﬁgured.

You can re-enter the methods to

change the order. The

local

authentication method must always be in the list. If a console user logs in with RADIUS or TACACS+

authentication, the privilege-level you

conﬁgured

for the user on the RADIUS or TACACS+ server is applied.

NOTE:

You must

conﬁgure

the group name (level) on the RADIUS server using the

vendor-speciﬁc

attribute or the

authentication fails.

•

Conﬁgure

the AAA authentication method in CONFIGURATION mode.

aaa authentication {local | radius | tacacs}

•

local

— Use the username and password database

deﬁned

in the local

conﬁguration.

•

radius

— (Optional) Use the RADIUS servers

conﬁgured

with the

radius-server host

command as the primary

authentication method.

•

tacacs

— (Optional) Use the TACACS+ servers

conﬁgured

with the

tacacs-server host

command as the primary

authentication method.

Conﬁgure

AAA authentication

OS10(config)# aaa authentication radius local

Role-based access control

RBAC provides control for access and authorization. Users are granted permissions based on

deﬁned

roles — not on their individual system

user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single

role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter

an enable password because you are automatically placed in EXEC mode.

OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add

commands a user can enter, and set the actions the user can perform. This allows greater

ﬂexibility

when assigning permissions for each

command to each role. Using RBAC is easier and more

eﬃcient

to administer user rights. If a user’s role matches one of the allowed user

roles for that command, command authorization is granted.

A constrained RBAC model provides separation of duty as well as greater security. A constrained model places some limitations on each

role’s permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events,

audits, and security system logs.

System management

349