Radius, Radius authentication – Dell PowerEdge FX2/FX2s User Manual

Page 163

Advertising
background image

Example of Enabling Local Authentication for the Console and Remote Authentication for VTY Lines

Dell(config)# aaa authentication enable mymethodlist radius tacacs

Dell(config)# line vty 0 9

Dell(config-line-vty)# enable authentication mymethodlist

Server-Side Configuration

• TACACS+ — When using TACACS+, Dell Networking OS sends an initial packet with service type

SVC_ENABLE, and then sends a second packet with just the password. The TACACS server must have

an entry for username $enable$.

• RADIUS — When using RADIUS authentication, Dell Networking OS sends an authentication packet

with the following:
Username: $enab15$

Password: <password-entered-by-user>

Therefore, the RADIUS server must have an entry for this username.

RADIUS

Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.

This protocol transmits authentication, authorization, and configuration information between a central
RADIUS server and a RADIUS client (the Dell Networking system). The system sends user information to
the RADIUS server and requests authentication of the user and password. The RADIUS server returns one
of the following responses:

• Access-Accept — the RADIUS server authenticates the user.
• Access-Reject — the RADIUS server does not authenticate the user.

If an error occurs in the transmission or reception of RADIUS packets, you can view the error by enabling
the debug radius command.

Transactions between the RADIUS server and the client are encrypted (the users’ passwords are not sent
in plain text). RADIUS uses UDP as the transport protocol between the RADIUS server host and the client.

For more information about RADIUS, refer to RFC 2865, Remote Authentication Dial-in User Service.

RADIUS Authentication

Dell Networking OS supports RADIUS for user authentication (text password) at login and can be

specified as one of the login authentication methods in the aaa authentication login command.

Idle Time

Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30
minutes is used.

RADIUS specifies idle-time allow for a user during a session before timeout. When a user logs in, the
lower of the two idle-time values (configured or default) is used. The idle-time value is updated if both of
the following happens:

• The administrator changes the idle-time of the line on which the user has logged in.
• The idle-time is lower than the RADIUS-returned idle-time.

Security

163

Advertising
Popular Brands
Popular manuals