Dell PowerEdge M805 User Manual

Page 111


Using the CLI

73

User Access Control

In addition to authenticating a user, the CLI also assigns the user to one of two security
levels. Level 1 has read-only access: it allows the user to read information but not to configure
the switch. The access granted to this level cannot be modified. Level 15 is the special access level
assigned to the superuser of the switch. This level has full access to all functions within the switch
and cannot be modified.

If the user account is created and maintained locally, each user is given an access level at the time
of account creation. If the user is authenticated through remote authentication servers, the
authentication server is configured to pass the user's access level to the CLI when the user is
authenticated. When RADIUS is used, the Vendor-Specific Option field returns the access level for
the user. Two vendor-specific options are supported: CISCO-AV-Pairs (Shell:priv-lvl=x)
and the Dell RADIUS VSA (user-group=x). TACACS+ provides the appropriate level of access.

The following rules and specifications apply:

The user determines whether remote authentication servers or locally defined user
authentication accounts are used.

If authentication servers are used, the user can specify two remote servers (the
user may choose to configure only one server) and which protocol to use with the server,
TACACS+ or RADIUS. One of the servers is the primary and the other is the secondary server
(the user is not required to specify a secondary server). If the primary server fails to
respond within a configurable time period, the CLI automatically attempts to authenticate
the user with the secondary server.

The user is able to specify what happens when both primary and secondary servers fail to
respond. In this case, the user is able to indicate that the CLI should either use the local
user accounts or reject all requests.

Even if the user configures the CLI to fail login when the remote authentication servers
are down, the CLI allows the user to log in to the serial interface authenticated by locally
managed account data.
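The rules above, as an added Python model that is not from the Dell manual or its firmware: it maps the two RADIUS vendor-specific forms named above to an access level and applies the primary/secondary failover, the local-or-reject fallback and the serial-interface exception. The result codes, server callables and local account table are constructed stand-ins, and treating an explicit reject as final (rather than failing over) and requiring a numeric level in user-group=x are assumptions.

```python
# Added illustration of the manual's access-control rules, not Dell firmware code.
from typing import Callable, Optional, Sequence, Tuple

READ_ONLY, SUPERUSER = 1, 15                     # the only two levels defined
ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"   # constructed codes
ServerReply = Tuple[str, Optional[str]]          # (result, VSA text or None)
VSA_KEYS = ("shell:priv-lvl", "user-group")      # Cisco-AVPair and Dell VSA forms

def level_from_vsa(vsa: Optional[str]) -> Optional[int]:
    """Map a RADIUS vendor-specific attribute to an access level.
    Assumption: x is numeric and only levels 1 and 15 are valid; anything
    else (unknown key, bad number, other level) yields None, i.e. no access."""
    key, sep, value = (vsa or "").strip().partition("=")
    if not sep or not value.isdigit() or key.lower() not in VSA_KEYS:
        return None
    level = int(value)
    return level if level in (READ_ONLY, SUPERUSER) else None

def authenticate(user: str, password: str,
                 servers: Sequence[Callable[[str, str], ServerReply]],
                 fallback: str,                  # 'local' or 'reject'
                 local_lookup: Callable[[str, str], Optional[int]],
                 via_serial: bool = False) -> Optional[int]:
    """Return the granted access level, or None to refuse the login.
    servers is primary then optional secondary; only a non-response (TIMEOUT)
    moves on to the next server. fallback applies when all servers are down."""
    for query in servers:
        result, vsa = query(user, password)
        if result == TIMEOUT:
            continue                    # server silent: try the next one
        if result == ACCEPT:
            return level_from_vsa(vsa)  # access level is carried in the VSA
        return None                     # explicit reject: assumed final
    # Every configured server failed to respond. The serial interface still
    # authenticates against local accounts even when fallback is 'reject'.
    if fallback == "local" or via_serial:
        return local_lookup(user, password)
    return None

# Constructed stand-ins for the local account store and two remote servers.
def local_accounts(user: str, password: str) -> Optional[int]:
    table = {"admin": ("s3cret", SUPERUSER), "viewer": ("v1ew", READ_ONLY)}
    entry = table.get(user)
    return entry[1] if entry and entry[0] == password else None

def silent_server(user: str, password: str) -> ServerReply:
    return (TIMEOUT, None)

def cisco_avpair_server(user: str, password: str) -> ServerReply:
    return (ACCEPT, "shell:priv-lvl=15") if password == "s3cret" else (REJECT, None)
```

With fallback set to 'reject', a network login is refused while both servers are silent, but the same credentials still succeed over the serial interface, which is the lockout-avoidance behaviour the manual describes.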

Syslogs

The CLI uses syslog support to send logging messages to a remote syslog server. The user configures
the switch to send all logging messages to a remote log server. If no remote log server is configured,
the CLI maintains a rolling log of at most the last 1000 critical system events.

The following rules and specifications apply:

The CLI permits the user to configure a remote syslog server to which all system logging
messages are sent.

Log messages are implementation-dependent but may contain debug messages, security
or fault events.

If a log server is not specified by the user, the CLI maintains at most the last 1000 critical
system events. In this case, less important events are not recorded.
