Dell POWEREDGE M1000E User Manual

Page 197

Using the CLI

User Access Control

In addition to authenticating a user, the CLI also assigns the user access to one of two security levels. Level 1 has read-only access. This level allows the user to read information but not configure the switch. The access to this level cannot be modified. Level 15 is the special access level assigned to the superuser of the switch. This level has full access to all functions within the switch and cannot be modified.

If the user account is created and maintained locally, each user is given an access level at the time of account creation. If the user is authenticated through remote authentication servers, the authentication server is configured to pass the user access level to the CLI when the user is authenticated. When RADIUS is used, the Vendor-Specific Option field returns the access level for the user. Two vendor-specific options are supported. These are CISCO-AV-Pairs (Shell:priv-lvl=x) and Dell Radius VSA (user-group=x). TACACS+ provides the appropriate level of access.

The following rules and specifications apply:

• The user determines whether remote authentication servers or locally defined user authentication accounts are used.

• If authentication servers are used, the user can identify at least two remote servers (the user may choose to configure only one server) and which protocol to use with the server, TACACS+ or RADIUS. One of the servers is primary and the other is the secondary server (the user is not required to specify a secondary server). If the primary server fails to respond in a configurable time period, the CLI automatically attempts to authenticate the user with the secondary server.

• The user is able to specify what happens when both primary and secondary servers fail to respond. In this case, the user is able to indicate that the CLI should either use the local user accounts or reject all requests.

• Even if the user configures the CLI to fail login when the remote authentication servers are down, the CLI allows the user to log in to the serial interface authenticated by locally managed account data.
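The decision order described in the rules above, written out as a small Python model for auditing which accounts can still log in during an authentication-server outage. This is an added example, not code from the manual or from the switch firmware; the function names, the `interface` labels, the server stand-ins, and the choice to deny when no valid level is returned are assumptions, and password checking is left out.

```python
import re

ALLOWED_LEVELS = {1, 15}  # the two security levels the page describes
_PRIV = re.compile(r"^shell:priv-lvl=(\d+)$", re.IGNORECASE)

def level_from_avpairs(avpairs):
    """Return the level from Cisco AV-pair strings, or None if absent/invalid."""
    for pair in avpairs:
        m = _PRIV.match(pair.strip())
        if m and int(m.group(1)) in ALLOWED_LEVELS:
            return int(m.group(1))
    return None

def authenticate(user, servers, local_levels, fallback_local, interface="ssh"):
    """Model the login decision order.

    servers: ordered [primary, secondary] callables (hypothetical stand-ins)
    that return ("accept", avpairs) or ("reject", []), or raise TimeoutError.
    local_levels: username -> level for locally managed accounts.
    """
    for server in servers:
        try:
            verdict, avpairs = server(user)
        except TimeoutError:
            continue  # no response in the timeout window: try the next server
        if verdict != "accept":
            return ("deny", None, "rejected by server")  # a reply is final
        level = level_from_avpairs(avpairs)
        if level is None:  # assumption: this model fails closed
            return ("deny", None, "no valid access level returned")
        return ("allow", level, "remote")
    # Every server timed out. Serial logins always use local account data.
    if fallback_local or interface == "serial":
        level = local_levels.get(user)
        if level in ALLOWED_LEVELS:
            return ("allow", level, "local")
        return ("deny", None, "no such local account")
    return ("deny", None, "servers unreachable")

if __name__ == "__main__":
    def down(user):  # constructed: a server that never answers
        raise TimeoutError
    local = {"admin": 15}  # constructed local account table
    for iface in ("ssh", "serial"):
        print(iface, authenticate("admin", [down, down], local, False, iface))
```

With both servers down and the fallback set to reject, the local level 15 account is denied over the network but still allowed on the serial interface, so local accounts need the same review as the remote directory.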

2CSPC4.XModular-SWUM200.book Page 197 Thursday, March 10, 2011 11:18 AM
