xStack® DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual
52
8 ACCESS AUTHENTICATION CONTROL COMMANDS
The TACACS / XTACACS / TACACS+ / RADIUS commands allow users to secure access to the Switch using the
TACACS / XTACACS / TACACS+ / RADIUS protocols. When a user logs in to the Switch or tries to access the
administrator level privilege, he or she is prompted for a password. If TACACS / XTACACS / TACACS+ / RADIUS
authentication is enabled on the Switch, it will contact a TACACS / XTACACS / TACACS+ / RADIUS server to verify the
user. If the user is verified, he or she is granted access to the Switch.
There are currently three versions of the TACACS security protocol, each a separate entity. The Switch's software
supports the following versions of TACACS:
a) TACACS (Terminal Access Controller Access Control System) — Provides password checking, authentication, and
notification of user actions for security purposes via one or more centralized TACACS servers, using the UDP protocol
for packet transmission.
b) Extended TACACS (XTACACS) — An extension of the TACACS protocol with the ability to provide more types of
authentication requests and more types of response codes than TACACS. This protocol also uses UDP to transmit
packets.
c) TACACS+ (Terminal Access Controller Access Control System plus) — Provides detailed access control for
authentication of network devices. TACACS+ is facilitated through Authentication commands via one or more
centralized servers. The TACACS+ protocol encrypts all traffic between the Switch and the TACACS+ daemon, and
uses the TCP protocol to ensure reliable delivery.
The Switch also supports the RADIUS protocol for authentication using the Access Authentication Control commands.
RADIUS (Remote Authentication Dial In User Service) also uses a remote server for authentication and can be
responsible for receiving user connection requests, authenticating the user, and returning all configuration information
necessary for the client to deliver service to the user. RADIUS may be facilitated on this Switch using the commands
listed in this section.
In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS / XTACACS /
TACACS+ / RADIUS server must be configured on a device other than the Switch, called a server host, and it must
include usernames and passwords for authentication. When the user is prompted by the Switch to enter a username and
password for authentication, the Switch contacts the TACACS / XTACACS / TACACS+ / RADIUS server to verify them, and
the server will respond with one of three messages:
1. The server verifies the username and password, and the user is granted normal user privileges on the Switch.
2. The server will not accept the username and password, and the user is denied access to the Switch.
3. The server does not respond to the verification query. At this point, the Switch receives the timeout from the server
and then moves to the next method of verification configured in the method list.
The Switch has four built-in server groups, one for each of the TACACS, XTACACS, TACACS+ and RADIUS protocols.
These built-in server groups are used to authenticate users trying to access the Switch. The users will set server hosts in
a preferable order in the built-in server group and when a user tries to gain access to the Switch, the Switch will ask the
first server host for authentication. If no authentication is made, the second server host in the list will be queried, and so
on. The built-in server group can only have hosts that are running the specified protocol. For example, the TACACS
server group can only have TACACS server hosts.
The administrator for the Switch may set up five different authentication techniques per user-defined method list
(TACACS / XTACACS / TACACS+ / RADIUS / local / none) for authentication. These techniques are listed in the order of
preference defined by the user for normal user authentication on the Switch, and a method list may contain up to eight
authentication techniques. When a user attempts to access the Switch, the Switch will select the first technique listed for
authentication. If the first technique goes through its server hosts and no authentication is returned, the Switch will then
go to the next technique listed in the method list, until the authentication has been verified or denied, or the list is
exhausted.
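The fallback behaviour just described, worked through as an added Python model (not D-Link code and not the switch firmware). It parses a constructed configuration written with the `create authen server_host`, `config authen server_group`, `create authen_login` and `config authen_login` commands from this section, then evaluates logins against simulated servers: hosts in a group are asked in the order they were added, a timeout moves on to the next host and then to the next technique, and an accept or a denial ends the search. All IP addresses, keys, account names and passwords are constructed; two points the text leaves implicit are assumed, namely that `none` grants access without any check and that a local account mismatch counts as a denial.

```python
"""Evaluation of a DGS-3600 login method list as the text above describes it.
Added example, not D-Link code; hosts, keys, users and passwords are constructed."""
BUILTIN_GROUPS = ("tacacs", "xtacacs", "tacacs+", "radius")

class Config:
    def __init__(self):
        self.hosts = set()                               # (ip, protocol) pairs that exist
        self.groups = {g: [] for g in BUILTIN_GROUPS}    # group name -> hosts in query order
        self.login_lists = {}                            # list name -> [(kind, arg), ...]

def apply(cfg, line):
    tok = line.split()
    if tok[:3] == ["create", "authen", "server_host"]:   # ... <ipaddr> protocol <proto> {<opt> <value>}
        ip, proto, opts = tok[3], tok[5], tok[6:]
        if proto not in BUILTIN_GROUPS or len(opts) % 2:
            raise ValueError(f"bad server_host line: {line}")
        cfg.hosts.add((ip, proto))
    elif tok[:3] == ["create", "authen", "server_group"]:
        cfg.groups[tok[3]] = []
    elif tok[:3] == ["config", "authen", "server_group"]:  # ... <group> [add | delete] server_host <ip> protocol <proto>
        group, action, host = tok[3], tok[4], (tok[6], tok[8])
        if host not in cfg.hosts or (group in BUILTIN_GROUPS and host[1] != group):
            raise ValueError(f"host {host} cannot be placed in group {group}")
        members = cfg.groups[group]                      # order of adding = order of querying
        members.remove(host) if action == "delete" else members.append(host)
    elif tok[:3] == ["create", "authen_login", "method_list_name"]:
        cfg.login_lists[tok[3]] = []
    elif tok[:2] == ["config", "authen_login"]:           # ... [default | method_list_name <name>] method ...
        name, rest = ("default", tok[3:]) if tok[2] == "default" else (tok[3], tok[4:])
        if rest[:1] != ["method"]:
            raise ValueError(f"expected 'method' in: {line}")
        methods, words = [], iter(rest[1:])
        for word in words:
            if word == "server_group":                   # a user-defined group is named explicitly
                methods.append(("group", next(words)))
            elif word in BUILTIN_GROUPS:
                methods.append(("group", word))
            elif word in ("local", "none"):
                methods.append((word, None))
            else:
                raise ValueError(f"unknown technique {word}")
        if len(methods) > 8:                             # "up to eight authentication techniques"
            raise ValueError("too many techniques in method list")
        cfg.login_lists[name] = methods
    else:
        raise ValueError(f"unsupported command: {line}")

def authenticate(cfg, list_name, user, password, server_reply, local_users):
    """Return (verdict, trace); server_reply(host, user, password) stands in for a real server."""
    trace = []
    for kind, arg in cfg.login_lists[list_name]:
        if kind == "group":
            for host in cfg.groups[arg]:
                verdict = server_reply(host, user, password)   # 'accept' | 'reject' | 'timeout'
                trace.append(f"{arg}/{host[0]}:{verdict}")
                if verdict != "timeout":
                    return verdict, trace                # verified or denied: stop here
            continue                                     # every host timed out: next technique
        # 'local' checks the switch's own accounts; 'none' performs no check (assumed meaning)
        verdict = "accept" if kind == "none" or local_users.get(user) == password else "reject"
        trace.append(f"{kind}:{verdict}")
        return verdict, trace
    return "reject", trace                               # list exhausted without an answer

def make_responder(known):
    """Simulated servers: known = {ip: {user: password}}; an ip not in known never answers."""
    return lambda host, user, password: ("timeout" if host[0] not in known else
        "accept" if known[host[0]].get(user) == password else "reject")

CONSTRUCTED_CLI = [   # constructed configuration using only commands from this section
    "create authen server_host 10.0.0.11 protocol tacacs+ key EXAMPLE_KEY timeout 3",
    "create authen server_host 10.0.0.21 protocol radius key EXAMPLE_KEY",
    "config authen server_group tacacs+ add server_host 10.0.0.11 protocol tacacs+",
    "create authen server_group aaa_backend",
    "config authen server_group aaa_backend add server_host 10.0.0.11 protocol tacacs+",
    "config authen server_group aaa_backend add server_host 10.0.0.21 protocol radius",
    "create authen_login method_list_name ops_login",
    "config authen_login method_list_name ops_login method server_group aaa_backend local",
    "create authen_login method_list_name open_login",
    "config authen_login method_list_name open_login method tacacs+ none",
]
LOCAL_USERS = {"alice": "local-only-pw"}   # constructed local account on the switch

def build_config(lines=CONSTRUCTED_CLI):
    cfg = Config()
    for line in lines:
        apply(cfg, line)
    return cfg

def scenarios():
    cfg = build_config()
    one_up = make_responder({"10.0.0.11": {"alice": "pw1"}})   # only .11 answers
    all_down = make_responder({})
    return {
        "ops_good": authenticate(cfg, "ops_login", "alice", "pw1", one_up, LOCAL_USERS),
        "ops_bad": authenticate(cfg, "ops_login", "alice", "wrong", one_up, LOCAL_USERS),
        "ops_down": authenticate(cfg, "ops_login", "alice", "local-only-pw", all_down, LOCAL_USERS),
        "open_down": authenticate(cfg, "open_login", "anyone", "anything", all_down, LOCAL_USERS),
    }
```

Running `scenarios()` shows the two behaviours the text describes: a server reject ends the search immediately (`ops_bad` never reaches the second host or the local accounts), while timeouts walk the whole list. The last two scenarios are the reason the order of techniques matters to an operator: with every server unreachable, `ops_login` falls back to the switch's own accounts, whereas `open_login`, which ends in `none`, admits any username and password at all.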
Please note that a user granted access to the Switch will be granted normal user privileges on the Switch. To gain access
to admin level privileges, the user must enter the enable admin command and then enter a password, which was
previously configured by the administrator of the Switch.
The Access Authentication Control commands in the Command Line Interface (CLI) are listed (along with the appropriate
parameters) in the following table.
NOTE: TACACS, XTACACS and TACACS+ are separate entities and are not compatible. The Switch
and the server must be configured exactly the same, using the same protocol. (For example, if the
Switch is set up for TACACS authentication, so must be the host server.)
Command                                  Parameters
enable password encryption
disable password encryption
create account                           [admin | operator | user] <username 15>
config account                           <username> {encrypt [plain_text | sha_1] <password>}
show account
delete account                           <username>
enable authen_policy
disable authen_policy
show authen_policy
create authen_login                      method_list_name <string 15>
config authen_login                      [default | method_list_name <string 15>] method {tacacs | xtacacs | tacacs+ | radius | server_group <string 15> | local | none}(1)
delete authen_login                      method_list_name <string 15>
show authen_login                        [default | method_list_name <string 15> | all]
create authen_enable                     method_list_name <string 15>
config authen_enable                     [default | method_list_name <string 15>] method {tacacs | xtacacs | tacacs+ | radius | server_group <string 15> | local_enable | none}(1)
delete authen_enable                     method_list_name <string 15>
show authen_enable                       [default | method_list_name <string 15> | all]
config authen application                [console | telnet | ssh | http | all] [login | enable] [default | method_list_name <string 15>]
show authen application
create authen server_group               <string 15>
config authen server_group               [tacacs | xtacacs | tacacs+ | radius | <string 15>] [add | delete] server_host <ipaddr> protocol [tacacs | xtacacs | tacacs+ | radius]
delete authen server_group               <string 15>
show authen server_group                 {<string 15>}
create authen server_host                <ipaddr> protocol [tacacs | xtacacs | tacacs+ | radius] {port <int 1-65535> | key [<key_string 254> | none] | timeout <int 1-255> | retransmit <int 1-20>}
config authen server_host                <ipaddr> protocol [tacacs | xtacacs | tacacs+ | radius] {port <int 1-65535> | key [<key_string 254> | none] | timeout <int 1-255> | retransmit <int 1-20>}
delete authen server_host                <ipaddr> protocol [tacacs | xtacacs | tacacs+ | radius]
show authen server_host
config authen parameter response_timeout <int 0-255>
config authen parameter attempt          <int 1-255>
show authen parameter
enable admin
config admin local_enable
Each command is listed, in detail, in the following sections.
enable password encryption
Purpose
This command is used to enable password encryption.
Syntax
enable password encryption
Description
The user account configuration information will be stored in the configuration file, and can be
applied to the system later.
If password encryption is enabled, the passwords will be in encrypted form.
When password encryption is disabled, if the user specifies the password in plain text form,
the password will be in plain text form. However, if the user specifies the password in
encrypted form, or if the password has been converted to encrypted form by the last enable
password encryption command, the password will always be in the encrypted form and cannot
be reverted back to plaintext.
Parameters
None
Restrictions
Only Administrator and Operator-level users can issue this command.
Example usage:
To enable password encryption:
DGS-3627:admin# enable password encryption
Command: enable password encryption
DGS-3627:admin#
disable password encryption
Purpose
This command is used to disable password encryption.
Syntax
disable password encryption
Description
The user account configuration information will be stored in the configuration file, and can be
applied to the system later.
If password encryption is enabled, the passwords will be in encrypted form.
When password encryption is disabled, if the user specifies the password in plain text form,
the password will be in plain text form. However, if the user specifies the password in
encrypted form, or if the password has been converted to encrypted form by the last enable
password encryption command, the password will always be in the encrypted form and cannot
be reverted back to plaintext.
Parameters
None.
Restrictions
Only Administrator and Operator-level users can issue this command.
Example usage:
To disable password encryption:
DGS-3627:admin# disable password encryption
Command: disable password encryption
DGS-3627:admin#
create account
Purpose
This command is used to create user accounts.
Syntax
create account [admin | operator | user] <username 15>
Description
The create account command is used to create user accounts. A username can be between
1 and 15 characters. The password is between 0 and 15 characters and is case sensitive.
The total number of accounts supported by the Switch (including admin and user level
accounts) is 8.
Parameters
admin - Specify an administrator level account. The administrator is the highest privilege level in the Switch.
operator - Specify an operator level account.
user - Specify a user level account.
<username 15> - The user name, which must be a minimum of 1 character and a maximum of 15 characters.
Restrictions
Only Administrator-level users can issue this command.
Example usage:
To create the admin-level user “alpha”:
DGS-3627:admin# create account admin alpha
Command: create account admin alpha
Enter a case-sensitive new password:****
Enter the new password again for confirmation:****
Success.
DGS-3627:admin#
config account
Purpose
This command is used to configure user accounts.
Syntax
config account <username> {encrypt [plain_text | sha_1] <password>}
Description
When the password information is not specified in the command, the system will prompt the
user to input the password interactively. In this case, the user can only input a plain text
password.
If the user specifies a password in the command, the user can select to input the password in
plain text form or in encrypted form. The encryption algorithm is based on SHA-1.
Parameters
<username> - Specify the name of the account. The account must already be defined.
plain_text - Specify the password in plain text form.
sha_1 - Specify the password in SHA-1 encrypted form.
<password> - The password for the user account. The length of a password differs between plain-text form
and encrypted form. For a plain-text form password, the password must be a minimum of 0 characters and a
maximum of 15 characters. For an encrypted form password, the length is fixed at 35 bytes. The password is
case-sensitive.
Restrictions
Only Administrator level users can issue this command.