Support User Manuals

Dell 9.7(0.0) Plumbing Product User Manual

Open as PDF

of 1039

To use local authentication for enable secret on the console, while using remote authentication on

VTY lines, issue the following commands.

Dell(config)# aaa authentication enable mymethodlist radius tacacs

Dell(config)# line vty 0 9

Dell(config-line-vty)# enable authentication mymethodlist

Server-Side Configuration

Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication

requests to a TACACS+ or RADIUS server.

• TACACS+ — When using TACACS+, the switch sends an initial packet with service type SVC_ENABLE,

and then sends a second packet with just the password. The TACACS server must have an entry for

username $enable$.

• RADIUS — When using RADIUS authentication, the switch sends an authentication packet with the

following:

Username: $enab15$

Password: <password-entered-by-user>

Therefore, the RADIUS server must have an entry for this username.

Obscuring Passwords and Keys

By default, the service password-encryption command stores encrypted passwords. For greater

security, you can also use the service obscure-passwords command to prevent a user from reading

the passwords and keys, including RADIUS, TACACS+ keys, router authentication strings, VRRP

authentication by obscuring this information. Passwords and keys are stored encrypted in the

configuration file and by default are displayed in the encrypted form when the configuration is displayed.

Enabling the

service obscure-passwords command displays asterisks instead of the encrypted

passwords and keys. This command prevents a user from reading these passwords and keys by obscuring

this information with asterisks.

Password obscuring masks the password and keys for display only but does not change the contents of

the file. The string of asterisks is the same length as the encrypted string for that line of configuration. To

verify that you have successfully obscured passwords and keys, use the show running-config

command or show startup-config command.

If you are using role-based access control (RBAC), only the system administrator and security

administrator roles can enable the service obscure-password command.

To enable the obscuring of passwords and keys, use the following command.

• Turn on the obscuring of passwords and keys in the configuration.

CONFIGURATION mode

service obscure-passwords

Example of Obscuring Password and Keys

Dell(config)# service obscure-passwords

794

Security

previous next