VTY Line and Access-Class Configuration
Various methods are available to restrict VTY access in the Dell Networking OS. These depend on which
authentication scheme you use — line, local, or remote.
Table 59. VTY Access
Authentication Method VTY access-class
support?
Username access-class
support?
Remote authorization
support?
Line YES NO NO
Local NO YES NO
TACACS+ YES NO YES
RADIUS YES NO YES
The system provides several ways to configure access classes for VTY lines, including:
• VTY Line Local Authentication and Authorization
• VTY Line Remote Authentication and Authorization
VTY Line Local Authentication and Authorization
The system retrieves the access class from the local database.
To use this feature:
1. Create a username.
2. Enter a password.
3. Assign an access class.
4. Enter a privilege level.
You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an
access-class as authorization.
Configure local authentication globally and configure access classes on a per-user basis.
The system can assign different access classes to different users by username. Until users attempt to log
in, the system does not know if they will be assigned a VTY line. This means that incoming users always
see a login prompt even if you have excluded them from the VTY line with a deny-all access class. After
users identify themselves, the system retrieves the access class from the local database and applies it.
(The system can then close the connection if a user is denied access.)
NOTE: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the
RADIUS server only if you configure RADIUS authentication.
The following example shows how to allow or deny a Telnet connection to a user. Users see a login
prompt even if they cannot log in. No access class is configured for the VTY line. It defaults from the local
database.
NOTE: For more information, refer to Access Control Lists (ACLs).
816
Security