Administrator Guide

Using the CLI
configure the switch. The access to this level cannot be modified. Level 15 is
the special access level assigned to the superuser of the switch. This level has
full access to all functions within the switch.
If the account is created and maintained locally, each account is given an
access level at the time of account creation. If the administrator is
authenticated through remote authentication servers, the authentication
server is configured to pass the access level to the CLI when the account is
authenticated. When RADIUS is used, the Vendor-Specific Option field
returns the access level. Two vendor-specific options are supported:
CISCO-AV-Pairs (Shell:priv-lvl=x) and Dell RADIUS VSA (user-group=x).
TACACS+ provides the appropriate level of access.
The following rules and specifications apply:
• The administrator determines whether remote authentication servers or
  locally defined authentication accounts are used.
• If authentication servers are used, the administrator can identify at
  least two remote servers (the user may choose to configure only one
  server) and what protocol to use with the server, TACACS+ or RADIUS.
  One of the servers is primary and the other is the secondary server
  (the user is not required to specify a secondary server). If the
  primary server fails to respond in a configurable time period, the CLI
  automatically attempts to authenticate the user with the secondary
  server.
• The administrator is able to specify what happens when both primary and
  secondary servers fail to respond. In this case, the user is able to
  indicate that the CLI should either use the local user accounts or
  reject all requests.
• Even if the administrator configures the CLI to fail login when the
  remote authentication servers are down, the CLI allows access via the
  serial interface authenticated by locally managed account data. The
  default for serial port access is no login or password required.
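The rules above can be read as a decision procedure. The following Python model is an added example, not code from the guide or from the switch firmware; the function names, the "serial"/"network" labels and the result tuples are hypothetical. It assumes that a server which answers with a reject ends the attempt (the guide only describes failover on no response) and that a level above 15 is invalid.

```python
import re

# Vendor-specific strings named in the guide; x is the access level.
LEVEL_RE = re.compile(r"(?:shell:priv-lvl|user-group)=(\d+)$", re.IGNORECASE)

def level_from_vsa(values):
    """Return the access level found in RADIUS vendor-specific values, else None."""
    for value in values:
        m = LEVEL_RE.match(value.strip())
        # Assumption: 15 (the superuser level) is the highest valid level.
        if m and int(m.group(1)) <= 15:
            return int(m.group(1))
    return None

def cli_login(interface, servers, on_all_down, local_level,
              serial_login_required=False):
    """Model of the guide's rules. Returns (decision, source, level).

    servers: ordered callables, primary first. Each returns None on timeout,
             or (accepted: bool, vsa_values: list) when the server answers.
    on_all_down: "local" or "reject", the administrator's choice.
    local_level: level of the matching local account, None if that check fails.
    """
    if interface == "serial" and not serial_login_required:
        # Default described in the guide: no login or password on the serial port.
        return ("accept", "serial-default", None)
    for name, ask in zip(("primary", "secondary"), servers):
        reply = ask()
        if reply is None:      # no response within the timeout: try the next one
            continue
        accepted, vsa = reply
        if not accepted:
            return ("reject", name, None)
        return ("accept", name, level_from_vsa(vsa))
    # Every configured server timed out.
    if on_all_down == "local" or interface == "serial":
        # The serial interface uses local accounts even under "reject".
        if local_level is not None:
            return ("accept", "local", local_level)
        return ("reject", "local", None)
    return ("reject", "servers-down", None)
```

The model makes two review points visible: a "reject" policy does not cover the serial port, and with the default serial setting the console is reachable without credentials, so physical access to the console port and the strength of local accounts both matter.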
SYSLOG
The switch supports sending logging messages to a remote SYSLOG server.
The administrator configures a remote log server to which SYSLOG messages
are sent.
The following rules apply:
• The administrator configures a remote SYSLOG server to which system
  logging messages are sent.