API Guide

authentication key in plain text or encrypted format. By default, RADIUS over TLS connections use TCP port 2083, and require
that the authentication key is radsec. You can change the TCP port number on the server.
Configure RADIUS over TLS authentication on a RADIUS server in CONFIGURATION mode.
radius-server host {hostname | ip-address} tls security-profile profile-name
[auth-port port-number] key {0 authentication-key | 9 authentication-key |
authentication-key}
To configure more than one RADIUS server for RADIUS over TLS authentication, re-enter the radius-server host tls
command multiple times. If you configure multiple RADIUS servers, OS10 attempts to connect in the order you configured them.
An OS10 switch connects with the configured RADIUS servers one at a time, until a RADIUS server responds with an accept or
reject response. The switch tries to connect with a server for the configured number of retransmit retries and timeout period.
A security profile determines the X.509v3 certificate on the switch to use for TLS authentication with a RADIUS server. To
configure a security profile for an OS10 application, see Security profiles.
Configure global settings for the timeout and retransmit attempts allowed on RADIUS servers as described in RADIUS
authentication.
Configure RADIUS over TLS authentication server
OS10(config)# radius-server host 1.2.4.5 tls security-profile radius-prof key radsec
OS10(config)# radius-server retransmit 10
OS10(config)# radius-server timeout 10
AAA with TACACS+ authentication
Configure a TACACS+ authentication server by entering the server IP address or host name. You must also enter a text string
for the key used to authenticate the OS10 switch on a TACACS+ host. The Transmission Control Protocol (TCP) port entry is
optional.
TACACS+ provides greater data security by encrypting the entire protocol portion in a packet sent from the switch to an
authentication server. RADIUS encrypts only passwords.
Configure a TACACS+ authentication server in CONFIGURATION mode. By default, a TACACS+ server uses TCP port 49 for
authentication.
tacacs-server host {hostname | ip-address} key {0 authentication-key | 9
authentication-key | authentication-key} [auth-port port-number]
Re-enter the tacacs-server host command multiple times to configure more than one TACACS+ server. If you
configure multiple TACACS+ servers, OS10 attempts to connect in the order you configured them. An OS10 switch connects
with the configured TACACS+ servers one at a time, until a TACACS+ server responds with an accept or reject response.
Configure a global timeout setting allowed on TACACS+ servers. By default, OS10 times out after five seconds. No source
interface is configured. The default VRF instance is used to contact TACACS+ servers.
NOTE: You cannot configure both a nondefault VRF instance and a source interface at the same time for TACACS+
authentication.
NOTE: A TACACS+ server configured with a host name is not supported on a nondefault VRF.
Configure the global timeout used to wait for an authentication response from TACACS+ servers in CONFIGURATION mode,
from 1 to 1000 seconds; the default is 5.
tacacs-server timeout seconds
(Optional) Specify an interface whose IP address is used as the source IP address for user authentication with a TACACS+
server in CONFIGURATION mode. By default, no source interface is configured. OS10 selects the source IP address of any
interface from which a packet is sent to a TACACS+ server.
NOTE: If you configure a source interface which has no IP address, the IP address of the management interface is used.
ip tacacs source-interface interface
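The following Python audit is an added example, not part of the original guide or Dell's own tooling. It reads saved OS10 configuration lines and reports the server connection order, the effective TCP ports, and settings that conflict with this section. It assumes that key type 9 is the encrypted form and that type 0 or an untyped key is plain text; the sample configuration and the finding names are constructed for illustration.

```python
import re

# Defaults stated in this section: RADIUS over TLS uses TCP 2083, TACACS+ uses TCP 49.
DEFAULT_PORT = {"radius-tls": 2083, "tacacs": 49}
HOST_RE = re.compile(r"^(radius|tacacs)-server host (\S+)( tls security-profile (\S+))?(.*)$")
KEY_RE = re.compile(r"\bkey (?:([09]) )?(\S+)")
PORT_RE = re.compile(r"\bauth-port (\d+)")
TIMEOUT_RE = re.compile(r"^tacacs-server timeout (\S+)$")

# Constructed sample input (addresses, profile name and keys are made up).
SAMPLE = """\
radius-server host 192.0.2.10 tls security-profile radius-prof key radsec
radius-server host 192.0.2.11 tls security-profile radius-prof auth-port 3083 key 0 hunter2
tacacs-server host 192.0.2.20 key 9 3a95c26b2a5b96a6
tacacs-server host tac2.example.net key s3cret auth-port 4949
tacacs-server timeout 2000
"""

def audit(config_text):
    """Return (servers in the order OS10 tries them, findings as (line, code))."""
    servers, findings = [], []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        t = TIMEOUT_RE.match(line)
        if t and not (t[1].isdigit() and 1 <= int(t[1]) <= 1000):
            findings.append((n, "tacacs-timeout-out-of-range"))
        m = HOST_RE.match(line)
        if not m or (m[1] == "radius" and not m[3]):
            continue  # only the two host forms shown in this section are audited
        kind = "radius-tls" if m[1] == "radius" else "tacacs"
        key, port = KEY_RE.search(m[5]), PORT_RE.search(m[5])
        if key is None:
            findings.append((n, "missing-key"))
        elif kind == "radius-tls" and key[1] != "9" and key[2] != "radsec":
            findings.append((n, "radsec-key-mismatch"))  # guide: key must be radsec
        elif kind == "tacacs" and key[1] != "9":
            findings.append((n, "plaintext-key"))  # assumption: only type 9 is encrypted
        servers.append({"kind": kind, "host": m[2], "profile": m[4],
                        "port": int(port[1]) if port else DEFAULT_PORT[kind]})
    return servers, findings

if __name__ == "__main__":
    servers, findings = audit(SAMPLE)
    for s in servers:
        print(s)
    for f in findings:
        print(f)
```

A type 9 key cannot be compared with radsec from the configuration text alone, so the audit only checks plain-text RADIUS over TLS keys against that value.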