Setup Guide
VTY Line and Access-Class Conguration
Various methods are available to restrict VTY access in . These depend on which authentication scheme you use — line, local, or remote.
Table 94. VTY Access
Authentication Method VTY access-class support? Username access-class
support?
Remote authorization support?
Line YES NO NO
Local NO YES NO
TACACS+ YES NO YES (with version 5.2.1.0 and
later)
RADIUS YES NO YES (with version 6.1.1.0 and
later)
provides several ways to congure access classes for VTY lines, including:
• VTY Line Local Authentication and Authorization
• VTY Line Remote Authentication and Authorization
VTY Line Local Authentication and Authorization
retrieves the access class from the local database.
To use this feature:
1 Create a username.
2 Enter a password.
3 Assign an access class.
4 Enter a privilege level.
You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization.
Congure local authentication globally and congure access classes on a per-user basis.
can assign dierent access classes to dierent users by username. Until users attempt to log in, does not know if they will be assigned a
VTY line. This means that incoming users always see a login prompt even if you have excluded them from the VTY line with a deny-all
access class. After users identify themselves, retrieves the access class from the local database and applies it. ( then can close the
connection if a user is denied access.)
NOTE
: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you
congure RADIUS authentication.
The following example shows how to allow or deny a Telnet connection to a user. Users see a login prompt even if they cannot log in. No
access class is congured for the VTY line. It defaults from the local database.
Example of Conguring VTY Authorization Based on Access Class Retrieved from a Local Database (Per User)
DellEMC(conf)#user gooduser password abc privilege 10 access-class permitall
DellEMC(conf)#user baduser password abc privilege 10 access-class denyall
DellEMC(conf)#
DellEMC(conf)#aaa authentication login localmethod local
DellEMC(conf)#
DellEMC(conf)#line vty 0 9
DellEMC(config-line-vty)#login authentication localmethod
DellEMC(config-line-vty)#end
Security
833