By default Dell switches running FTOS use local username/passwords for login authentication. This default behavior is assigned in the ‘default’ method list. To change the login authentication behavior, you can either modify the ‘default’ method list or create new method list(s). In FTOS, AAA (Authentication, Authorization, and Accounting) uses method lists to define the types of authentication and the sequence in which they are applied. Additionally, in FTOS, AAA provides the ability to have different security protocols/mechanisms used for different login methods. In this blog, I demonstrate how different login authentication security mechanisms can be used for different login methods.
In this lab, I utilize a Dell S60 switch [FTOS 8.3.3.8]. I also utilize a Dell S50N switch [FTOS 8.4.2.7] as a management switch. A Cyclades TS3000 console terminal server is used for console connectivity over the management network. Below is the simple network diagram for this lab.
In this lab, I set up login authentication for both console and telnet access; see the screenshot below. For console access, I instruct FTOS to use the ‘line’ console password for authentication, and for telnet access, I instruct FTOS to use local authentication. For console authentication, I created the ‘consoleSecurity’ method list and configured the console line password. For telnet authentication, I created the ‘telnetSecurity’ method list and configured a username and password with the ‘username admin password password’ command.
As the screenshot below shows, I could also have used other authentication methods such as RADIUS or TACACS+; for demonstration purposes and simplicity, I used the console line password and local authentication.
Now, when I connect to the switch's console via the console terminal server, I get the password authentication request below, as expected.
Additionally, when I try to telnet to the Dell S60 switch via the management network, as expected, I get a login authentication request as shown below.
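To check a configuration like the one described above before relying on it, here is an added example (not from the original post and not Dell code) that parses an FTOS-style configuration and reports, for each line, which method list is bound and whether the methods it names have the credentials they need. The sample configuration is constructed from the commands the post describes; the `line vty 0 9` range, the console password placeholder, and the helper names `parse_method_lists` and `resolve_line_auth` are assumptions.

```python
import re

# Constructed sample (commands as typed); vty range and console password are placeholders.
SAMPLE_CONFIG = """\
aaa authentication login consoleSecurity line
aaa authentication login telnetSecurity local
username admin password password
line console 0
 password CONSOLE-PW-PLACEHOLDER
 login authentication consoleSecurity
line vty 0 9
 login authentication telnetSecurity
"""

def parse_method_lists(config):
    """Map each method-list name to its ordered authentication methods."""
    lists = {"default": ["local"]}  # per the post, 'default' is local out of the box
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        lists[m.group(1)] = m.group(2).split()
    return lists

def resolve_line_auth(config):
    """Return {line: (method_list, methods, problems)} for each 'line' stanza."""
    lists = parse_method_lists(config)
    has_user = re.search(r"^username \S+", config, re.M) is not None
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # back at global configuration level
    result = {}
    for name, body in stanzas.items():
        bound = next((b.split()[2] for b in body
                      if b.startswith("login authentication ")), "default")
        methods, problems = lists.get(bound), []
        if methods is None:
            problems.append("method list not defined")
        if methods and "line" in methods and not any(b.startswith("password ") for b in body):
            problems.append("'line' method but no line password set")
        if methods and "local" in methods and not has_user:
            problems.append("'local' method but no username configured")
        result[name] = (bound, methods, problems)
    return result

if __name__ == "__main__":
    print(resolve_line_auth(SAMPLE_CONFIG))
```

A line stanza with no `login authentication` statement is reported against the ‘default’ method list, which is how an unbound line would be easy to overlook.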