BLADEOS 6.5.2 Application Guide
70 Chapter 4: Authentication & Authorization Protocols BMD00220, October 2010
TACACS+ Authentication Features in BLADEOS
Authentication is the action of determining the identity of a user, and is generally done when the
user first attempts to log in to a device or gain access to its services. BLADEOS supports ASCII
inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password
requests, and one-time password authentication are not supported.
Authorization
Authorization is the action of determining a user’s privileges on the device, and usually takes place
after authentication.
The default mapping between TACACS+ authorization levels and BLADEOS management access
levels is shown in Table 5. The authorization levels must be defined on the TACACS+ server.

Table 5 Default TACACS+ Authorization Levels

  BLADEOS User Access Level    TACACS+ level
  user                         0
  oper                         3
  admin                        6

Alternate mapping between TACACS+ authorization levels and BLADEOS management access levels
is shown in Table 6. Use the following command to set the alternate TACACS+ authorization levels:

  RS G8124(config)# tacacs-server privilege-mapping

Table 6 Alternate TACACS+ Authorization Levels

  BLADEOS User Access Level    TACACS+ level
  user                         0 - 1
  oper                         6 - 8
  admin                        14 - 15

If the remote user is successfully authenticated by the authentication server, the switch verifies the
privileges of the remote user and authorizes the appropriate access. The administrator has the option
to allow secure backdoor access via Telnet/SSH. Secure backdoor provides switch access when the
TACACS+ servers cannot be reached. You can always access the switch via the console port, by
using notacacs and the administrator password, whether secure backdoor is enabled or not.

Note – To obtain the TACACS+ backdoor password for your G8124, contact Technical Support.
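As an added example (not from the BLADEOS guide), the following shows how the three access levels of the alternate mapping in Table 6 could be defined on a Shrubbery tac_plus server, since the guide only says the levels must exist on the TACACS+ side. The file syntax is assumed from the tac_plus.conf format, and the group names, user names, shared key and password hashes are placeholders.

```conf
# Added example for a tac_plus (Shrubbery Networks) server; syntax assumed from
# tac_plus.conf, and all names, keys and hashes below are placeholders.
# priv-lvl values are chosen for the switch's ALTERNATE mapping (Table 6):
#   user 0-1, oper 6-8, admin 14-15.  With the DEFAULT mapping (Table 5) the
#   switch expects 0/3/6 instead, so these values must match whichever mapping
#   the switch is using ("tacacs-server privilege-mapping" selects the alternate).

key = "REPLACE_WITH_SHARED_SECRET"    # must equal the TACACS+ key on the switch

group = g8124-admin {
    service = exec {
        priv-lvl = 15                  # alternate mapping: 14-15 -> admin
    }
}

group = g8124-oper {
    service = exec {
        priv-lvl = 7                   # alternate mapping: 6-8 -> oper
    }
}

group = g8124-user {
    service = exec {
        priv-lvl = 1                   # alternate mapping: 0-1 -> user
    }
}

# Placeholder accounts; replace the hashes with real ones generated for your
# tac_plus build (des shown; cleartext is also accepted by tac_plus).
user = netadmin {
    member = g8124-admin
    login = des "PLACEHOLDER_HASH"
}

user = helpdesk {
    member = g8124-oper
    login = des "PLACEHOLDER_HASH"
}

user = monitor {
    member = g8124-user
    login = des "PLACEHOLDER_HASH"
}
```

Only levels 0, 3 and 6 appear in Table 5, so if the switch is left on the default mapping, the server-side priv-lvl values and the switch setting have to be changed together rather than one at a time.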