Dell 6200 SERIES Computer Accessories User Manual


 
120 Device Security
Example #2: Set the NAS-IP Address for the RADIUS Server
The NAS-IP address attribute identifies the IP Address of the network authentication server (NAS) that
is requesting authentication of the user. The address should be unique to the NAS within the scope of
the RADIUS server.
The NAS-IP-Address is only used in Access-Request packets. Either the NAS-IP-Address or NAS-
Identifier must be present in an Access-Request packet.
NOTE: The feature is available in release 2.1 and later.
The following command sets the NAS-IP address to 192.168.20.12. If you do not specify an IP address in
the command, the NAS-IP address uses the interface IP address that connects the switch to the RADIUS
server.
console#config
console(config)#radius-server attribute 4 192.168.20.12
TACACS+
TACACS+ (Terminal Access Controller Access Control System) provides access control for networked
devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication
by making use of a single database that can be shared by many clients on a large network. TACACS+
uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to
encrypt all messages.
After you configure TACACS+ as the authentication method for user login, the NAS (Network Access
Server) prompts for the user login credentials and requests services from the TACACS+ client. The
client then uses the configured list of servers for authentication, and provides results back to the NAS.
You can configure the TACACS+ server list with one or more hosts defined via their network IP address.
You can also assign each a priority to determine the order in which the TACACS+ client will contact
them. TACACS+ contacts the server when a connection attempt fails or times out for a higher priority
server.
You can configure each server host with a specific connection type, port, timeout, and shared key, or you
can use global configuration for the key and timeout.
Like RADIUS, the TACACS+ server can do the authentication itself, or redirect the request to another
back-end device. All sensitive information is encrypted and the shared secret is never passed over the
network; it is used only to encrypt the data.
TACACS+ Configuration Example
This example configures two TACACS+ servers at 10.10.10.10 and 11.11.11.11. Each server has a unique
shared secret key. The server at 10.10.10.10 has a default priority of 0, the highest priority, while the other
server has a priority of 2. The process creates a new authentication list, called tacacsList, which uses
TACACS+ to authenticate, and uses local authentication as a backup method.