XG2000 series User's Guide
56/315
All Rights Reserved, Copyright (C) PFU LIMITED 2009
4.11.3 Configuring RADIUS/TACACS+
To configure RADIUS/TACACS+ authentication, carry out the following procedure.
Command Task
xg# configure terminal
Switch to global configuration mode.
xg(config)# radius-server key KEY
(Optional)
Specifies a global secret key which is used as a
default parameter when RADIUS server is registered
with no key parameter.
xg(config)# tacacs-server key KEY
(Optional)
Specifies a global secret key which is used as a
default parameter when TACACS+ server is
registered with no key parameter.
xg(config)# radius-server timeout <1 – 15>
(Optional)
Specifies the timeout(sec) for authentication requests.
xg(config)# radius-server host HOST [auth-port
PORT] [key KEY]
Register a RADIUS server.
xg(config)# tacacs-server host HOST [key KEY]
Register a TACACS+ server.
xg(config)# aaa authentication login {console |
ssh} {local | radius | tacacs} {local | none}
Set login authentication method.
xg(config)# exit
Exit to administrator EXEC mode.
xg# account user001 class admin
(Optional)
Register the same account for using
RADIUS/TACACS+ authentication on XG2000
XG2000 cannot use an unregistered account.
xg# show radius
Displays the information of RADIUS server
xg# show tacacs
Displays the information of TACACS+ server
xg# show authentication
Displays the setting status of login authentication
method
xg# show account
Lists the all accounts registered in the device.
z It is needed to register RADIUS/TACACS+ user accounts to XG2000 before enabling
RADIUS/TACACS+ authentication. XG2000 does not allow any account except for "admin" for the
default configuration.
z RADIUS/TACACS+ authentication is only available if primary login is RADIUS/TACACS+
authentication and secondary login is disable by "aaa authentication login" command. Any user can
not login XG2000 under RADIUS/TACACS+ authentication is only available if RADIUS/TACACS+
server does not work. It is recommended to test RADIUS/TACACS+ authentication under local
authentication is available.
z XG2000 requests authentication in order of the lists displayed by "show radius", "show tacacs"
command. Up to 4 access requests are transmitted for each RADIUS servers and 1 access for
TACACS+ servers until receiving the reply from the RADIUS/TACACS+ server.