GE ML1600 Switch User Manual


 
8–2 MULTILINK ML1600 ETHERNET COMMUNICATIONS SWITCH – INSTRUCTION MANUAL
INTRODUCTION TO TACACS+ CHAPTER 8: ACCESS USING TACACS+
8.1.2 TACACS+ Flow
TACACS+ works in conjunction with the local user list in the ML1600 software (operating
system). Refer to User MGMNT on page 1–12 for adding users in the MultiLink Switch
Software. The authentication and authorization process is shown in the flow chart below.
FIGURE 8–1: TACACS authorization flowchart
The flow diagram above shows the tight integration of TACACS+ authentication with the
local user-based authentication. A user goes through two stages in TACACS+. The first
stage is authentication, where the user is verified against the network user database. The
second stage is authorization, where it is determined whether the user has operator access
or manager privileges.
8.1.3 TACACS+ Packet
Packet encryption is supported and is a configurable option in the ML1600 software. When
enabled, all TACACS+ authentication and authorization packets are encrypted and are not
readable by protocol capture and sniffing tools such as Ethereal or others. Packet data is
hashed with MD5 using a secret string shared between the MultiLink switches and the
TACACS+ server.
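The MD5-based protection described above is the body obfuscation that the TACACS+ protocol defines (RFC 8907, section 4.5): the body is XORed with a keystream of chained MD5 digests over the session ID, the shared secret, the version byte and the sequence number. The following Python is an added example, not GE's code, that builds and parses such a packet with a constructed START body and a placeholder secret, and reports whether a packet's header flag says the body travelled in clear text.

```python
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag bit: body was sent in clear text
DEFAULT_VERSION = 0xC0                  # major version 0xC, minor version 0


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, ptype, seq_no, session_id, key, version=DEFAULT_VERSION):
    """Assemble header + body. With key=None the body goes in clear and the flag is set."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire_body = xor_body(body, session_id, key, version, seq_no) if key else body
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet, key):
    """Parse one packet: flag whether it travelled in clear and recover the body with `key`."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    wire_body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(wire_body) != length:
        raise ValueError("truncated body")
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if cleartext:
        body = wire_body
    elif key is None:
        raise ValueError("obfuscated body but no shared secret supplied")
    else:
        body = xor_body(wire_body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "cleartext": cleartext, "body": body}


# Constructed sample (not from the manual): minimal authentication START body (type 0x01),
# eight fixed fields then the user name; the 5th byte is user_len == len("operator1") == 9.
SAMPLE_BODY = bytes([1, 1, 1, 1, 9, 0, 0, 0]) + b"operator1"
SAMPLE_KEY = b"example-shared-secret"  # placeholder secret, not a real configuration value
```

Because the keystream depends only on header fields plus the secret, anyone holding the shared secret can recover every body, so the secret's strength and distribution are the whole of this protection.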
[Figure 8–1 flowchart (754716A1.CDR); node labels recovered from the drawing: Start; Login; User in local user list?; Is user manager?; Login as Manager; Login as Operator; TACACS+ enabled?; Connect to TACACS server to authenticate; Connection failure; Additional servers?; Authentication failure; Authenticated; TACACS+ authorization; Authorized as Operator; Authorized as Manager; Authorization failure; Logout]