Filter
Top Products
Accessing the switch
26
TACACS+ offers the following advantages over RADIUS:
• TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers
a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional
programmable variables such as re-transmit attempts and time-outs to compensate for best-effort
transport, but it lacks the level of built-in support that a TCP transport offers.
• TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in
authentication requests.
• TACACS+ separates authentication, authorization, and accounting.
How TACACS+ authentication works
TACACS+ works much in the same way as RADIUS authentication.
1. Remote administrator connects to the switch and provides user name and password.
NOTE: The user name and password can have a maximum length of 128 characters. The
password cannot be left blank.
2. Using Authentication/Authorization protocol, the switch sends request to authentication server.
3. Authentication server checks the request against the user ID database.
4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny
administrative access.
During a session, if additional authorization checking is needed, the switch checks with a TACACS+
server to determine if the user is granted permission to use a particular command.
TACACS+ authentication features
Authentication is the action of determining the identity of a user, and is generally done when the user first
attempts to log in to a device or gain access to its services. Switch software supports ASCII inbound login
to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time
password authentication are not supported.
Authorization
Authorization is the action of determining a user’s privileges on the device, and usually takes place after
authentication.
The default mapping between TACACS+ authorization privilege levels and switch management access
levels is shown in the table below. The privilege levels listed in the following table must be defined on the
TACACS+ server.
Table 4 Default TACACS+ privilege levels
User access level TACACS+ level
user 0
oper 3
admin 6