HP (Hewlett-Packard) Ethernet BL-c Switch Switch User Manual
Introduction 13
RADIUS
The switch supports the RADIUS method to authenticate and authorize remote administrators for managing
the switch. This method is based on a client/server model. The RAS (here, the switch) is a client to the
back-end database server. A remote user (the remote administrator) interacts only with the RAS, never
directly with the back-end server and its database.
RADIUS authentication consists of:
A protocol with a frame format that utilizes UDP over IP, based on RFC 2138 and 2866
A centralized server that stores all the user authorization information
A client, in this case, the switch
The switch, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize
a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions
between the client and the RADIUS server are authenticated using a shared key that is not sent over the
network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client
(the switch) and the back-end RADIUS server.
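The password protection described above is the User-Password hiding of RFC 2138/2865 section 5.2: the switch XORs the password with MD5 digests derived from the shared secret and the per-request Request Authenticator, so the secret itself never appears on the wire. The following is an added illustration, not code from the HP manual; the secret, Request Authenticator and password are constructed values.

```python
import hashlib


def _pad16(data: bytes) -> bytes:
    """Zero-pad to a multiple of 16 octets (RFC limit: 128 octets)."""
    if len(data) > 128:
        raise ValueError("password longer than 128 octets")
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: c1 = p1 XOR MD5(S+RA), c_i = p_i XOR MD5(S+c_(i-1))."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    plain = _pad16(password)
    hidden, prev = b"", request_auth
    for i in range(0, len(plain), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(plain[i:i + 16], pad))
        hidden += block
        prev = block  # chaining: next pad depends on the previous cipher block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same pad sequence, XORed back; trailing zero padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def demo() -> bool:
    """Round trip with constructed values; the secret never leaves either side."""
    secret = b"constructed-shared-secret"       # constructed, not a real secret
    req_auth = bytes(range(16))                 # constructed; real ones must be random
    pw = b"example-admin-password"
    return unhide_password(hide_password(pw, secret, req_auth), secret, req_auth) == pw
```

Because the pad is MD5 of the secret and the Request Authenticator, the hiding is only as strong as the secret's entropy and the authenticator's randomness; a weak or reused secret lets anyone holding a capture recover the password offline, which is why operators treat the RADIUS shared secret as a high-value credential.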
The benefits of using RADIUS are:
Authentication of remote administrators
    Identification of the administrator using name/password
Authorization of remote administrators
    Determination of the permitted actions and customizing service for individual administrators
TACACS+
The switch supports the TACACS+ method to authenticate, authorize, and account for remote
administrators managing the switch. This method is based on a client/server model. The switch is a client
to the back-end TACACS+ AAA server. A remote user (the remote administrator) interacts only with the
client, never directly with the back-end AAA server.
The TACACS+ AAA method consists of:
A protocol with a frame format that utilizes TCP over IP
A centralized AAA server that stores all the user authentication, authorization, and accounting (of usage) information
A NAS or client (in this case, the switch)
The switch, acting as the TACACS+ client or NAS, communicates to the TACACS+ server to authenticate,
authorize, and account for user access. Transactions between the client and the TACACS+ server are
authenticated using a shared key that is not sent over the network. In addition, the remote administrator
passwords are sent encrypted between the TACACS+ client (the switch) and the back-end TACACS+
server.
The switch supports:
Only standard ASCII inbound login authentication. PAP, CHAP, or ARAP login methods are not supported. One-time password authentication is also not supported.
Authorization privilege levels of only 0, 3, and 6. These map to management levels of user, oper, and admin, respectively.