Nortel Networks 42C4911 Switch User Manual


 
Alteon OS Application Guide
48
Chapter 1: Accessing the Switch 42C4911, January 2007
TACACS+ Authentication
Alteon OS supports authentication and authorization with networks using the Cisco Systems TACACS+ protocol. The GbE Switch Module functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the GbE Switch Module either through a data or management port.
TACACS+ offers the following advantages over RADIUS:
 TACACS+ uses TCP-based connection-oriented transport, whereas RADIUS is UDP-based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.
 TACACS+ offers full packet encryption, whereas RADIUS offers password-only encryption in authentication requests.
 TACACS+ separates authentication, authorization and accounting.
How TACACS+ Authentication Works
TACACS+ works much in the same way as RADIUS authentication as described on page 44.
1. The remote administrator connects to the switch and provides a user name and password.
2. Using the Authentication/Authorization protocol, the switch sends a request to the authentication server.
3. The authentication server checks the request against the user ID database.
4. Using the TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.
During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.
TACACS+ Authentication Features in Alteon OS
Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Alteon OS supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.
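The following Python script is an added illustration of the points made in this section (the TACACS+ advantage of hiding the whole packet body rather than only the password, the four-step login exchange between the switch acting as NAS and the TACACS+ server, and the ASCII login method that Alteon OS supports). It is not code from the guide or from Alteon OS; it follows the packet layout and body obfuscation defined in the public TACACS+ specification (RFC 8907). The shared key, user database, session id and IP address are constructed values, and the server is a toy that holds one pending login per session id.

```python
import hashlib
import struct

# Constants from the TACACS+ specification (RFC 8907); VERSION is major 0xC, minor 0.
VERSION = 0xC0
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag that would disable body obfuscation
TAC_PLUS_AUTHEN_LOGIN = 0x01            # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01       # the login method the guide says Alteon OS supports
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05
HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, length

# Constructed values for the demonstration; not from the guide.
KEY = b"constructed-shared-secret"
USER_DB = {b"admin": b"example-only-pass"}    # stands in for the server's user ID database

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 keystream: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pad; the same call decodes because XOR is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_packet(key, seq_no, session_id, body):
    enc = obfuscate(session_id, key, VERSION, seq_no, body)
    return HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(enc)) + enc

def parse_packet(key, packet):
    """Return (seq_no, session_id, body); refuse cleartext bodies and bad lengths."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("peer sent an unobfuscated body; refusing")
    if len(packet) != HEADER.size + length:
        raise ValueError("packet length does not match header")
    return seq_no, session_id, obfuscate(session_id, key, version, seq_no, packet[HEADER.size:])

def authen_start(user, port=b"console", rem_addr=b"192.0.2.10"):
    """START body: action, priv_lvl, authen_type, service, four 1-byte lengths, then the fields."""
    return bytes([TAC_PLUS_AUTHEN_LOGIN, 15, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                  len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr

def authen_continue(user_msg):
    """CONTINUE body: user_msg_len(2), data_len(2), flags(1), user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def authen_reply(status, server_msg=b""):
    """REPLY body: status(1), flags(1), server_msg_len(2), data_len(2), server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

class ToyTacacsServer:
    """Server side: answer START with GETPASS, verify the CONTINUE, reply PASS or FAIL."""
    def __init__(self, key):
        self.key = key
        self.pending = {}                       # session_id -> user name awaiting its password

    def handle(self, packet):
        seq_no, sid, body = parse_packet(self.key, packet)
        if seq_no == 1:                         # START: record the user, ask for the password
            self.pending[sid] = body[8:8 + body[4]]
            reply = authen_reply(STATUS_GETPASS, b"Password: ")
        else:                                   # CONTINUE: check against the user ID database
            (msg_len,) = struct.unpack("!H", body[:2])
            user = self.pending.pop(sid, None)
            ok = user is not None and USER_DB.get(user) == body[5:5 + msg_len]
            reply = authen_reply(STATUS_PASS if ok else STATUS_FAIL)
        return build_packet(self.key, seq_no + 1, sid, reply)

def nas_login(key, server, user, password, session_id=0x1A2B3C4D):
    """Switch (NAS) side: START -> GETPASS -> CONTINUE -> PASS or FAIL; returns the final status."""
    reply = server.handle(build_packet(key, 1, session_id, authen_start(user)))
    _, _, body = parse_packet(key, reply)
    if body[0] != STATUS_GETPASS:
        return body[0]
    reply = server.handle(build_packet(key, 3, session_id, authen_continue(password)))
    _, _, body = parse_packet(key, reply)
    return body[0]

if __name__ == "__main__":
    server = ToyTacacsServer(KEY)
    print("good password ->", nas_login(KEY, server, b"admin", b"example-only-pass"))   # 1 (PASS)
    print("bad password  ->", nas_login(KEY, server, b"admin", b"wrong"))               # 2 (FAIL)
    wire = build_packet(KEY, 1, 0x1A2B3C4D, authen_start(b"admin"))
    print("user name visible on the wire:", b"admin" in wire)                          # False
```

Two details matter for a defender reading this. The body obfuscation covers every field (user name, port, remote address and the password sent in CONTINUE), which is what the guide means by full packet encryption as opposed to the RADIUS User-Password attribute alone; and a peer that sets the unencrypted flag in the header is refused here, since a deployment that accepted such packets would be sending administrator credentials in clear text over the management network.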