Filter
Top Products
U
SER
A
UTHENTICATION
3-77
Remote Authentication
Dial-in User Service
(RADIUS) and Terminal
Access Controller Access
Control System Plus
(TACACS+) are logon
authentication protocols
that use software running
on a central server to
control access to RADIUS-aware or TACACS- aware devices on the
network. An authentication server contains a database of multiple user
name/password pairs with associated privilege levels for each user that
requires management access to the switch.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best
effort delivery, while TCP offers a connection-oriented transport. Also,
note that RADIUS encrypts only the password in the access-request
packet from the client to the server, while TACACS+ encrypts the entire
body of the packet.
Command Usage
• By default, management access is always checked against the
authentication database stored on the local switch. If a remote
authentication server is used, you must specify the authentication
sequence and the corresponding parameters for the remote
authentication protocol. Local and remote logon authentication control
management access via the console port, web browser, or Telnet.
• RADIUS and TACACS+ logon authentication assign a specific privilege
level for each user name/password pair. The user name, password, and
privilege level must be configured on the authentication server.
• You can specify up to three authentication methods for any user to
indicate the authentication sequence. For example, if you select (1)
RADIUS, (2) TACACS and (3) Local, the user name and password on
the RADIUS server is verified first. If the RADIUS server is not
Web
Telnet
RADIUS/
TACACS+
server
console
1. Client attempts management access.
2. Switch contacts authentication server.
3.Authenticationserverchallenges client.
4. Client responds with proper password or key.
5.Authenticationserverapproves access.
6. Switch grants management access.