C
ONFIGURING
THE
S
WITCH
3-50
CLI – Assign a user name to access-level 15 (i.e., administrator), then
specify the password.
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based
on specified user names and passwords. You can manually configure access
rights on the switch, or you can use a remote access authentication server
based on RADIUS or TACACS+ protocols.
Remote
Authentication Dial-in
User Service
(RADIUS) and
Terminal Access
Controller Access
Control System Plus
(TACACS+) are logon
authentication
protocols that use
software running on a central server to control access to RADIUS-aware
or TACACS-aware devices on the network. An authentication server
contains a database of multiple user name/password pairs with associated
privilege levels for each user that requires management access to the
switch.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best
effort delivery, while TCP offers a connection-oriented transport. Also,
note that RADIUS encrypts only the password in the access-request
packet from the client to the server, while TACACS+ encrypts the entire
body of the packet.
Console(config)#username bob access-level 15 4-35
Console(config)#username bob password 0 smith
Console(config)#
Web
Telnet
RADIUS/
TACACS+
server
console
1. Client attempts management access.
2. Switch contacts authentication server.
3.Authentication server challenges client.
4. Client responds with proper password or key.
5.Authentication server approves access.
6. Switch grants management access.