Sunfire B1600 Switch User Manual


 
Chapter 3 General Management of the Switch 3-29
RADIUS-aware or TACACS+-aware devices on the network. An authentication
server contains a database of multiple user name/password pairs with associated
privilege levels for each user that requires management access to a switch.
Note When setting up privilege levels on a RADIUS or TACACS+ server,
remember that level 0 allows guest (Normal Exec) access to the switch. Only level 15
allows administrator (Privileged Exec) access.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a connection-oriented transport. Also, note that
RADIUS encrypts only the password in the access-request packet from the client
to the server, while TACACS+ encrypts the entire body of the packet.
RADIUS and TACACS+ logon authentication controls management access
through the console port, Web browser, or Telnet. These access options must be
configured on the authentication server.
RADIUS and TACACS+ logon authentication assigns a specific privilege level for
each user name/password pair. The user name, password, and privilege level
must be configured on the authentication server.
You can specify one to three authentication methods for any user to indicate the
authentication sequence. For example, if you select (1) RADIUS and (2) Local, the
user name and password on the RADIUS server are verified first. If the RADIUS
server is not available, then the local user name and password are checked.
When configuring user authentication using the web interface or CLI, the following
parameters are displayed or can be configured:
Authentication Mechanisms
Require User Authentication The operating status of user authentication.
Preference The switch attempts to authenticate the user based on the
specified sequence.
Authentication Server Settings
Server IP Address The address of the authentication server. The default
is: 10.1.0.1.
Server Port Number – The UDP or TCP network port (between 1 and 65,535) of
the authentication server used for authentication messages. The default is 1812.
Encryption Key The password (between 1 and 20 characters) used to
authenticate logon access for the client. Do not use blank spaces in the string.
No. of Retries
7
The number of times (between 1 and 30) the switch tries to
authenticate logon access through the authentication server. The default is 2.
7. AppliesonlytoRADIUSserverauthentication.