AT-9000 Switch Command Line User’s Guide
Section XI: Management Security 1193
Note
For information on the RADIUS and TACACS+ authentication
protocols, refer to the RFC 2865 and RFC 1492 standards,
respectively.
Guidelines

Here are the guidelines for using the RADIUS and TACACS+ clients:

- Only one client can be active on the switch at a time.
- The clients can have a maximum of three IP addresses of authentication servers.
- The switch must have a management IP address. For instructions, refer to Chapter 9, “IPv4 and IPv6 Management Addresses” on page 201.
- The authentication servers on your network must be members of the same subnet as the management IP address of the switch or have access to it through routers or other Layer 3 devices.
- If the authentication servers are not members of the same subnet as the management IP address, the switch must have a default gateway. The default gateway defines the IP address of the first hop toward the remote subnet of the servers. For instructions, refer to Chapter 9, “IPv4 and IPv6 Management Addresses” on page 201.
- The client polls the servers for authentication information in the order in which they are listed in the client.
- If the switch is unable to communicate with the authentication servers when a manager logs on, because either the servers are not responding or the RADIUS or TACACS+ client is configured incorrectly, the switch automatically reactivates the local manager accounts so that you can continue to log on and manage the unit.
- The switch does not support the two earlier versions of the TACACS+ protocol, TACACS and XTACACS.
- The TACACS+ client does not support 802.1x port-based network access control. You must use the RADIUS client and a RADIUS server for that feature.
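
The guidelines above can be checked against a planned configuration before it is entered on the switch. The following Python sketch is an added example, not part of the original guide or of the switch software; the function name `check_auth_plan`, its parameters, and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

MAX_SERVERS = 3  # guideline: at most three authentication server addresses


def check_auth_plan(client, mgmt_interface, servers, default_gateway=None,
                    uses_8021x=False):
    """Return the guideline violations in a planned client setup.

    client          -- "radius" or "tacacs+" (only one can be active)
    mgmt_interface  -- management address with prefix, e.g. "192.0.2.10/24"
    servers         -- server addresses in the order the client will poll them
    """
    problems = []
    if client not in ("radius", "tacacs+"):
        problems.append(f"unknown client {client!r}")
    if client == "tacacs+" and uses_8021x:
        problems.append("802.1x port-based access control needs the RADIUS client")
    if not 1 <= len(servers) <= MAX_SERVERS:
        problems.append(
            f"{len(servers)} servers listed; allowed range is 1-{MAX_SERVERS}")
    if not mgmt_interface:
        problems.append("switch has no management IP address")
        return problems
    subnet = ipaddress.ip_interface(mgmt_interface).network
    for position, server in enumerate(servers, start=1):
        # A server of a different IP version is never "in" the subnet.
        on_subnet = ipaddress.ip_address(server) in subnet
        if not on_subnet and not default_gateway:
            problems.append(
                f"server {position} ({server}) is outside {subnet} "
                "and no default gateway is set")
    return problems


# Constructed sample plan using documentation address ranges.
SAMPLE = dict(client="tacacs+", mgmt_interface="192.0.2.10/24",
              servers=["192.0.2.50", "198.51.100.7"], uses_8021x=True)

if __name__ == "__main__":
    report = check_auth_plan(**SAMPLE) or ["plan is consistent with the guidelines"]
    for line in report:
        print(line)
```

A plan that fails these checks can leave the servers unreachable, in which case the switch reactivates the local manager accounts and those accounts become the effective login path.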