39-4
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 39 Configuring the Switch Access Using AAA
Understanding How Authentication Works

Understanding How TACACS+ Authentication Works

TACACS+ controls access to the network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or an entity. TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol that is specified by RFC 1492. TACACS+ uses TCP to ensure reliable delivery and encrypts all traffic between the TACACS+ server and the TACACS+ daemon on a network device.

TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances:

• When you first log on to a machine
• When you send a service request that requires privileged access
When you request privileged or restricted services, TACACS+ encrypts your user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type that is being sent (for example, an authentication packet), the packet sequence number, the encryption type that is used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.

A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use any or all of the three services.
When the TACACS+ server receives the packet, it does one of the following:

• Authenticates the user information and notifies the client that authentication has either passed or failed.
• Notifies the client that authentication will continue and that the client must provide additional information. This challenge-response process can continue through multiple iterations until authentication either passes or fails.
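The challenge-response exchange just described, modelled in Python as an added example (this is not code from the guide or from Cisco). Only the authentication REPLY and CONTINUE bodies from RFC 8907 are encoded; the 12-byte packet header, the TCP transport and the body obfuscation are left out, and the user table, prompts and session ids are constructed. The server either answers PASS/FAIL straight away or asks for more information (GETUSER, GETPASS) and the client keeps answering until a terminal status arrives; the client also caps the number of rounds so a peer that never reaches a terminal status cannot keep the session open indefinitely, and treats that cap as a failure rather than a pass.

```python
import struct

# Authentication REPLY status values (RFC 8907 section 5.2).
PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR = range(1, 8)
TERMINAL = {PASS, FAIL, ERROR}            # statuses that end the exchange


def encode_reply(status, server_msg=b"", data=b""):
    """REPLY body: status, flags, server_msg_len, data_len, then the two strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def decode_reply(body):
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len]
    data = body[6 + msg_len:6 + msg_len + data_len]
    return status, flags, server_msg, data


def encode_continue(user_msg=b"", data=b""):
    """CONTINUE body: user_msg_len, data_len, flags, then the two strings."""
    return struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data


def decode_continue(body):
    msg_len, data_len, flags = struct.unpack("!HHB", body[:5])
    user_msg = body[5:5 + msg_len]
    data = body[5 + msg_len:5 + msg_len + data_len]
    return user_msg, flags, data


class ToyTacacsServer:
    """Server side of the exchange; users is a constructed username -> password table."""

    def __init__(self, users):
        self.users = users
        self.sessions = {}   # session_id -> username learned so far (None until known)

    def handle_start(self, session_id, user):
        # A START may already carry the username; if not, ask for it first.
        self.sessions[session_id] = user or None
        if not user:
            return encode_reply(GETUSER, b"Username: ")
        return encode_reply(GETPASS, b"Password: ")

    def handle_continue(self, session_id, body):
        user_msg, _, _ = decode_continue(body)
        if session_id not in self.sessions:
            return encode_reply(ERROR, b"unknown session")
        if self.sessions[session_id] is None:           # answer to GETUSER
            self.sessions[session_id] = user_msg
            return encode_reply(GETPASS, b"Password: ")
        user = self.sessions.pop(session_id)            # answer to GETPASS: decide now
        if self.users.get(user) == user_msg:
            return encode_reply(PASS)
        return encode_reply(FAIL, b"Authentication failed")


def authenticate(server, session_id, user, password, user_in_start=True, max_rounds=8):
    """Client side: send START, answer each prompt, stop at a terminal status.
    Returns (final status, list of statuses seen in order)."""
    reply = server.handle_start(session_id, user if user_in_start else b"")
    seen = []
    for _ in range(max_rounds):
        status, _, _, _ = decode_reply(reply)
        seen.append(status)
        if status in TERMINAL:
            return status, seen
        if status == GETUSER:
            answer = user
        elif status == GETPASS:
            answer = password
        else:                          # GETDATA/RESTART are not modelled: give up
            return ERROR, seen
        reply = server.handle_continue(session_id, encode_continue(answer))
    return ERROR, seen                 # round cap reached: never treat as a pass


if __name__ == "__main__":
    srv = ToyTacacsServer({b"admin": b"constructed-pw"})   # constructed credentials
    print(authenticate(srv, 1, b"admin", b"constructed-pw"))
    print(authenticate(srv, 2, b"admin", b"constructed-pw", user_in_start=False))
    print(authenticate(srv, 3, b"admin", b"wrong"))
```

The returned status list is the trace of the iterations: a START that already names the user takes one round (GETPASS, then PASS or FAIL), while a START without a user takes two (GETUSER, GETPASS, then the decision).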
You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one that is configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all the transmitted TACACS+ packets. If you do not configure a TACACS+ key, the packets are not encrypted.
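To make the header fields described above and the effect of the shared key concrete, here is an added Python example (not code from the guide or from Cisco). It builds and parses the 12-byte TACACS+ header (version, type, sequence number, flags, session id, body length) and applies the body protection that RFC 8907 specifies: an MD5-derived pad seeded with the session id, the key, the version byte and the sequence number, XORed over the body. When no key is given, the example sets the unencrypted flag and leaves the body in cleartext, which is what the guide says happens when no TACACS+ key is configured; `is_cleartext()` is the check an operator would run over captured packets to find peers talking in the clear. All sample values (session id, key, body) are constructed.

```python
import hashlib
import struct

# TACACS+ packet header (RFC 8907 section 4.1): 12 bytes, network byte order.
# Fields, in order: version, type, seq_no, flags, session_id, length.
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet types the header identifies
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set when no shared key is used: body is cleartext


def pseudo_pad(session_id, key, version, seq_no, length):
    """Pad stream from RFC 8907 section 4.5: chained MD5 digests of
    session_id, key, version and seq_no, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Apply the pad; XOR is its own inverse, so this both protects and recovers."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key=None):
    """Wrap a body in a TACACS+ header, protecting it only when a key is configured."""
    flags = 0
    if key:
        body = xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no,
                         flags, session_id, len(body))
    return header + body


def parse_header(packet):
    """Decode the fields the text lists: packet type, sequence number,
    encryption flag and body length (plus version and session id)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "length": length}


def is_cleartext(packet):
    """True when the sender put the body on the wire unprotected (no key on its side)."""
    return bool(parse_header(packet)["flags"] & TAC_PLUS_UNENCRYPTED_FLAG)


def decode_body(packet, key=None):
    """Recover the body of a captured packet, given the shared key when one was used."""
    h = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if len(body) != h["length"]:
        raise ValueError("body shorter than the header length field")
    if is_cleartext(packet):
        return body
    if not key:
        raise ValueError("protected body but no key supplied")
    return xor_body(body, h["session_id"], key, h["version"], h["seq_no"])


if __name__ == "__main__":
    # Constructed sample values; none of them come from the manual.
    sid, key, body = 0x1A2B3C4D, b"constructed-shared-secret", b"constructed start body"
    keyed = build_packet(TAC_PLUS_AUTHEN, 1, sid, body, key)
    unkeyed = build_packet(TAC_PLUS_AUTHEN, 1, sid, body)
    print(parse_header(keyed))
    print("keyed body on wire  :", keyed[HEADER_LEN:].hex())
    print("unkeyed body on wire:", unkeyed[HEADER_LEN:])
    print("cleartext flag set  :", is_cleartext(unkeyed))
```

Because the pad depends on the key, a mismatched key on one side yields garbage rather than the original body, which is why the guide requires the switch key to equal the one on the servers; and because the pad is only applied when a key exists, the unkeyed packet carries the username and password bytes verbatim after the 12-byte header.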
You can configure the following TACACS+ parameters on the switch:

• Enable or disable TACACS+ authentication to determine if a user has permission to access the switch
• Enable or disable TACACS+ authentication to determine if a user has permission to enter privileged mode
• Specify a key that is used to encrypt the protocol packets
• Specify the server on which the TACACS+ server daemon resides
• Set the number of login attempts that are allowed
• Set the timeout interval for a server daemon response
• Enable or disable the directed-request option
TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time.

If local authentication is disabled and you then disable all other authentication methods, local authentication is re-enabled automatically.