C
HAPTER
13
| Security Measures
AAA Authentication, Authorization and Accounting
– 309 –
Figure 151: Authentication Server Operation
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a more reliable connection-oriented transport.
Also, note that RADIUS encrypts only the password in the access-request
packet from the client to the server, while TACACS+ encrypts the entire
body of the packet.
CLI REFERENCES
â—† "RADIUS Client" on page 808
â—† "TACACS+ Client" on page 812
â—† "AAA" on page 816
COMMAND USAGE
â—† If a remote authentication server is used, you must specify the
message exchange parameters for the remote authentication protocol.
Both local and remote logon authentication control management access
via the console port, web browser, or Telnet.
â—† RADIUS and TACACS+ logon authentication assign a specific privilege
level for each user name/password pair. The user name, password, and
privilege level must be configured on the authentication server. The
encryption methods used for the authentication process must also be
configured or negotiated between the authentication server and logon
client. This switch can pass authentication messages between the
server and client that have been encrypted using MD5 (Message-Digest
5), TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer
Security).
PARAMETERS
These parameters are displayed:
Configure Server
â—† RADIUS
â–
Global – Provides globally applicable RADIUS settings.
â–
Server Index – Specifies one of five RADIUS servers that may be
configured. The switch attempts authentication using the listed
Web
Telnet
RADIUS/
TACACS+
server
console
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
To Next Page
Loading...
Need help?
General
