Ericsson ECN330 - Page 134

Configuring the ECN330-switch
128 1553-KDU 137 365 Uen D 2006-06-16
6.5.2 Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on
specified user names and passwords. Access rights can be manually configured
on the ECN330-switch, or a remote access authentication server based on
RADIUS or TACACS+ protocols can be used.
Remote Authentication Dial-in User Service (RADIUS) and Terminal Access
Controller Access Control System Plus (TACACS+) are logon authentication
protocols that use software running on a central server to control access to
RADIUS-aware or TACACS-aware devices on the network. An authentication
server contains a database of multiple user name/password pairs with
associated privilege levels for each user that requires management access to
the ECN330-switch.
Figure 43 Authentication Server Operation
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a connection-oriented transport. Also, note that
RADIUS encrypts only the password in the access-request packet from the
client to the server, while TACACS+ encrypts the entire body of the packet.
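The difference in what each protocol protects on the wire, as an added example that is not part of the Ericsson manual: it builds a RADIUS Access-Request with the User-Password hiding of RFC 2865 and a TACACS+ PAP authentication START with the body obfuscation of RFC 8907, both of which XOR the data with an MD5-derived pad keyed by the shared secret. The user name, password, shared secret, port name and session id are constructed sample values.

```python
import hashlib
import struct

def md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide User-Password in 16-byte chained MD5 blocks."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password.ljust(max(1, -(-len(password) // 16)) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor(padded[i:i + 16], md5(secret, prev))
        out += prev
    return out

def radius_access_request(user: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Access-Request (code 1): User-Name (type 1) goes in clear, User-Password (type 2) hidden."""
    attrs = b""
    for attr_type, value in ((1, user), (2, radius_hide_password(password, secret, authenticator))):
        attrs += bytes([attr_type, len(value) + 2]) + value
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate(header: bytes, body: bytes, key: bytes) -> bytes:
    """RFC 8907 section 4.5: XOR the whole body with an MD5 pad; the 12-byte header stays clear."""
    version, seq_no, session_id = header[0:1], header[2:3], header[4:8]
    pad, block = b"", b""
    while len(pad) < len(body):
        block = md5(session_id, key, version, seq_no, block)
        pad += block
    return header + xor(body, pad)

def tacacs_authen_start(user: bytes, password: bytes, key: bytes, session_id: int) -> bytes:
    """PAP authentication START: user name and password both sit inside the body."""
    port = b"tty0"  # constructed port name
    body = struct.pack("!8B", 1, 1, 2, 1, len(user), len(port), 0, len(password)) + user + port + password
    header = struct.pack("!BBBBII", 0xC1, 1, 1, 0, session_id, len(body))
    return tacacs_obfuscate(header, body, key)

# Constructed sample values, not taken from any real device
USER, PASSWORD, SECRET = b"admin", b"Example-Passw0rd", b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))  # fixed for a repeatable demo; must be random in practice

if __name__ == "__main__":
    radius = radius_access_request(USER, PASSWORD, SECRET, AUTHENTICATOR)
    tacacs = tacacs_authen_start(USER, PASSWORD, SECRET, 0x01020304)
    print("RADIUS  user visible:", USER in radius, "| password visible:", PASSWORD in radius)
    print("TACACS+ user visible:", USER in tacacs, "| password visible:", PASSWORD in tacacs)
```

In a packet capture, the RADIUS user name is readable while only the password attribute is hidden; in the TACACS+ packet only the 12-byte header is readable.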
Command Usage
By default, management access is always checked against the
authentication database stored on the local ECN330-switch. If a remote
authentication server is used, the authentication sequence and the
corresponding parameters for the remote authentication protocol must
Figure 43 labels: Web, Telnet, console, RADIUS/TACACS+ server
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.