© Copyright IBM Corp. 2011 63
Chapter 5. Authentication & Authorization Protocols
Secure switch management is needed for environments that perform significant
management functions across the Internet. The following are some of the functions
for secured IPv4 management and device access:
• “RADIUS Authentication and Authorization” on page 63
• “TACACS+ Authentication” on page 66
• “LDAP Authentication and Authorization” on page 69
Note: IBM Networking OS 6.8 does not support IPv6 for RADIUS, TACACS+ or
LDAP.
RADIUS Authentication and Authorization
IBM N/OS supports the RADIUS (Remote Authentication Dial-in User Service)
method to authenticate and authorize remote administrators for managing the
switch. This method is based on a client/server model. The Remote Access Server
(RAS)—the switch—is a client to the back-end database server. A remote user (the
remote administrator) interacts only with the RAS, not the back-end server and
database.
RADIUS authentication consists of the following components:
• A protocol with a frame format that utilizes UDP over IP (based on RFC 2138
and 2866)
• A centralized server that stores all the user authorization information
• A client: in this case, the switch
The G8000—acting as the RADIUS client—communicates to the RADIUS server to
authenticate and authorize a remote administrator using the protocol definitions
specified in RFC 2138 and 2866. Transactions between the client and the RADIUS
server are authenticated using a shared key that is not sent over the network. In
addition, the remote administrator passwords are sent encrypted between the
RADIUS client (the switch) and the back-end RADIUS server.
How RADIUS Authentication Works
The RADIUS authentication process follows these steps:
1. A remote administrator connects to the switch and provides a user name and
password.
2. Using Authentication/Authorization protocol, the switch sends request to
authentication server.
3. The authentication server checks the request against the user ID database.
4. Using RADIUS protocol, the authentication server instructs the switch to grant
or deny administrative access.
To Next Page
Loading...
Need help?
General
