66 RackSwitch G8000: Application Guide
All user privileges, other than those assigned to the Administrator, have to be
defined in the RADIUS dictionary. RADIUS attribute 6 which is built into all RADIUS
servers defines the administrator. The file name of the dictionary is RADIUS
vendor-dependent. The following RADIUS attributes are defined for G8000 user
privileges levels:
TACACS+ Authentication
N/OS supports authentication and authorization with networks using the Cisco
Systems TACACS+ protocol. The G8000 functions as the Network Access Server
(NAS) by interacting with the remote client and initiating authentication and
authorization sessions with the TACACS+ access server. The remote user is
defined as someone requiring management access to the G8000 through a data
port.
TACACS+ offers the following advantages over RADIUS:
•
TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is
UDP-based. TCP offers a connection-oriented transport, while UDP offers
best-effort delivery. RADIUS requires additional programmable variables such as
re-transmit attempts and time-outs to compensate for best-effort transport, but it
lacks the level of built-in support that a TCP transport offers.
•
TACACS+ offers full packet encryption whereas RADIUS offers password-only
encryption in authentication requests.
•
TACACS+ separates authentication, authorization and accounting.
How TACACS+ Authentication Works
TACACS+ works much in the same way as RADIUS authentication as described on
page 63.
1. Remote administrator connects to the switch and provides user name and
password.
2. Using Authentication/Authorization protocol, the switch sends request to
authentication server.
3. Authentication server checks the request against the user ID database.
4. Using TACACS+ protocol, the authentication server instructs the switch to
grant or deny administrative access.
During a session, if additional authorization checking is needed, the switch checks
with a TACACS+ server to determine if the user is granted permission to use a
particular command.
Table 4. IBM N/OS-proprietary Attributes for RADIUS
User Name/Access User-Service-Type Value
User Vendor-supplied 255
Operator Vendor-supplied 252
Admin Vendor-supplied 6
To Next Page
Loading...
Need help?
General
