© Copyright IBM Corp. 2011 Chapter 5. Authentication & Authorization Protocols 67
TACACS+ Authentication Features in IBM N/OS
Authentication is the action of determining the identity of a user, and is generally
done when the user first attempts to log in to a device or gain access to its services.
N/OS supports ASCII inbound login to the device. PAP, CHAP and ARAP login
methods, TACACS+ change password requests, and one-time password
authentication are not supported.
Authorization
Authorization is the action of determining a user’s privileges on the device, and
usually takes place after authentication.
The default mapping between TACACS+ authorization levels and N/OS
management access levels is shown in Table 5. The authorization levels must be
defined on the TACACS+ server.
Alternate mapping between TACACS+ authorization levels and N/OS management
access levels is shown in Table 6. Use the following command to set the alternate
TACACS+ authorization levels.
If the remote user is successfully authenticated by the authentication server, the
switch verifies the privileges of the remote user and authorizes the appropriate
access. The administrator has an option to allow secure backdoor access via
Telnet/SSH. Secure backdoor provides switch access when the TACACS+ servers
cannot be reached. You always can access the switch via the console port, by using
notacacs
and the administrator password, whether secure backdoor is enabled or
not.
Note: To obtain the TACACS+ backdoor password for your G8000, contact
Technical Support.
Table 5. Default TACACS+ Authorization Levels
N/OS User Access Level TACACS+ level
user
0
oper
3
admin
6
RS G8000(config)# tacacs-server privilege-mapping
Table 6. Alternate TACACS+ Authorization Levels
N/OS User Access Level TACACS+ level
user
0 - 1
oper
6 - 8
admin
14 - 15
To Next Page
Loading...
Need help?
General
