Juniper EX2500 Configuration Guide

Juniper EX2500
102 pages
EX2500 Ethernet Switch Configuration Guide
14 Securing Access to the Switch
TACACS+ Authentication
The EX2500 switch supports authentication and authorization with networks using
the TACACS+ protocol. The EX2500 switch functions as the Network Access Server
(NAS) by interacting with the remote client and initiating authentication and
authorization sessions with the TACACS+ access server. The remote user is
defined as someone requiring management access to the EX2500 switch either
through a data port or a management port.
TACACS+ offers the following advantages over RADIUS:
- TACACS+ uses TCP-based connection-oriented transport, whereas RADIUS is
  UDP-based. TCP offers a connection-oriented transport, while UDP offers
  best-effort delivery. RADIUS requires additional programmable variables such
  as re-transmit attempts and time-outs to compensate for best-effort transport,
  but it lacks the level of built-in support that a TCP transport offers.
- TACACS+ offers full packet encryption, whereas RADIUS offers password-only
  encryption in authentication requests.
- TACACS+ separates authentication, authorization, and accounting.
How TACACS+ Authentication Works
TACACS+ works in much the same way as RADIUS authentication, as described on
page 11. The remote administrator connects to the switch and provides a
username and password.
1. Using the Authentication/Authorization protocol, the switch sends a request to
the authentication server.
2. The authentication server checks the request against the user ID database.
3. Using the TACACS+ protocol, the authentication server instructs the switch to
grant or deny administrative access.
During a session, if additional authorization checking is needed, the switch checks
with a TACACS+ server to determine if the user is granted permission to use a
particular command.
TACACS+ Authentication Features in the EX2500 Switch
Authentication is the action of determining the identity of a user, and is generally
done when the user first attempts to log in to a device or gain access to its services.
The EX2500 switch supports ASCII inbound login to the device. PAP, CHAP, and
ARAP login methods; TACACS+ change password requests; and one-time
password authentication are not supported.
Authorization
Authorization is the action of determining a user’s privileges on the device, and
usually takes place after authentication.
