System Management Guide Security
Edition: 01 3HE 11018 AAAC TQZZA 27
This example uses the authentication order of RADIUS, then TACACS+, and finally,
local. An access request is sent to RADIUS server 1. One of two scenarios can occur.
If there is no response from the server, the request is passed to the next RADIUS
server with the next lowest index (RADIUS server 2) and so on, until the last RADIUS
server is attempted (RADIUS server 5). If server 5 does not respond, the request is
passed to the TACACS+ server 1. If there is no response from that server, the
request is passed to the next TACACS+ server with the next lowest index (TACACS+
server 2) and so on.
If a request is sent to an active RADIUS server and the user name and password are
not recognized, access is denied and passed on to the next authentication option, in
this case, the TACACS+ server. The process continues until the request is either
accepted, denied, or each server is queried. Finally, if the request is denied by the
active TACACS+ server, the local parameters are checked for user name and
password verification. This is the last chance for the access request to be accepted.
Figure 2 Security Flow
RADIUS
Server 1
Access
Denied
RADIUS
Server 2
No Response
Access
Denied
No Response
Access
Denied
No Response
Access
Denied
No Response
RADIUS
Server 3
RADIUS
Server 4
RADIUS
Server 5
Start
Deny
Deny
Deny
Access
Accept
19672
TACACS+
Server 1
Access
Denied
TACACS+
Server 2
Local
No Response
Access
Denied
No Response No Response No Response
TACACS+
Server 3
TACACS+
Server 4
TACACS+
Server 5
To Next Page
Loading...
