Quanta Cloud Technology QuantaMesh QNOS5 User Manual

256 pages
4.1.2. Using TACACS+ to Control Management Access
TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices
via one or more centralized servers. TACACS+ simplifies authentication by making use of a single database
that can be shared by many clients on a large network. TACACS+ uses TCP to ensure reliable delivery and a
shared key configured on the client and daemon server to encrypt all messages.

If you configure TACACS+ as the authentication method for user login and a user attempts to access the user
interface on the switch, the switch prompts for the user login credentials and requests services from the
TACACS+ client. The client then uses the configured list of servers for authentication, and provides results
back to the switch.

You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You
can also assign each host a priority to determine the order in which the TACACS+ client will contact them.
The TACACS+ client contacts a server when a connection attempt to a higher-priority server fails or times out.

You can configure each server host with a specific connection type, port, timeout, and shared key, or you
can use global configuration for the key and timeout.

The TACACS+ server can do the authentication itself, or redirect the request to another back-end device. All
sensitive information is encrypted and the shared secret is never passed over the network; it is used only to
encrypt the data.

4.1.3. Configuring and Applying Authentication Profiles
A user can access the switch management interface only after providing a valid user name and password
combination that matches the user account information stored in the user database configured on the
switch.

QNOS software includes several additional features to increase management security and help prevent
unauthorized access to the CLI.

An authentication profile specifies which authentication method or methods to use to authenticate a user
who attempts to access the switch management interface. The profile includes a method list, which defines
how authentication is to be performed, and in which order. The list specifies the authentication method to
use first, and if the first method returns an error, the next method in the list is tried. This continues until all
methods in the list have been attempted. If no method can perform the authentication, then the
authentication fails. A method might return an error if, for example, the authentication server is
unreachable or misconfigured.

The authentication method can be one or more of the following:
• enable—Uses the enable password for authentication. If there is no enable password defined,
  then the enable method returns an error.
• line—Uses the Line password for authentication. If there is no line password defined for the
  access line, then the line method returns an error.
• local—Uses the ID and password in the Local User Database for authentication. If the user ID
  is not in the local database, access is denied. This method never returns an error. It always
  permits or denies a user.
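
The method-list behavior described above, modeled as an added example (not QNOS code): only an error falls through to the next method, a denial is final, and anything listed after local is never consulted. All function names, the SWITCH state, and the tacacs method's behavior (error when the server is unreachable) are assumptions made for illustration.

```python
import hmac
from enum import Enum

class Result(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ERROR = "error"  # method could not decide, so the next method is tried

def _same(stored, supplied):
    # Constant-time comparison; a missing stored value never matches.
    return stored is not None and hmac.compare_digest(stored.encode(), supplied.encode())

def _verdict(ok):
    return Result.PERMIT if ok else Result.DENY

def enable(sw, user, pw):  # errors when no enable password is defined
    stored = sw.get("enable_password")
    return Result.ERROR if stored is None else _verdict(_same(stored, pw))

def line(sw, user, pw):  # errors when no line password is defined
    stored = sw.get("line_password")
    return Result.ERROR if stored is None else _verdict(_same(stored, pw))

def local(sw, user, pw):  # never errors: an unknown user ID is a denial
    return _verdict(_same(sw.get("local_users", {}).get(user), pw))

def tacacs(sw, user, pw):  # assumption: an unreachable server is an error
    if not sw.get("tacacs_reachable"):
        return Result.ERROR
    return _verdict(_same(sw.get("tacacs_users", {}).get(user), pw))

METHODS = {"enable": enable, "line": line, "local": local, "tacacs": tacacs}
NEVER_ERRORS = {"local"}

def authenticate(method_list, sw, user, pw):
    """Walk the list in order; only ERROR falls through to the next method."""
    trace = []
    for name in method_list:
        result = METHODS[name](sw, user, pw)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    return Result.DENY, trace  # no method could perform the authentication

def unreachable_methods(method_list):
    """Methods listed after one that never errors can never be consulted."""
    for i, name in enumerate(method_list):
        if name in NEVER_ERRORS:
            return list(method_list[i + 1:])
    return []

# Constructed switch state for the demonstration.
SWITCH = {"enable_password": None, "line_password": "l1ne", "tacacs_reachable": False,
          "tacacs_users": {"alice": "t@c"}, "local_users": {"admin": "s3cret"}}
```

With the server reachable, a local-only account is denied by the first method and the local database is never checked, so a trailing local entry covers server outages, not server rejections.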


Quanta Cloud Technology QuantaMesh QNOS5 Specifications

Brand: Quanta Cloud Technology
Model: QuantaMesh QNOS5
Category: Network Router
Language: English