SECURITY 2-37
Command Usage
• By default, management access is always checked against the authentication database stored on the local switch. If a remote authentication server is used, you must specify the authentication sequence and the corresponding parameters for the remote authentication protocol.
• RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best-effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
• RADIUS and TACACS+ logon authentication control management access via the console port, Web browser, or Telnet. These access options must be configured on the authentication server.
• RADIUS and TACACS+ logon authentication assign a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the server.
• You can specify up to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS, (2) TACACS+ and (3) Local, the user name and password on the RADIUS server are verified first. If the RADIUS server is not available, then authentication is attempted using the TACACS+ server, and finally the local user name and password are checked.
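As an added illustration (not code from this manual or the switch firmware), the following Python model of the three-method sequence above shows the fall-through rule: a method is skipped only when its server is unreachable, while an accept or reject from a reachable server ends the attempt without consulting the remaining methods. Backend names, users, passwords and privilege levels are constructed sample data, and the assumption that access is denied when every configured server is unreachable is this example's own.

```python
"""Model of a management-login authentication sequence: methods are
tried in the configured order, the next method is consulted only when
the current server is unreachable, and a definite accept or reject
from a reachable server is final.  All data here is constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # server unreachable / timed out


@dataclass
class Decision:
    result: Result
    method: Optional[str]         # method that produced the verdict
    privilege: Optional[int]      # privilege level assigned by it


# A backend maps (user, password) -> (Result, privilege level or None).
Backend = Callable[[str, str], Tuple[Result, Optional[int]]]


def make_backend(reachable: bool, users: Dict[str, Tuple[str, int]]) -> Backend:
    """Build a backend from a reachability flag and a
    {username: (password, privilege)} table (constructed data)."""
    def check(user: str, password: str) -> Tuple[Result, Optional[int]]:
        if not reachable:
            return Result.UNAVAILABLE, None
        entry = users.get(user)
        if entry is not None and entry[0] == password:
            return Result.ACCEPT, entry[1]
        return Result.REJECT, None
    return check


def authenticate(user: str, password: str, sequence: List[str],
                 backends: Dict[str, Backend]) -> Decision:
    """Walk the configured sequence (one to three methods)."""
    if not 1 <= len(sequence) <= 3:
        raise ValueError("sequence must list one to three methods")
    for name in sequence:
        result, priv = backends[name](user, password)
        if result is Result.UNAVAILABLE:
            continue                          # fall through to next method
        return Decision(result, name, priv)   # accept or reject is final
    # Assumption: no reachable server means access is denied.
    return Decision(Result.UNAVAILABLE, None, None)
```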