Tacacs+ Authentication; How Tacacs+ Authentication Works - Lenovo Flex System Fabric CN4093 Application Manual

TACACS+ Authentication

How TACACS+ Authentication Works

1. Remote administrator connects to the switch and provides user name and
2. Using Authentication/Authorization protocol, the switch sends request to
3. Authentication server checks the request against the user ID database.
4. Using TACACS+ protocol, the authentication server instructs the switch to grant or
82
CN4093 Application Guide for N/OS 8.2
Lenovo N/OS supports authentication, authorization, and accounting with
networks using the Cisco Systems TACACS+ protocol. The CN4093 functions as
the Network Access Server (NAS) by interacting with the remote client and
initiating authentication and authorization sessions with the TACACS+ access
server. The remote user is defined as someone requiring management access to the
CN4093 either through a data or management port.
TACACS+ offers the following advantages over RADIUS:
 TACACS+ uses TCP‐based connection‐oriented transport; whereas RADIUS is
UDP‐based. TCP offers a connection‐oriented transport, while UDP offers
best‐effort delivery. RADIUS requires additional programmable variables such
as re‐transmit attempts and time‐outs to compensate for best‐effort transport,
but it lacks the level of built‐in support that a TCP transport offers.
 TACACS+ offers full packet encryption whereas RADIUS offers password‐only
encryption in authentication requests.
 TACACS+ separates authentication, authorization and accounting.
TACACS+ works much in the same way as RADIUS authentication as described on
page 78.
password.
authentication server.
deny administrative access.
During a session, if additional authorization checking is needed, the switch checks
with a TACACS+ server to determine if the user is granted permission to use a
particular command.