Chapter 12
| Security Measures
AAA Authorization and Accounting
Configuring Remote
Logon Authentication
Servers
Web Interface
To configure the method(s) of controlling management access:
1.
Click Security, AAA, System Authentication.
2.
Specify the authentication sequence (i.e., one to three methods).
3.
Click Apply.
Figure 152: Configuring the Authentication Sequence
Use the Security > AAA > Server page to configure the message exchange
parameters for RADIUS or TACACS+ remote access authentication servers.
Remote Authentication Dial-in User Service (RADIUS) and Terminal Access
Controller Access Control System Plus (TACACS+) are logon authentication
protocols that use software running on a central server to control access to RADIUS-
aware or TACACS-aware devices on the network. An authentication server contains
a database of multiple user name/password pairs with associated privilege levels
for each user that requires management access to the switch.
Figure 153: Authentication Server Operation
Web
Telnet
RADIUS/
TACACS+
server
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery,
while TCP offers a more reliable connection-oriented transport. Also, note that
RADIUS encrypts only the password in the access-request packet from the client to
the server, while TACACS+ encrypts the entire body of the packet.
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.
– 252 –
console