Centralized AAA Servers; Centralized TACACS+ Servers - AudioCodes Mediant 8000 Installation, Operation & Maintenance Manual


Installation & Operation Manual
33.18.6 Centralized AAA Servers

In large-scale deployments, centralized Authentication, Authorization and Accounting
(AAA) servers are used to control user access to different network equipment. AAA
servers implement the following functionality:
- Authenticate user login to the specific equipment.
- Authorize certain tasks or commands that specific users may perform on specific equipment.
- Report (account for) which users performed which tasks on the specific equipment.

Using AAA servers allows the same user credentials (usernames and
passwords) to be used across multiple pieces of network equipment. It also greatly simplifies user
provisioning and may be used to enforce enhanced security policies, for example:
- Time-based login
- Enforce password complexity
- Immediately revoke privileges from specific users

The Mediant 8000 supports two types of centralized AAA servers:
- TACACS+ Servers
- RADIUS Servers

When the Mediant 8000 is configured to work with centralized AAA servers, all user
maintenance and provisioning tasks should be performed on the AAA servers (using
the corresponding configuration interfaces) and not via the tools user or passwd CLI
commands.
33.18.6.1 Centralized TACACS+ Servers

Terminal Access Controller Access-Control System Plus (TACACS+) is an AAA
protocol developed by Cisco and supported by most Cisco network equipment.
TACACS+ servers provide all AAA services – authentication, authorization and
accounting – thus greatly simplifying network administration and user management.
Multiple TACACS+ servers may be deployed for highly available network setups.
The Mediant 8000 supports interworking with standard-compliant TACACS+ servers
and implements all AAA services as defined by the protocol (see details below). Up to
three TACACS+ servers may be defined for redundancy purposes. A local user cache
is implemented for emergency access to the Mediant 8000 in case of network outage
(for more information, see Section 'TACACS+ Protocol Overview' below).
33.18.6.1.1 TACACS+ Protocol Overview
The Mediant 8000 implements the latest version of the TACACS+ protocol as defined
in IETF draft-grant-tacacs-02. All major protocol functionality, including message
encryption, is supported.
Up to three TACACS+ servers may be configured for redundancy purposes. The
Mediant 8000 falls back to the redundant TACACS+ server in case communication
with the active TACACS+ server fails. Communication with the currently selected
TACACS+ server continues until the next failure.
Version 6.6
33. Configuring Security Settings
375
October 2014
