RADIUS and TACACS+ Security Protocols - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x

RADIUS and TACACS+ Security Protocols

Authorization
Provides the method for remote access control, including one-time authorization or authorization for
each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and
Telnet.
Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating
attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization works
by assembling a set of attributes that describe what the user is authorized to perform. These attributes
are compared with the information contained in a database for a given user, and the result is returned to
AAA to determine the user's actual capabilities and restrictions.

Accounting
Provides the method for collecting and sending security server information used for billing, auditing,
and reporting, such as user identities, start and stop times, executed commands (such as PPP), number
of packets, and number of bytes. Accounting enables you to track the services that users are accessing,
as well as the amount of network resources that they are consuming.

Note
You can configure authentication outside of AAA. However, you must configure AAA if you want to use
RADIUS or TACACS+, or if you want to configure a backup authentication method.

Related Topics
Configuring AAA

RADIUS and TACACS+ Security Protocols
AAA uses security protocols to administer its security functions. If your router or access server is acting as
a network access server, AAA is the means through which you establish communication between your network
access server and your RADIUS or TACACS+ security server.
The chapters in this guide describe how to configure the following security server protocols:

RADIUS
A distributed client/server system implemented through AAA that secures networks against unauthorized
access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication
requests to a central RADIUS server that contains all user authentication and network service access
information.

TACACS+
A security application implemented through AAA that provides a centralized validation of users who
are attempting to gain access to a router or network access server. TACACS+ services are maintained
in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.

Related Topics
Configuring RADIUS
Configuring TACACS+
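
The AV-pair authorization described under Authorization above, as an added example that is not part of the Cisco guide: a TACACS+ client-side check that parses the AV pairs returned by the server and fails closed. It goes slightly beyond the text by using the RFC 8907 separators ("=" mandatory, "*" optional); the SUPPORTED set, the function names and the sample pairs are assumptions made for illustration.

```python
# Added example: client-side handling of TACACS+ authorization AV pairs.
# "attr=value" is mandatory, "attr*value" is optional (RFC 8907).
# SUPPORTED and the sample replies below are constructed for illustration.
import re

SUPPORTED = {"priv-lvl", "idletime", "shell:roles"}  # assumed client feature set
_AV = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)  # name may not contain '=' or '*'


def parse_av_pairs(pairs):
    """Split each AV pair into (attribute, is_mandatory, value)."""
    parsed = []
    for raw in pairs:
        m = _AV.match(raw)
        if not m:
            raise ValueError(f"malformed AV pair: {raw!r}")
        attr, sep, value = m.groups()
        parsed.append((attr, sep == "=", value.strip('"')))
    return parsed


def authorize(pairs):
    """Return (granted, rights); deny on malformed or unsupported mandatory pairs."""
    try:
        parsed = parse_av_pairs(pairs)
    except ValueError:
        return False, {}
    rights = {}
    for attr, mandatory, value in parsed:
        if attr in SUPPORTED:
            rights[attr] = value
        elif mandatory:
            # The client cannot honour a mandatory attribute: fail closed.
            return False, {}
        # Unsupported optional attributes are ignored.
    return True, rights


if __name__ == "__main__":
    # Constructed server replies, not captured from a real device.
    print(authorize(["priv-lvl=15", 'shell:roles="network-admin"']))
    print(authorize(["priv-lvl=15", "acl*101"]))
    print(authorize(["priv-lvl=15", "acl=101"]))
```

Denying on an unsupported mandatory pair keeps a restriction the server intended from being silently dropped by a client that does not implement it.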