TACACS+ Authentication
Lenovo ENOS supports authentication, authorization, and accounting with
networks using the Cisco Systems TACACS+ protocol. The NE2552E functions as
the Network Access Server (NAS) by interacting with the remote client and
initiating authentication and authorization sessions with the TACACS+ access
server. The remote user is defined as someone requiring management access to the
NE2552E either through a data or management port.

TACACS+ offers the following advantages over RADIUS:
TACACS+ uses TCP-based connection-oriented transport, whereas RADIUS is
UDP-based. TCP offers a connection-oriented transport, while UDP offers
best-effort delivery. RADIUS requires additional programmable variables such
as re-transmit attempts and time-outs to compensate for best-effort transport,
but it lacks the level of built-in support that a TCP transport offers.
TACACS+ offers full packet encryption, whereas RADIUS offers password-only
encryption in authentication requests.
TACACS+ separates authentication, authorization and accounting.

How TACACS+ Authentication Works
TACACS+ works much in the same way as RADIUS authentication as described on
page 100.
1. The remote administrator connects to the switch and provides a user name and
password.
2. Using the authentication/authorization protocol, the switch sends a request to
the authentication server.
3. The authentication server checks the request against the user ID database.
4. Using the TACACS+ protocol, the authentication server instructs the switch to
grant or deny administrative access.
During a session, if additional authorization checking is needed, the switch checks
with a TACACS+ server to determine if the user is granted permission to use a
particular command.

104
NE2552E Application Guide for ENOS 8.4
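As an added example, not taken from the Lenovo guide or from ENOS itself, the following Python builds the authentication START packet a NAS sends in step 2 and parses it as the server would, including the RFC 8907 body obfuscation (a chained-MD5 keystream XORed over the body) that is the "full packet encryption" contrasted with RADIUS above. The session id, shared secret, user name, port and remote address are constructed sample values.

```python
import hashlib
import struct

# TACACS+ wire constants (RFC 8907): major version 0xc, minor version 0 -> 0xc0
VERSION = 0xC0
TAC_PLUS_AUTHEN = 0x01        # packet type: authentication
FLAG_UNENCRYPTED = 0x01       # body sent in the clear; reject this in production
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: MD5 chained over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()  # MD5_n = MD5(seed || MD5_n-1)
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; symmetric, so the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): ASCII login, password comes later."""
    action, authen_type, service = 0x01, 0x01, 0x01  # LOGIN action, ASCII type, LOGIN service
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([action, priv_lvl, authen_type, service, len(u), len(p), len(r), 0]) + u + p + r


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Header plus obfuscated body, as the switch (NAS) sends it to the TACACS+ server."""
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Server side: split off the header, de-obfuscate with the shared secret, return the fields."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


if __name__ == "__main__":
    key = b"constructed-shared-secret"  # sample value only
    pkt = build_packet(authen_start_body("admin", "tty0", "192.0.2.10"), 0x1234ABCD, key)
    print(parse_packet(pkt, key)["body"][8:])
```

Because the keystream is derived only from the shared secret and header fields, the body protection is no stronger than that secret, which is why RFC 8907 also expects TACACS+ traffic to be confined to a protected management network.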