TACACS+ Authentication Features in Enterprise NOS
© Copyright Lenovo 2017
Authentication is the action of determining the identity of a user, and is generally
done when the user first attempts to log in to a device or gain access to its services.
Enterprise NOS supports ASCII inbound login to the device. PAP, CHAP and
ARAP login methods, TACACS+ change password requests, and one-time
password authentication are not supported.
Authorization
Authorization is the action of determining a user's privileges on the device, and
usually takes place after authentication.
The default mapping between TACACS+ authorization levels and Enterprise NOS
management access levels is shown in Table 9. The authorization levels listed in
this table must be defined on the TACACS+ server.

Table 9. Default TACACS+ Authorization Levels

Enterprise NOS User Access Level    TACACS+ Level
user                                0
oper                                3
admin (USERID)                      6

Alternate mapping between TACACS+ authorization levels and Enterprise NOS
management access levels is shown in Table 10. Use the following command to use
the alternate TACACS+ authorization levels:

CN 4093(config)# tacacs-server privilege-mapping

Table 10. Alternate TACACS+ Authorization Levels

Enterprise NOS User Access Level    TACACS+ Level
user                                0–1
oper                                6–8
admin (USERID)                      14–15

You can customize the mapping between TACACS+ privilege levels and CN4093
management access levels. Use the following command to manually map each
TACACS+ privilege level (0-15) to a corresponding CN4093 management access
level:

CN 4093(config)# tacacs-server user-mapping

If the remote user is successfully authenticated by the authentication server, the
switch verifies the privileges of the remote user and authorizes the appropriate
access.
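
The following Python example is added here and is not part of the Lenovo guide. It encodes Tables 9 and 10 and reports which accounts defined on the TACACS+ server would gain, lose or change switch access when `tacacs-server privilege-mapping` is enabled. The account names are constructed, and treating a level that is absent from a table as having no mapped access level is an assumption, because the guide does not describe that case.

```python
# Added example: audit TACACS+ accounts before switching the CN4093 from the
# default mapping (Table 9) to the alternate mapping (Table 10).

DEFAULT_MAP = {0: "user", 3: "oper", 6: "admin"}                      # Table 9
ALTERNATE_MAP = {lvl: name for levels, name in
                 (((0, 1), "user"), ((6, 7, 8), "oper"), ((14, 15), "admin"))
                 for lvl in levels}                                   # Table 10

# Ordering used to compare access levels; None means "no mapped level"
# (assumption: the guide does not say what happens to unlisted levels).
RANK = {None: 0, "user": 1, "oper": 2, "admin": 3}

# Constructed sample of (account, priv-lvl) pairs as defined on the server.
SAMPLE_ACCOUNTS = [("netops-ro", 0), ("noc-oper", 3), ("switch-admin", 6),
                   ("legacy-root", 15), ("helpdesk", 1)]


def access_level(priv_lvl, alternate=False):
    """Return the Enterprise NOS access level for a TACACS+ level, or None."""
    if not 0 <= priv_lvl <= 15:
        raise ValueError(f"TACACS+ privilege level out of range: {priv_lvl}")
    return (ALTERNATE_MAP if alternate else DEFAULT_MAP).get(priv_lvl)


def audit_switchover(accounts):
    """List accounts whose effective access differs between the two mappings."""
    findings = []
    for name, lvl in accounts:
        before = access_level(lvl)
        after = access_level(lvl, alternate=True)
        if before == after:
            continue
        if RANK[after] > RANK[before]:
            kind = "escalated"      # gains access it did not have before
        elif after is None:
            kind = "unmapped"       # no longer maps to any access level
        else:
            kind = "reduced"        # still mapped, but to a lower level
        findings.append((name, lvl, before, after, kind))
    return findings


if __name__ == "__main__":
    for name, lvl, before, after, kind in audit_switchover(SAMPLE_ACCOUNTS):
        print(f"{name:13} priv-lvl {lvl:2}: {before} -> {after} [{kind}]")
```

Entries reported as escalated are the ones to review first: a level such as 15 has no entry in the default table but corresponds to admin in the alternate one.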
Chapter 5: Authentication & Authorization Protocols