Access Request Flow; Figure 2: Security Flow - Alcatel-Lucent 7950 SR System Management Manual


Access Request Flow

In Figure 2, the authentication process is defined in the config>system>security>password context. The authentication order is determined by specifying the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords. This example uses the authentication order of RADIUS, then TACACS+, and finally, local. An access request is sent to RADIUS server 1. One of two scenarios can occur. If there is no response from the server, the request is passed to the next RADIUS server with the next lowest index (RADIUS server 2) and so on, until the last RADIUS server is attempted (RADIUS server 5). If server 5 does not respond, the request is passed to TACACS+ server 1. If there is no response from that server, the request is passed to the next TACACS+ server with the next lowest index (TACACS+ server 2) and so on.

If a request is sent to an active RADIUS server and the user name and password are not recognized, access is denied and the request is passed on to the next authentication option, in this case, the TACACS+ server. The process continues until the request is either accepted, denied, or each server is queried. Finally, if the request is denied by the active TACACS+ server, the local parameters are checked for user name and password verification. This is the last chance for the access request to be accepted.

Figure 2: Security Flow
[Flowchart: Start, RADIUS Servers 1 to 5, TACACS+ Servers 1 to 5, Local; transitions labeled No Response, Access Denied, Deny, and Accept.]
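
The fall-through order described above, modeled in Python as an added example (not code from the manual or from SR OS). The method labels, the server replies and the local-check flag are constructed inputs; a denial from an active server skips the remaining servers of that method, as the text states.

```python
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"
    REJECT = "deny"
    NO_RESPONSE = "no response"

def authenticate(order, servers, local_ok):
    """Model of the flow in the text. Returns (granted, trail).

    order    -- method names in configured order (labels are assumptions)
    servers  -- {method: {server_index: Reply}}, constructed test input
    local_ok -- whether the local user name/password check succeeds
    """
    trail = []
    for method in order:
        if method == "local":
            trail.append(("local", "accept" if local_ok else "deny"))
            if local_ok:
                return True, trail
            continue
        # Servers of one method are tried in index order, server 1 first.
        for index in sorted(servers.get(method, {})):
            reply = servers[method][index]
            trail.append((f"{method} server {index}", reply.value))
            if reply is Reply.ACCEPT:
                return True, trail
            if reply is Reply.REJECT:
                break  # an active server denied: move to the next method
            # No response: fall through to the next server of this method.
    return False, trail

# Constructed scenario: RADIUS 1-2 silent, RADIUS 3 denies; TACACS+ 1 silent,
# TACACS+ 2 denies; the outcome then depends on the local password check.
SCENARIO = {
    "radius": {1: Reply.NO_RESPONSE, 2: Reply.NO_RESPONSE, 3: Reply.REJECT,
               4: Reply.ACCEPT, 5: Reply.ACCEPT},
    "tacplus": {1: Reply.NO_RESPONSE, 2: Reply.REJECT, 3: Reply.ACCEPT},
}
ORDER = ["radius", "tacplus", "local"]

if __name__ == "__main__":
    granted, trail = authenticate(ORDER, SCENARIO, local_ok=True)
    for step, result in trail:
        print(f"{step:18} {result}")
    print("access granted" if granted else "access denied")
```

In the sample run, RADIUS servers 4 and 5 and TACACS+ server 3 are never queried, and the local check is what grants access after both remote methods deny.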
7950 SR OS System Management Guide, Security, Page 31
