Tacacs+ Authentication Features In Enterprise Nos; Authorization - Lenovo RackSwitch G8264CS Application Manual

TACACS+ Authentication Features in Enterprise NOS

Authorization

© Copyright Lenovo 2017
Authentication is the action of determining the identity of a user, and is generally
done when the user first attempts to log in to a device or gain access to its services.
ENOS supports ASCII inbound login to the device. PAP, CHAP and ARAP login
methods, TACACS+ change password requests, and one‐time password
authentication are not supported.
Authorization is the action of determining a user's privileges on the device, and
usually takes place after authentication.
The default mapping between TACACS+ authorization levels and ENOS
management access levels is shown in Table
defined on the TACACS+ server.
Table 8.
Default TACACS+ Authorization Levels
ENOS User Access Level
user
oper
admin
Alternate mapping between TACACS+ authorization levels and ENOS
management access levels is shown in Table
the alternate TACACS+ authorization levels.
RS 8264CS(config)# tacacs-server privilege-mapping
Table 9.
Alternate TACACS+ Authorization Levels
ENOS User Access Level
user
oper
admin
If the remote user is successfully authenticated by the authentication server, the
switch verifies the privileges of the remote user and authorizes the appropriate
access. The administrator has an option to allow secure backdoor access via
Telnet/SSH. Secure backdoor provides switch access when the TACACS+ servers
cannot be reached. You always can access the switch via the console port, by using
notacacs and the administrator password, whether secure backdoor is enabled
or not.
Note: To obtain the TACACS+ backdoor password for your G8264CS, contact
Technical Support.
8. The authorization levels must be
TACACS+ level
0
3
6
9. Use the following command to set
TACACS+ level
0 ‐ 1
6 ‐ 8
14 ‐ 15
Chapter 5: Authentication & Authorization Protocols
103