Tacacs - HP 438031-B21 - 1:10Gb Ethernet BL-c Switch User Manual

database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end
server and database.
RADIUS authentication consists of:
•
A protocol with a frame format that utilizes UDP over IP, based on RFC 2138 and 2866
•
A centralized server that stores all the user authorization information
•
A client, in this case, the switch
The switch, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize
a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions
between the client and the RADIUS server are authenticated using a shared key that is not sent over the
network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client
(the switch) and the back-end RADIUS server.
The benefits of using RADIUS are:
•
Authentication of remote administrators
•
Identification of the administrator using name/password
•
Authorization of remote administrators
•
Determination of the permitted actions and customizing service for individual administrators

TACACS+

The switch supports the TACACS+ method to authenticate, authorize, and account for remote
administrators managing the switch. This method is based on a client/server model. The switch is a client
to the back-end TACACS+ AAA server. A remote user (the remote administrator) interacts only with the
client, and not with the back end AAA server.
The TACACS+ AAA method consists of:
•
A protocol with a frame format that utilizes TCP over IP
•
A centralized AAA server that stores all the user authentication, authorization, and accounting (of
usage) information
•
A NAS or client (in this case, the switch)
The switch, acting as the TACACS+ client or NAS, communicates to the TACACS+ server to authenticate,
authorize, and account for user access. Transactions between the client and the TACACS+ server are
authenticated using a shared key that is not sent over the network. In addition, the remote administrator
passwords are sent encrypted between the TACACS+ client (the switch) and the back-end TACACS+
server.
The switch supports:
•
Only standard ASCII inbound login authentication. PAP, CHAP, or ARAP login methods are not
supported. One-time password authentication is also not supported.
•
Authorization privilege levels of only 0, 3, and 6. These map to management levels of user, oper,
and admin, respectively.
•
The accounting attributes of protocol, start_time, stop_time, and elapsed_time. For BBI users,
accounting stop records are only sent if the user presses the QUIT button.
Introduction 13