Configuring A Radius Server; Radius / Tacacs Authentication - Allied Telesis SwitchBlade x3100 Series Manual

Release 14.2 - issue 2

6.8 RADIUS / TACACS Authentication

6.8.1 Introduction
Terminal Access Controller Access Control System Plus (TACACS+) and Remote Authentication Dial In User
Service (RADIUS) Authentication give the user the ability to keep a centralized database of login IDs and
passwords for users. This allows the user to manage a single user authentication database over a large network,
eliminating the requirement to manage many user databases over a potentially large network of devices.
RADIUS is a client/server protocol for performing network-based user authentication, authorization and
accounting. RADIUS is defined by RFCs 2865, 2866, 2867, 2868, and 3575.
TACACS+ is a proprietary access control protocol as described in RFC 1492.
TACACS+ and RADIUS authentication operate by using an external server as the means to authenticate logins to
the system. When a user attempts to log in to the system, the system sends the request to the configured
TACACS+ or RADIUS server, which then processes the attempt. If the attempt is successful, the user is logged
in. If the attempt fails, the system prevents the user from logging in.
The system supports:
- Up to 5 servers of type TACACS+ and RADIUS.
- Dual challenge authentication.
- Vendor-specific Attribute Value (AV) pairs for automatic assignment of security level.
- Displays PASSCODE instead of PASSWORD to inform the user they are logging in through an external service.
- A local login of "last resort" when no external authentication servers are reachable.
By default, RADIUS and TACACS+ authentication is disabled. When a user first adds a RADIUS or TACACS+
server, future login attempts use that server to authenticate user logins. Authentication against the local user
database is disabled. Local user logins are then only allowed if none of the configured RADIUS and TACACS+
servers are reachable or if all RADIUS and TACACS+ servers are deleted.
If multiple RADIUS and/or TACACS+ servers are defined, each server is contacted in turn. First, the configured
RADIUS servers are contacted, then TACACS+ servers. If a server returns an authentication failure, a request
is sent to the next server. This process continues until a server returns authentication success or until all the
servers have been contacted and returned failure.
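The ordering and fallback rules above are easy to misread, in particular the distinction between a server that rejects a login and a server that cannot be reached: only the latter ever opens the local "last resort" path. The following Python model is an added example written for this page; it is not Allied Telesis code and does not speak RADIUS or TACACS+ on the wire. The `responder` callables, the server names and the user/password pairs are constructed stand-ins for the network exchange, and the 5-server limit is taken from the feature list above.

```python
"""Model of the login decision described in section 6.8.1: RADIUS servers are
contacted first, then TACACS+; the first success wins, a failure moves on to the
next server, and the local user database is consulted only when no server is
configured or none is reachable. Added example, not Allied Telesis code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple

MAX_SERVERS = 5  # the page states "up to 5 servers of type TACACS+ and RADIUS"


class Result(Enum):
    ACCEPT = "accept"            # server authenticated the user
    REJECT = "reject"            # server answered, but refused the login
    UNREACHABLE = "unreachable"  # no answer (timeout / network failure)


@dataclass
class AuthServer:
    name: str
    kind: str  # "radius" or "tacacs+"
    # Constructed stand-in for the network exchange: maps (user, secret) to a Result.
    responder: Callable[[str, str], Result]


@dataclass
class LoginPolicy:
    servers: List[AuthServer] = field(default_factory=list)
    local_users: Dict[str, str] = field(default_factory=dict)  # constructed local database

    def add_server(self, server: AuthServer) -> None:
        if len(self.servers) >= MAX_SERVERS:
            raise ValueError("at most %d external servers are supported" % MAX_SERVERS)
        if server.kind not in ("radius", "tacacs+"):
            raise ValueError("unknown server type: " + server.kind)
        self.servers.append(server)

    def ordered_servers(self) -> List[AuthServer]:
        # RADIUS servers are contacted first, then TACACS+, each in configured order.
        radius = [s for s in self.servers if s.kind == "radius"]
        tacacs = [s for s in self.servers if s.kind == "tacacs+"]
        return radius + tacacs

    def login(self, user: str, secret: str) -> Tuple[bool, str]:
        """Return (granted, reason). The reason names the deciding server or
        'local', so an audit trail can show which path admitted the user."""
        any_reachable = False
        for server in self.ordered_servers():
            outcome = server.responder(user, secret)
            if outcome is Result.UNREACHABLE:
                continue  # try the next configured server
            any_reachable = True
            if outcome is Result.ACCEPT:
                return True, server.name
            # REJECT: the request is sent on to the next server
        if any_reachable:
            # At least one server answered and every answer was a failure: the
            # local database is NOT consulted, so a bad external password cannot
            # be retried against local credentials.
            return False, "rejected by all reachable servers"
        # No server configured, or none reachable: local login of last resort.
        if self.local_users.get(user) == secret:
            return True, "local"
        return False, "local rejected"


# Constructed responders standing in for real servers.
def always(result: Result) -> Callable[[str, str], Result]:
    return lambda user, secret: result


def accepts_only(user_ok: str, secret_ok: str) -> Callable[[str, str], Result]:
    def respond(user: str, secret: str) -> Result:
        return Result.ACCEPT if (user, secret) == (user_ok, secret_ok) else Result.REJECT
    return respond


def build_demo_policy(servers_reachable: bool = True) -> LoginPolicy:
    """Constructed setup: one TACACS+ server added before one RADIUS server, to
    show that contact order is by type (RADIUS first), not by configuration order."""
    policy = LoginPolicy(local_users={"admin": "local-pass"})
    if servers_reachable:
        tacacs_resp = accepts_only("alice", "t-pass")
        radius_resp = accepts_only("alice", "r-pass")
    else:
        tacacs_resp = radius_resp = always(Result.UNREACHABLE)
    policy.add_server(AuthServer("tacacs-1", "tacacs+", tacacs_resp))
    policy.add_server(AuthServer("radius-1", "radius", radius_resp))
    return policy


if __name__ == "__main__":
    up = build_demo_policy()
    print(up.login("alice", "r-pass"))       # accepted by radius-1 (tried first)
    print(up.login("alice", "t-pass"))       # radius-1 rejects, tacacs-1 accepts
    print(up.login("admin", "local-pass"))   # denied: servers reachable, local not consulted
    down = build_demo_policy(servers_reachable=False)
    print(down.login("admin", "local-pass"))  # granted via local "last resort"
```

The point to take from the `login` method is the `any_reachable` flag: an administrator who expects local credentials to work while the external servers are merely rejecting logins (for example after a password change on the RADIUS side) will be locked out, whereas a complete outage of every configured server silently re-enables the local database. Both behaviours follow directly from the text above and are worth reflecting in monitoring of authentication logs.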

6.8.2 Configuring a RADIUS Server

6.8.2.1 Default Configuration
When an SBx3112 switch is initially booted up, there is no RADIUS server configured.
Software Reference for SwitchBlade x3100 Series Switches (Access and Security)
Introduction
6-75
