Juniper Networks EX2500 manual How TACACS+ Authentication Works

Page 28

EX2500 Ethernet Switch Configuration Guide

TACACS+ Authentication

The EX2500 switch supports authentication and authorization with networks using the TACACS+ protocol. The EX2500 switch functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the EX2500 switch either through a data port or a management port.

TACACS+ offers the following advantages over RADIUS:

TACACS+ uses TCP-based connection-oriented transport, whereas RADIUS is UDP-based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.

TACACS+ offers full packet encryption, whereas RADIUS offers password-only encryption in authentication requests.

TACACS+ separates authentication, authorization, and accounting.

How TACACS+ Authentication Works

TACACS+ works in much the same way as RADIUS authentication, as described on page 11. The remote administrator connects to the switch and provides a username and password.

1.Using Authentication/Authorization protocol, the switch sends a request to authentication server.

2.The authentication server checks the request against the user ID database.

3.Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.

During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.

TACACS+ Authentication Features in the EX2500 Switch

Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. The EX2500 switch supports ASCII inbound login to the device. PAP, CHAP, and ARAP login methods; TACACS+ change password requests; and one-time password authentication are not supported.

Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication.

14 Securing Access to the Switch

Image 28

Contents Configuration Guide North Mathilda Avenue Sunnyvale, CAIi „ Table of Contents Chapter VLANs Chapter Ports and Trunking Rmon Overview Rmon Group 1-Statistics Rmon Group 2-HistoryAppendixes Port Mirroring Overview Configuring Port MirroringIndexes Default Vlan Settings Port-Based Vlan AssignmentPage List of Tables EX2500 Ethernet Switch Configuration Guide „ List of Tables About This Guide ObjectivesAudience Supported PlatformsDocumentation Conventions Icon Meaning DescriptionDocumentation Feedback List of Technical PublicationsRequesting Technical Support Self-Help Online Tools and Resources Opening a Case with JtacEX2500 Ethernet Switch Applications Page Accessing the Switch Configuring the Management InterfaceDynamic Host Configuration Protocol Configure the default gateway. Enable the gatewayUsing Telnet Using the EX2500 Web Device ManagerConfiguring EX2500 Web Device Manager Access via Http Configuring EX2500 Web Device Manager Access via HttpsUsing Snmp SNMPv1, SNMPv2User Configuration Default ConfigurationSNMPv3 Configuring Snmp Trap Hosts SNMPv1 Trap Host ConfigurationSNMPv2 Trap Host Configuration Configure an entry in the notify tableSecuring Access to the Switch SNMPv3 Trap Host ConfigurationRadius Authentication and Authorization How Radius Authentication WorksConfiguring Radius on the Switch Configure the Radius secretRadius Authentication Features in the EX2500 Switch Switch User Accounts Radius Attributes for EX2500 User PrivilegesHow TACACS+ Authentication Works TACACS+ AuthenticationTACACS+ Authentication Features in the EX2500 Switch „ starttime „ stoptime „ elapsedtime „ disccause Configuring TACACS+ Authentication on the Switch Command Authorization and LoggingConfigure the TACACS+ secret and second secret Configuring SSH Features on the Switch Generating RSA Host and Server Keys for SSH AccessSecure Shell SSH Encryption of Management MessagesEnd User Access Control SSH Integration with Radius and TACACS+ AuthenticationConsiderations for Configuring End User Accounts User Access ControlListing Current Users Logging In to an End User AccountVLANs Vlan Overview„ Port configuration VLANs and Port Vlan ID NumbersVlan Numbers Pvid NumbersIllustrates the default Vlan settings on the switch Vlan TaggingDefault Vlan Settings Port-Based Vlan Assignment Vlan Configuration Rules Vlan Topologies and Design ConsiderationsMultiple VLANs Configuration Example Multiple VLANs example in is described in TableEnable tagging on uplink ports that support multiple VLANs Private VLANs Private Vlan PortsPrivate Vlan Configuration Guidelines Private Vlan Configuration ExampleConfigure a secondary Vlan and map it to the primary Vlan Verify the configurationSpanning Tree Protocol Spanning Tree OverviewDetermining the Path for Forwarding BPDUs Bridge Protocol Data Units BPDUsBridge Priority Spanning Tree Group Configuration Guidelines Changing the Spanning Tree ModePort Priority Port Path CostRules for Vlan Tagged Ports Creating a VlanAdding and Removing Ports from STGs Rapid Spanning Tree Protocol Port State ChangesRstp Configuration Guidelines Rstp Configuration ExamplePort Type and Link Type Edge PortWhy Do We Need Multiple Spanning Trees? Default Spanning Tree ConfigurationPer Vlan Rapid Spanning Tree Pvrst Configuration Guidelines Configuring PvrstMstp Configuration Guidelines Multiple Spanning Tree ProtocolMstp Region Common Internal Spanning TreeMultiple Spanning Tree Groups Configuration Example Implementing Multiple Spanning Tree GroupsFast Uplink Convergence VlanConfiguration Guidelines Configuring Fast Uplink ConvergenceTrunking Overview Ports and TrunkingStatistical Load Distribution Before Configuring Static Trunks Built-In Fault ToleranceTrunk Group Configuration Rules Port Trunking Configuration Example Port Trunk Group Configuration ExampleFollow these steps on the EX2500 switch Define a trunk group Configurable Trunk Hash Algorithm Link Aggregation Control Protocol„ Destination MAC Dmac „ Destination IP DIP48 „ Link Aggregation Control Protocol Lacp Configuration Guidelines Configuring LacpOptionally Reducing Lacp Timeout Set the Lacp modeEx2500config-if# lacp timeout short ex2500config-if# exit Quality of Service QoS OverviewUsing ACL Filters COSMAC Extended ACLs IP Standard ACLsTo delete a MAC Extended ACL To delete an IP Standard ACLIP Extended ACLs To delete an IP Extended ACLUnderstanding ACL Priority TCP/UDPACL Configuration Examples Assigning ACLs to a PortViewing ACL Statistics ACL Example 1-Blocking Traffic to a HostACL Example 3-Blocking Http Traffic Add the ACL to a portACL Example 4-Blocking All Except Certain Packets Assign the ACLs to a portConfiguring Storm Control Using Storm Control FiltersBroadcast Storms Using Dscp Values to Provide QoS Differentiated Services ConceptsPer Hop Behavior Assured Forwarding Drop Precedence ClassQoS Levels Use the following command to perform Dscp mappingDscp Mapping Using 802.1p Priority to Provide QoS Shows the priority bits in a VLAN-tagged packetQueuing and Scheduling Remote Monitoring Rmon OverviewConfigure the Rmon statistics on a port Rmon Group 1-StatisticsConfiguring Rmon History Configure the Rmon History parameters for a portThis configuration enables Rmon History collection on port Rmon Group 2-HistoryRmon Group 3-Alarms Alarm MIB ObjectsConfiguring Rmon Alarms Configure the Rmon Alarm parameters to track Icmp messagesEx2500config# rmon event 110 type log-only Rmon Group 9-EventsPage Igmp Igmp SnoopingFastLeave Igmp Snooping Configuration Example IGMPv3 SnoopingStatic Multicast Router Ex2500# show ip igmp groupsHigh Availability Through Uplink Failure Detection High Availability OverviewSpanning Tree Protocol with UFD UFD Configuration Guidelines Failure Detection PairUFD Configuration Example Monitoring UFDPage Appendixes EX2500 Ethernet Switch Configuration Guide 80 „ Appendixes „ Port Mirroring Overview on „ Configuring Port Mirroring on Port Mirroring OverviewConfiguring Port Mirroring Indexes „ Index onEX2500 Ethernet Switch Configuration Guide 84 „ Indexes Index NumericsManagement interface, configuring Multi-links between switches, port trunkingPhysical. See switch ports Internet Group Management Protocol. See IgmpQuality of Service. See QoS QoSSecurity Segmentation. See IP subnets Segments. See IP subnetsVirtual Local Area Networks. See VLANs Example showing multiple VLANs