Brocade Communications Systems 6650 TACACS+ authorization, TACACS+ accounting

28 Brocade ICX 6650 Security Configuration Guide

53-1002601-01

TACACS and TACACS+ security

8. The password is validated in the TACACS+ server database.

9. If the password is valid, the user is authenticated.

TACACS+ authorization

Brocade devices support two kinds of TACACS+ authorization:

•Exec authorization determines a user privilege level when they are authenticated

•Command authorization consults a TACACS+ server to get authorization for commands entered

by the user

When TACACS+ exec authorization takes place, the following events occur.

1. A user logs into the Brocade device using Telnet or SSH

2. The user is authenticated.

3. The Brocade device consults the TACACS+ server to determine the privilege level of the user.

4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the

privilege level of the user.

5. The user is granted the specified privilege level.

When TACACS+ command authorization takes place, the following events occur.

1. A Telnet or SSH user previously authenticated by a TACACS+ server enters a command on the

Brocade device.

2. The Brocade device looks at its configuration to see if the command is at a privilege level that

requires TACACS+ command authorization.

3. If the command belongs to a privilege level that requires authorization, the Brocade device

consults the TACACS+ server to see if the user is authorized to use the command.

4. If the user is authorized to use the command, the command is executed.

TACACS+ accounting

TACACS+ accounting works as follows.

1. One of the following events occur on the Brocade device:

•A user logs into the management interface using Telnet or SSH

•A user enters a command for which accounting has been configured

•A system event occurs, such as a reboot or reloading of the configuration file

2. The Brocade device checks the configuration to see if the event is one for which TACACS+

accounting is required.

3. If the event requires TACACS+ accounting, the Brocade device sends a TACACS+ Accounting

Start packet to the TACACS+ accounting server, containing information about the event.

4. The TACACS+ accounting server acknowledges the Accounting Start packet.

5. The TACACS+ accounting server records information about the event.

6. When the event is concluded, the Brocade device sends an Accounting Stop packet to the

TACACS+ accounting server.

7. The TACACS+ accounting server acknowledges the Accounting Stop packet.