TACACS+ Commands 761
34
TACACS+ Commands
TACACS+ provides access control for networked devices via one or more
centralized servers, similar to RADIUS this protocol simplifies authentication
by making use of a single database that can be shared by many clients on a
large network. TACACS+ is based on the TACACS protocol (described in
RFC1492) but additionally provides for separate authentication,
authorization and accounting services. The original protocol was UDP based
with messages passed in clear text over the network; TACACS+ uses TCP to
ensure reliable delivery and a shared key configured on the client and daemon
server to encrypt all messages.
PowerConnect supports authentication of a user using a TACACS+ server.
When TACACS+ is configured as the authentication method for a user login
type (CLI/HTTP/HTTPS), the NAS will prompt for the user login credentials
and request services from the FASTPATH TACACS+ client; the client will
then use the configured list of servers for authentication and provide results
back to the NAS. The TACACS+ server list is configured with one or more
hosts defined via their network IP address; each can be assigned a priority to
determine the order in which the TACACS+ client will contact them, a
server is contacted when a connection attempt fails or times out for a higher
priority server. Each server host can be separately configured with a specific
connection type, port, timeout, and shared key, or the global configuration
may be used for the key and timeout. Like RADIUS, the TACACS+ server
may do the authentication itself, or redirect the request to another back-end
device, all sensitive information is encrypted and the shared secret is never
passed over the network.
2CSPC4.XCT-SWUM2XX1.book Page 761 Monday, October 3, 2011 11:05 AM