Accessing the switch
TACACS+ offers the following advantages over RADIUS:
• TACACS+ uses
• TACACS+ offers full packet encryption whereas RADIUS offers
• TACACS+ separates authentication, authorization, and accounting.
NOTE: The TACACS+ packet body is protected by XORing it with an MD5 keystream derived from the shared secret. RFC 8907 describes this as obfuscation rather than encryption, so TACACS+ traffic between the switch and the server should still be confined to a dedicated management network.
How TACACS+ authentication works
TACACS+ works much in the same way as RADIUS authentication.
1. The remote administrator connects to the switch and provides a user name and password.
NOTE: The user name and password can each have a maximum length of 128 characters. The password cannot be left blank.
2. Using the TACACS+ authentication/authorization protocol, the switch sends a request to the authentication server.
3. The authentication server checks the request against its user ID database.
4. Using the TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.
During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine whether the user is permitted to use a particular command.
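The four-step ASCII login exchange above, worked through in code. This is an added example and not the switch's or the vendor's code: it implements the RFC 8907 packet header, the MD5-keystream body obfuscation, and the authentication START / REPLY(GETPASS) / CONTINUE / REPLY(PASS or FAIL) messages for both sides, with a toy in-process server standing in for the real TACACS+ server. The shared key, the user database, the port and remote-address fields, and the MAX_CRED_LEN limit (taken from the note on this page) are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# Protocol constants from RFC 8907 (TACACS+); the 128-character limit is the switch's, per this page.
VERSION = 0xC0                     # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01                 # packet type: authentication
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01, 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length
MAX_CRED_LEN = 128                 # switch limit quoted on this page (assumption for this example)

def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 4.5: keystream = MD5(session_id|key|version|seq_no[|previous digest]), chained."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pad; the same call also deobfuscates."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))

def build_packet(ptype, seq_no, session_id, body, key):
    return HEADER.pack(VERSION, ptype, seq_no, 0, session_id, len(body)) + obfuscate(body, session_id, key, seq_no)

def parse_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if version != VERSION or len(body) != length:
        raise ValueError("malformed TACACS+ packet")
    return ptype, seq_no, session_id, obfuscate(body, session_id, key, seq_no)

# --- the switch's side (steps 1, 2 and 4) ---
def authen_start(session_id, key, user, port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START: ASCII login, priv_lvl 1; port and rem_addr are constructed sample values."""
    body = struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    return build_packet(TYPE_AUTHEN, 1, session_id, body, key)

def authen_continue(session_id, key, seq_no, user_msg):
    """Authentication CONTINUE carrying the answer to a GETPASS (the password)."""
    return build_packet(TYPE_AUTHEN, seq_no, session_id, struct.pack("!HHB", len(user_msg), 0, 0) + user_msg, key)

def parse_reply(packet, key):
    _ptype, seq_no, _sid, body = parse_packet(packet, key)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return seq_no, status, body[6:6 + msg_len]

# --- the server's side (step 3): a toy stand-in for a real TACACS+ server ---
USER_DB = {b"netadmin": b"S3cret!pass"}  # constructed sample; a real server stores password hashes

def authen_reply(session_id, key, seq_no, status, server_msg=b""):
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    return build_packet(TYPE_AUTHEN, seq_no, session_id, body, key)

def server_handle(packet, key, sessions):
    _ptype, seq_no, session_id, body = parse_packet(packet, key)
    if seq_no == 1:                              # START: remember the user, ask for the password
        user_len = body[4]
        sessions[session_id] = body[8:8 + user_len]
        return authen_reply(session_id, key, seq_no + 1, STATUS_GETPASS, b"Password: ")
    msg_len = struct.unpack("!H", body[:2])[0]   # CONTINUE: user_msg is the password
    password = body[5:5 + msg_len]
    user = sessions.pop(session_id, None)
    ok = user is not None and hmac.compare_digest(USER_DB.get(user, b""), password)
    return authen_reply(session_id, key, seq_no + 1, STATUS_PASS if ok else STATUS_FAIL)

def switch_login(user, password, key, session_id=None):
    """Run the whole exchange in-process; True only on a PASS reply. Enforces the page's length limits."""
    if not 0 < len(user) <= MAX_CRED_LEN or not 0 < len(password) <= MAX_CRED_LEN:
        raise ValueError("user name and password must be 1..128 characters (blank password rejected)")
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    sessions = {}
    seq_no, status, _msg = parse_reply(server_handle(authen_start(session_id, key, user), key, sessions), key)
    if status != STATUS_GETPASS:
        return False
    _seq, status, _msg = parse_reply(server_handle(authen_continue(session_id, key, seq_no + 1, password), key, sessions), key)
    return status == STATUS_PASS

if __name__ == "__main__":
    print(switch_login(b"netadmin", b"S3cret!pass", b"sharedkey"))  # True
    print(switch_login(b"netadmin", b"wrong", b"sharedkey"))        # False
```

Client packets carry odd sequence numbers and server packets even ones, which is why the server always answers with `seq_no + 1`. Note that a wrong shared key does not produce an error at the parser: the body simply deobfuscates to garbage, which is why a key mismatch between switch and server typically shows up as a FAIL or ERROR reply rather than a transport failure.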
TACACS+ authentication features
Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. Switch software supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and
Authorization
Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication.
The default mapping between TACACS+ authorization privilege levels and switch management access levels is shown in the table below. The privilege levels listed in the following table must be defined on the TACACS+ server.
Table 4 Default TACACS+ privilege levels
User access level | TACACS+ level
user              | 0
oper              | 3
admin             | 6