RADIUS
The switch supports the RADIUS method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The RAS, the switch, is a client to the
RADIUS authentication consists of:
•A protocol with a frame format that utilizes UDP over IP, based on RFC 2138 and 2866
•A centralized server that stores all the user authorization information
•A client, in this case, the switch
The switch, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the
The benefits of using RADIUS are:
•Authentication of remote administrators
•Identification of the administrator using name/password
•Authorization of remote administrators
•Determination of the permitted actions and customizing service for individual administrators
TACACS+
The switch supports the TACACS+ method to authenticate, authorize, and account for remote administrators managing the switch. This method is based on a client/server model. The switch is a client to the
The TACACS+ AAA method consists of:
•A protocol with a frame format that utilizes TCP over IP
•A centralized AAA server that stores all the user authentication, authorization, and accounting (of usage) information
•A NAS or client (in this case, the switch)
The switch, acting as the TACACS+ client or NAS, communicates to the TACACS+ server to authenticate, authorize, and account for user access. Transactions between the client and the TACACS+ server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the TACACS+ client (the switch) and the
The switch supports:
•Only standard ASCII inbound login authentication. PAP, CHAP, or ARAP login methods are not supported.
•Authorization privilege levels of only 0, 3, and 6. These map to management levels of user, oper, and admin, respectively.