IBM Partner Pavilion BMD00082 TACACS+ Authentication

SmartConnect User’s Guide

74  Chapter 6: Configuring Switch Access BMD00082, February 2009

TACACS+ Authentication

The switch supports authentication and authorization with networks using the Cisco Systems

TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting

with the remote client and initiating authentication and authorization sessions with the

TACACS+ access server. The remote user is defined as someone requiring management access

to the switch either through a data or management port.

TACACS+ Authentication Features

Authentication is the action of determining the identity of a user, and is generally done when

the user first attempts to log in to a device or gain access to its services. The switch supports

ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change

password requests, and one-time password authentication are not supported.

Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes

place after authentication.

The mapping between TACACS+ authorization levels and switch management access levels is

shown in Table 6-4 on page 74 . The authorization levels must be defined on the TACACS+

server.

Configuring TACACS+ Authentication

1. On the BBI, choose System Settings > Remote User Administration to configure

TACACS+ authentication.

2. In the Tacacs+ section of the window, enter the Tacacs+ Primary Server IP address and

TACACS+ Secret.

3. Select enable for the Tacacs+ option.

4. Click Apply to make your changes active, and Save to retain changes beyond reboot.

Table 6-4 SmartConnect-Proprietary Attributes for T A CACS+

User Access Level TACACS+ level

user 0

oper 3

admin 6

Contents

Main Page Contents Part 1: Basic Concepts & Configuration 11 Page Part 2: BBI Reference 87 Page Page Page Preface Who Should Use This Users Guide What Youll Find in This Users Guide Part 1: Basic Concepts and Configuration Part 2: BBI Reference Typographic Conventions The following table describes the typographic styles used in this book. How to Get Help Table 1 Typographic Conventions Page Part 1: Basic Concepts & Configuration Page CHAPTER 1 VSE SmartConnect Software Operation VSE SmartConnect Software Overview Page VSE SmartConnect Software Quick Start Configuring the Chassis Management System Configuring the Upstream Networking Device Configuring the Chassis Processor Blades Page CHAPTER 2 Getting Started with the Browser- Based Interface Requirements Web Browser Set Up Starting the BBI Page Updating the Software Image Loading the New Software Image Transferring the New Image to the Switch Page Selecting a Software Image to Run Uploading a Software Image from the Switch Selecting a Configuration Block Page CHAPTER 3 Switch Virtualization Virtual Switch Groups Port Groups Virtual Machine Groups Link Aggregation VLANs Network Segmentation Port Access Port-Based VLAN Tagging Defined VLANs Trunking External Trunks Trunking Rules Statistical Load Distribution Built-In Fault Tolerance Link Aggregation Control Protocol Switch Failover Setting the Number of Links to Trigger Failover Configuring Switch Failover Internal Trunks IGMP Snooping Configuring a Backup Server Port General Configuration Port Configuration DHCP Server Configuration This example was performed with Internet Systems Consortium DHCP Server, version 3.0.4. Page CHAPTER 4 Stacking Stacking Requirements Stack Membership Master Member Backup Master and Backup Selection Master and Backup Behavior Stack Member Numbers Configuring a Stack Configuring Each Switch Page Additional Master Configuration Locating the Master Switch Internal Management IP Interface Viewing Stack Connections Binding Members to the Stack Configuring an External IP Address for the Stack Managing a Stack Stacking Port Numbers Stacking Internal Port Settings Stacking VLANs Stacking Boot Management Upgrading Stack Software Page CHAPTER 5 Command Reference CLI Menus Menu Summary Page Page Viewing, Applying, and Saving Changes Viewing Pending Changes Applying Pending Changes Saving the Configuration CHAPTER 6 Configuring Switch Access Management Module Setup Factory Default vs. MM Assigned IP Addresses Configuring the Default Gateway Configuring Management Module for Switch Access Page Using Telnet Connect to the Switch via SSH Using the Browser-Based Interface Access via HTTP Access via HTTPS Page Securing Access to the Switch Setting Allowable Source IP Address Ranges Configuring an IP Address Range for the Management Network RADIUS Authentication and Authorization Configuring RADIUS User Accounts RADIUS Attributes for VSE SmartConnect Software User Privileges TACACS+ Authentication TACACS+ Authentication Features Authorization Configuring TACACS+ Authentication End User Access Control Considerations for Configuring End User Accounts Configuring End-User Access Control Logging in to an End-User Account Protected Mode Secure Shell and Secure Copy Configuring SSH/SCP Features Enabling or Disabling SCP Apply and Save Configuring the SCP Administrator Password Using SSH and SCP Client Commands To Log In to the Switch: To Download the Switch Configuration Using SCP: To Upload the Configuration to the Switch: Apply and Save the Configuration SSH and SCP Encryption of Management Messages Generating RSA Host and Server Keys for SSH Access SSH/SCP Integration with Radius Authentication SSH/SCP Integration with TACACS+ Authentication SecurID Support Using SecurID with SSH Using SecurID with SCP Page Part 2: BBI Reference Page Page Page Port Status Area Menu Area Configuration Window Page CHAPTER 8 Virtual Switch Groups Port Groups Virtual Machine Groups Link Aggregation Virtual Switch Groups Membership Assigning Ports to VSGs Assigning Virtual Machines to VSGs VM Pre-provisioning Switch Management Ports Virtual Switch Groups Settings Delete Virtual Switch Group Settings Switch Failover Link Aggregation Control Protocol IGMP Snooping BPDU Policy Reset to Default Virtual Switch Groups ACL QoS CHAPTER 9 Switch Policies Internal Port Settings External Port Settings Use this window to configure external port settings. Table 9-2 External Port Settings Fields Management Port Settings Port Mirroring Access Control Lists ACL Configuration Table Searching for an Existing ACL Adding a New ACL Add or Edit ACLs Access Control List Use these fields to configure basic ACL parameters Table 9-4 ACL Configuration Fields Table 9-4 ACL Configuration Fields (continued) ACL Metering Settings ACL Remark Control Access Control List Sets Quality of Service IEEE 8021p for MAC-Level QoS Priority CoS Configuration Table CoS Weight Configuration Table Port Priority Configuration DiffServ Code Point QoS Page ServerMobility General Configuration ServerMobility Port Configuration CHAPTER 10 System Settings Management Settings SNMP System Log General Settings Local User Administration Built-In Users User Configuration Remote User Administration RADIUS TACACS+ Time Services Settings NTP Settings General Settings Table 10-8 Time Services General Settings Fields Table 10-9 Time Services NTP Fields ErrDisable System Settings Switch Protected Mode Management Network Settings Bootstrap Protocol Settings SSH/Telnet Settings Switch SSH Settings Switch Telnet Settings Virtual Machine Group Settings Syslog Settings Stacking Configuration Stack Switch Configuration Stack IP Interfaces Page CHAPTER 11 Boot Management General Boot Settings The following table describes the buttons on the Boot Management window. Boot Schedule on page 135 Tabl e 11-1 Boot Management buttons Boot Schedule Page CHAPTER 12 Switch Information Access Control List Information Access Control List Sets Information ARP Cache Information Bootstrap Protocol Relay Information Forwarding Database Information Virtual Switch Group Information The following table describes the VSG information fields. Table 12-4 Virtual Switch Group Information Fields IGMP Information IGMP Multicast Groups The following table describes the IGMP Multicast Router Ports information fields. The following table describes the IGMP Multicast Groups information fields. IGMP Snooping Multicast Router Ports IP Information IP Interfaces Default Gateways Link Status Information ServerMobility General Information ServerMobility Port Information The following table describes the ServerMobility Port information fields. ServerMobility General Configuration on page 115 ServerMobility Port Information on page 146 Table 12-11 Server Mobility Port information SNMPv3 Information The following table describes the SNMPv3 information fields. Table 12-12 SNMPv3 information Table 12-12 SNMPv3 information (continued) Syslog Messages This window lists the most recently logged system messages. Syslog Settings on page 129 Table 12-12 SNMPv3 information (continued) Port Transceiver Status Trunk Groups Information User Information Virtual Machine Group Information Page CHAPTER 13 Switch Statistics Access Control List Statistics FDB Statistics Layer 3 Statistics Address Resolution Protocol Statistics ICMP Statistics The following table describes the ICMP statistics fields. Table 13-4 ICMP Statistics icmpOutErrors TCP Statistics The following table describes the TCP statistics fields. UDP Statistics IGMP Group Snooping Statistics Summary IP Statistics The following table describes the Internet Protocol statistics fields. Table 13-8 IP Statistics ipForwDatagrams MP-Specific Information CPU Utilization The following table describes the CPU Utilization fields. The following table describes the MP Packet statistics fields. MP Packet Statistics Table 13-9 CPU Utilization Network Time Protocol Statistics Port Statistics Switch Ports Statistics Summary Index Symbols A B C M N P Q R