EX2500 Ethernet Switch Configuration Guide
TACACS+ Authentication
The EX2500 switch supports authentication and authorization with networks using the TACACS+ protocol. The EX2500 switch functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the EX2500 switch either through a data port or a management port.
TACACS+ offers the following advantages over RADIUS:
TACACS+ uses
TACACS+ offers full packet encryption, whereas RADIUS offers
TACACS+ separates authentication, authorization, and accounting.
How TACACS+ Authentication Works
TACACS+ works in much the same way as RADIUS authentication, as described on page 11. The remote administrator connects to the switch and provides a username and password.
1.Using Authentication/Authorization protocol, the switch sends a request to authentication server.
2.The authentication server checks the request against the user ID database.
3.Using TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.
During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine if the user is granted permission to use a particular command.
TACACS+ Authentication Features in the EX2500 Switch
Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. The EX2500 switch supports ASCII inbound login to the device. PAP, CHAP, and ARAP login methods; TACACS+ change password requests; and
Authorization
Authorization is the action of determining a user’s privileges on the device, and usually takes place after authentication.
14 Securing Access to the Switch
