NEC N8406-022 manual TACACS+ server configuration

Models: N8406-022

TACACS+ server configuration

TACACS+ (Terminal Access Controller Access Control System) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server, which determines whether access to a given system can be allowed. The TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols are more secure than the original TACACS protocol. TACACS+ is described in RFC 1492.

The TACACS+ protocol is more reliable than RADIUS, because TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and authorization in a single user profile, whereas TACACS+ separates the two operations.

TACACS+ offers the following advantages over RADIUS as the authentication device:

- TACACS+ is TCP-based, so it supports connection-oriented traffic.
- It supports full-packet encryption, as opposed to RADIUS, which encrypts only the password in authentication requests.
- It supports decoupled authentication, authorization, and accounting.

The following table describes the TACACS+ Server Configuration commands.

Table 59 TACACS+ Server Configuration commands

Each entry gives the command, followed by its description and the command mode in which it is available.

[no] tacacs-server host <IP address>
    Defines the primary TACACS+ server address.
    Command mode: Global configuration

[no] tacacs-server host <IP address> key <1-32 characters>
    Defines the primary or secondary shared secret between the switch and the TACACS+ server(s).
    Command mode: Global configuration

tacacs-server port <TCP port number>
    Enter the number of the TCP port to be configured, between 1 and 65000. The default is 49.
    Command mode: Global configuration

tacacs-server retransmit <1-3>
    Sets the number of failed authentication requests before switching to a different TACACS+ server. The range is 1-3 requests. The default is 3 requests.
    Command mode: Global configuration

tacacs-server timeout <4-15>
    Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered to have failed. The range is 4-15 seconds. The default is 5 seconds.
    Command mode: Global configuration

[no] tacacs-server telnet-backdoor
    Enables or disables the TACACS+ back door for telnet. The telnet command also applies to SSH/SCP connections and the Browser-based Interface (BBI). This command does not apply when secure backdoor (secbd) is enabled.
    Command mode: Global configuration

[no] tacacs-server secure-backdoor
    Enables or disables the TACACS+ back door using a secure password for telnet/SSH/HTTP/HTTPS. This command does not apply when backdoor (telnet) is enabled.
    Command mode: Global configuration

[no] tacacs-server privilege-mapping
    Enables or disables TACACS+ privilege-level mapping. The default value is disabled.
    Command mode: Global configuration

tacacs-server user-mapping <0-15> {user|oper|admin}
    Maps a TACACS+ authorization level to this switch user level. Enter a TACACS+ privilege level (0-15), followed by the corresponding user level (user, oper, admin).
    Command mode: Global configuration

tacacs-server enable
    Enables the TACACS+ server.
    Command mode: Global configuration

no tacacs-server enable
    Disables the TACACS+ server.
    Command mode: Global configuration

show tacacs-server
    Displays current TACACS+ configuration parameters.
    Command mode: All
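As an added check that is not part of the NEC manual, the following Python lints a configuration fragment built from the Table 59 commands: it verifies the documented value ranges (port 1-65000, retransmit 1-3, timeout 4-15, key 1-32 characters, privilege level 0-15), reports hosts with no shared secret, and flags the telnet back door and the conflicting combination of both back-door commands. The sample configuration, the host addresses and the wording of the findings are constructed for this example.

```python
# Constructed sample (not from the manual): a configuration fragment built only
# from the Table 59 commands, one per line as typed at the CLI.
SAMPLE_CONFIG = """\
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.10 key primary-shared-secret
tacacs-server host 192.0.2.11
tacacs-server port 49
tacacs-server retransmit 2
tacacs-server timeout 20
tacacs-server telnet-backdoor
tacacs-server secure-backdoor
no tacacs-server privilege-mapping
tacacs-server user-mapping 15 admin
"""

RANGES = {"port": (1, 65000), "retransmit": (1, 3), "timeout": (4, 15)}  # Table 59
ROLES = ("user", "oper", "admin")

def check_tacacs_config(config: str) -> list[str]:
    """Lint a TACACS+ fragment against Table 59; returns findings (empty = clean)."""
    findings, hosts, flags = [], {}, set()
    for raw in config.splitlines():
        negated = raw.strip().startswith("no ")
        tokens = raw.strip().split()[1:] if negated else raw.strip().split()
        if len(tokens) < 2 or tokens[0] != "tacacs-server":
            continue
        sub = tokens[1]
        if sub == "host" and not negated:
            ip, has_key = tokens[2], "key" in tokens
            hosts[ip] = hosts.get(ip, False) or has_key  # key may come on a later line
            if has_key and not 1 <= len(tokens[-1]) <= 32:
                findings.append(f"{ip}: key length outside 1-32 characters")
        elif sub in RANGES:
            lo, hi = RANGES[sub]
            if not lo <= int(tokens[2]) <= hi:
                findings.append(f"{sub} {tokens[2]} outside documented range {lo}-{hi}")
        elif sub == "user-mapping":
            if not (0 <= int(tokens[2]) <= 15 and tokens[3] in ROLES):
                findings.append(f"invalid user-mapping: {raw.strip()}")
        elif sub != "host":  # on/off commands: telnet-backdoor, secure-backdoor, ...
            (flags.discard if negated else flags.add)(sub)
    findings += [f"{ip}: no shared secret (key) configured" for ip, k in hosts.items() if not k]
    if "telnet-backdoor" in flags:
        findings.append("telnet-backdoor enabled: TACACS+ back door open for telnet/SSH/SCP/BBI")
    if {"telnet-backdoor", "secure-backdoor"} <= flags:
        findings.append("telnet-backdoor and secure-backdoor both set; each is documented as not applying while the other is enabled")
    if "privilege-mapping" not in flags:
        findings.append("privilege-mapping not enabled (default is disabled)")
    return findings
```

Run it against a fragment taken from the switch's saved configuration; an empty list means every Table 59 value is within its documented range and no back-door conflict is present.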

Configuration Commands 62
