SMC Networks 100BASE-TX, 16 10BASE-T Configuring Local/Remote Logon Authentication

Configuring the Switch

3-34

Configuring Local/Remote Logon Authentication

Use the Authentication Settings menu to restrict m anagement access based on

specified user names and passwords. You can manually configu re access rights on

the switch, or you can use a remote access authentication server based on RADIUS

or TACACS+ protocols.

Remote Authentication Dial-in

User Service (RADIUS) and

Terminal Access Controller

Access Control System Plus

(TACACS+) are logon

authentication protocols that

use software running on a

central server to control

access to RADIUS-aware or

TACACS-aware devices on the

network. An authentication

server contains a database of

multiple user name/password pairs with associated privilege levels for each user

that requires management access to the switch.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery,

while TCP offers a connection-oriented transport. Also, note that RADIUS encryp ts

only the password in the access-request packet from the client to the server, while

TACACS+ encrypts the entire body of the packet.

Command Usage

• By default, managem ent access is always checked against the authentication

database stored on the local switch. If a remote authentication server is used, you

must specify the authentication sequence and the corresponding pa rameters for

the remote authentication protocol. Local and remote logon authentication contro l

management access via the console port, web browser, or Telnet.

• RADIUS and TACACS+ logon authentication assign a specific privilege level for

each user name/password pair. The user name, password, and privileg e level

must be configured on the authentication server.

• You can specify up to th ree authentication methods for any user to indicate the

authentication sequence. For example, if you select (1) RADIUS, (2) TAC ACS and

(3) Local, the user name and password on the R ADIUS server is verified first. If the

RADIUS server is not available, then authentication is attempted using t he

TACACS+ server, and finally the local user name and password is checked.

Web

Telnet

RADIUS/

TACACS+

server

console

1.Client attempts management access.

2.Switch contacts authentication server.

3.Authentication server challenges client.

4.Client responds with proper password or key.

5.Authentication server approves access.

6.Switch grants management access.