RADIUS-aware or TACACS+-aware devices on the network. An authentication server contains a database of multiple user name/password pairs with associated privilege levels for each user that requires management access to a switch.

Note – When setting up privilege levels on a RADIUS or TACACS+ server, remember that level 0 allows guest (Normal Exec) access to the switch. Only level 15 allows administrator (Privileged Exec) access.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.
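To make the last point concrete, here is an added example (not from the Sun manual) implementing the RFC 2865 User-Password hiding that RADIUS applies with the shared secret this manual calls the Encryption Key. The secret, user name and Request Authenticator are constructed placeholders; the point is that only User-Password is obscured, while User-Name and every other attribute leave the switch readable.

```python
import hashlib

# Constructed placeholders, not from the manual: the switch's "Encryption Key" is the
# RADIUS shared secret; the Request Authenticator is random per packet, fixed here.
SHARED_SECRET = b"examplekey"
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: null-pad to a 16-byte multiple, then
    XOR each block with MD5(secret + previous block), the first block using the
    Request Authenticator. This is the only attribute the secret obscures."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password (the server side); strips the null padding."""
    if len(hidden) % 16 != 0 or len(authenticator) != 16:
        raise ValueError("malformed hidden User-Password or authenticator")
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def access_request_attrs(username: bytes, password: bytes) -> dict:
    """Attribute view of an Access-Request: User-Name travels in the clear,
    User-Password is the one value the shared secret protects."""
    return {"User-Name": username,
            "User-Password": hide_user_password(password, SHARED_SECRET, REQUEST_AUTHENTICATOR)}


if __name__ == "__main__":
    attrs = access_request_attrs(b"admin", b"s3cret-pw")
    print(attrs, reveal_user_password(attrs["User-Password"], SHARED_SECRET, REQUEST_AUTHENTICATOR))
```

Because the hiding is a keystream derived from the shared secret and nothing else in the packet is protected, the secret's strength and the network path to the server matter as much as the password itself; TACACS+ avoids this exposure by encrypting the whole packet body.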

RADIUS and TACACS+ logon authentication controls management access through the console port, Web browser, or Telnet. These access options must be configured on the authentication server.

RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name/password pair. The user name, password, and privilege level must be configured on the authentication server.

You can specify one to three authentication methods for any user to indicate the authentication sequence. For example, if you select (1) RADIUS and (2) Local, the user name and password on the RADIUS server are verified first. If the RADIUS server is not available, then the local user name and password are checked.

When configuring user authentication using the web interface or CLI, the following parameters are displayed or can be configured:

Authentication Mechanisms

Require User Authentication – The operating status of user authentication.

Preference – The switch attempts to authenticate the user based on the specified sequence.

Authentication Server Settings

Server IP Address – The address of the authentication server. The default is 10.1.0.1.

Server Port Number – The UDP or TCP network port (between 1 and 65,535) of the authentication server used for authentication messages. The default is 1812.

Encryption Key – The password (between 1 and 20 characters) used to authenticate logon access for the client. Do not use blank spaces in the string.

No. of Retries – The number of times (between 1 and 30) the switch tries to authenticate logon access through the authentication server. The default is 2. (Applies only to RADIUS server authentication.)

Chapter 3 General Management of the Switch 3-29