Chapter 24 AAA
accounts configured on the Switch itself. The Switch can also use an external authentication server to authenticate a large number of users
Authorization is the process of determining what a user is allowed to do. Different user accounts may have higher or lower privilege levels associated with them. For example, user A may have the right to create new login accounts on the Switch but user B cannot. The Switch can authorize users based on user accounts configured on the Switch itself or it can use an external server to authorize a large number of users.
Local User Accounts
By storing user profiles locally on the Switch, your Switch is able to authenticate and authorize users without interacting with a network AAA server. However, there is a limit on the number of users you may authenticate in this way (See Chapter 31 on page 275).
RADIUS and TACACS+
RADIUS and TACACS+ are security protocols used to authenticate users by means of an external server instead of (or in addition to) an internal device user database that is limited to the memory capacity of the device. In essence, RADIUS and TACACS+ authentication both allow you to validate an unlimited number of users from a central location.
The following table describes some key differences between RADIUS and TACACS+.
Table 59 RADIUS vs. TACACS+
| RADIUS | TACACS+ |
Transport | UDP (User Datagram Protocol) | TCP (Transmission Control Protocol) |
Protocol |
|
|
|
|
|
Encryption | Encrypts the password sent for | All communication between the client |
| authentication. | (the Switch) and the TACACS server |
|
| is encrypted. |
|
|
|
24.2 AAA Screens
The AAA screens allow you to enable authentication and authorization or both of them on the Switch. First, configure your authentication server settings (RADIUS, TACACS+ or both) and then set up the authentication priority, activate authorization.
210 |
| |
| ||
|
|
|