Accounting, Tacacs+ authentication – Juniper Networks EX2500 User Manual

EX2500 Ethernet Switch Configuration Guide

Securing Access to the Switch

Accounting

Accounting is the recording of a user's activity on the switch for billing and
security purposes. It takes place after authentication and authorization. If
authentication and authorization are not performed through a RADIUS server, the
switch sends no RADIUS accounting messages. The EX2500 switch sends the
following RADIUS accounting records:

- Accounting Start. The RADIUS Accounting Start record typically contains the
  following information:
    - IP address
    - User name
    - Session ID
    - Server ID
    - Accounting status type (start)

- Accounting Stop. The RADIUS Accounting Stop record typically contains the
  following information:
    - Elapsed time
    - Reason for termination
    - Accounting status type (stop)
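The Start and Stop records above can be illustrated with their wire form. The following is an added example, not code from this guide or from Juniper: it builds RFC 2866 Accounting-Request packets for one session's Start and Stop records, computes the Request Authenticator that lets the accounting server detect a forged or altered record, and parses the attributes back out. The shared secret, NAS address, user name and session ID are constructed values, and mapping the guide's "Server ID" to the NAS-Identifier attribute is an assumption.

```python
"""RADIUS accounting Start/Stop records as sent by a NAS (RFC 2866).
Added example, not Juniper code.  Secret, NAS address, session ID and
user are constructed; "Server ID" -> NAS-Identifier is an assumption."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5

# Attribute types (RFC 2865 / RFC 2866) carried by the Start and Stop records
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32            # assumed to be the guide's "Server ID"
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_SESSION_TIME = 46         # "Elapsed time" (seconds)
ACCT_TERMINATE_CAUSE = 49      # "Reason for termination"
ACCT_START, ACCT_STOP = 1, 2
TERM_CAUSE_USER_REQUEST = 1

def _avp(atype, value):
    """Encode one attribute as Type | Length (incl. 2-octet header) | Value."""
    if isinstance(value, int):
        value = struct.pack("!I", value)        # integer attributes are 32-bit
    elif isinstance(value, str):
        value = value.encode()
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([atype, len(value) + 2]) + value

def build_acct_request(identifier, secret, attrs):
    """Accounting-Request whose Request Authenticator is
    MD5(Code|ID|Length|16 zero octets|Attributes|Secret), so a server
    holding the same secret can detect a forged or altered record."""
    body = b"".join(_avp(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return header + auth + body

def verify_acct_request(packet, secret):
    """Server side: recompute the Request Authenticator; True only for an
    intact packet produced with the same shared secret."""
    header, auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(header + b"\x00" * 16 + body + secret).digest()
    return hmac.compare_digest(auth, expected)

def build_acct_response(request, secret):
    """Accounting-Response: echoes the ID; its authenticator is
    MD5(Code|ID|Length|RequestAuthenticator|Attributes|Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_acct_response(response, request, secret):
    """Client side: the reply must match our ID and be keyed with the secret,
    otherwise the NAS must keep retransmitting the record."""
    header, auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(auth, expected)

def parse_attributes(packet):
    """Return {type: raw value} for the attributes following the header."""
    out, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out

def start_record(identifier, secret, user, session_id, nas_ip, nas_id):
    """Start record: who, from which NAS, which session, status = start."""
    return build_acct_request(identifier, secret, [
        (ACCT_STATUS_TYPE, ACCT_START),
        (USER_NAME, user),
        (ACCT_SESSION_ID, session_id),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_IDENTIFIER, nas_id),
    ])

def stop_record(identifier, secret, user, session_id, elapsed, cause):
    """Stop record: same session ID, elapsed seconds, and why it ended."""
    return build_acct_request(identifier, secret, [
        (ACCT_STATUS_TYPE, ACCT_STOP),
        (USER_NAME, user),
        (ACCT_SESSION_ID, session_id),
        (ACCT_SESSION_TIME, elapsed),
        (ACCT_TERMINATE_CAUSE, cause),
    ])

# Constructed sample session: an admin logs in and logs out 15 minutes later.
SECRET = b"example-shared-secret"
start = start_record(7, SECRET, "admin", "0000001A", "192.0.2.10", "ex2500-core")
stop = stop_record(8, SECRET, "admin", "0000001A", 900, TERM_CAUSE_USER_REQUEST)
```

Acct-Session-Id is the field the accounting server uses to pair a Stop with its Start, so the switch must send the same value in both. Because accounting runs over UDP, a Stop with no matching Start (or a Start that never gets a Stop) should be treated as an incomplete record rather than discarded.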

TACACS+ Authentication

The EX2500 switch supports authentication and authorization with networks using
the TACACS+ protocol. The EX2500 switch functions as the Network Access Server
(NAS) by interacting with the remote client and initiating authentication and
authorization sessions with the TACACS+ access server. The remote user is
defined as someone requiring management access to the EX2500 switch either
through a data port or a management port.

TACACS+ offers the following advantages over RADIUS:

- TACACS+ uses TCP, a connection-oriented transport, whereas RADIUS uses
  UDP, which provides only best-effort delivery. A RADIUS client must
  therefore be configured with retransmit counts and timeouts to compensate
  for lost datagrams, whereas a TCP connection provides delivery, ordering and
  retransmission itself.

- TACACS+ obscures the entire packet body (only the 12-octet header travels
  in the clear), whereas RADIUS hides only the password attribute of an
  authentication request and sends every other attribute, such as the user
  name, in cleartext. Note that the TACACS+ body protection is an XOR with an
  MD5-derived pad keyed by the shared secret; RFC 8907 describes it as
  obfuscation rather than encryption, so the strength of the shared secret and
  a protected management path still matter.

- TACACS+ separates authentication, authorization, and accounting, so each
  function can be handled independently.
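To make the second point concrete, here is an added example (not code from this guide or from Juniper) that implements both sides of each protocol's password handling in Python: the TACACS+ pseudo-pad and body XOR from RFC 8907 section 4.5, and the RADIUS User-Password hiding from RFC 2865 section 5.2. The shared keys, session ID and credentials are constructed, and the TACACS+ body is treated as opaque bytes rather than a fully formed authentication packet.

```python
"""TACACS+ body obfuscation (RFC 8907 s4.5) beside RADIUS User-Password
hiding (RFC 2865 s5.2).  Added example, not Juniper code; shared keys,
session ID and credentials are constructed for illustration."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 ("version 12.0")
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def tacacs_pad(session_id, key, version, seq_no, length):
    """Pseudo-pad keyed by the shared secret and the cleartext header fields:
    MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1),
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def tacacs_obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the pad; applying it again restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def tacacs_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHEN):
    """Wire format: 12-octet cleartext header, then the obfuscated body."""
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, seq_no)

def tacacs_decode(packet, key):
    """Receiver side: read the cleartext header, then strip the pad unless the
    sender set TAC_PLUS_UNENCRYPTED_FLAG (which must never be accepted in
    production; it is honoured here only to show what the flag means)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return tacacs_obfuscate(body, session_id, key, seq_no, version)

def _radius_blocks(data):
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def radius_hide_password(password, secret, request_authenticator):
    """Zero-pad to a multiple of 16 octets; block i is XORed with
    MD5(secret|previous ciphertext block), the first block with
    MD5(secret|Request Authenticator).  Only this attribute is protected;
    User-Name and the rest of the Access-Request stay in cleartext."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for block in _radius_blocks(padded):
        b = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(block, b))
        out += prev
    return out

def radius_reveal_password(hidden, secret, request_authenticator):
    """Server side of the same construction; trailing NULs are padding."""
    out, prev = b"", request_authenticator
    for block in _radius_blocks(hidden):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(block, b))
        prev = block
    return out.rstrip(b"\x00")
```

Decoding a TACACS+ body needs nothing beyond the cleartext header fields and the shared key, which is why the key is the whole secret of the scheme and why a management VLAN or an IPsec tunnel between switch and server is still worth having. The RADIUS side shows the asymmetry described in the list: the password is hidden, but the user name and every other attribute in the same request travel in the clear.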
