RADIUS attributes for user privileges, TACACS+ authentication, How TACACS+ authentication works – NEC INTELLIGENT L2 SWITCH N8406-022A User Manual


Accessing the switch 18


RADIUS attributes for user privileges

When a user logs in, the switch sends a RADIUS Access-Request (the client authentication request) to the RADIUS
authentication server, and the server's reply determines the level of access the user is granted.

If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the
remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access
through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS. When backdoor access is
enabled, the switch still accepts a local (non-RADIUS) login even while the primary and secondary authentication
servers are reachable, so RADIUS is bypassed rather than merely backed up. Secure backdoor (secbd) access,
likewise through the console port only or through the console and Telnet/SSH/HTTP/HTTPS, accepts a local login
only when both the primary and secondary authentication servers are unreachable. When RADIUS is on, you can
have either backdoor or secure backdoor enabled, but not both at the same time. By default, backdoor access
through the console port only is enabled, and both backdoor and secure backdoor access through
Telnet/SSH/HTTP/HTTPS are disabled. Whether or not backdoor or secure backdoor is enabled, you can always
access the switch through the console port by using the user name noradius and the administrator password.
Enabling either form of backdoor on Telnet/SSH/HTTP/HTTPS exposes that local login path over the network;
the console-only default keeps it off the network, so leave it there unless a remote fallback is genuinely required.

All user privileges, other than those assigned to the administrator, must be defined in the RADIUS server's
dictionary. The administrator is identified by RADIUS attribute 6 (Service-Type), which is built into all RADIUS
servers. The file name of the dictionary is RADIUS vendor-dependent. The vendor-supplied Service-Type values
shown in the following table are defined for the remaining user privilege levels.

Table 3 Proprietary attributes for RADIUS

User name/access   User service type   Value
User               Vendor-supplied     255
Operator           Vendor-supplied     252

TACACS+ authentication

The switch software supports authentication, authorization, and accounting with networks using the Cisco Systems
TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with the remote client
and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is
defined as someone requiring management access to the switch either through a data or management port.

TACACS+ offers the following advantages over RADIUS:

TACACS+ uses TCP, a connection-oriented transport, whereas RADIUS uses UDP, which offers only best-effort
delivery. RADIUS therefore needs additional configurable variables such as retransmit attempts and time-outs to
compensate for best-effort transport, and it still lacks the delivery guarantees that TCP provides.

TACACS+ obfuscates the entire packet body (only the 12-byte header travels in clear), whereas RADIUS hides only
the User-Password attribute of authentication requests; user names, other attributes and accounting records are
sent in clear text. Note that the TACACS+ body protection is an MD5-based keyed XOR pad, not modern
authenticated encryption, so traffic for either protocol should be confined to a trusted management network.

TACACS+ separates authentication, authorization, and accounting, so each can be handled and logged
independently; RADIUS combines authentication and authorization in a single exchange.

How TACACS+ authentication works

TACACS+ works much in the same way as RADIUS authentication.

1. The remote administrator connects to the switch and provides a user name and password.

NOTE: The user name and password can have a maximum length of 128 characters. The password
cannot be left blank.

2. Using the authentication/authorization protocol, the switch sends a request to the authentication server.

3. The authentication server checks the request against its user ID database.

4. Using the TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative
access.

During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to
determine whether the user is permitted to use a particular command.
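The following Python program is an added example, written for this page and not taken from the NEC manual or from any NEC or TACACS+ server code. It shows on the wire what the RADIUS/TACACS+ comparison above and the four-step exchange mean: a RADIUS client hides only the User-Password attribute (RFC 2865 section 5.2), while a TACACS+ client obfuscates the whole body of every packet behind a 12-byte clear-text header (RFC 8907 section 4.5), and the authentication START for an ASCII login (the login method this switch supports) carries the user name but not the password. The shared secrets, session id, user name, port and remote address are made-up values chosen for the demonstration.

```python
import hashlib
import struct

# ---- RADIUS: only User-Password is hidden (RFC 2865, section 5.2) ----

def radius_hide_password(shared_secret: bytes, request_authenticator: bytes,
                         password: bytes) -> bytes:
    """User-Password attribute value as the RADIUS client sends it.
    The password is NUL-padded to a multiple of 16 bytes (at least 16) and each
    block is XORed with MD5(secret + previous block), seeded with the Request
    Authenticator.  User-Name, Service-Type and the rest go out in clear text.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password:
        raise ValueError("RADIUS User-Password must not be empty")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def radius_reveal_password(shared_secret: bytes, request_authenticator: bytes,
                           hidden: bytes) -> bytes:
    """Inverse of radius_hide_password, as the server performs it."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


# ---- TACACS+: whole body obfuscated, 12-byte header in clear (RFC 8907) ----

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int,
                      length: int) -> bytes:
    """MD5-chained keystream of RFC 8907 section 4.5: a keyed XOR pad, not an
    authenticated cipher, so it offers no integrity protection."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(session_id: int, key: bytes, version: int, seq_no: int,
                     body: bytes) -> bytes:
    """XOR the body with the pad; applying it twice restores the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes,
                        priv_lvl: int = 0) -> bytes:
    """Authentication START body for an ASCII login (RFC 8907 section 5.1):
    action=LOGIN(1), authen_type=ASCII(1), authen_service=LOGIN(1).  With ASCII
    the password is not in START; the server answers GETPASS and the switch
    sends the password in a CONTINUE packet."""
    data = b""
    return (struct.pack("!8B", 0x01, priv_lvl, 0x01, 0x01,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)


def tacacs_packet(session_id: int, key: bytes, seq_no: int, body: bytes,
                  packet_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Full packet.  An empty key sends the body in clear with the
    UNENCRYPTED flag set, which is what a switch with no shared key does."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = (tacacs_obfuscate(session_id, key, TAC_PLUS_VERSION, seq_no, body)
               if key else body)
    return HEADER.pack(TAC_PLUS_VERSION, packet_type, seq_no, flags,
                       session_id, len(payload)) + payload


def tacacs_parse(packet: bytes, key: bytes) -> dict:
    """Parse a packet as the server would, de-obfuscating the body if needed."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = tacacs_obfuscate(session_id, key, version, seq_no, body)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    # Constructed demo values (not from the manual).
    ra = bytes(range(16))
    print("RADIUS User-Password on wire:",
          radius_hide_password(b"s3cret", ra, b"hunter2").hex())
    start = tacacs_authen_start(b"admin", b"ssh", b"192.0.2.10")
    pkt = tacacs_packet(0x12345678, b"example-key", 1, start)
    print("TACACS+ header (clear):   ", pkt[:12].hex())
    print("TACACS+ body (obfuscated):", pkt[12:].hex())
    print("Recovered user name:", tacacs_parse(pkt, b"example-key")["body"][8:13])
```

Parse a packet with the wrong key and the body comes back as garbage rather than an error: the pad gives confidentiality against a passive observer without the key, but nothing detects tampering, which is why the switch's TACACS+ and RADIUS traffic belongs on an isolated management network.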

TACACS+ authentication features

Authentication is the action of determining the identity of a user, and is generally done when the user first attempts
to log in to a device or gain access to its services. The switch software supports ASCII inbound login to the device.
The PAP, CHAP and ARAP login methods, TACACS+ change-password requests, and one-time password
authentication are not supported.
