TACACS+ and RADIUS Implementation Guidelines – Allied Telesis AT-S63 User Manual


AT-S63 Management Software Menus Interface User’s Guide

Section VIII: Management Security

831

authentication protocol server. The server checks to see if the username
and password are valid for that switch. This is referred to as
authentication.

If the combination is valid, the authentication protocol server notifies the
switch and the switch completes the login process, allowing the manager
to manage the switch.

If the username and password are invalid, the authentication protocol
server notifies the switch and the switch cancels the login.

Authorization defines what a manager can do after logging in to a switch.
You assign an authorization level to each username and password
combination that you create on the server software. The access level can
be either Manager or Operator.
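The switch-to-server exchange described above, as an added Python example that is not part of this manual or of the AT-S63 software: the switch sends a RADIUS Access-Request with the RFC 2865 User-Password hiding, the server checks the username and password and answers Access-Accept or Access-Reject, and the switch verifies the Response Authenticator before it completes or cancels the login. The shared secret, the account table and the use of Service-Type (Administrative-User / NAS-Prompt-User) to carry the Manager or Operator level are assumptions; the manual does not say how the level is conveyed.

```python
import hashlib, hmac, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3           # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6  # RFC 2865 attribute types
# Assumed: Service-Type Administrative-User / NAS-Prompt-User carries the access level (not stated in the manual).
LEVELS = {6: "Manager", 7: "Operator"}

def attr(t, value):
    return bytes([t, len(value) + 2]) + value

def parse_attrs(buf):
    attrs, i = {}, 0  # Type-Length-Value list; None on a malformed length
    while i + 2 <= len(buf):
        t, n = buf[i], buf[i + 1]
        if n < 2 or i + n > len(buf):
            return None
        attrs[t], i = buf[i + 2:i + n], i + n
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2 User-Password hiding: 16-byte chunks XORed with MD5(secret + previous block)."""
    data = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, user, password, secret, req_auth):
    """Switch side: forward the login attempt; req_auth is the 16-byte random Request Authenticator."""
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_reply(request, secret, accounts):
    """Server side: check username/password against its table, sign the reply with the Response Authenticator."""
    a = parse_attrs(request[20:]) or {}
    entry = accounts.get(a.get(ATTR_USER_NAME))  # (password, service_type) or None
    ok = entry and hmac.compare_digest(hide_password(entry[0], secret, request[4:20]), a.get(ATTR_USER_PASSWORD, b""))
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", entry[1])) if ok else b""
    hdr = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request[4:20] + attrs + secret).digest() + attrs

def switch_decision(request, response, secret):
    """Switch side: complete the login only on an authentic Access-Accept, otherwise cancel it."""
    hdr, attrs = response[:4], response[20:]
    check = hashlib.md5(hdr + request[4:20] + attrs + secret).digest()
    if response[1] != request[1] or not hmac.compare_digest(check, response[4:20]) or hdr[0] != ACCESS_ACCEPT:
        return None  # Identifier mismatch, bad Response Authenticator (forged or mis-keyed reply), or a Reject
    st = (parse_attrs(attrs) or {}).get(ATTR_SERVICE_TYPE, b"")
    return LEVELS.get(struct.unpack("!I", st)[0] if len(st) == 4 else None, "Operator")  # default: least privilege
```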

The final function of an authentication protocol is accounting, which keeps
track of user activity on network devices. The AT-S63 management
software does not support RADIUS or TACACS+ accounting as part of
manager accounts. However, it does support RADIUS accounting with the
802.1x Port-based Network Access Control feature, as explained in
Chapter 31, “802.1x Port-based Network Access Control” on page 717.

Note

The AT-S63 management software does not support the two earlier
versions of the TACACS+ protocol, TACACS and XTACACS.

TACACS+ and RADIUS Implementation Guidelines

What do you need to use the TACACS+ and RADIUS protocols?
Following are the main points.

• First, you need to install TACACS+ or RADIUS server software on one
or more of your network servers or management stations.
Authentication protocol server software is not available from Allied
Telesyn.

• The authentication protocol server can be on the same subnet or a
different subnet as the AT-9400 Series switch. If the server and switch
are on different subnets, be sure to specify a default gateway in the
System Configuration menu (Figure 5 on page 55) so that the switch
and server can communicate with each other.

Note

The switch communicates with the authentication server via the
switch’s management VLAN. Consequently, the node functioning as
the authentication server must be communicating with a switch
through a port that is a member of that VLAN. The default
management VLAN is Default_VLAN. For further information, refer
to “Specifying a Management VLAN” on page 631.
