Tacacs+ and radius overview – Allied Telesis AT-S63 User Manual

Page 826


Chapter 36: TACACS+ and RADIUS Protocols


Section VIII: Management Security

TACACS+ and RADIUS Overview

TACACS+ and RADIUS are authentication protocols for enhancing the
security of your network. In general terms, these authentication protocols
transfer the task of authenticating network access from a network device
to an authentication protocol server.

The AT-S62 software comes with TACACS+ and RADIUS client software.
You can use the client software to add two security features to the switch.
The first feature, described in this chapter, involves creating new manager
accounts for controlling who can log onto a switch to change its parameter
settings. The second feature is 802.1x Port-based Access Control,
explained in Chapter 30, “802.1x Port-based Network Access Control” on
page 606, which controls which end users and end nodes can send
packets through the switch.

This chapter explains the manager accounts feature. The AT-S63
management software has two standard manager login accounts:
manager and operator. The manager account lets you change a switch’s
parameter settings while the operator account lets you view the settings,
but not change them. Each account has its own password. The manager
account has a default password of “friend” and the operator account has a
default password “operator.”

For those networks that are managed by just one or two network
managers, the standard accounts may be all you need. However, for
larger networks managed by several network managers, you might want
to give each manager his or her own management login account rather
than have them share an account.

This is where TACACS+ and RADIUS can be useful. TACACS+ is an
acronym for Terminal Access Controller Access Control System. RADIUS
is an acronym for Remote Authentication Dial In User Services. These are
authentication protocols. You can use them to transfer the task of
validating management access from an AT-9400 Series switch to an
authentication protocol server.

With the protocols you can create a series of username and password
combinations that define who can manage an AT-9400 Series switch.
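The exchange described here, a switch handing a manager's username and password to an authentication server and acting on the server's answer, is shown below as an added example written for this page; it is not the AT-S63 client software or any Allied Telesis code. It implements the RADIUS Access-Request / Access-Accept / Access-Reject exchange from RFC 2865, including the MD5-based User-Password hiding and the Response Authenticator the client must verify. The user database, shared secret and credentials are constructed sample values; a real deployment would point the switch at a RADIUS server instead of calling the server function in-process.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with an MD5 chain
    keyed by the shared secret and the Request Authenticator."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse hide_password and strip the zero padding
    (RADIUS passwords do not contain NUL bytes)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-zero multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client (switch) side: Code, Identifier, Length, Request Authenticator, attributes."""
    attrs = _attr(ATTR_USER_NAME, user) + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV attribute list, rejecting truncated or zero-length entries."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Authentication server: check the request, look the user up, answer Accept or Reject.
    The server must hold the cleartext (or reversibly stored) password, since PAP-style
    RADIUS compares the recovered password directly."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    ok = False
    try:
        attrs = parse_attributes(packet[20:length])
        user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
        if user in user_db and hidden is not None:
            ok = hmac.compare_digest(reveal_password(hidden, secret, req_auth), user_db[user])
    except ValueError:
        ok = False  # malformed attributes are treated as a failed login
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_check_response(response: bytes, request_auth: bytes, secret: bytes):
    """Switch side: only trust the verdict if the Response Authenticator checks out;
    a mismatch (wrong shared secret, forged or corrupted reply) yields None."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None


def run_exchange(user: bytes, password: bytes, client_secret: bytes, server_secret: bytes, user_db: dict):
    """Full round trip: returns ACCESS_ACCEPT, ACCESS_REJECT, or None if the reply fails verification."""
    request_auth = os.urandom(16)
    request = build_access_request(7, user, password, client_secret, request_auth)
    return client_check_response(server_handle(request, server_secret, user_db), request_auth, client_secret)


# Constructed sample data for a manager account delegated to the server
SAMPLE_DB = {b"alice": b"correct horse"}
SAMPLE_SECRET = b"constructed-shared-secret"

if __name__ == "__main__":
    print("accept:", run_exchange(b"alice", b"correct horse", SAMPLE_SECRET, SAMPLE_SECRET, SAMPLE_DB))
    print("reject:", run_exchange(b"alice", b"wrong", SAMPLE_SECRET, SAMPLE_SECRET, SAMPLE_DB))
    print("secret mismatch:", run_exchange(b"alice", b"correct horse", SAMPLE_SECRET, b"other", SAMPLE_DB))
```

The third call shows why the Response Authenticator matters: when the switch and server disagree on the shared secret, the server's verdict is discarded rather than acted on. Note that MD5-based password hiding is what the protocol specifies, not strong encryption, which is one reason the link between the switch and the server is normally kept on a management network rather than exposed to end users.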

There are three basic functions an authentication protocol provides:

• Authentication

• Authorization

• Accounting

When a network manager logs in to a switch to manage the device, the
switch passes the username and password entered by the manager to the
