TACACS+ and RADIUS Overview – Allied Telesis AT-S63 User Manual

Page 762


Chapter 34: TACACS+ and RADIUS Protocols

Section VII: Management Security

TACACS+ and RADIUS Overview

The AT-S63 management software has two standard manager login
accounts: manager and operator. The manager account lets you change a
switch’s parameter settings while the operator account lets you view the
settings, but not change them. Each account has its own password. The
manager account has a default password of “friend” and the operator
account has a default password “operator.”

For those networks that are managed by just one or two network
managers, the standard accounts may be all you need. However, for
larger networks managed by several network managers, you might want
to give each manager his or her own management login account rather
than have them share an account.

This is where TACACS+ and RADIUS can be useful. TACACS+ is an
acronym for Terminal Access Controller Access Control System. RADIUS
is an acronym for Remote Authentication Dial In User Services. These are
authentication protocols. You can use them to transfer the task of
validating management access from an AT-9400 Series switch to an
authentication protocol server.

With the protocols you can create a series of username and password
combinations that define who can manage an AT-9400 Series switch.

There are three basic functions an authentication protocol provides:

- Authentication
- Authorization
- Accounting

When a network manager logs in to a switch to manage the device, the
switch passes the username and password entered by the manager to the
authentication protocol server. The server checks to see if the username
and password are valid for that switch. This is referred to as
authentication.

If the combination is valid, the authentication protocol server notifies the
switch and the switch completes the login process, allowing the manager
to manage the switch.

If the username and password are invalid, the authentication protocol
server notifies the switch and the switch cancels the login.

Authorization defines what a manager can do after logging in to a switch.
You assign an authorization level to each username and password
combination that you create on the server software. The access level can
be either Manager or Operator.
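The login exchange described above (switch forwards the credentials, server answers accept or reject, and on accept also returns the authorization level) is modelled below in Python using RFC 2865 RADIUS framing. This is an added example, not code from the manual or from Allied Telesis: the account table, the shared secret and the use of the Service-Type attribute to carry the Manager/Operator level are constructed assumptions for illustration, not the AT-S63's actual attribute mapping. The switch side also checks the Response Authenticator so that a reply not produced with the shared secret cancels the login.

```python
# Added example: minimal RADIUS Access-Request / Access-Accept exchange (RFC 2865)
# modelling the switch <-> authentication server login flow. Sample accounts,
# the shared secret and the Service-Type -> access-level mapping are assumptions.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6
# Service-Type values from RFC 2865: 6 = Administrative-User, 7 = NAS-Prompt-User.
# Assumed mapping (illustration only): Administrative-User -> manager, NAS-Prompt-User -> operator.
SERVICE_TYPE_TO_LEVEL = {6: "manager", 7: "operator"}
LEVEL_TO_SERVICE_TYPE = {v: k for k, v in SERVICE_TYPE_TO_LEVEL.items()}

SHARED_SECRET = b"constructed-shared-secret"  # constructed; shared by switch and server

# Constructed server-side account table: username -> (password, access level).
SERVER_ACCOUNTS = {"alice": ("alice-pw", "manager"), "bob": ("bob-pw", "operator")}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous cipher block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes the 2 header bytes) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        t, length = struct.unpack("!BB", data[pos:pos + 2])
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + length]))
        pos += length
    return attrs


def switch_build_access_request(username: str, password: str, ident: int = 1) -> bytes:
    """Switch side: wrap the credentials typed at login into an Access-Request."""
    request_auth = os.urandom(16)  # fresh Request Authenticator per request
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def server_handle(packet: bytes) -> bytes:
    """Server side: authenticate the pair, then attach the authorization level on Accept."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, request_auth)
    entry = SERVER_ACCOUNTS.get(username)
    if entry and hmac.compare_digest(password, entry[0].encode()):
        code = ACCESS_ACCEPT
        body = encode_attrs([(ATTR_SERVICE_TYPE, struct.pack("!I", LEVEL_TO_SERVICE_TYPE[entry[1]]))])
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + SHARED_SECRET).digest()
    return header + resp_auth + body


def switch_process_response(request: bytes, response: bytes):
    """Switch side: verify the reply was built with the shared secret for this
    request, then complete the login (returning the level) or cancel it."""
    request_auth = request[4:20]
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + SHARED_SECRET).digest()
    if ident != request[1] or not hmac.compare_digest(expected, response[4:20]):
        return ("login cancelled", None)  # mismatched identifier or bad authenticator
    if code != ACCESS_ACCEPT:
        return ("login cancelled", None)
    attrs = dict(decode_attrs(response[20:length]))
    level = SERVICE_TYPE_TO_LEVEL.get(struct.unpack("!I", attrs[ATTR_SERVICE_TYPE])[0])
    return ("login complete", level)


def login(username: str, password: str):
    """Full round trip: switch request -> server decision -> switch outcome."""
    request = switch_build_access_request(username, password)
    return switch_process_response(request, server_handle(request))


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("alice", "guess")]:
        print(user, login(user, pw))
```

Each call to `login()` walks the three steps the text describes: the switch never compares the password itself, the server decides, and the access level only exists on the switch after an authenticated Accept arrives.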
