Edge Products ES3528-WDM User Manual

Page 105

Advertising
background image

Configuring Local/Remote Logon Authentication

6-3

6

the network. An authentication server contains a database of multiple user name/
password pairs with associated privilege levels for each user that requires
management access to the switch.

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery,
while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts
only the password in the access-request packet from the client to the server, while
TACACS+ encrypts the entire body of the packet.

Command Usage
• By default, management access is always checked against the authentication

database stored on the local switch. If a remote authentication server is used, you
must specify the authentication sequence and the corresponding parameters for
the remote authentication protocol. Local and remote logon authentication control
management access via the console port, web browser, or Telnet.

• RADIUS and TACACS+ logon authentication assign a specific privilege level for

each user name/password pair. The user name, password, and privilege level
must be configured on the authentication server. The encryption methods used for
the authentication process must also be configured or negotiated between the
authentication server and logon client. This switch can pass authentication
messages between the server and client that have been encrypted using MD5
(Message-Digest 5), TLS (Transport Layer Security), or TTLS (Tunneled Transport
Layer Security).

• You can specify up to three authentication methods for any user to indicate the

authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and
(3) Local, the user name and password on the RADIUS server is verified first. If the
RADIUS server is not available, then authentication is attempted using the
TACACS+ server, and finally the local user name and password is checked.

Command Attributes
Authentication – Select the authentication, or authentication sequence required:

- Local – User authentication is performed only locally by the switch.
- Radius – User authentication is performed using a RADIUS server only.
- TACACS – User authentication is performed using a TACACS+ server only.
- [authentication sequence] – User authentication is performed by up to three

authentication methods in the indicated sequence.

RADIUS Settings

- Global – Provides globally applicable RADIUS settings.
- ServerIndex – Specifies one of five RADIUS servers that may be configured.

The switch attempts authentication using the listed sequence of servers. The
process ends when a server either approves or denies access to a user.

- Server IP Address – Address of authentication server. (Default: 10.1.0.1)
- Server Port Number – Network (UDP) port of authentication server used for

authentication messages. (Range: 1-65535; Default: 1812)

- Secret Text String – Encryption key used to authenticate logon access for

client. Do not use blank spaces in the string. (Maximum length: 48 characters)

Advertising
This manual is related to the following products: