How tacacs+ authentication works, Tacacs+ authentication features, Authorization – HP 445946-001 User Manual

Page 26

Advertising
background image

Accessing the switch

26

TACACS+ offers the following advantages over RADIUS:

TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers

a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional

programmable variables such as re-transmit attempts and time-outs to compensate for best-effort

transport, but it lacks the level of built-in support that a TCP transport offers.

TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in

authentication requests.

TACACS+ separates authentication, authorization, and accounting.

How TACACS+ authentication works

TACACS+ works much in the same way as RADIUS authentication.

1.

Remote administrator connects to the switch and provides user name and password.

NOTE:

The user name and password can have a maximum length of 128 characters. The

password cannot be left blank.

2.

Using Authentication/Authorization protocol, the switch sends request to authentication server.

3.

Authentication server checks the request against the user ID database.

4.

Using TACACS+ protocol, the authentication server instructs the switch to grant or deny

administrative access.

During a session, if additional authorization checking is needed, the switch checks with a TACACS+

server to determine if the user is granted permission to use a particular command.

TACACS+ authentication features

Authentication is the action of determining the identity of a user, and is generally done when the user first
attempts to log in to a device or gain access to its services. Switch software supports ASCII inbound login

to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time

password authentication are not supported.

Authorization

Authorization is the action of determining a user’s privileges on the device, and usually takes place after

authentication.
The default mapping between TACACS+ authorization privilege levels and switch management access
levels is shown in the table below. The privilege levels listed in the following table must be defined on the

TACACS+ server.

Table 4

Default TACACS+ privilege levels

User access level

TACACS+ level

user 0

oper 3

admin 6

Advertising
Popular Brands
Popular manuals