8–2 MULTILINK ML1600 ETHERNET COMMUNICATIONS SWITCH – INSTRUCTION MANUAL

INTRODUCTION TO TACACS+

CHAPTER 8: ACCESS USING TACACS+

8.1.2 TACACS+ Flow

TACACS+ works in conjunction with the local user list of the ML1600 software (operating
system). Please refer to User MGMNT on page 1–12 for adding users to the MultiLink
Switch Software. The process of authentication as well as authorization is shown in the
flowchart below.

FIGURE 8–1: TACACS authorization flowchart

The flow diagram above shows the tight integration of TACACS+ authentication with the
local user-based authentication. A user goes through two stages in TACACS+. The first
stage is authentication, where the user is verified against the network user database. The
second stage is authorization, where it is determined whether the user has operator access
or manager privileges.
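The decision flow of Figure 8–1, written out as an added Python model (not code from the manual or from the ML1600 firmware). It assumes that a local user's password is also checked at the local-list step and that only a connection failure moves on to the next configured TACACS+ server; an authentication or authorization failure ends the session. The `TacacsServer` class is a constructed stand-in, so nothing is sent on the network.

```python
from dataclasses import dataclass, field
from enum import Enum

class Outcome(Enum):
    MANAGER = "Login as Manager"
    OPERATOR = "Login as Operator"
    LOGOUT = "Logout"

@dataclass
class TacacsServer:
    """Constructed stand-in for one TACACS+ server; no network traffic is sent."""
    name: str
    reachable: bool = True
    passwords: dict = field(default_factory=dict)   # user -> password (authentication)
    privileges: dict = field(default_factory=dict)  # user -> "manager"/"operator" (authorization)

def login(user, password, local_users, tacacs_enabled, servers):
    """Walk Figure 8-1: local user list first, then TACACS+ authentication, then
    authorization. local_users maps user -> (password, is_manager).
    Returns (Outcome, audit trail) so every decision can be logged."""
    trail = []
    # Local users never reach TACACS+. Assumption: the local password is checked
    # here as well; the flowchart only shows the list lookup.
    if user in local_users:
        stored, is_manager = local_users[user]
        if stored != password:
            trail.append("local password mismatch")
            return Outcome.LOGOUT, trail
        trail.append("local user")
        return (Outcome.MANAGER if is_manager else Outcome.OPERATOR), trail
    if not tacacs_enabled:
        trail.append("TACACS+ disabled")
        return Outcome.LOGOUT, trail
    # Servers are tried in configured order; only a connection failure falls through.
    for srv in servers:
        if not srv.reachable:
            trail.append(f"connection failure: {srv.name}")
            continue
        if srv.passwords.get(user) != password:
            trail.append(f"authentication failure: {srv.name}")
            return Outcome.LOGOUT, trail
        trail.append(f"authenticated: {srv.name}")
        priv = srv.privileges.get(user)
        if priv in ("manager", "operator"):
            return (Outcome.MANAGER if priv == "manager" else Outcome.OPERATOR), trail
        trail.append(f"authorization failure: {srv.name}")
        return Outcome.LOGOUT, trail
    trail.append("no additional servers")
    return Outcome.LOGOUT, trail
```

The returned trail is the part worth keeping in a switch syslog: a run of "connection failure" entries followed by "no additional servers" means management logins are failing because the TACACS+ servers are unreachable, not because credentials are wrong.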

8.1.3 TACACS+ Packet

Packet encryption is supported and is a configurable option for the ML1600 software.
When encrypted, all authentication and authorization TACACS+ packets are encrypted and
are not readable by protocol capture and sniffing tools such as Ethereal or others.
Packet data is hashed using MD5 together with a secret string defined on both the
MultiLink switches and the TACACS+ server.

[Figure 8–1 flowchart (drawing 754716A1.CDR); node labels: Start, Login, User in Local User List?, Is User Manager?, Login as Manager, Login as Operator, TACACS+ Enabled?, Connect to TACACS server to authenticate, Connection failure, Additional Servers?, Authentication failure, Authenticated, TACACS+ authorization, Authorized as Operator, Authorized as Manager, Authorization failure, Logout]
