TACACS+ authorization, TACACS+ accounting – Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide, 53-1002484-04, page 77

Chapter 3: Configuring TACACS and TACACS+ security

5. The user is prompted for a password.

6. The user enters a password.

7. The device sends the password to the TACACS+ server.

8. The password is validated in the TACACS+ server’s database.

9. If the password is valid, the user is authenticated.

TACACS+ authorization

The device supports two kinds of TACACS+ authorization:

Exec authorization determines a user’s privilege level when they are authenticated.

Command authorization consults a TACACS+ server to get authorization for commands entered by the user.

When TACACS+ exec authorization takes place, the following events occur.

1. A user logs into the device using Telnet, SSH, or the Web Management Interface

2. The user is authenticated.

3. The device consults the TACACS+ server to determine the privilege level of the user.

4. The TACACS+ server sends back a response containing an A-V (Attribute-Value) pair with the privilege level of the user.

5. The user is granted the specified privilege level.

When TACACS+ command authorization takes place, the following events occur.

1. A Telnet, SSH, or Web Management Interface user previously authenticated by a TACACS+ server enters a command on the device.

2. The device looks at its configuration to see if the command is at a privilege level that requires TACACS+ command authorization.

3. If the command belongs to a privilege level that requires authorization, the device consults the TACACS+ server to see if the user is authorized to use the command.

4. If the user is authorized to use the command, the command is executed.

TACACS+ accounting

TACACS+ accounting works as follows.

1. One of the following events occurs on the device:

A user logs into the management interface using Telnet or SSH

A user enters a command for which accounting has been configured

A system event occurs, such as a reboot or reloading of the configuration file

2. The device checks its configuration to see if the event is one for which TACACS+ accounting is required.

3. If the event requires TACACS+ accounting, the device sends a TACACS+ Accounting Start packet to the TACACS+ accounting server, containing information about the event.

4. The TACACS+ accounting server acknowledges the Accounting Start packet.
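The exec authorization, command authorization and accounting exchanges described above, carried through at the packet level as an added example; this is not code from the Brocade guide, and the guide itself says nothing about the wire format. The model follows the TACACS+ specification (RFC 8907): a 12-byte header, a body XORed with a keystream of chained MD5 digests over session id, shared key, version and sequence number, an authorization REQUEST carrying `service=shell` with `cmd=` (empty) for exec start or `cmd=`/`cmd-arg=` for a command, a REPLY whose `priv-lvl` A-V pair sets the privilege level, and an accounting START record acknowledged with SUCCESS. The attribute names are the protocol's standard ones; the guide does not say which the BigIron uses. Device and server run in one process. The key, session id, addresses and the `POLICY` table are constructed for the demo. Two practitioner details are built in: a body flagged TAC_PLUS_UNENCRYPTED (what a peer sends when it has no key configured) is refused, and the same `obfuscate` call serves both directions because the protection is a plain XOR keystream, not authenticated encryption, which is why TACACS+ belongs on a protected management network.

```python
# TACACS+ (RFC 8907) authorization and accounting, device and server both
# simulated in-process. Added example, not Brocade code; key, session id,
# addresses and POLICY are constructed for the demo.
import hashlib
import struct

VERSION, TYPE_AUTHOR, TYPE_ACCT, FLAG_UNENCRYPTED = 0xC0, 0x02, 0x03, 0x01
METH_TACACSPLUS, TYPE_ASCII, SVC_LOGIN = 0x06, 0x01, 0x01
AUTHOR_PASS_ADD, AUTHOR_FAIL = 0x01, 0x10
ACCT_FLAG_START, ACCT_SUCCESS = 0x02, 0x01

def obfuscate(key, sid, seq_no, body):
    """RFC 8907 s4.5: XOR body with chained MD5(session_id|key|version|seq_no[|prev])
    blocks. XOR is its own inverse, so the same call hides and reveals."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def pack_packet(key, ptype, seq_no, session_id, body):
    sid = struct.pack("!I", session_id)
    hdr = struct.pack("!BBBB4sI", VERSION, ptype, seq_no, 0, sid, len(body))
    return hdr + obfuscate(key, sid, seq_no, body)

def unpack_packet(key, packet):
    version, ptype, seq_no, flags, sid, length = struct.unpack("!BBBB4sI", packet[:12])
    if version != VERSION or length != len(packet) - 12:
        raise ValueError("malformed TACACS+ header")
    if flags & FLAG_UNENCRYPTED:          # peer has no key configured: never accept
        raise ValueError("refusing cleartext TACACS+ body")
    return ptype, seq_no, obfuscate(key, sid, seq_no, packet[12:])

def request_body(fixed, user, port, rem_addr, args):
    """Tail shared by authorization (s6.1) and accounting (s7.1) REQUESTs:
    user/port/rem_addr lengths, arg count, arg lengths, then the strings."""
    strs = [s.encode() for s in (user, port, rem_addr, *args)]
    return fixed + bytes(map(len, strs[:3])) + bytes([len(args)]) + bytes(map(len, strs[3:])) + b"".join(strs)

def take_strings(body, pos, lens):
    out = []
    for n in lens:
        out.append(body[pos:pos + n].decode())
        pos += n
    return out

def parse_request(body, is_acct):
    off = 5 if is_acct else 4             # accounting carries a leading flags byte
    user_len, port_len, rem_len, arg_cnt = body[off:off + 4]
    lens, pos = body[off + 4:off + 4 + arg_cnt], off + 4 + arg_cnt
    user = body[pos:pos + user_len].decode()
    return user, take_strings(body, pos + user_len + port_len + rem_len, lens)

def author_reply(status, args):           # REPLY body (s6.2), empty server_msg/data
    enc = [a.encode() for a in args]
    return struct.pack("!BBHH", status, len(enc), 0, 0) + bytes(map(len, enc)) + b"".join(enc)

def parse_author_reply(body):
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return status, take_strings(body, 6 + arg_cnt + msg_len + data_len, body[6:6 + arg_cnt])

# Constructed policy: user -> (exec privilege level, allowed command verbs; None = any).
POLICY = {"netops": (15, None), "helpdesk": (5, {"show", "ping"})}

def server_policy(user, args):
    if user not in POLICY:
        return AUTHOR_FAIL, []
    priv, allowed = POLICY[user]
    cmd = dict(a.split("=", 1) for a in args if "=" in a).get("cmd", "")
    if cmd == "":                         # exec start: answer with the priv-lvl A-V pair
        return AUTHOR_PASS_ADD, ["priv-lvl=%d" % priv]
    return (AUTHOR_PASS_ADD if allowed is None or cmd in allowed else AUTHOR_FAIL), []

def authorize(key, session_id, user, args):
    """Device asks (seq 1), server decides, device parses the reply (seq 2)."""
    fixed = struct.pack("!BBBB", METH_TACACSPLUS, 1, TYPE_ASCII, SVC_LOGIN)
    wire = pack_packet(key, TYPE_AUTHOR, 1, session_id, request_body(fixed, user, "ssh", "192.0.2.10", args))
    body = unpack_packet(key, wire)[2]                                  # server side
    status, reply_args = server_policy(*parse_request(body, is_acct=False))
    wire = pack_packet(key, TYPE_AUTHOR, 2, session_id, author_reply(status, reply_args))
    return parse_author_reply(unpack_packet(key, wire)[2])              # device side

def exec_priv_lvl(key, session_id, user):
    """Exec authorization: privilege level the device grants, or None on FAIL."""
    status, args = authorize(key, session_id, user, ["service=shell", "cmd="])
    pairs = dict(a.split("=", 1) for a in args)
    return int(pairs["priv-lvl"]) if status == AUTHOR_PASS_ADD else None

def command_allowed(key, session_id, user, cmdline):
    """Command authorization: first word as cmd, remaining words as cmd-arg."""
    verb, _, rest = cmdline.partition(" ")
    args = ["service=shell", "cmd=" + verb] + ["cmd-arg=" + w for w in rest.split()] + ["cmd-arg=<cr>"]
    return authorize(key, session_id, user, args)[0] == AUTHOR_PASS_ADD

def account_start(key, session_id, user, priv_lvl, args):
    """Accounting START out, server records (user, args), SUCCESS ack back."""
    fixed = struct.pack("!BBBBB", ACCT_FLAG_START, METH_TACACSPLUS, priv_lvl, TYPE_ASCII, SVC_LOGIN)
    wire = pack_packet(key, TYPE_ACCT, 1, session_id, request_body(fixed, user, "ssh", "192.0.2.10", args))
    logged = parse_request(unpack_packet(key, wire)[2], is_acct=True)   # server side
    reply = struct.pack("!HHB", 0, 0, ACCT_SUCCESS)                      # REPLY body (s7.2)
    ack = unpack_packet(key, pack_packet(key, TYPE_ACCT, 2, session_id, reply))[2]
    return ack[4] == ACCT_SUCCESS, logged
```

With `KEY = b"constructed-shared-key"` and a session id of `0x1A2B3C4D`, `exec_priv_lvl(KEY, 0x1A2B3C4D, "netops")` returns 15 and `command_allowed(KEY, 0x1A2B3C4D, "helpdesk", "reload")` returns False. A key mismatch between device and server does not produce a clean error: the body decodes to noise and the parser fails on nonsense lengths, which is also how the real failure usually presents in the field.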
