BLADE OS™ Application Guide HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Version 5.1 Advanced Functionality Software
Table Of Contents
- Contents
- Figures
- Tables
- Preface
- Part 1: Basic Switching
  - Accessing the Switch
    - The Management Network
      - Local Management Using the Console Port
      - The Command Line Interface
      - Remote Management Access
      - Client IP Address Agents
    - Securing Access to the Switch
      - Setting Allowable Source IP Address Ranges
      - RADIUS Authentication and Authorization
      - TACACS+ Authentication
      - LDAP Authentication and Authorization
      - Secure Shell and Secure Copy
        - Configuring SSH/SCP Features on the Switch
        - Configuring the SCP Administrator Password
        - Using SSH and SCP Client Commands
        - SSH and SCP Encryption of Management Messages
        - Generating RSA Host and Server Keys for SSH Access
        - SSH/SCP Integration with Radius Authentication
        - SSH/SCP Integration with TACACS+ Authentication
      - End User Access Control
  - Ports and Trunking
  - Port-Based Network Access Control
  - VLANs
  - Spanning Tree Protocol
  - RSTP and MSTP
  - Link Layer Discovery Protocol
  - Quality of Service
- Part 2: IP Routing
  - Basic IP Routing
  - Routing Information Protocol
  - IGMP
  - OSPF
    - OSPF Overview
    - OSPF Implementation in BLADE OS
    - OSPF Configuration Examples
  - Remote Monitoring
- Part 3: High Availability Fundamentals
  - High Availability
    - Layer 2 Failover
    - Server Link Failure Detection
    - VRRP Overview
    - Failover Methods
    - BLADE OS Extensions to VRRP
    - Virtual Router Deployment Considerations
    - High Availability Configurations
- Part 4: Appendices
- Index
BLADE OS 5.1 Application Guide
BMD00113, September 2009 Chapter 1: Accessing the Switch 47
TACACS+ Authentication
BLADE OS supports authentication, authorization, and accounting with networks using the Cisco
Systems TACACS+ protocol. The GbE2c functions as the Network Access Server (NAS) by
interacting with the remote client and initiating authentication and authorization sessions with the
TACACS+ access server. The remote user is defined as someone requiring management access to
the GbE2c either through a data or management port.
TACACS+ offers the following advantages over RADIUS:
- TACACS+ uses TCP-based connection-oriented transport, whereas RADIUS is UDP-based. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers.
- TACACS+ offers full packet encryption, whereas RADIUS encrypts only the password in authentication requests.
- TACACS+ separates authentication, authorization, and accounting.
How TACACS+ Authentication Works
TACACS+ works much in the same way as RADIUS authentication, as described on page 43.
1. The remote administrator connects to the switch and provides a user name and password.
2. Using the authentication/authorization protocol, the switch sends a request to the authentication server.
3. The authentication server checks the request against its user ID database.
4. Using the TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative access.
During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server to determine whether the user is granted permission to use a particular command.
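The exchange in steps 1 through 4, and the "full packet encryption" that distinguishes TACACS+ from RADIUS, can be seen in the wire format itself. The following Python is an added illustration, not BLADE OS or HP code: it builds the authentication START packet a NAS such as the GbE2c sends for an ASCII login, the PASS/FAIL reply the server returns, and the shared-secret body obfuscation (chained MD5 pad XORed over the body) defined in RFC 8907. The shared secret, user name, port and session ID are constructed values.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+); the switch acts as the client/NAS side.
TAC_VERSION = 0xC0                       # major 0xC, minor 0 (ASCII login)
TYPE_AUTHEN, FLAG_UNENCRYPTED = 0x01, 0x01
AUTHEN_LOGIN, PRIV_USER, TYPE_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01, 0x01
STATUS_PASS, STATUS_FAIL = 0x01, 0x02
HDR = "!BBBBII"                          # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 keystream used for TACACS+ body obfuscation (RFC 8907, section 4.5)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    # XOR with the pad; applying it a second time restores the plaintext.
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def packet(ptype, seq_no, session_id, key, body):
    header = struct.pack(HDR, TAC_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_VERSION, seq_no)

def authen_start(session_id, key, user, port, rem_addr):
    """Steps 1-2: the switch sends an authentication START for an ASCII login (seq_no 1)."""
    body = struct.pack("!8B", AUTHEN_LOGIN, PRIV_USER, TYPE_ASCII, SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    return packet(TYPE_AUTHEN, 1, session_id, key, body)

def authen_reply(session_id, key, status, server_msg=b""):
    """Step 4: the server answers PASS or FAIL (seq_no 2); body is status, flags, msg_len, data_len, msg."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    return packet(TYPE_AUTHEN, 2, session_id, key, body)

def decode(pkt, key):
    # Parse the 12-byte header and de-obfuscate the body; without the right shared secret the body is noise.
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HDR, pkt[:12])
    body = pkt[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}

def start_user(body):
    # user_len is the fifth fixed byte; the user name follows the 8 fixed bytes.
    return body[8:8 + body[4]]
```

Because the pad is derived from the shared secret, a capture of the session shows only the header in clear; the user name and any password carried in later CONTINUE packets are unreadable without that secret, which is why the secret must be kept as carefully as the switch's own credentials.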
TACACS+ Authentication Features in BLADE OS
Authentication is the action of determining the identity of a user, and is generally done when the
user first attempts to log in to a device or gain access to its services. BLADE OS supports ASCII
inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password
requests, and one-time password authentication are not supported.