User manual
C
HAPTER
14
| Security Measures
Configuring Remote Logon Authentication Servers
– 163 –
ES-2000 Series
Figure 89: Configuring the Authentication Sequence
CONFIGURING REMOTE LOGON AUTHENTICATION SERVERS
Use the Security > AAA > Server page to configure the message exchange
parameters for RADIUS or TACACS+ remote access authentication servers.
Remote Authentication Dial-in User Service (RADIUS) and Terminal Access
Controller Access Control System Plus (TACACS+) are logon authentication
protocols that use software running on a central server to control access to
RADIUS-aware or TACACS-aware devices on the network. An
authentication server contains a database of multiple user name/password
pairs with associated privilege levels for each user that requires
management access to the switch.
Figure 90: Authentication Server Operation
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort
delivery, while TCP offers a connection-oriented transport. Also, note that
RADIUS encrypts only the password in the access-request packet from the
client to the server, while TACACS+ encrypts the entire body of the packet.
COMMAND USAGE
◆ If a remote authentication server is used, you must specify the
message exchange parameters for the remote authentication protocol.
Both local and remote logon authentication control management access
via the web browser.
◆ RADIUS and TACACS+ logon authentication assign a specific privilege
level for each user name/password pair. The user name, password, and
privilege level must be configured on the authentication server. The
encryption methods used for the authentication process must also be
configured or negotiated between the authentication server and logon
client. This switch can pass authentication messages between the
Web
RADIUS/
TACACS+
server
1. Client attempts management access.
2. Switch contacts authentication server.
3.Authentication server challenges client.
4. Client responds with proper password or key.
5.Authentication server approves access.
6. Switch grants management access.