Command Reference Guide
N8406-022A 1Gb Intelligent L2 Switch Command Reference Guide (AOS) 73
The TACACS+ protocol is more reliable than RADIUS, as TACACS+ uses the Transmission Control Protocol (TCP)
whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and
authorization in a user profile, whereas TACACS+ separates the two operations.
TACACS+ offers the following advantages over RADIUS as the authentication device:
- TACACS+ is TCP-based, so it facilitates connection-oriented traffic.
- It supports full-packet encryption, as opposed to password-only encryption in authentication requests.
- It supports decoupled authentication, authorization, and accounting.
The following table describes the TACACS+ Server Configuration Menu options.
Table 66 TACACS+ Server Configuration Menu options

Command
    Description

prisrv <IP address>
    Defines the primary TACACS+ server address.

secsrv <IP address>
    Defines the secondary TACACS+ server address.

secret <1-32 characters>|none
    This is the shared secret between the switch and the TACACS+ server(s).

secret2 <1-32 characters>|none
    This is the secondary shared secret between the switch and the TACACS+ server(s).

port <TCP port number>
    Enter the number of the TCP port to be configured, between 1 and 65000. The default is 49.

retries <1-3>
    Sets the number of failed authentication requests before switching to a different TACACS+ server.
    The range is 1-3 requests. The default is 3 requests.

timeout <4-15>
    Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered
    to have failed. The range is 4-15 seconds. The default is 5 seconds.

telnet enable|disable
    Enables or disables the TACACS+ back door for telnet. The telnet command also applies to SSH/SCP
    connections and the Browser-based Interface (BBI). The default value is disabled. This command does
    not apply when secure backdoor (secbd) is enabled.

secbd enable|disable
    Enables or disables the TACACS+ back door using a secure password for telnet/SSH/HTTP/HTTPS.
    The default value is disabled. This command does not apply when backdoor (telnet) is enabled.

cmap enable|disable
    Enables or disables TACACS+ authorization-level mapping. The default value is disabled.

usermap <0-15> user|oper|admin|none
    Maps a TACACS+ authorization level to a switch user level. Enter a TACACS+ authorization level
    (0-15), followed by the corresponding switch user level.

on
    Enables the TACACS+ server.

off
    Disables the TACACS+ server. This is the default.

cur
    Displays current TACACS+ configuration parameters.
IMPORTANT: If TACACS+ is enabled, you must log in using TACACS+ authentication when connecting via
the console or Telnet/SSH/HTTP/HTTPS. The console backdoor is always enabled, so you can connect using
notacacs and the administrator password even if the backdoor (telnet) and secure backdoor (secbd) are
disabled.
If the Telnet backdoor is enabled (telnet ena), type in notacacs as a backdoor to bypass TACACS+
checking, and use the administrator password to log into the switch. The switch allows this even if TACACS+
servers are available.
If the secure backdoor is enabled (secbd ena), type in notacacs as a backdoor to bypass TACACS+ checking,
and use the administrator password to log into the switch. The switch allows this only if TACACS+ servers are
not available.
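The following is an added example, not code from the switch vendor or this guide. It models the Table 66 options and the backdoor rules from the IMPORTANT note above as a small configuration audit: it checks each option against its documented range and default, emits the corresponding menu command strings, and answers, for a given access path, whether the notacacs backdoor would bypass TACACS+ checking. The menu path under which these commands are entered is not stated on this page and is left out; the class and function names are the example's own.

```python
"""Audit model for the TACACS+ Server Configuration Menu options (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

USER_LEVELS = ("user", "oper", "admin", "none")   # usermap targets from Table 66
NETWORK_PATHS = ("telnet", "ssh", "scp", "bbi", "http", "https")


@dataclass
class TacacsConfig:
    """One field per Table 66 option; defaults are the documented ones."""
    prisrv: Optional[str] = None
    secsrv: Optional[str] = None
    secret: Optional[str] = None
    secret2: Optional[str] = None
    port: int = 49            # default TCP port
    retries: int = 3          # default retries
    timeout: int = 5          # default timeout in seconds
    telnet_backdoor: bool = False   # "telnet enable|disable", default disabled
    secbd: bool = False             # "secbd enable|disable", default disabled
    cmap: bool = False              # "cmap enable|disable", default disabled
    usermap: Dict[int, str] = field(default_factory=dict)  # TACACS+ level -> switch level
    enabled: bool = False           # "on" / "off", default off


def validate(cfg: TacacsConfig) -> List[str]:
    """Return documented-range violations; an empty list means the config is acceptable."""
    errs: List[str] = []
    if cfg.enabled and not cfg.prisrv:
        errs.append("TACACS+ is on but no primary server (prisrv) is defined")
    for name, val in (("secret", cfg.secret), ("secret2", cfg.secret2)):
        if val is not None and not 1 <= len(val) <= 32:
            errs.append(f"{name} must be 1-32 characters")
    if not 1 <= cfg.port <= 65000:
        errs.append("port must be between 1 and 65000")
    if not 1 <= cfg.retries <= 3:
        errs.append("retries must be 1-3")
    if not 4 <= cfg.timeout <= 15:
        errs.append("timeout must be 4-15 seconds")
    for level, ulevel in cfg.usermap.items():
        if not 0 <= level <= 15:
            errs.append(f"usermap level {level} is outside 0-15")
        if ulevel not in USER_LEVELS:
            errs.append(f"usermap level {level}: unknown switch user level {ulevel!r}")
    if cfg.telnet_backdoor and cfg.secbd:
        errs.append("telnet backdoor and secbd both enabled; the guide says each is ignored when the other is on")
    return errs


def audit_warnings(cfg: TacacsConfig) -> List[str]:
    """Settings that are valid but weaken the authentication posture described in the guide."""
    warns: List[str] = []
    if cfg.telnet_backdoor:
        warns.append("telnet backdoor enabled: notacacs bypasses TACACS+ even when servers are available")
    if cfg.enabled and cfg.secsrv is None:
        warns.append("no secondary server: a primary outage makes secbd (if enabled) usable on network paths")
    return warns


def backdoor_allowed(cfg: TacacsConfig, path: str, servers_available: bool) -> bool:
    """Does 'notacacs' plus the administrator password bypass TACACS+ on this path?

    Encodes the IMPORTANT note: console always; telnet backdoor always on network
    paths; secbd only when no TACACS+ server is available. With both enabled the
    guide says each command does not apply, so neither is honoured here (our reading).
    """
    if not cfg.enabled:
        raise ValueError("rules apply only while TACACS+ is enabled")
    if path == "console":
        return True
    if path not in NETWORK_PATHS:
        raise ValueError(f"unknown access path {path!r}")
    if cfg.telnet_backdoor and not cfg.secbd:
        return True
    if cfg.secbd and not cfg.telnet_backdoor:
        return not servers_available
    return False


def menu_commands(cfg: TacacsConfig) -> List[str]:
    """Render the configuration as the Table 66 command strings, in a sensible order."""
    on_off = lambda flag: "enable" if flag else "disable"
    cmds: List[str] = []
    if cfg.prisrv:
        cmds.append(f"prisrv {cfg.prisrv}")
    if cfg.secsrv:
        cmds.append(f"secsrv {cfg.secsrv}")
    cmds.append(f"secret {cfg.secret}" if cfg.secret else "secret none")
    cmds.append(f"secret2 {cfg.secret2}" if cfg.secret2 else "secret2 none")
    cmds += [f"port {cfg.port}", f"retries {cfg.retries}", f"timeout {cfg.timeout}",
             f"telnet {on_off(cfg.telnet_backdoor)}", f"secbd {on_off(cfg.secbd)}",
             f"cmap {on_off(cfg.cmap)}"]
    for level, ulevel in sorted(cfg.usermap.items()):
        cmds.append(f"usermap {level} {ulevel}")
    cmds.append("on" if cfg.enabled else "off")
    return cmds


if __name__ == "__main__":
    # Constructed sample: two servers, secure backdoor only, admin level mapped.
    sample = TacacsConfig(prisrv="192.0.2.10", secsrv="192.0.2.11", secret="s3cret",
                          secbd=True, cmap=True, usermap={15: "admin", 1: "user"}, enabled=True)
    print("\n".join(menu_commands(sample)))
    print("errors:", validate(sample), "warnings:", audit_warnings(sample))
    print("bypass over ssh with servers up:", backdoor_allowed(sample, "ssh", True))
```

Running the sample prints the command list, no errors, no warnings, and False for the SSH bypass while servers are reachable; flipping `secbd` to `telnet_backdoor` produces the warning and True, which is the configuration a reviewer would want flagged.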