Handbook
Error! Use the Home tab to apply 見出し 1 to the text that you want to appear here. 21
RADIUS attributes for user privileges
When the user logs in, the switch authenticates the level of access by sending the RADIUS access request,
that is, the client authentication request, to the RADIUS authentication server.
If the authentication server successfully authenticates the remote user, the switch verifies the privileges of
the remote user and authorizes the appropriate access. The administrator has the option to allow
backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS
access. When backdoor access is enabled, access is allowed even if the primary and secondary
authentication servers are reachable. Only when both the primary and secondary authentication servers
are not reachable, the administrator has the option to allow secure backdoor (secbd) access through
the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you
can have either backdoor or secure backdoor enabled, but not both at the same time. The default
value for backdoor access through the console port only is enabled. You always can access the switch
via the console port, by using noradius and the administrator password, whether backdoor/secure
backdoor are enabled or not. The default value for backdoor and secure backdoor access through
Telnet/SSH/HTTP/HTTPS is disabled.
All user privileges, other than those assigned to the administrator, must be defined in the RADIUS
dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name
of the dictionary is RADIUS vendor-dependent. The RADIUS attributes shown in the following table are
defined for user privilege levels.
Table 3 Proprietary attributes for RADIUS
User name/access
User service type
Value
User
Vendor-supplied
255
Operator
Vendor-supplied
252
TACACS+ authentication
The switch software supports authentication, authorization, and accounting with networks using the Cisco
Systems TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with
the remote client and initiating authentication and authorization sessions with the TACACS+ access
server. The remote user is defined as someone requiring management access to the switch either through
a data or management port.
TACACS+ offers the following advantages over RADIUS:
TACACS+ uses TCP-based connection-oriented transport; whereas RADIUS is UDP based. TCP offers a
connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional
programmable variables such as re-transmit attempts and time-outs to compensate for best-effort
transport, but it lacks the level of built-in support that a TCP transport offers.
TACACS+ offers full packet encryption whereas RADIUS offers password-only encryption in
authentication requests.
TACACS+ separates authentication, authorization, and accounting.
How TACACS+ authentication works
TACACS+ works much in the same way as RADIUS authentication.
1. Remote administrator connects to the switch and provides user name and password.
NOTE: The user name and password can have a maximum length of 128 characters. The
password cannot be left blank.
2. Using Authentication/Authorization protocol, the switch sends request to authentication server.
3. Authentication server checks the request against the user ID database.
4. Using TACACS+ protocol, the authentication server instructs the switch to grant or deny
administrative access.
During a session, if additional authorization checking is needed, the switch checks with a TACACS+ server
to determine if the user is granted permission to use a particular command.
TACACS+ authentication features
Authentication is the action of determining the identity of a user, and is generally done when the user first
attempts to log in to a device or gain access to its services. Switch software supports ASCII inbound login