Handbook
to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time
password authentication are not supported.
Authorization
Authorization is the action of determining a user's privileges on the device, and usually takes place after
authentication.
The default mapping between TACACS+ authorization privilege levels and switch management access
levels is shown in the table below. The privilege levels listed in the following table must be defined on the
TACACS+ server.
Table 4 Default TACACS+ privilege levels

    User access level    TACACS+ level
    user                 0
    oper                 3
    admin                6
An alternate mapping between TACACS+ privilege levels and the switch management access levels is
shown in the table below. Use the command /cfg/sys/tacacs/cmap ena to select the alternate
TACACS+ privilege level mapping.
Table 5 Alternate TACACS+ privilege levels

    User access level    TACACS+ level
    user                 0 - 1
    oper                 6 - 8
    admin                14 - 15
You can also customize the mapping between TACACS+ privilege levels and the switch management access
levels. Use the /cfg/sys/tacacs/usermap command to manually map each TACACS+ privilege level (0-15)
to a corresponding switch management access level (user, oper, admin, none).
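The practical risk in the three mapping schemes above is that the same TACACS+ privilege level grants different switch access depending on which mapping is active (for example, level 6 is admin under Table 4 but oper under Table 5, and level 3 is not listed in Table 5 at all). The following script is an added example, not code from the switch or its handbook: it reads the priv-lvl assigned to each user in a constructed tac_plus-style server configuration and reports which users would gain or lose access when the switch is moved from the default mapping to the alternate (cmap) mapping or to a custom usermap. It assumes that a privilege level absent from the active mapping grants no access ("none"); the handbook does not state how the switch treats unlisted levels, so verify that on the device before relying on it.

```python
import re

# Default mapping (Table 4) and alternate mapping (Table 5, /cfg/sys/tacacs/cmap ena),
# keyed by TACACS+ privilege level.
DEFAULT_MAP = {0: "user", 3: "oper", 6: "admin"}
ALTERNATE_MAP = {**{lvl: "user" for lvl in (0, 1)},
                 **{lvl: "oper" for lvl in (6, 7, 8)},
                 **{lvl: "admin" for lvl in (14, 15)}}

ACCESS_LEVELS = ("none", "user", "oper", "admin")


def build_usermap(assignments):
    """Model a custom /cfg/sys/tacacs/usermap: every TACACS+ level 0-15 mapped to
    user/oper/admin/none. Levels not listed in `assignments` map to 'none'."""
    usermap = {lvl: "none" for lvl in range(16)}
    for lvl, access in assignments.items():
        if not 0 <= lvl <= 15:
            raise ValueError(f"TACACS+ privilege level out of range: {lvl}")
        if access not in ACCESS_LEVELS:
            raise ValueError(f"unknown switch access level: {access}")
        usermap[lvl] = access
    return usermap


def effective_access(priv_lvl, mapping):
    # ASSUMPTION (not stated in the handbook): a level absent from the active
    # mapping grants no access at all.
    return mapping.get(priv_lvl, "none")


# Constructed sample in tac_plus.conf style; the password hashes are placeholders.
SAMPLE_CONF = """
user = netops {
    login = des XXXXXXXXXXXXX
    service = exec {
        priv-lvl = 6
    }
}
user = helpdesk {
    login = des XXXXXXXXXXXXX
    service = exec {
        priv-lvl = 3
    }
}
user = readonly {
    login = des XXXXXXXXXXXXX
    service = exec {
        priv-lvl = 0
    }
}
"""

# A user block ends at the first closing brace in column 0; nested service blocks
# are indented, so they do not terminate the match early.
USER_RE = re.compile(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", re.S)
PRIV_RE = re.compile(r"priv-lvl\s*=\s*(\d+)")


def parse_priv_levels(conf_text):
    """Extract {user: priv-lvl} from a tac_plus-style configuration."""
    levels = {}
    for name, body in USER_RE.findall(conf_text):
        m = PRIV_RE.search(body)
        if m:
            levels[name] = int(m.group(1))
    return levels


def compare_mappings(levels, before, after):
    """Return {user: (access_before, access_after)} for every user whose switch
    access would change if the active mapping moved from `before` to `after`."""
    changes = {}
    for user, lvl in levels.items():
        a, b = effective_access(lvl, before), effective_access(lvl, after)
        if a != b:
            changes[user] = (a, b)
    return changes


if __name__ == "__main__":
    levels = parse_priv_levels(SAMPLE_CONF)
    print("server priv-lvl:", levels)
    print("default -> alternate:", compare_mappings(levels, DEFAULT_MAP, ALTERNATE_MAP))
    custom = build_usermap({0: "user", 3: "oper", 6: "admin", 15: "admin"})
    print("default -> custom:", compare_mappings(levels, DEFAULT_MAP, custom))
```

Run against the constructed configuration, enabling cmap silently demotes netops from admin to oper and leaves helpdesk (level 3) with no mapped access, while the custom usermap that reproduces Table 4 and additionally maps level 15 to admin changes nobody. Run the same comparison against the real server configuration before toggling cmap or editing usermap on a production switch.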
If the remote user is authenticated by the authentication server, the switch verifies the privileges of the
remote user and authorizes the appropriate access. When neither the primary nor the secondary
authentication server is reachable, the administrator can allow backdoor access via the console only,
or via the console and Telnet. By default, backdoor access is disabled for Telnet and enabled for the
console. The administrator can also enable secure backdoor (/cfg/sys/tacacs/secbd) to allow access
if both the primary and secondary TACACS+ servers fail to respond. Keep in mind that a backdoor
reachable over Telnet means anyone who can make both TACACS+ servers unreachable from the switch
can then log in over the network without being authenticated by TACACS+, so leave the Telnet backdoor
disabled unless console access is impractical.
Accounting
Accounting is the action of recording a user's activities on the device for the purposes of billing and/or
security. It follows the authentication and authorization actions. If authentication and authorization are
not performed via TACACS+, no TACACS+ accounting messages are sent out.
You can use TACACS+ to record and track software logins, configuration changes, and interactive
commands.
The switch supports the following TACACS+ accounting attributes:
protocol (console/telnet/ssh/http)
start_time
stop_time
elapsed_time
NOTE: When using the browser-based interface, the TACACS+ Accounting Stop records are
sent only if the Quit button on the browser is clicked. Closing the browser window or letting the
session time out therefore leaves the session with a Start record but no Stop record on the server.
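Because the switch reports protocol, start_time, stop_time and elapsed_time, an accounting log can be audited for sessions that never received a Stop record (the browser case in the note above) and for Stop records whose elapsed_time does not agree with its start_time and stop_time. The script below is an added example, not code from the switch or any TACACS+ server: the key=value line layout of the sample log is a constructed simplification for this example using the attribute names the handbook lists, not the format written by tac_plus or any other accounting server, so adapt parse_records() to whatever your server actually writes.

```python
# Constructed sample accounting log: one message per line as key=value pairs.
# The layout is an assumption made for this example; only the attribute names
# (protocol, start_time, stop_time, elapsed_time) come from the switch handbook.
SAMPLE_LOG = """\
user=netops type=start protocol=ssh start_time=1700000000
user=netops type=stop protocol=ssh start_time=1700000000 stop_time=1700000600 elapsed_time=600
user=helpdesk type=start protocol=http start_time=1700000100
user=audit type=start protocol=console start_time=1700000200
user=audit type=stop protocol=console start_time=1700000200 stop_time=1700000230 elapsed_time=40
"""

INT_FIELDS = ("start_time", "stop_time", "elapsed_time")


def parse_records(text):
    """Turn the constructed key=value lines into a list of dicts, with the
    time fields converted to integers."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        for key in INT_FIELDS:
            if key in rec:
                rec[key] = int(rec[key])
        records.append(rec)
    return records


def audit_sessions(records):
    """Pair Start and Stop records on (user, protocol, start_time).

    Returns (open_sessions, inconsistent): sessions that have a Start record
    but no Stop record, and Stop records whose elapsed_time does not equal
    stop_time - start_time."""
    starts = {}
    inconsistent = []
    for rec in records:
        key = (rec["user"], rec["protocol"], rec["start_time"])
        if rec["type"] == "start":
            starts[key] = rec
        elif rec["type"] == "stop":
            starts.pop(key, None)
            if rec["stop_time"] - rec["start_time"] != rec["elapsed_time"]:
                inconsistent.append(key)
    return sorted(starts), inconsistent


def open_http_sessions(records):
    """The specific case from the note: browser sessions that never sent Stop."""
    open_sessions, _ = audit_sessions(records)
    return [s for s in open_sessions if s[1] == "http"]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    open_sessions, bad = audit_sessions(recs)
    print("sessions without a Stop record:", open_sessions)
    print("Stop records with inconsistent elapsed_time:", bad)
    print("browser sessions left open:", open_http_sessions(recs))
```

On the sample log the helpdesk browser session is reported as open, and the console session's Stop record is flagged because 1700000230 - 1700000200 is 30 seconds, not the 40 it claims. In practice an open http session is expected noise from the behaviour in the note, whereas an open ssh or console session, or an inconsistent Stop record, is worth investigating.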