Accounting, Tacacs+ authentication – Juniper Networks EX2500 User Manual

EX2500 Ethernet Switch Configuration Guide
14
Securing Access to the Switch
Accounting
Accounting is the action of recording a user's activities on the device for the
purposes of billing and security. It follows the authentication and authorization
actions. If the authentication and authorization are not performed through a
RADIUS server, no RADIUS accounting messages are sent out. The EX2500 switch
supports the following RADIUS accounting attributes:
Accounting Start—The RADIUS Accounting Start record typically contains the
following information:
    IP address
    User name
    Session ID
    Server ID
    Accounting status type (start)
Accounting Stop—The RADIUS Accounting Stop record typically contains the
following information:
    Elapsed time
    Reason for termination
    Accounting status type (stop)
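The two record types described above, as an added example that is not part of the Juniper guide: the code builds and verifies RADIUS Accounting-Request packets (attribute numbers from RFC 2866), so a collector can reject a Start or Stop record whose MD5 Request Authenticator does not match the shared secret. The secret, user name, session ID and NAS identifier are constructed sample values.

```python
import hashlib
import struct
# Standard RADIUS code and attribute numbers (RFC 2865/2866), not from the manual.
ACCT_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 46, 49
STATUS_START, STATUS_STOP = 1, 2
SECRET = b"example-shared-secret"  # constructed sample value

def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value; length covers the header."""
    if isinstance(value, int):
        value = struct.pack(">I", value)  # 32-bit integer attributes
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def build_acct_request(identifier, secret, attrs):
    """Build an Accounting-Request. The authenticator is MD5 over the packet
    with a zeroed authenticator field, followed by the shared secret (RFC 2866)."""
    body = b"".join(avp(t, v) for t, v in attrs)
    header = struct.pack(">BBH", ACCT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_acct_request(packet, secret):
    """Check code, length and authenticator; return {type: raw value} or None."""
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet) or length < 20:
        return None
    body = packet[20:]
    if hashlib.md5(packet[:4] + bytes(16) + body + secret).digest() != packet[4:20]:
        return None  # wrong secret or altered record: do not trust it
    attrs = {}
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            return None  # truncated or malformed attribute
        attrs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return attrs

def start_record():  # the fields the manual lists for Accounting Start
    return build_acct_request(7, SECRET, [(ACCT_STATUS_TYPE, STATUS_START),
        (USER_NAME, b"netadmin"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),
        (NAS_IDENTIFIER, b"ex2500-lab"), (ACCT_SESSION_ID, b"0000A1B2")])

def stop_record():  # the fields the manual lists for Accounting Stop
    return build_acct_request(8, SECRET, [(ACCT_STATUS_TYPE, STATUS_STOP),
        (ACCT_SESSION_ID, b"0000A1B2"), (ACCT_SESSION_TIME, 842),
        (ACCT_TERMINATE_CAUSE, 1)])  # 1 = User Request (RFC 2866)
```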
TACACS+ Authentication
The EX2500 switch supports authentication and authorization with networks using
the TACACS+ protocol. The EX2500 switch functions as the Network Access Server
(NAS) by interacting with the remote client and initiating authentication and
authorization sessions with the TACACS+ access server. The remote user is
defined as someone requiring management access to the EX2500 switch either
through a data port or a management port.
TACACS+ offers the following advantages over RADIUS:
    TACACS+ uses TCP, a connection-oriented transport, whereas RADIUS uses UDP,
    which provides only best-effort delivery. RADIUS therefore needs additional
    configurable variables such as retransmit attempts and time-outs to
    compensate for the best-effort transport, and still lacks the delivery
    guarantees that TCP provides built in.
    TACACS+ offers full packet encryption, whereas RADIUS encrypts only the
    password in authentication requests.
    TACACS+ separates authentication, authorization, and accounting.