Configuring remote logon authentication servers, Figure 145: authentication server operation – LevelOne GTL-2691 User Manual

C

HAPTER

13

| Security Measures

AAA Authorization and Accounting

– 312 –

■

[authentication sequence] – User authentication is performed by up

to three authentication methods in the indicated sequence.

W

EB

I

NTERFACE

To configure the method(s) of controlling management access:

1.

Click Security, AAA, System Authentication.

2.

Specify the authentication sequence (i.e., one to three methods).

3.

Click Apply.

Figure 144: Configuring the Authentication Sequence

C

ONFIGURING

R

EMOTE

L

OGON

A

UTHENTICATION

S

ERVERS

Use the Security > AAA > Server page to configure the message exchange

parameters for RADIUS or TACACS+ remote access authentication servers.

Remote Authentication Dial-in User Service (RADIUS) and Terminal Access

Controller Access Control System Plus (TACACS+) are logon authentication

protocols that use software running on a central server to control access to

RADIUS-aware or TACACS-aware devices on the network. An

authentication server contains a database of multiple user name/password

pairs with associated privilege levels for each user that requires

management access to the switch.

Figure 145: Authentication Server Operation

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort

delivery, while TCP offers a connection-oriented transport. Also, note that

RADIUS encrypts only the password in the access-request packet from the

client to the server, while TACACS+ encrypts the entire body of the packet.

Web
Telnet

RADIUS/
TACACS+
server

console

1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.