Tacacs and tacacs+ security, How tacacs+ differs from tacacs – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

TACACS and TACACS+ security

You can use the security protocol Terminal Access Controller Access Control System (TACACS) or
TACACS+ to authenticate the following kinds of access to the Brocade device:

• Telnet access
• SSH access
• Console access
• Access to the Privileged EXEC level and CONFIG levels of the CLI

The TACACS and TACACS+ protocols define how authentication, authorization, and accounting
information is sent between a Brocade device and an authentication database on a TACACS/TACACS+
server. TACACS/TACACS+ services are maintained in a database, typically on a UNIX workstation
or PC with a TACACS/TACACS+ server running.

How TACACS+ differs from TACACS

TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET.
TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery.

TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by
separating the functions of authentication, authorization, and accounting (AAA) and by encrypting all
traffic between the Brocade device and the TACACS+ server. TACACS+ allows for arbitrary length
and content authentication exchanges, which allow any authentication mechanism to be utilized with
the Brocade device. TACACS+ is extensible to provide for site customization and future development
features. The protocol allows the Brocade device to request very precise access control and allows the
TACACS+ server to respond to each component of that request.

NOTE
TACACS+ provides for authentication, authorization, and accounting, but an implementation or
configuration is not required to employ all three.
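As an added illustration (not code from the Brocade guide), the following Python sketch packs and parses a TACACS+ packet as laid out in RFC 8907: the header's type field is what keeps authentication, authorization and accounting as separate exchanges, and the body is obfuscated with an MD5 pad derived from the shared secret. The parser also reports the unencrypted flag, which is what to look for when a device and server do not share a configured secret. All field values and the key are constructed for the example.

```python
import hashlib
import struct

# Packet types: TACACS+ carries the three AAA functions as distinct exchanges.
TYPE_NAMES = {1: "authentication", 2: "authorization", 3: "accounting"}
FLAG_UNENCRYPTED = 0x01   # TAC_PLUS_UNENCRYPTED_FLAG: body travels in the clear
VERSION_12_0 = 0xC0       # major version 0xC, minor version 0


def _pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5-chained pad that TACACS+ XORs over the body (RFC 8907 section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def _xor(body: bytes, pad: bytes) -> bytes:
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, version: int = VERSION_12_0) -> bytes:
    """Return 12-byte header plus body; body is obfuscated only when a key is set."""
    flags = 0 if key else FLAG_UNENCRYPTED
    if key:
        body = _xor(body, _pad(session_id, key, version, seq_no, len(body)))
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + body


def parse_packet(data: bytes, key: bytes) -> dict:
    """Decode a packet; 'unencrypted' True means the peer sent the body in clear text."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", data[:12])
    body = data[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    unencrypted = bool(flags & FLAG_UNENCRYPTED)
    if not unencrypted:
        body = _xor(body, _pad(session_id, key, version, seq_no, length))
    return {"service": TYPE_NAMES.get(ptype, "unknown"), "seq_no": seq_no,
            "session_id": session_id, "unencrypted": unencrypted, "body": body}


if __name__ == "__main__":
    pkt = build_packet(2, 1, 0x12345678, b"cmd=show", b"s3cret")  # constructed values
    print(parse_packet(pkt, b"s3cret"))
```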

TACACS/TACACS+ authentication, authorization, and accounting

When you configure a Brocade device to use a TACACS/TACACS+ server for authentication, the
device prompts users who are trying to access the CLI for a user name and password, then verifies
the password with the TACACS/TACACS+ server.

If you are using TACACS+, Brocade recommends that you also configure authorization, in which the
Brocade device consults a TACACS+ server to determine which management privilege level (and
which associated set of commands) an authenticated user is allowed to use. You can also optionally
configure accounting, which causes the Brocade device to log information on the TACACS+ server
when specified events occur on the device.

NOTE
By default, a user logging into the device from Telnet or SSH would first enter the User EXEC level.
The user can enter the enable command to get to the Privileged EXEC level. A user that is
successfully authenticated can be automatically placed at the Privileged EXEC level after login. Refer
to Entering privileged EXEC mode after a Telnet or SSH login on page 52.

42

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03