How tacacs+ differs from tacacs – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide

29

53-1003035-02

Configuring TACACS or TACACS+ security

1

•

Web management access

•

Access to the Privileged EXEC level and CONFIG levels of the CLI

NOTE

You cannot authenticate Brocade Network Advisor (SNMP) access to a Brocade device using TACACS
or TACACS+.

The TACACS and TACACS+ protocols define how authentication, authorization, and accounting
information is sent between a Brocade device and an authentication database on a TACACS or
TACACS+ server. TACACS or TACACS+ services are maintained in a database, typically on a UNIX
workstation or PC with a TACACS or TACACS+ server running.

How TACACS+ differs from TACACS

TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET.
TACACS+ is an enhancement to TACACS and uses TCP to ensure reliable delivery.

TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by
separating the functions of authentication, authorization, and accounting (AAA) and by encrypting
all traffic between the Brocade device and the TACACS+ server. TACACS+ allows for arbitrary length
and content authentication exchanges, which allow any authentication mechanism to be utilized
with the Brocade device. TACACS+ is extensible to provide for site customization and future
development features. The protocol allows the Brocade device to request very precise access
control and allows the TACACS+ server to respond to each component of that request.

NOTE

TACACS+ provides for authentication, authorization, and accounting, but an implementation or
configuration is not required to employ all three.

TACACS or TACACS+ authentication, authorization,
and accounting

When you configure a Brocade device to use a TACACS or TACACS+ server for authentication, the
device prompts users who are trying to access the CLI for a user name and password, then verifies
the password with the TACACS or TACACS+ server.

If you are using TACACS+, it is recommended that you also configure authorization, in which the
Brocade device consults a TACACS+ server to determine which management privilege level (and
which associated set of commands) an authenticated user is allowed to use. You can also
optionally configure accounting, which causes the Brocade device to log information on the
TACACS+ server when specified events occur on the device.

NOTE

By default, a user logging into the device through Telnet or SSH would first enter the User EXEC level.
The user can enter the enable command to get to the Privileged EXEC level.

NOTE

A user that is successfully authenticated can be automatically placed at the Privileged EXEC level
after login. Refer to

“Entering privileged EXEC mode after a console, Telnet or SSH login”

.