Configuring tacacs or tacacs+ security, How tacacs+ differs from tacacs – Brocade Virtual ADX Administration Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Administration Guide, 53-1003249-01, page 69, chapter 2
Configuring TACACS or TACACS+ security
You can use the security protocol Terminal Access Controller Access Control System (TACACS) or
TACACS+ to authenticate the following kinds of access to the Brocade Virtual ADX.
• Telnet access
• SSH access
• Web management access
• Access to the Privileged EXEC level and CONFIG levels of the CLI
The TACACS and TACACS+ protocols define how authentication, authorization and accounting
information is sent between a Brocade Virtual ADX and an authentication database on a TACACS or
TACACS+ server. TACACS or TACACS+ services are maintained in a database, typically on a UNIX
workstation or PC with a TACACS or TACACS+ server running.
How TACACS+ differs from TACACS
TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET.
TACACS+ is an enhancement to the TACACS security protocol that uses TCP to ensure reliable
delivery. TACACS+ improves on TACACS by separating the functions of authentication, authorization
and accounting (AAA) and by encrypting all traffic between the Brocade Virtual ADX and the TACACS+
server. TACACS+ allows authentication exchanges of arbitrary length and content, so any
authentication mechanism can be used with the Brocade Virtual ADX. TACACS+ is extensible to
provide for site customization and future development features. The protocol allows the Brocade
Virtual ADX to request very precise access control and allows the TACACS+ server to respond to each
component of that request.
NOTE
TACACS+ provides for authentication, authorization and accounting, but an implementation or
configuration is not required to employ all three.
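The two points the guide makes about TACACS+ (AAA is separated, and traffic between the device and the server is protected by a shared secret) are both visible in the TACACS+ packet layout defined in RFC 8907. The example below is added here and is not Brocade code or part of the guide: it builds and parses the 12-byte TACACS+ header, where a type field distinguishes authentication, authorization and accounting packets, and applies the RFC 8907 body obfuscation (an MD5-derived pseudo-pad XORed over the body, keyed by the shared secret, session id, version and sequence number). The shared secret, session id and body contents are constructed sample values. One caveat worth seeing in code: only the body is obfuscated, the header is always sent in cleartext, and a packet with the TAC_PLUS_UNENCRYPTED_FLAG bit set carries its body in the clear, which is something a defender auditing captures of port 49 traffic can check for.

```python
import hashlib
import struct

# TACACS+ header constants from RFC 8907 (12-byte header, network byte order)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01   # authentication packet
TAC_PLUS_AUTHOR = 0x02   # authorization packet
TAC_PLUS_ACCT = 0x03     # accounting packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_FMT = "!BBBBII"   # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
PACKET_TYPES = {TAC_PLUS_AUTHEN: "authentication",
                TAC_PLUS_AUTHOR: "authorization",
                TAC_PLUS_ACCT: "accounting"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    pad = b""
    prev = b""
    while len(pad) < length:
        digest = hashlib.md5(struct.pack("!I", session_id) + key
                             + bytes([version, seq_no]) + prev).digest()
        pad += digest
        prev = digest
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. The operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, minor=TAC_PLUS_MINOR_VER_DEFAULT):
    """Build a TACACS+ packet. key=None sends the body in cleartext and sets the
    unencrypted flag, which is the insecure configuration to watch for."""
    if ptype not in PACKET_TYPES:
        raise ValueError("unknown TACACS+ packet type %d" % ptype)
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    else:
        payload = obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body))
    return header + payload


def parse_packet(packet, key=None):
    """Parse a TACACS+ packet; the header is always readable without the secret,
    the body only with it (unless the sender set the unencrypted flag)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if (version >> 4) != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ packet (major version %d)" % (version >> 4))
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("body length %d does not match header length %d" % (len(body), length))
    cleartext = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    if not cleartext:
        if key is None:
            raise ValueError("shared secret required to read an obfuscated body")
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": PACKET_TYPES.get(ptype, "unknown"), "seq_no": seq_no,
            "session_id": session_id, "cleartext": cleartext, "body": body}


if __name__ == "__main__":
    # Constructed sample values; a real device and server share the secret out of band.
    secret = b"constructed-shared-secret"
    sample = build_packet(TAC_PLUS_AUTHEN, 1, 0x12345678, b"constructed authentication body", secret)
    print(parse_packet(sample, secret))
    print(parse_packet(build_packet(TAC_PLUS_ACCT, 1, 0x1, b"constructed accounting record", None)))
```

Because the pseudo-pad is a keystream derived from a non-secret session id and sequence number, its strength rests entirely on the shared secret; the guide's recommendation to use TACACS+ rather than TACACS still leaves the choice of a long, unique secret per device to the administrator.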
TACACS or TACACS+ authentication, authorization and accounting
When you configure a Brocade Virtual ADX to use a TACACS or TACACS+ server for authentication,
the device prompts users who are trying to access the CLI for a user name and password, then
verifies the password with the TACACS or TACACS+ server.
If you are using TACACS+, Brocade recommends that you also configure authorization, in which the
Brocade Virtual ADX consults a TACACS+ server to determine which management privilege level
(and which associated set of commands) an authenticated user is allowed to use. You can also
optionally configure accounting, which causes the Brocade Virtual ADX to log information on the
TACACS+ server when specified events occur on the device.
NOTE
By default, a user logging into the device through Telnet or SSH would first enter the User EXEC level.
The user can enter the enable command to get to the Privileged EXEC level. A user that is
successfully authenticated can be automatically placed at the Privileged EXEC level after login. Refer
to