Authentication and Authorization – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT, x310-26FP, x310-50FT, x310-50FP) User Manual
Software Reference for x310 Series Switches, C613-50046-01 REV A, AlliedWare Plus™ Operating System - Version 5.4.4C
TACACS+ Introduction and Configuration, page 48.3 (PDF page 1291)

Authentication
The TACACS+ protocol can forward many types of username and password information. The AlliedWare Plus TACACS+ implementation supports username and password login authentication, as well as enable password authentication. This information is encrypted over the network with MD5 (Message Digest 5).

When TACACS+ login authentication is enabled on the switch with the command and at least one TACACS+ server is configured and reachable, all user logins are authenticated against the TACACS+ server. No local login or other means of authentication is allowed or accepted by the switch unless the switch has been configured to use another authentication method as a backup, and the TACACS+ server is not reachable.

When TACACS+ enable password authentication is enabled on the switch with the authentication enable default group tacacs+ command and at least one TACACS+ server is configured and reachable, all user attempts to access a higher privilege level using the command are authenticated against the TACACS+ server. If TACACS+ enable password authentication is enabled and the TACACS+ server is not reachable, then the user is granted access to the requested privilege level only if a backup authentication method is also configured.
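The fallback rule above is easy to misread: a backup method is consulted only when no TACACS+ server is reachable, never when a reachable server rejects the credentials. The following model, added here as an example and not AlliedWare Plus code, makes that distinction explicit. The server list, the user databases and the method-list names ("tacacs+", "local") are constructed for illustration; the same function models enable (privilege escalation) authentication if the enable password is passed as the credential.

```python
"""Model of TACACS+ login/enable authentication with a backup method.

Added example, not AlliedWare Plus code. Servers, users and method names
are constructed. Decision rules follow the manual text:
  * a reachable TACACS+ server's ACCEPT/REJECT is final (no fallback on REJECT)
  * the backup method is used only when every configured server is unreachable
  * no backup configured and no server reachable -> the switch accepts nothing
"""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"


@dataclass
class TacacsServer:
    host: str
    reachable: bool
    users: dict = field(default_factory=dict)  # constructed: username -> password

    def authenticate(self, user: str, password: str) -> Verdict:
        if not self.reachable:
            return Verdict.UNREACHABLE
        return Verdict.ACCEPT if self.users.get(user) == password else Verdict.REJECT


@dataclass
class LocalUserDb:
    users: dict  # constructed: username -> password

    def authenticate(self, user: str, password: str) -> Verdict:
        return Verdict.ACCEPT if self.users.get(user) == password else Verdict.REJECT


def authenticate_login(methods, servers, local_db, user, password):
    """Return (verdict, method_used) for an ordered method list such as
    ["tacacs+", "local"], where the second entry is the backup method."""
    for method in methods:
        if method == "tacacs+":
            for srv in servers:
                verdict = srv.authenticate(user, password)
                if verdict is not Verdict.UNREACHABLE:
                    return verdict, f"tacacs+:{srv.host}"   # final: no fallback
            continue  # every server unreachable: try the backup method, if any
        if method == "local":
            return local_db.authenticate(user, password), "local"
    return Verdict.REJECT, "none"  # nothing reachable and no backup: fail closed


def scenarios():
    """Four constructed cases; returns {name: (verdict, method_used)}."""
    reachable = [TacacsServer("192.0.2.10", True, {"alice": "tac-pw"})]
    down = [TacacsServer("192.0.2.10", False), TacacsServer("192.0.2.11", False)]
    local = LocalUserDb({"alice": "local-pw"})
    return {
        "server up, tacacs password": authenticate_login(["tacacs+", "local"], reachable, local, "alice", "tac-pw"),
        "server up, local password": authenticate_login(["tacacs+", "local"], reachable, local, "alice", "local-pw"),
        "servers down, backup local": authenticate_login(["tacacs+", "local"], down, local, "alice", "local-pw"),
        "servers down, no backup": authenticate_login(["tacacs+"], down, local, "alice", "local-pw"),
    }


if __name__ == "__main__":
    for name, (verdict, via) in scenarios().items():
        print(f"{name:28s} -> {verdict.value:11s} via {via}")
```

The second scenario is the one operators most often get wrong in practice: a valid local password is rejected while a TACACS+ server is reachable, because the server's REJECT is final. Only the third scenario, with every server down and a backup method configured, reaches the local database.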
Authorization

In the AlliedWare Plus TACACS+ implementation, authorization cannot be performed independently of the authentication process. Authorization is concerned with what users are allowed to do once they have gained access to the managed device. This involves the passing of Attribute Value pairs (AV pairs) from the TACACS+ server to the managed device. An AV pair is made up of two pieces of information: the attribute that identifies the parameter to be set, and the value that specifies the value to assign to that parameter. These AV pairs are configured on a per-user or per-group basis on the TACACS+ server. The AV pairs that are supported by the AlliedWare Plus TACACS+ implementation are:
■ Privilege Level: Privilege levels range from 1 to 15, with 15 being the highest. For information about privilege levels see “How to Add and Remove Users” on page 1.27 and the
■ Timeout: The value assigned to this attribute specifies the length of time that the session can exist. After this value has expired, the session will either be disconnected, or have the privilege of the user reduced. The valid range of timeout values is 0 to 65535 (minutes).
■ Idletime: If no input or output traffic is received or sent in the period specified by the value for this attribute, the session is disconnected. The valid idletime range is 0 to 65535 (minutes).
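The three attributes above arrive as text AV pairs in the server's authorization reply, and a device has to validate them before they shape a session. The parser below is an added example, not AlliedWare Plus code: it uses the standard TACACS+ attribute names priv-lvl, timeout and idletime (RFC 8907) and its mandatory/optional separator rule, which the page does not spell out, and the sample AV pairs are constructed. It enforces the ranges the manual gives (1 to 15; 0 to 65535 minutes), fails authorization on an out-of-range value or an unsupported mandatory attribute, and starts every session at privilege level 1 unless the server raises it.

```python
"""Validate TACACS+ authorization AV pairs for privilege level, timeout and idletime.

Added example, not AlliedWare Plus code. Attribute names priv-lvl, timeout and
idletime and the '=' (mandatory) / '*' (optional) separator follow RFC 8907;
ranges follow the manual text. Sample AV pairs below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

PRIV_RANGE = (1, 15)          # manual: privilege levels 1..15, 15 highest
MINUTES_RANGE = (0, 65535)    # manual: timeout and idletime 0..65535 minutes

SUPPORTED = {
    "priv-lvl": PRIV_RANGE,
    "timeout": MINUTES_RANGE,
    "idletime": MINUTES_RANGE,
}


@dataclass
class SessionPolicy:
    privilege: int = 1                 # fail closed: lowest level unless the server raises it
    timeout_min: Optional[int] = None  # None: no session lifetime imposed
    idletime_min: Optional[int] = None # None: no idle disconnect imposed


class AuthorizationError(ValueError):
    """Raised when the reply must be treated as an authorization failure."""


def parse_av_pair(pair: str):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional).
    Returns (attribute, value, mandatory). The first '=' or '*' is the
    separator, so a value may itself contain either character."""
    positions = [pair.find(c) for c in "=*" if pair.find(c) != -1]
    i = min(positions) if positions else -1
    if i <= 0:
        raise AuthorizationError(f"malformed AV pair: {pair!r}")
    return pair[:i], pair[i + 1:], pair[i] == "="


def apply_av_pairs(pairs):
    """Build a SessionPolicy from the server's AV pairs.

    Out-of-range values and unsupported *mandatory* attributes fail the
    authorization; unsupported *optional* attributes are ignored.
    """
    policy = SessionPolicy()
    for pair in pairs:
        attr, value, mandatory = parse_av_pair(pair)
        if attr not in SUPPORTED:
            if mandatory:
                raise AuthorizationError(f"unsupported mandatory attribute {attr!r}")
            continue
        lo, hi = SUPPORTED[attr]
        if not value.isdigit() or not lo <= int(value) <= hi:
            raise AuthorizationError(f"{attr}={value!r} is outside {lo}..{hi}")
        n = int(value)
        if attr == "priv-lvl":
            policy.privilege = n
        elif attr == "timeout":
            policy.timeout_min = n
        else:
            policy.idletime_min = n
    return policy


def rejects(pairs) -> bool:
    """True if the reply would fail authorization on this device model."""
    try:
        apply_av_pairs(pairs)
        return False
    except AuthorizationError:
        return True


if __name__ == "__main__":
    # constructed reply: admin shell with a 30-minute lifetime and optional idle limit
    print(apply_av_pairs(["priv-lvl=15", "timeout=30", "idletime*10"]))
    print("priv-lvl=16 rejected:", rejects(["priv-lvl=16"]))
```

Two choices matter for a defender here. A server that returns no priv-lvl leaves the session at level 1 rather than at whatever the user asked for, so a misconfigured or partially compromised server entry cannot silently grant level 15. And an unknown attribute is only fatal when the server marked it mandatory, which mirrors the protocol's intent: the server says which constraints the device is not allowed to skip.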
Note: If TACACS+ login authentication is enabled on the switch, and enable password authentication is configured as default with the command, then a local enable password must be configured for each privilege level that needs to be accessible to users.