Allied Telesis AT-S62 User Manual

Chapter 34: TACACS+ and RADIUS Authentication Protocols

Section VII: Management Security

password up to 16 characters. Spaces are allowed in both a
username and password, but special characters, such as asterisks
and exclamation points, should be avoided.

– Assigning each combination an authorization level. How this is
achieved differs depending on the server software you are using.
TACACS+ controls this through the sixteen (0 to 15) different
levels of the Privilege attribute. A privilege level of “0” gives the
combination Operator status. Any value from 1 to 15 gives the
combination Manager status.

For RADIUS, management level is controlled by the Service Type
attribute. This attribute has 11 different values, of which only two
apply to the AT-S62 management software. A value of
Administrative for this attribute gives the username and password
combination Manager access. A value of NAS Prompt assigns the
combination Operator status.

Note

This manual does not explain how to configure TACACS+ or
RADIUS server software. For that you need to refer to the
documentation that came with the software.

• You must activate the TACACS+ or RADIUS client software on the
switch using the AT-S62 software and configure its settings, which
include the IP addresses of up to three authentication servers. The
procedure for this step is found in this chapter.

By default, both authentication protocols are disabled in the AT-S62
software. Before activating one, you need to have the following
information:

• Which authentication protocol, TACACS+ or RADIUS, you want to use.
Only one authentication protocol can be active on a switch at a time.

• The IP addresses of up to three authentication servers.

• The encryption key (the shared secret configured on the
authentication servers); the key entered on the switch must match it.

You can specify up to three TACACS+ or RADIUS servers. Specifying
multiple servers adds redundancy to your network. For example, removing
an authentication server from the network for maintenance will not prevent
network managers from logging into switches if there are one or two other
authentication servers on the network.

When a switch receives a username and password combination from a
network manager, it sends the combination to the first authentication
server in its list. If the server fails to respond, the switch sends the
combination to the next server in the list, and so on.
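The following Python model, added here as an illustration and not taken from the AT-S62 manual or any Allied Telesis code, shows the client-side behaviour the two passages above describe: the TACACS+ privilege-level and RADIUS Service-Type mapping to Manager and Operator, the shared secret being used to verify a RADIUS response (the Response Authenticator from RFC 2865), and the walk through up to three servers in which only a server that does not respond causes the next one to be tried. The server addresses, the shared secret and the Request Authenticator are constructed sample values; the RADIUS packet layout and the attribute numbers are the real ones from RFC 2865.

```python
import hashlib
import hmac
import struct

# RADIUS codes, attribute numbers and Service-Type values from RFC 2865.
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6
SERVICE_TYPE_ADMINISTRATIVE = 6   # "Administrative" -> Manager on the AT-S62
SERVICE_TYPE_NAS_PROMPT = 7       # "NAS Prompt"     -> Operator on the AT-S62
SERVICE_TYPE_LOGIN = 1            # one of the nine values the AT-S62 ignores


def int_attr(value):
    """Encode a 4-byte big-endian integer attribute value."""
    return struct.pack("!I", value)


def build_response(code, identifier, request_auth, secret, attributes):
    """Build a RADIUS response the way the server does. The Response Authenticator
    is MD5(Code | Identifier | Length | RequestAuth | Attributes | Secret)."""
    attrs = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Split the attribute region into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + ln]))
        i += ln
    return out


def radius_management_level(packet, request_auth, secret):
    """Client side: check length and code, verify the Response Authenticator with
    the shared secret, then map Service-Type to the AT-S62 management level.
    Returns 'Manager', 'Operator', or None (reject, forgery or unusable attribute)."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_ACCEPT:
        return None
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # wrong shared secret or tampered packet
    for t, v in parse_attributes(attrs):
        if t == ATTR_SERVICE_TYPE and len(v) == 4:
            st = struct.unpack("!I", v)[0]
            if st == SERVICE_TYPE_ADMINISTRATIVE:
                return "Manager"
            if st == SERVICE_TYPE_NAS_PROMPT:
                return "Operator"
    return None


def tacacs_management_level(priv_lvl):
    """TACACS+ privilege level -> AT-S62 level: 0 is Operator, 1..15 is Manager."""
    if not 0 <= priv_lvl <= 15:
        raise ValueError("privilege level must be 0..15")
    return "Operator" if priv_lvl == 0 else "Manager"


def query_with_failover(servers, send):
    """Walk the (at most three) configured servers in order. send(server) returns
    the response bytes, or None if the server did not answer. Only a non-response
    moves on to the next server; an Access-Reject is an answer and ends the walk.
    Returns (server, packet), or None when no server responded."""
    for server in servers[:3]:
        packet = send(server)
        if packet is not None:
            return server, packet
    return None


def demo():
    """Constructed scenario: server 1 is down, server 2 answers Access-Accept with
    Service-Type Administrative. Returns what each decision path yields."""
    secret = b"constructed-shared-secret"   # constructed; the key set on switch and servers
    request_auth = bytes(range(16))          # constructed; random per Access-Request in reality
    accept = build_response(ACCESS_ACCEPT, 1, request_auth, secret,
                            [(ATTR_SERVICE_TYPE, int_attr(SERVICE_TYPE_ADMINISTRATIVE))])
    responses = {"10.0.0.1": None, "10.0.0.2": accept, "10.0.0.3": accept}  # constructed
    hit = query_with_failover(list(responses), responses.get)
    return {
        "answering_server": hit[0],
        "level": radius_management_level(hit[1], request_auth, secret),
        "wrong_secret": radius_management_level(hit[1], request_auth, b"other"),
        "tacacs_0": tacacs_management_level(0),
        "tacacs_15": tacacs_management_level(15),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the model makes explicit that the prose leaves implicit: a response built with a different shared secret fails the authenticator check and yields no management level, which is why the key on the switch must match the servers; and a Service-Type other than Administrative or NAS Prompt, or an Access-Reject, is still a response, so the switch does not fall through to the next server for it.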

If no authentication server responds or if no servers have been defined
and you are managing the switch locally, the management software