TACACS+ and RADIUS Overview – Allied Telesis AT-S63 User Manual

Page 836
Chapter 36: TACACS+ and RADIUS Protocols
Section IX: Management Security

TACACS+ and RADIUS Overview

TACACS+ and RADIUS are authentication protocols for enhancing the
security of your network. In general terms, these authentication protocols
transfer the task of authenticating network access from a network device
to an authentication protocol server.

The AT-S62 software comes with TACACS+ and RADIUS client software.
You can use the client software to add two security features to the switch.
The first feature, described in this chapter, creates new manager accounts
for controlling who can log onto a switch to change its parameter settings.
The second feature is 802.1x Port-based Access Control, explained in
Chapter 31, “802.1x Port-based Network Access Control” on page 723,
which controls access to the ports on the switch by the end users and end
nodes.

This chapter explains the manager accounts feature. The AT-S63
management software has two standard manager login accounts:
manager and operator. The manager account lets you change a switch’s
parameter settings while the operator account lets you view the settings,
but not change them. Each account has its own password. The manager
account has a default password of “friend” and the operator account has a
default password “operator.”

For those networks managed by just one or two network managers, you
might not need any additional accounts. However, for larger networks
managed by several network managers, you might want to give each
manager his or her own management login account for a switch rather
than have them share an account.

This is where TACACS+ and RADIUS can be useful. TACACS+ is an
acronym for Terminal Access Controller Access Control System. RADIUS
is an acronym for Remote Authentication Dial In User Services. These are
authentication protocols. You can use these protocols to transfer the task of
validating management access from an AT-9400 Series switch to an
authentication protocol server, and so be able to create your own manager
accounts.

With these protocols you can create a series of username and password
combinations that define who can manage an AT-9400 Series switch.
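As an added illustration (not code from this manual or from Allied Telesis), the following Python models the RADIUS exchange the chapter describes: the switch sends an Access-Request carrying the manager's username and a hidden password, the server answers Access-Accept or Access-Reject, and the switch accepts the reply only after checking its Response Authenticator. Packet layout and password hiding follow RFC 2865; the shared secret, account table and usernames are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def _xor_blocks(data, secret, req_auth, chain_output):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block), where the
    # previous block is the Request Authenticator first, then ciphertext (ours or the received one).
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = out[-16:] if chain_output else data[i:i + 16]
    return out
def hide_password(password, secret, req_auth):  # NUL-pad to a 16-byte multiple, then hide
    return _xor_blocks(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)
def unhide_password(hidden, secret, req_auth):
    return _xor_blocks(hidden, secret, req_auth, False).rstrip(b"\x00")
def build_access_request(ident, username, password, secret, req_auth=None):
    # Switch side: Code, Identifier, Length, a random 16-byte Request Authenticator, TLV attributes.
    req_auth = req_auth or os.urandom(16)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in
                     ((USER_NAME, username.encode()), (USER_PASSWORD, hide_password(password, secret, req_auth))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):  # reject truncated or overlapping TLVs instead of reading past the buffer
        ln = data[i + 1] if i + 1 < len(data) else 0
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + ln]
        i += ln
    return attrs
def server_respond(request, secret, accounts):
    # Server: recover the password, compare in constant time, sign the reply with
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    given = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(given, accounts.get(attrs[USER_NAME].decode(), b""))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()
def client_verify(response, request, secret):
    # Switch side: a reply counts only if the Identifier echoes and the authenticator verifies.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if response[1] != request[1] or not hmac.compare_digest(response[4:20], expected):
        return None
    return response[0]
```

A reply signed under a different shared secret, or with a mismatched Identifier, yields None rather than an accept or reject decision, which is the check that keeps a forged or misrouted answer from granting management access.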

There are three basic functions an authentication protocol provides:

• Authentication
• Authorization
• Accounting

When a network manager logs in to a switch to manage the device, the