Understanding How TACACS+ Authentication Works - Cisco WS-C4003 - Catalyst 4000 Chassis Switch Software Configuration Manual

Chapter 27
Configuring Switch Access Using AAA

Understanding How TACACS+ Authentication Works

TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol specified by RFC 1492 (TACACS+ itself is now documented in RFC 8907). TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or device. Unlike its predecessor, TACACS+ runs over TCP (port 49) for reliable delivery and obfuscates the body of every packet exchanged between the TACACS+ client on the network device and the TACACS+ server daemon; the packet header is always sent in cleartext.

TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances:
• When you first log onto a machine
• When you send a service request that requires privileged access

When you request privileged or restricted services, the switch builds an authentication packet. The body, which carries your username and password information, is XORed with a keystream derived from the MD5 hash of the session ID, the shared key, the protocol version and the packet sequence number (this is what the manual calls MD5 encryption), and a TACACS+ packet header is prepended. The header identifies the packet type being sent (for example, an authentication packet), the packet sequence number, a flag that says whether the body is obfuscated or sent in cleartext, the session ID, and the total body length. The switch then forwards the packet to the TACACS+ server.

A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so a given TACACS+ configuration can use any or all of the three.

When the TACACS+ server receives the packet, it does one of the following:
• Authenticates the user information and notifies the client that authentication has either passed or failed.
• Notifies the client that authentication will continue and that the client must provide additional information (for example, the password after the username). This challenge-response process can continue through multiple iterations until authentication either passes or fails.

You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers use the key to obfuscate the body of every TACACS+ packet transmitted. If you do not configure a TACACS+ key, packet bodies, including usernames and passwords, cross the network in cleartext. The TACACS+ key must be less than 100 characters long; choose a long, random value, because anyone who obtains the key can recover the body of every captured packet.

You can configure the following TACACS+ parameters on the switch:
• Enable or disable TACACS+ authentication to determine if a user has permission to access the switch
• Enable or disable TACACS+ authentication to determine if a user has permission to enter privileged mode
• Specify a key used to obfuscate the protocol packets
• Specify the server on which the TACACS+ server daemon resides
• Set the number of login attempts allowed
• Set the timeout interval for server daemon response
• Enable or disable the directed-request option

TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time.

If local authentication is disabled and you then disable all other authentication methods, local authentication is reenabled automatically, so the switch is never left without any login method.

Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 (78-12647-02)
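The parameters listed above correspond to CatOS `set` commands. The fragment below is an added example, not text from this manual: the command syntax is assumed from the CatOS command reference for this release family, and the server addresses, key placeholder and counts are made up, so check each line against the command reference for your release before using it.

```text
# Added example, not from the manual. Addresses and key are placeholders.
# Weak: servers defined but no key, so usernames and passwords cross the
# network in cleartext, and login still falls through to local passwords only.
set tacacs server 10.0.0.5 primary
set tacacs server 10.0.0.6

# Corrected: a shared key (under 100 characters, long and random, identical on
# every server), bounded retries and timeout, directed requests off, TACACS+
# required for both login and enable, local authentication kept as the fallback.
set tacacs key <long-random-shared-secret>
set tacacs attempts 3
set tacacs timeout 5
set tacacs directedrequest disable
set authentication login tacacs enable
set authentication enable tacacs enable
set authentication login local enable
set authentication enable local enable
```

Directed request lets a user append `@server` to the username to choose which configured server authenticates the session; leave it disabled unless you need it, since it hands the choice of authentication server to the person logging in. Keeping local authentication enabled alongside TACACS+ is what lets you recover the switch when every server is unreachable, which is why the manual notes it is re-enabled automatically if all other methods are turned off.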
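The packet header, the MD5-derived keystream over the body, and the first round of the challenge-response loop described above, as an added worked example. This is not code from the manual or from Cisco: the wire layouts follow RFC 8907, while the helper names, the fixed session ID, the username "admin", the port "tty0", the address 10.0.0.7 and the sample keys are constructed for this example. It also shows what a passive observer sees with and without a configured key.

```python
import hashlib
import struct

# Wire-format constants of TACACS+ (RFC 8907). The layouts are the protocol's;
# the helper names and the sample session below are this example's own.
VERSION = 0xC0             # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01    # header flag: set when no shared key is configured
HEADER_FMT = "!BBBBII"     # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)
AUTHEN_ACTION_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
REPLY_PASS, REPLY_FAIL, REPLY_GETPASS = 0x01, 0x02, 0x05


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """The MD5 chain the manual calls "MD5 encryption": pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_n-1), concatenated up to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or recover a body (XOR is its own inverse). An empty key means cleartext."""
    if not key:
        return body
    return bytes(b ^ k for b, k in zip(body, keystream(session_id, key, version, seq_no, len(body))))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Cleartext header followed by the body, which is XORed only when a key is configured."""
    flags = 0 if key else FLAG_UNENCRYPTED
    header = struct.pack(HEADER_FMT, VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Recover header fields and the cleartext body. Rejects a length mismatch, an obfuscated body
    when no key is held, and (this example's policy) a cleartext body when a key is expected."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("length field does not match packet size")
    cleartext = bool(flags & FLAG_UNENCRYPTED)
    if cleartext and key:
        raise ValueError("peer sent a cleartext body but a key is configured here")
    if not cleartext and not key:
        raise ValueError("body is obfuscated and no key is configured here")
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "body": xor_body(body, session_id, key, version, seq_no)}


def authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login: eight fixed bytes, then the variable fields."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return struct.pack("!8B", AUTHEN_ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d


def parse_authen_start(body: bytes) -> dict:
    action, priv_lvl, _atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    fields, off = {"action": action, "priv_lvl": priv_lvl}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name], off = body[off:off + n], off + n
    return fields


def authen_reply(status: int, server_msg: bytes = b"") -> bytes:
    """Authentication REPLY body: status, flags, server_msg_len, data_len, then server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_authen_reply(body: bytes) -> tuple:
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


def login_exchange(key: bytes, session_id: int = 0x1234ABCD) -> dict:
    """Client START (seq 1) -> server asks for the password (seq 2): the first round of the
    challenge-response loop described above. Also reports what a passive observer sees."""
    start = build_packet(TYPE_AUTHEN, 1, session_id,
                         authen_start("admin", "tty0", "10.0.0.7"), key)   # constructed sample
    server_view = parse_authen_start(parse_packet(start, key)["body"])
    reply = build_packet(TYPE_AUTHEN, 2, session_id,
                         authen_reply(REPLY_GETPASS, b"Password: "), key)
    status, prompt = parse_authen_reply(parse_packet(reply, key)["body"])
    return {
        "server_saw_user": server_view["user"],
        "client_saw_status": status,
        "client_saw_prompt": prompt,
        "wire_seq_no": start[2],                                   # header is never obfuscated
        "wire_session_id": struct.unpack("!I", start[4:8])[0],
        "user_visible_on_wire": b"admin" in start[HEADER_LEN:],    # True only without a key
    }


if __name__ == "__main__":
    for k in (b"", b"correct-horse-battery-staple"):
        print("key" if k else "no key", login_exchange(k))
```

Two things to take from running it. With an empty key the username sits readable in the START packet, and the password would follow in the next CONTINUE packet the same way; with a key the body is scrambled, but the header still exposes the packet type, sequence number and session ID, so an observer can see that a login is in progress and count its rounds. The keystream changes with the sequence number and the session ID, so a captured body does not decode under another packet's pad, but anyone holding the shared key reproduces it exactly. RFC 8907 calls this mechanism obfuscation rather than encryption and recommends running TACACS+ only across a dedicated management network or inside an encrypted tunnel.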
