User guide

RADIUS Remote Authorization (RADIUS / Tacacs+) on Devices
4-23
AlliedView NMS Administration Guide (Security Administration)
4.7 Remote Authorization (RADIUS / Tacacs+) on Devices
RADIUS and Tacacs+ are remote authentication protocols that devices use to authenticate telnet user-client sessions. When a
user logs in, the device forwards the login information first to the RADIUS servers and then, if no RADIUS server is
available, to the Tacacs+ servers, until it receives a response from one of them. Depending on the exchange of messages,
the device grants or denies access for the session. RADIUS uses UDP/IP for transmitting information across the network,
while Tacacs+ uses TCP/IP.
Note: For complete information on the RADIUS / Tacacs+ protocols and how Allied Telesis devices handle them, refer to
the iMAP User Guide.
When the AlliedView NMS is initially configured and logs in to a device that is configured with RADIUS/Tacacs+, only a
user-level privilege can be assigned. To obtain Security Officer level, the client must send a special “ENABLE SECURITY
OFFICER” command string back to the server. The server prompts for a “Passcode.” The client then transmits the
appropriate passcode (password), after which the session has Security Officer level.
To handle this, the AlliedView NMS manages this exchange and recognizes that the password prompt reads “passcode” rather
than “Password.” The NMS also handles transitions from RADIUS being used to Tacacs+ and vice versa.
Note: Only Allied Telesis iMAP devices support Tacacs+. Devices other than iMAPs that support RADIUS grant direct
“SECURITY” access after the first authentication if the user is discovered as a “SECURITY” level user.
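The following is an added example, not AlliedView NMS or iMAP code, that models the exchange described above: a toy device that grants only user level at login and escalates to Security Officer level when it receives the “ENABLE SECURITY OFFICER” string followed by the correct passcode, and a client that drives the login by matching prompt text. The prompt strings, the credential store and the `direct_security` switch (which models a non-iMAP RADIUS device that grants “SECURITY” at first authentication) are assumptions; the point shown is that a client must answer a “Passcode” prompt with the passcode and a “Password” prompt with the login password, and must not send the enable string when the device has already granted SECURITY level.

```python
"""Simulated client/device exchange for reaching Security Officer level.

Constructed example: the device simulator, prompt strings and credentials
are assumptions modelled on the guide's description, not AlliedView NMS code.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

USER_LEVEL = "USER"
SECURITY_LEVEL = "SECURITY"
ENABLE_CMD = "ENABLE SECURITY OFFICER"   # command string quoted in the guide


@dataclass
class SimulatedDevice:
    """Toy device. `users` maps username -> (password, configured level)."""
    users: dict
    passcode: str                  # Security Officer passcode (constructed)
    direct_security: bool = False  # True models a non-iMAP RADIUS device
    level: Optional[str] = None
    state: str = "login"
    _user: Optional[str] = None
    log: list = field(default_factory=list)   # (state, line) pairs received

    def prompt(self) -> str:
        # Prompt texts are assumptions. The CLI prompt carries the granted
        # level so the client can learn it from the transcript alone.
        return {"login": "login: ", "password": "Password: ",
                "passcode": "Passcode: ", "cli": f"[{self.level}]> "}[self.state]

    def send(self, line: str) -> str:
        """Feed one client line and return the device's next output."""
        self.log.append((self.state, line))
        if self.state == "login":
            self._user, self.state = line, "password"
        elif self.state == "password":
            entry = self.users.get(self._user)
            if entry is None or entry[0] != line:
                self.state = "login"
                return "Login incorrect\n" + self.prompt()
            # iMAP-style devices grant only user level at login; a non-iMAP
            # RADIUS device grants the user's configured level directly.
            self.level = entry[1] if self.direct_security else USER_LEVEL
            self.state = "cli"
        elif self.state == "passcode":
            if line == self.passcode:
                self.level = SECURITY_LEVEL
            self.state = "cli"
        elif self.state == "cli" and line == ENABLE_CMD:
            if self.level != SECURITY_LEVEL:
                self.state = "passcode"
        return self.prompt()


CLI_PROMPT = re.compile(r"\[(\w+)\]> $")


def login(device: SimulatedDevice, username: str, password: str,
          passcode: str) -> Optional[str]:
    """Drive the login; return the privilege level reached, or None on failure.

    Prompts are matched on their text, so "Passcode: " is answered with the
    passcode and "Password: " with the login password, never the other way.
    """
    out = device.prompt()
    sent_enable = False
    for _ in range(8):                 # bounded: an unexpected prompt ends the loop
        if "Login incorrect" in out:
            return None
        if out.endswith("login: "):
            out = device.send(username)
        elif out.endswith("Password: "):
            out = device.send(password)
        elif out.endswith("Passcode: "):
            out = device.send(passcode)
        elif (m := CLI_PROMPT.search(out)):
            level = m.group(1)
            if level == SECURITY_LEVEL or sent_enable:
                return level           # already SECURITY, or escalation tried once
            sent_enable = True
            out = device.send(ENABLE_CMD)
        else:
            return None
    return None


if __name__ == "__main__":
    imap = SimulatedDevice({"nms": ("nms-pw", SECURITY_LEVEL)}, passcode="so-code")
    print(login(imap, "nms", "nms-pw", "so-code"))   # SECURITY via ENABLE + passcode
```

The `sent_enable` flag matters for the wrong-passcode case: the device drops the client back to the user-level prompt, and the client reports USER instead of looping on the enable string.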
4.7.1 RADIUS
For devices that use RADIUS, authentication is done on a per-device basis, as datafilled in the device’s MO properties.
Refer to the following figure.
TABLE 4-15 Operations for AT Object Operation

Operation                            Description
Device Information Operation         Permits the display of device information
SNMP Agent Operation                 Permits SNMP Agent operations
SNMP Community Operation             Permits SNMP Community operations
Configure VLAN Operation             Permits VLAN configuration operations (includes EPSR)
Card Management Operation            Permits card management operations
Port View Operation                  Port Management Operation (complete control);
                                     Port Provision Operation (view and provision/deprovision)
SysLog Management Operation          Permits access to the syslog application
Command Script Mgmt Operation        Permits command script management operations
Configuration File Mgmt Operation    Permits file management operations
Profile and QoS Operation            Profile and QoS Policy operations
Rediscover Operation                 Permits rediscovery operations
Application Manager Operation        Permits access to the Application Manager
Telnet Cutthru Operation             Permits Telnet cut-through
GUI Cutthru Operation                Permits GUI cut-through
Manage CLI Users Operation           Permits CLI user management operations
Manage System Log Configuration      Permits access to System Log Configuration (control of the system log
                                     daemon, event logging, and the logs that are stored in the database)