Specifications
94 Implementing IBM System Networking 10Gb Ethernet Switches
TACACS+ authentication
IBM Networking OS supports authentication, authorization, and accounting with networks
using the Cisco Systems TACACS+ protocol. The switch functions as the Network Access
Server (NAS) by interacting with the remote client and initiating authentication and
authorization sessions with the TACACS+ access server. The remote user is defined as
someone that requires management access to the VFSM either through a data or
management port.
TACACS+ offers the following advantages over RADIUS:
• TACACS+ uses TCP-based connection-oriented transport, whereas RADIUS is UDP-based.
TCP offers a connection-oriented transport, whereas UDP offers best-effort delivery.
RADIUS requires additional programmable variables, such as retransmit attempts and
timeouts, to compensate for best-effort transport, but it lacks the level of built-in support
that a TCP transport offers.
• TACACS+ offers full packet encryption, whereas RADIUS encrypts only the password in
authentication requests.
• TACACS+ separates authentication, authorization, and accounting.
How TACACS+ authentication works
TACACS+ works similarly to RADIUS authentication:
1. A remote administrator connects to the switch and provides a user name and password.
2. Using the Authentication/Authorization protocol, the switch sends a request to the
authentication server.
3. The authentication server checks the request against the user ID database.
4. Using the TACACS+ protocol, the authentication server instructs the switch to grant or
deny administrative access.
During a session, if additional authorization checking is needed, the switch checks with a
TACACS+ server to determine if the user is granted permission to use a particular command.
TACACS+ authentication features in IBM System Networking switches
Authentication is the action of determining the identity of a user, and is generally done when
the user first attempts to log on to a device or gain access to its services. IBM System
Networking switches support ASCII inbound login to the device. PAP, CHAP, and ARAP login
methods, TACACS+ change password requests, and one-time password authentication are
not supported.
Authorization
Authorization is the action of determining a user's privileges on the device, and usually takes
place after authentication.
The default mapping between TACACS+ authorization levels and IBM Networking OS
management access levels is shown in Table 2-3.
Table 2-3 Default TACACS+ authorization levels
User access level    TACACS+ level
user                 0
oper                 3
admin                6