Specifications
Authenticating Users Using RADIUS or TACACS+
ExtremeWare XOS 10.1 Concepts Guide 131
Using RADIUS Servers with Extreme Switches
Extreme Networks switches have two levels of user privilege:
• Read-only
• Read-write
Because there are no CLI commands available to modify the privilege level, access rights are
determined when you log in. For a RADIUS server to identify the administrative privileges of a user,
Extreme switches expect a RADIUS server to transmit the Service-Type attribute in the Access-Accept
packet, after successfully authenticating the user.
Extreme switches grant a RADIUS-authenticated user read-write privilege if a Service-Type value of 6 is
transmitted as part of the Access-Accept message from the RADIUS server. Other Service-Type values, or
no value, result in the switch granting read-only access to the user. Different implementations of
RADIUS handle attribute transmission differently. You should consult the documentation for your
specific implementation of RADIUS when you configure users for read-write access.
Configuring TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a mechanism for providing
authentication, authorization, and accounting on a centralized server, similar in function to RADIUS.
The ExtremeWare XOS version of TACACS+ is used to authenticate prospective users who are
attempting to administer the switch. TACACS+ is used to communicate between the switch and an
authentication database.
NOTE
You cannot use RADIUS and TACACS+ at the same time.
You can configure two TACACS+ servers, specifying the primary server address, secondary server
address, and TCP port number to be used for TACACS+ sessions.