Installation manual
3-58
SIGNAMAX LLC • www.signamax.eu
Configuring Local/Remote Logon Authentication
Use the Authentication Settings menu to restrict management access based on specified
user names and passwords. You can manually configure access rights on the switch, or
you can use a remote access authentication server based on RADIUS or TACACS+
protocols.
Remote Authentication Dial-in User
Service (RADIUS) and Terminal
Access Controller Access Control
System Plus (TACACS+) are logon
authentication protocols that use
software running on a central server
to control access to RADIUS-aware
or TACACS-aware devices on the
network. An authentication server
contains a database of multiple user
name/password pairs with
associated privilege levels for each
user that requires management access to the switch.
RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while
TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the
password in the access-request packet from the client to the server, while TACACS+
encrypts the entire body of the packet.
Command Usage
• By default, management access is always checked against the authentication database
stored on the local switch. If a remote authentication server is used, you must specify
the authentication sequence and the corresponding parameters for the remote
authentication protocol. Local and remote logon authentication control management
access via the console port, web browser, or Telnet.
• RADIUS and TACACS+ logon authentication assign a specific privilege level for each
user name/password pair. The user name, password, and privilege level must be
configured on the authentication server. The encryption methods used for the
authentication process must also be configured or negotiated between the
authentication server and logon client. This switch can pass authentication messages
between the server and client that have been encrypted using MD5 (Message-Digest 5),
TLS (Transport Layer Security), or TTLS (Tunneled Transport Layer Security).
• You can specify up to three authentication methods for any user to indicate the
authentication sequence. For example, if you select (1) RADIUS, (2) TACACS and (3)
Local, the user name and password on the RADIUS server is verified first. If the RADIUS
server is not available, then authentication is attempted using the TACACS+ server, and
finally the local user name and password is checked.
Web
Telnet
RADIUS/
TACACS+
server
console
1. Client attempts management access.
2. Switch contacts authentication server.
3. Authentication server challenges client.
4. Client responds with proper password or key.
5. Authentication server approves access.
6. Switch grants management access.