Dell PowerConnect 6248 Configuration Guide - Page 120

TACACS+, TACACS+ Configuration Example

Get Dell PowerConnect 6248 PDF manuals and user guides View all Dell PowerConnect 6248 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 120 highlights

Example #2: Set the NAS-IP Address for the RADIUS Server The NAS-IP address attribute identifies the IP Address of the network authentication server (NAS) that is requesting authentication of the user. The address should be unique to the NAS within the scope of the RADIUS server. The NAS-IP-Address is only used in Access-Request packets. Either the NAS-IP-Address or NASIdentifier must be present in an Access-Request packet. NOTE: The feature is available in release 2.1 and later. The following command sets the NAS-IP address to 192.168.20.12. If you do not specify an IP address in the command, the NAS-IP address uses the interface IP address that connects the switch to the RADIUS server. console#config console(config)#radius-server attribute 4 192.168.20.12 TACACS+ TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages. After you configure TACACS+ as the authentication method for user login, the NAS (Network Access Server) prompts for the user login credentials and requests services from the TACACS+ client. The client then uses the configured list of servers for authentication, and provides results back to the NAS. You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You can also assign each a priority to determine the order in which the TACACS+ client will contact them. TACACS+ contacts the server when a connection attempt fails or times out for a higher priority server. You can configure each server host with a specific connection type, port, timeout, and shared key, or you can use global configuration for the key and timeout. Like RADIUS, the TACACS+ server can do the authentication itself, or redirect the request to another back-end device. All sensitive information is encrypted and the shared secret is never passed over the network; it is used only to encrypt the data. TACACS+ Configuration Example This example configures two TACACS+ servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The server at 10.10.10.10 has a default priority of 0, the highest priority, while the other server has a priority of 2. The process creates a new authentication list, called tacacsList, which uses TACACS+ to authenticate, and uses local authentication as a backup method. 120 Device Security

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
120
Device Security
Example #2: Set the NAS-IP Address for the RADIUS Server
The NAS-IP address attribute identifies the IP Address of the network authentication server (NAS) that
is requesting authentication of the user. The address should be unique to the NAS within the scope of
the RADIUS server.
The NAS-IP-Address is only used in Access-Request packets. Either the NAS-IP-Address or NAS-
Identifier must be present in an Access-Request packet.
NOTE:
The feature is available in release 2.1 and later.
The following command sets the NAS-IP address to 192.168.20.12. If you do not specify an IP address in
the command, the NAS-IP address uses the interface IP address that connects the switch to the RADIUS
server.
console#config
console(config)#radius-server attribute 4 192.168.20.12
TACACS+
TACACS+ (Terminal Access Controller Access Control System) provides access control for networked
devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication
by making use of a single database that can be shared by many clients on a large network. TACACS+
uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to
encrypt all messages.
After you configure TACACS+ as the authentication method for user login, the NAS (Network Access
Server) prompts for the user login credentials and requests services from the TACACS+ client. The
client then uses the configured list of servers for authentication, and provides results back to the NAS.
You can configure the TACACS+ server list with one or more hosts defined via their network IP address.
You can also assign each a priority to determine the order in which the TACACS+ client will contact
them. TACACS+ contacts the server when a connection attempt fails or times out for a higher priority
server.
You can configure each server host with a specific connection type, port, timeout, and shared key, or you
can use global configuration for the key and timeout.
Like RADIUS, the TACACS+ server can do the authentication itself, or redirect the request to another
back-end device. All sensitive information is encrypted and the shared secret is never passed over the
network; it is used only to encrypt the data.
TACACS+ Configuration Example
This example configures two TACACS+ servers at 10.10.10.10 and 11.11.11.11. Each server has a unique
shared secret key. The server at 10.10.10.10 has a default priority of 0, the highest priority, while the other
server has a priority of 2. The process creates a new authentication list, called tacacsList, which uses
TACACS+ to authenticate, and uses local authentication as a backup method.