Juniper Networks EX2500 User Manual

Securing Access to the Switch
Chapter 1: Accessing the Switch
The default mapping between TACACS+ authorization levels and EX2500 management access levels is shown in Table 6. The authorization levels must be defined on the TACACS+ server.

Alternate mapping between TACACS+ authorization levels and EX2500 management access levels is shown in Table 7. Use the following command to set the alternate TACACS+ authorization levels:

    ex2500(config)# tacacs-server privilege-mapping
If the remote user is successfully authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has an option to allow secure backdoor access via Telnet or SSH. Secure backdoor provides switch access when the TACACS+ servers cannot be reached. You can always access the switch via the console port by using notacacs and the administrator password, whether secure backdoor is enabled or not.
Accounting

Accounting is the action of recording a user's activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If the authentication and authorization are not performed via TACACS+, no TACACS+ accounting messages are sent out. The EX2500 switch supports the following TACACS+ accounting attributes:

• protocol (console, telnet, ssh, or http)
• start_time
• stop_time
• elapsed_time
• disc_cause
Table 6: Default TACACS+ Authorization Levels

    EX2500 User Access Level    TACACS+ level
    user                        0
    oper                        3
    admin                       6

Table 7: Alternate TACACS+ Authorization Levels

    EX2500 User Access Level    TACACS+ level
    user                        0 - 1
    oper                        6 - 8
    admin                       14 - 15
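The two tables assign different meanings to the same TACACS+ privilege level (priv-lvl 6 is admin under Table 6 but oper under Table 7), so toggling privilege-mapping without adjusting the server can silently change who gets admin. The following Python model, added here as an example and not Juniper code, encodes both tables and audits a constructed list of server-side priv-lvl assignments; it assumes that a priv-lvl outside the table grants no access level.

```python
"""Model of the EX2500 TACACS+ privilege-level mapping (Tables 6 and 7).

DEFAULT_MAP and ALTERNATE_MAP reproduce the manual's tables; the function
names and the sample account list are constructed for this example.
"""

# Table 6: default mapping, exact priv-lvl values.
DEFAULT_MAP = {"user": range(0, 1), "oper": range(3, 4), "admin": range(6, 7)}
# Table 7: alternate mapping (after `tacacs-server privilege-mapping`), ranges.
ALTERNATE_MAP = {"user": range(0, 2), "oper": range(6, 9), "admin": range(14, 16)}


def access_level(priv_lvl, alternate=False):
    """Return the EX2500 access level for a TACACS+ priv-lvl.

    Assumption (not stated in the manual): a priv-lvl that appears in
    neither table maps to no access level, reported here as None.
    """
    table = ALTERNATE_MAP if alternate else DEFAULT_MAP
    for level, levels in table.items():
        if priv_lvl in levels:
            return level
    return None


def audit_server_levels(users, alternate=False):
    """Check the priv-lvl each TACACS+ account returns against the switch mapping.

    Returns (unmapped, admins): accounts whose level maps to nothing, and
    accounts that land on 'admin'. Run it with both settings before and
    after toggling privilege-mapping, since the same priv-lvl changes
    meaning between Table 6 and Table 7.
    """
    unmapped, admins = [], []
    for name, lvl in users.items():
        level = access_level(lvl, alternate)
        if level is None:
            unmapped.append(name)
        elif level == "admin":
            admins.append(name)
    return sorted(unmapped), sorted(admins)


if __name__ == "__main__":
    # Constructed sample: priv-lvl values a TACACS+ server hands back per account.
    sample = {"alice": 15, "bob": 6, "carol": 3, "dave": 1}
    print("default  :", audit_server_levels(sample))
    print("alternate:", audit_server_levels(sample, alternate=True))
```

With the sample accounts, bob is admin under the default mapping but only oper under the alternate one, while alice gains admin only after the switch to Table 7.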
NOTE: To obtain the TACACS+ backdoor password for your EX2500 switch, contact technical support.