Brocade ICX 6650 Security Configuration Guide (53-1002601-01), page 25
TACACS and TACACS+ security
TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by 
separating the functions of authentication, authorization, and accounting (AAA) and by encrypting 
all traffic between the Brocade device and the TACACS+ server. TACACS+ allows for arbitrary length 
and content authentication exchanges, which allow any authentication mechanism to be utilized 
with the Brocade device. TACACS+ is extensible to provide for site customization and future 
development features. The protocol allows the Brocade device to request very precise access 
control and allows the TACACS+ server to respond to each component of that request. 
NOTE
TACACS+ provides for authentication, authorization, and accounting, but an implementation or 
configuration is not required to employ all three. 
TACACS/TACACS+ authentication, authorization, and accounting
When you configure a Brocade device to use a TACACS/TACACS+ server for authentication, the 
device prompts users who are trying to access the CLI for a user name and password, then verifies 
the password with the TACACS/TACACS+ server.
If you are using TACACS+, Brocade recommends that you also configure authorization, in which the 
Brocade device consults a TACACS+ server to determine which management privilege level (and 
which associated set of commands) an authenticated user is allowed to use. You can also 
optionally configure accounting, which causes the Brocade device to log information on the 
TACACS+ server when specified events occur on the device.
NOTE
By default, a user logging into the device from Telnet or SSH would first enter the User EXEC level. 
The user can enter the enable command to get to the Privileged EXEC level. 
A user that is successfully authenticated can be automatically placed at the Privileged EXEC level 
after login. Refer to 
Configuring TACACS/TACACS+ for devices in a Brocade IronStack
Because devices operating in a Brocade IronStack topology present multiple console ports, you 
must take additional steps to secure these ports when configuring TACACS/TACACS+.
The following is a sample AAA console configuration using TACACS+.
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
aaa accounting commands 0 default start-stop tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting system default start-stop tacacs+
enable aaa console
hostname Fred
ip address 10.10.6.56/255
tacacs-server host 255.253.255
tacacs-server key 1 $Gsig@U\
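As an added example, not code from the Brocade guide, the following Python audit reads a configuration snippet in the format shown above and reports which of the pieces the text describes are missing: TACACS+ login authentication, the recommended exec and command authorization, accounting, console AAA for IronStack console ports, and a TACACS+ server with its key. The check names and the sample configuration (the one above with its accounting lines left out) are this example's own constructs.

```python
import re

# Constructed sample input: the AAA console configuration from the guide
# with the accounting lines removed, so the audit has something to report.
SAMPLE_CONFIG = """\
aaa authentication login default tacacs+ enable
aaa authentication login privilege-mode
aaa authorization commands 0 default tacacs+
aaa authorization exec default tacacs+
enable aaa console
hostname Fred
tacacs-server host 255.253.255
tacacs-server key 1 $Gsig@U\\
"""

# Each check is (finding text, regex that at least one config line must match).
# The checks follow the guide's text; the finding wording is this example's own.
CHECKS = [
    ("login authentication does not use tacacs+",
     r"^aaa authentication login default .*\btacacs\+"),
    ("exec authorization via tacacs+ not configured (recommended)",
     r"^aaa authorization exec default .*\btacacs\+"),
    ("command authorization via tacacs+ not configured (recommended)",
     r"^aaa authorization commands \d+ default .*\btacacs\+"),
    ("exec accounting not configured",
     r"^aaa accounting exec default start-stop .*\btacacs\+"),
    ("command accounting not configured",
     r"^aaa accounting commands \d+ default start-stop .*\btacacs\+"),
    ("console port not covered by AAA (enable aaa console missing)",
     r"^enable aaa console$"),
    ("no tacacs-server host defined",
     r"^tacacs-server host \S+"),
    ("no tacacs-server key defined (shared key used to encrypt TACACS+ traffic)",
     r"^tacacs-server key "),
]


def audit_aaa_config(config_text):
    """Return the list of findings for a Brocade-style AAA config snippet."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    for finding, pattern in CHECKS:
        if not any(re.match(pattern, ln) for ln in lines):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_aaa_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```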