Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual

Chapter 17.  Security  
NETGEAR 8800 User Manual 
Note: RADIUS provides many of the same features provided by TACACS+. You cannot use
RADIUS and TACACS+ at the same time.
RADIUS is a communications protocol (RFC 2138) that is used between client and server to 
implement the RADIUS service. The RADIUS client component of the XCM8800 software 
should be compatible with any RADIUS compliant server product. 
The following sections provide more information on management session authentication:
How NETGEAR Switches Work with RADIUS Servers
When configured for use with a RADIUS server, an XCM8800 switch operates as a RADIUS 
client. In RADIUS server configuration, the client component is configured as a client or as a 
Network Access Server (NAS). Typically, an XCM8800 NAS provides network access to 
supplicants such as PCs or phones.
When a supplicant requests authentication from a switch that is configured for RADIUS 
server authentication, the following events occur:
1. The switch sends an authentication request in the form of a RADIUS Access-Request 
   message.
2. The RADIUS server looks up the user in the users file.
3. The RADIUS server accepts or rejects the authentication and returns a RADIUS 
   Access-Accept or Access-Reject message.
4. If authentication is accepted, the Access-Accept message can contain standard RADIUS 
   attributes and Vendor Specific Attributes (VSAs) that can be used to configure the switch. 
5. If authentication is accepted, the Access-Accept message can enable command 
   authorization for that user on the switch. Command authorization uses the RADIUS server to 
   approve or deny the execution of each command the user enters.
The XCM8800 switch initiates all communication with the RADIUS server. For basic 
authentication, the switch sends the Access-Request message, and communication with the 
RADIUS server is complete when the switch receives the Access-Accept or Access-Reject 
message. For command authorization, communication starts each time a user configured 
for command authorization enters a switch command. Communication with the RADIUS server 
ends when the command is allowed or denied.
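The Access-Accept handling in steps 3 and 4 above, as an added example (not NETGEAR code and not part of the manual): a client-side check that verifies the RADIUS Response Authenticator against the shared secret before any standard attribute or VSA is read. The vendor ID 99999, the shared secret, and the sample packet are constructed placeholders.

```python
import hashlib
import hmac
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries a VSA
ACCESS_ACCEPT = 2      # RADIUS packet code for Access-Accept

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse_access_accept(packet, request_auth, secret):
    """Verify an Access-Accept, then return (standard_attributes, vsas)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    # Reject before parsing: unauthenticated attributes must never configure the switch.
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    standard, vsas, pos = [], [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or not 2 <= attrs[pos + 1] <= len(attrs) - pos:
            raise ValueError("bad attribute length")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        value = attrs[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC:
            # VSA layout: Vendor-Id (4 bytes), vendor type, vendor length, data
            if len(value) < 6 or not 2 <= value[5] <= len(value) - 4:
                raise ValueError("bad VSA length")
            vendor_id, v_type, v_len = struct.unpack("!IBB", value[:6])
            vsas.append((vendor_id, v_type, value[6:4 + v_len]))
        else:
            standard.append((a_type, value))
        pos += a_len
    return standard, vsas

def build_sample(secret, request_auth):
    """Constructed sample: Service-Type=6 plus one VSA from placeholder vendor 99999."""
    vsa = struct.pack("!IBB", 99999, 1, 2 + 5) + b"admin"
    attrs = bytes([6, 6]) + struct.pack("!I", 6) + bytes([26, 2 + len(vsa)]) + vsa
    auth = response_authenticator(ACCESS_ACCEPT, 7, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attrs)) + auth + attrs
```

A reply whose attributes were altered in transit, or that was built with a different shared secret, fails the authenticator check and is rejected before any attribute is interpreted.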
A key component of RADIUS server management is the attributes and VSAs that the 
RADIUS server can be configured to send in Access-Accept messages. VSAs are custom 
attributes for a specific vendor, such as NETGEAR. These attributes store information about 
a particular user and the configuration options available to the user. The RADIUS client in 
XCM8800 accepts these attributes and uses them to configure the switch in response to