Alcatel-Lucent 6850-48 Network Guide

Managing Authentication Servers
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 35-15
TACACS+ Server
Terminal Access Controller Access Control System (TACACS+) is a standard authentication and accounting protocol defined in RFC 1321 that employs TCP for reliable transport. A built-in TACACS+ client is available in the switch. A TACACS+ server provides access control for routers, network access servers, and other networked devices through one or more centralized servers. The protocol also allows authentication, authorization, and accounting to be provided as separate services. Because authentication exchanges may be of arbitrary length and content, clients can use any authentication mechanism.
The TACACS+ client can be configured by the user with multiple TACACS+ servers. When the primary server fails, the client tries the subsequent servers in turn. Multiple server configurations serve only as backups; they are not used for server chaining.
In the TACACS+ protocol, the client queries the TACACS+ server by sending TACACS+ requests. The 
server responds with reply packets indicating the status of the request.
• Authentication. The TACACS+ protocol provides authentication between the client and the server. It also ensures confidentiality because all the exchanges are encrypted. The protocol supports fixed passwords, one-time passwords, and challenge-response queries. Authentication is not a mandatory feature, and it can be enabled without authorization and accounting. During authentication, if a user is not found on the primary TACACS+ server, the authentication fails; the client does not try to authenticate with the other servers in a multiple server configuration. If the authentication succeeds, then authorization is performed.
• Authorization. Enabling authorization determines if the user has the authority to execute a specified 
command. TACACS+ authorization cannot be enabled independently. The TACACS+ authorization is 
enabled automatically when the TACACS+ authentication is enabled.
• Accounting. Accounting is the process of recording what the user is attempting to do or what the user has done.
TACACS+ accounting must be enabled on the switches for accounting to succeed. Accounting can be enabled irrespective of authentication and authorization. TACACS+ supports three types of accounting records:
Start Records—Indicate that the service is about to begin.
Stop Records—Indicate that the service has just terminated.
Update Records—Indicate that the service is still being performed.
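The request/reply exchange and the three accounting record types described above, as an added example that is not part of the guide or of the AOS client: this code decodes the fixed 12-byte TACACS+ header and maps an accounting request's flag byte to start, stop or update records, going beyond the guide by using the published header and accounting-body layout of the TACACS+ specification. The sample packets are constructed here with the unencrypted flag set so the body can be read without a shared secret; on a production switch that flag should never appear, which makes `parse_header` a useful check when inspecting captures.

```python
"""Constructed example: decode TACACS+ packet headers and accounting record
types. Illustrative code written for this page, not the AOS implementation;
field layout and constants follow the published TACACS+ specification."""
import struct

# Header constants from the TACACS+ specification.
TYPE_NAMES = {1: "authentication", 2: "authorization", 3: "accounting"}
UNENCRYPTED_FLAG = 0x01          # header flag: body is sent in the clear
ACCT_START, ACCT_STOP, ACCT_WATCHDOG = 0x02, 0x04, 0x08   # accounting body flags


def parse_header(packet: bytes) -> dict:
    """Split the fixed 12-byte header: version, type, seq_no, flags, session_id, length."""
    if len(packet) < 12:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if len(packet) - 12 != length:
        raise ValueError("body length %d does not match header length %d"
                         % (len(packet) - 12, length))
    return {"major": version >> 4, "minor": version & 0x0F,
            "type": TYPE_NAMES.get(ptype, "unknown"), "seq_no": seq_no,
            "unencrypted": bool(flags & UNENCRYPTED_FLAG),
            "session_id": session_id, "length": length}


def accounting_record_type(packet: bytes) -> str:
    """Map an accounting REQUEST's flag byte to the record types the guide lists."""
    hdr = parse_header(packet)
    if hdr["type"] != "accounting":
        raise ValueError("not an accounting packet")
    if not hdr["unencrypted"]:
        raise ValueError("body is obfuscated; decode it with the shared secret first")
    flags = packet[12]              # first byte of the accounting REQUEST body
    if flags & ACCT_START:
        return "start"
    if flags & ACCT_STOP:
        return "stop"
    if flags & ACCT_WATCHDOG:       # watchdog == "update" record in the guide's terms
        return "update"
    return "unknown"


def build_acct_request(record_flag: int, session_id: int, user: str) -> bytes:
    """Construct a minimal unencrypted accounting REQUEST (sample input only)."""
    user_b = user.encode()
    # flags, authen_method (TACACS+), priv_lvl, authen_type (ASCII),
    # authen_service (LOGIN), user_len, port_len, rem_addr_len, arg_cnt
    body = struct.pack("!BBBBBBBBB", record_flag, 0x06, 15, 0x01, 0x01,
                       len(user_b), 0, 0, 0) + user_b
    header = struct.pack("!BBBBII", 0xC0, 3, 1, UNENCRYPTED_FLAG, session_id, len(body))
    return header + body


if __name__ == "__main__":
    for flag in (ACCT_START, ACCT_WATCHDOG, ACCT_STOP):
        pkt = build_acct_request(flag, 0x1234ABCD, "admin")
        print(hex(parse_header(pkt)["session_id"]), accounting_record_type(pkt))
```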
TACACS+ Client Limitations
The following limitations apply to this implementation of the TACACS+ client application:
• TACACS+ supports Authenticated Switch Access and cannot be used for user authentication.
• Authentication and Authorization are combined together and cannot be performed independently.
• On-the-fly command authorization is not supported. Authorization is similar to the AOS partition management families.
• Only inbound ASCII logins are supported.
• A maximum of 50 simultaneous TACACS+ sessions can be supported when no other authentication 
mechanism is activated. 
• Accounting of commands executed from the boot.cfg file at boot time is not supported; those commands are not reported to the remote TACACS+ process.