The switch supports the TACACS+ client. TACACS+ is a remote authentication protocol that provides centralized validation of users who attempt to gain access to a router or Network Access Server (NAS).
The TACACS+ feature is a client and server-based protocol that allows the switch to accept a user name and password and send a query to a TACACS+ authentication server, sometimes called a TACACS+ daemon. The TACACS+ server allows access or denies access based on the response by the client.
The TACACS+ feature facilitates the following services:
Login authentication and authorization for CLI access through Secure Shell (SSH), Telnet, or serial port.
Login authentication for web access through EDM.
Command authorization for CLI through SSH, Telnet, or serial port.
Accounting of CLI through SSH, Telnet, and serial port.
The following figure displays the basic layout of the switch and the TACACS+ server for a remote user connection.
The TACACS+ feature uses Transmission Control Protocol (TCP) for its transport to ensure reliable delivery of packets. TACACS+ provides security by encrypting all traffic between the switch, which acts as the Network Access Server, and the TACACS+ server.
TACACS+ is a newer version of TACACS and provides separate authentication, authorization, and accounting (AAA) services. TACACS+ does not support earlier versions of TACACS.