TACACS+ Operation

The switch acts as an NAS to provide a connection to a single user, to a network, subnetwork or interconnected networks. The switch acts as a gateway to guard access to the TACACS+ server and network. Encryption relies on a secret key that is known to the client and the TACACS+ server.

Similar to the Remote Access Dial-In User Services (RADIUS) protocol, TACACS+ provides the ability to centrally manage the users who want to access a remote device. TACACS+ provides management of remote and local users who try to access a device through:
  • rlogin

  • Secure Shell (SSHv2)

  • Telnet

  • serial port

  • Web management

Note

Note

Rlogin is only supported on VSP 8600 Series.

A TACACS+ daemon, which typically runs on a UNIX or Windows NT workstation, maintains the TACACS+ authentication, authorization, and accounting services.

Extreme Networks Identity Engines supports the TACACS+ daemon.

As a best practice, use the Identity Engines Ignition Server as your TACACS+ server.

You configure users in the TACACS+ server. If you enable authentication, authorization, and accounting services, the following occurs:

A TACACS+ session establishes with the server in one of two ways:
  • Multi-connection mode (also known as per-session): For every authentication, authorization, and accounting (AAA) request the switch establishes a session with the TACACS+ server, and then after the request finishes, the session is torn down. Multi-connection mode is the default mode.

  • Single-connection mode: The first AAA request establishes the session, which is only torn down if TACACS+ is disabled or due to inactivity.