The switch acts as an NAS to provide a connection to a single user, to a network, subnetwork or interconnected networks. The switch acts as a gateway to guard access to the TACACS+ server and network. Encryption relies on a secret key that is known to the client and the TACACS+ server.
rlogin
Secure Shell (SSHv2)
Telnet
serial port
web management
Note
Rlogin is only supported on VSP 8600 Series.
A TACACS+ daemon, which typically runs on a UNIX or Windows NT workstation, maintains the TACACS+ authentication, authorization, and accounting services.
Extreme Networks Identity Engines supports the TACACS+ daemon.
As a best practice, use the Identity Engines Ignition Server as your TACACS+ server.
You configure users in the TACACS+ server. If you enable authentication, authorization, and accounting services, the following occurs:
During the logon process, the TACACS+ client initiates the TACACS+ authentication session with the TACACS+ server.
After successful authentication the TACACS+ client initiates the TACACS+ authorization session with the TACACS+ server. This is transparent to the user. The switch receives the user access level after a successful TACACS+ authorization. The TACACS+ server authorizes every command the user issues if TACACS + command authorization is enabled for that user access level.
After successful authorization, if you enable TACACS+ accounting, the TACACS+ client sends accounting information to the TACACS+ server.
Multi-connection mode (also known as per-session): For every authentication, authorization, and accounting (AAA) request the switch establishes a session with the TACACS+ server, and then after the request finishes, the session is torn down. Multi-connection mode is the default mode.
Single-connection mode: The first AAA request establishes the session, which is only torn down if TACACS+ is disabled or due to inactivity.