Authenticating Management Sessions Through a TACACS+ Server
You can use a Terminal Access Controller Access Control System Plus (TACACS+) server to authenticate management sessions for multiple switches.
- Username and password authentication
- Command authorization (the TACACS+ server validates whether the user is authorized to execute each command within the subset of commands, based on login privilege level)
- Accounting service (tracks authentication and authorization events)

Note
You can use a local database on each switch as a backup authentication service if the TACACS+ service is unavailable. When the TACACS+ service is operating, privileges defined on the TACACS+ server take precedence over privileges configured in the local database.

- TACACS+ client software, which is included in the ExtremeXOS software.
- A TACACS+ server, which is a third-party product.

Note
TACACS+ provides many of the same features provided by RADIUS. You cannot use RADIUS and TACACS+ at the same time.

TACACS+ is a communications protocol that is used between client and server to implement the TACACS+ service. The TACACS+ client component of the ExtremeXOS software should be compatible with any TACACS+ compliant server product.

Note
By default, the switch allows local authentication when the client IP is excluded in the TACACS+ server. To disallow local authentication when the client IP is excluded in the TACACS+ server, use the local authentication disallow option.

For information on installing, configuring, and managing a TACACS+ server, see the product documentation for that server.
The following section describes how to configure the TACACS+ client component of the ExtremeXOS software: Configuring the TACACS+ Client for Authentication and Authorization.