Authenticating Management Sessions Through a TACACS+ Server

You can use a Terminal Access Controller Access Control System Plus (TACACS+) server to authenticate management sessions for multiple switches.

A TACACS+ server allows you to centralize the authentication database, so that you do not have to maintain a separate local database on each switch. TACACS+ servers provide the following services:

Username and password authentication
Command authorization (the TACACS+ server validates whether the user is authorized to execute each command within the subset of commands, based on login privilege level)
Note
Command usage that should be restricted for a user account by TACACS with CLI authorization enabled may not occur when users are logged in by Chalet or when using the XML API directly. To use Chalet securely, create only read-only users on the switch, and then access Chalet with those user accounts.
Accounting service (tracks authentication and authorization events)

Note

You can use a local database on each switch as a backup authentication service if the TACACS+ service is unavailable. When the TACACS+ service is operating, privileges defined on the TACACS+ server take precedence over privileges configured in the local database.

To use TACACS+ server features, you need the following components:

TACACS+ client software, which is included in the ExtremeXOS software.
A TACACS+ server, which is a third-party product.

Note

TACACS+ provides many of the same features provided by RADIUS, but enabling both RADIUS and TACACS+ at the same time is not supported for Management User Authentication.
RADIUS can be used for both Switch Management User Authentication as well as Network Login user/device authentication, while TACACS+ can be used only for Management User Authentication.

TACACS+ is a communications protocol that is used between client and server to implement the TACACS+ service. The TACACS+ client component of the ExtremeXOS software should be compatible with any TACACS+ compliant server product.

Note

The switch allows local authentication when the client IP is excluded in TACACS+ server by default. To disallow local authentication when the client IP is excluded in TACACS+ server the local authentication disallow option should be used.

For information on installing, configuring, and managing a TACACS+ server, see the product documentation for that server.

The following describes how to configure the ExtremeXOS TACACS+ client component in the ExtremeXOS software: Configuring the TACACS+ Client for Authentication and Authorization.