Authenticating Management Sessions Through a TACACS+ Server
You can use a Terminal Access Controller Access Control System Plus (TACACS+) server to authenticate management sessions for multiple switches.
- Username and password authentication
- Command authorization (the TACACS+ server validates whether the user is authorized to execute each command within the subset of commands, based on login privilege level)
Note: Command restrictions that TACACS+ should apply to a user account when CLI authorization is enabled may not be enforced when users are logged in through Chalet or are using the XML API directly. To use Chalet securely, create only read-only users on the switch, and then access Chalet with those user accounts.
- Accounting service (tracks authentication and authorization events)
Note: You can use a local database on each switch as a backup authentication service if the TACACS+ service is unavailable. When the TACACS+ service is operating, privileges defined on the TACACS+ server take precedence over privileges configured in the local database.
- TACACS+ client software, which is included in the ExtremeXOS software.
- A TACACS+ server, which is a third-party product.
- TACACS+ provides many of the same features provided by RADIUS, but enabling both RADIUS and TACACS+ at the same time is not supported for Management User Authentication.
- RADIUS can be used for both Switch Management User Authentication as well as Network Login user/device authentication, while TACACS+ can be used only for Management User Authentication.
TACACS+ is a communications protocol that is used between client and server to implement the TACACS+ service. The TACACS+ client component of the ExtremeXOS software should be compatible with any TACACS+ compliant server product.
Note: By default, the switch allows local authentication when the client IP is excluded in the TACACS+ server. To disallow local authentication when the client IP is excluded in the TACACS+ server, use the local authentication disallow option.
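As an added example (not part of the ExtremeXOS documentation), the following Python check reads saved switch configuration text and flags the caveats noted above: authorization or accounting not enabled, RADIUS management access enabled alongside TACACS+, and local accounts that are not read-only. The command spellings it matches and the sample configuration are assumptions constructed for illustration; confirm them against the command reference for your release.

```python
import re

# Constructed sample shaped like ExtremeXOS configuration text. The command
# spellings are assumptions; verify them for your software release.
SAMPLE_CONFIG = """\
configure tacacs primary server 192.0.2.10 49 client-ip 192.0.2.2 vr VR-Mgmt
configure tacacs primary shared-secret encrypted "<placeholder>"
enable tacacs
enable tacacs-accounting
enable radius mgmt-access
create account admin netops encrypted "<placeholder>"
create account user chalet-ro encrypted "<placeholder>"
"""

def audit_tacacs(config):
    """Return a list of findings for the TACACS+ caveats described above."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def has(pattern):
        # fullmatch so "enable tacacs" does not match "enable tacacs-accounting"
        return any(re.fullmatch(pattern, ln) for ln in lines)

    if not has(r"enable tacacs"):
        return ["TACACS+ authentication is not enabled"]
    findings = []
    if not has(r"configure tacacs (primary|secondary) server \S+.*"):
        findings.append("TACACS+ is enabled but no server is configured")
    if not has(r"enable tacacs-authorization"):
        findings.append("command authorization is not enabled")
    if not has(r"enable tacacs-accounting"):
        findings.append("accounting is not enabled")
    # RADIUS and TACACS+ together are not supported for management users.
    # Assumption: a bare "enable radius" also turns on management access.
    if has(r"enable radius( mgmt-access)?"):
        findings.append("RADIUS management access is enabled alongside TACACS+")
    # Chalet and the XML API may not enforce per-command authorization, so any
    # local account that is not read-only deserves review.
    for ln in lines:
        match = re.fullmatch(r"create account admin (\S+).*", ln)
        if match:
            findings.append(f"local account '{match.group(1)}' is not read-only")
    return findings

if __name__ == "__main__":
    for finding in audit_tacacs(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
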
For information on installing, configuring, and managing a TACACS+ server, see the product documentation for that server.
The following topic describes how to configure the TACACS+ client component of the ExtremeXOS software: Configuring the TACACS+ Client for Authentication and Authorization.