Chapter 24 AAA
GS2200-24 User’s Guide
210
accounts configured on the Switch itself. The Switch can also use an external
authentication server to authenticate a large number of users
Authorization is the process of determining what a user is allowed to do. Different
user accounts may have higher or lower privilege levels associated with them. For
example, user A may have the right to create new login accounts on the Switch
but user B cannot. The Switch can authorize users based on user accounts
configured on the Switch itself or it can use an external server to authorize a large
number of users.
Local User Accounts
By storing user profiles locally on the Switch, your Switch is able to authenticate
and authorize users without interacting with a network AAA server. However, there
is a limit on the number of users you may authenticate in this way (See Chapter
31 on page 275).
RADIUS and TACACS+
RADIUS and TACACS+ are security protocols used to authenticate users by means
of an external server instead of (or in addition to) an internal device user database
that is limited to the memory capacity of the device. In essence, RADIUS and
TACACS+ authentication both allow you to validate an unlimited number of users
from a central location.
The following table describes some key differences between RADIUS and
TACACS+.
24.2 AAA Screens
The AAA screens allow you to enable authentication and authorization or both of
them on the Switch. First, configure your authentication server settings (RADIUS,
TACACS+ or both) and then set up the authentication priority, activate
authorization.
Table 59 RADIUS vs. TACACS+
RADIUS TACACS+
Transport
Protocol
UDP (User Datagram Protocol) TCP (Transmission Control Protocol)
Encryption Encrypts the password sent for
authentication.
All communication between the client
(the Switch) and the TACACS server
is encrypted.
