Sun Netra CP3240 Switch User’s Guide Table Of ContentsPrevious ChapterNext ChapterBook Index

C H A P T E R  27
Configuring Access Control for Networked Devices

This chapter describes how to configure the access control for networked devices.

This chapter contains the following topics:

Understanding the Terminal Access Controller Access Control System

Terminal Access Controller Access Control System (TACACS+) provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ is based on the TACACS protocol described in RFC1492. TACACS+ uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages.

After you configure TACACS+ as the authentication method for user login, the NAS (Network Access Server) prompts for the user login credentials and requests services from the FASTPATH TACACS+ client. The client then uses the configured list of servers for authentication, and provides results back to the NAS. You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You can also assign each a priority to determine the order in which the TACACS+ client will contact them. TACACS+ contacts the server when a connection attempt fails or times out for a higher priority server.

You can configure each server host with a specific connection type, port, timeout, and shared key, or you can use global configuration for the key and timeout.

Like RADIUS, the TACACS+ server can do the authentication itself, or redirect the request to another back-end device. All sensitive information is encrypted and the shared secret is never passed over the network - it is used only to encrypt the data.

Configuring Access Control for Networked Devices

The following example configures two TACACS+ servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The server at 10.10.10.10 has a default priority of 0, the highest priority, while the other server has a priority of 2. The process creates a new authentication list, called tacacsList, which uses TACACS+ to authenticate, and uses local authentication as a backup method. This authentication list is then associated with the defaultlogin.


FIGURE 27-1 FASTPATH with TACACS+

When a user attempts to log into the switch, the NAS or switch prompts for a username and password. The switch attempts to communicate with the highest priority configured TACACS+ server at 10.10.10.10. Upon successful connection with the server, the switch and server exchange the login credentials over an encrypted channel. The server then grants or denies access, which the switch honors, and either allows or does not allow the user to gain access to the switch. If neither of the two servers can be contacted, the switch searches its local user database for the user.


CODE EXAMPLE 27-1 Configuring Access Control for Networked Devices 
config        tacacs-server host 10.10.10.10                  key tacacs1        exit        tacacs-server host 11.11.11.11                 key tacacs2                 priority 2        exit        authentication login tacacsList tacacs local        users defaultlogin tacacsListexit

 



Sun Netra CP3240 Switch User’s Guide 820-3252-11 Table Of ContentsPrevious ChapterNext ChapterBook Index

© 2007 Diversified Technology, Inc. All Rights Reserved. © 2009 Sun Microsystems, Inc. All rights reserved.