Auth/Radius/TACACS+ Template

EdgeConnect appliances support user authentication and authorization as a condition of providing access rights.

  • Authentication is the process of validating that the end user, or a device, is who they claim to be.

  • Authorization is the action of determining what a user is allowed to do. Generally, authentication precedes authorization.

  • Map order refers to the order in which the authorization servers are queried.

  • The configuration specified for authentication and authorization applies globally to all users accessing that appliance.

  • If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template.

Authentication and Authorization

To provide authentication and authorization services, EdgeConnect appliances:

  • Support a built-in, local database.

  • Can be linked to a RADIUS (Remote Authentication Dial-In User Service) server.

  • Can be linked to a TACACS+ (Terminal Access Controller Access Control System) server.

Both RADIUS and TACACS+ are client-server protocols.

Appliance-based User Database

  • The local, built-in user database supports user names, groups, and passwords.

  • The two user groups are admin and monitor. You must associate each user name with one or the other. Neither group can be modified or deleted.

  • The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface’s (CLI) enable mode privileges.

  • The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the Command Line Interface’s (CLI) configuration mode privileges.

RADIUS

  • RADIUS uses UDP as its transport.

  • With RADIUS, the authentication and authorization functions are coupled together.

  • RADIUS authentication requests must be accompanied by a shared secret. The shared secret must be the same as defined in the RADIUS setup. Refer to your RADIUS documentation for details.

  • IMPORTANT: Configure your RADIUS server’s priv levels within the following ranges:

    • admin = 7 - 15

    • monitor = 1 - 6

TACACS+

  • TACACS+ uses TCP as its transport.

  • TACACS+ provides separated authentication, authorization, and accounting services.

  • Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a shared secret. Refer to your TACACS+ documentation for details.

  • IMPORTANT: Configure your TACACS+ server’s roles to be admin and monitor.

  • Use either RADIUS or TACACS+, but not both.

  • For Authentication Order, configure the following:

    • First – Remote first.

    • Second – Local. If not using either, then None.

    • Third – None.

  • When using RADIUS or TACACS+ to authenticate users, configure Authorization Information as follows:

    • Map Order – Remote First

    • Default Role – admin
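The ranges and settings in the RADIUS and TACACS+ sections above can be checked mechanically before a template is pushed. The following is an added example, not HPE code: a small linter that maps RADIUS privilege levels to the appliance groups, flags levels outside 1-15, rejects TACACS+ roles other than admin and monitor, and confirms the authentication order and map order match this page. The dictionary layout it reads (`radius`, `tacacs`, `auth_order`, `map_order`) is an assumption made for illustration, not the appliance's actual configuration schema.

```python
"""Check an EdgeConnect AAA template against the rules documented on this page.

Added example, not HPE code. The input dict keys (radius, tacacs, auth_order,
map_order) are an assumed layout for illustration only.
"""

ADMIN_LEVELS = range(7, 16)     # RADIUS priv levels 7-15 map to admin
MONITOR_LEVELS = range(1, 7)    # RADIUS priv levels 1-6 map to monitor
TACACS_ROLES = {"admin", "monitor"}
EXPECTED_AUTH_ORDER = ("remote", "local", "none")


def radius_role(priv_level):
    """Map a RADIUS privilege level to the appliance group, or None if out of range."""
    if priv_level in ADMIN_LEVELS:
        return "admin"
    if priv_level in MONITOR_LEVELS:
        return "monitor"
    return None  # 0, 16 and above, or a non-integer: no group is defined


def check_template(cfg):
    """Return a list of findings; an empty list means the template follows the page."""
    findings = []
    remote = [p for p in ("radius", "tacacs") if cfg.get(p)]
    if len(remote) > 1:
        findings.append("use either RADIUS or TACACS+, not both")
    # Every RADIUS priv level must fall inside the admin or monitor range.
    for user, level in cfg.get("radius", {}).get("priv_levels", {}).items():
        if radius_role(level) is None:
            findings.append(f"RADIUS priv level {level} for {user!r} is outside 1-15")
    # TACACS+ roles must be exactly the two built-in group names.
    for user, role in cfg.get("tacacs", {}).get("roles", {}).items():
        if role not in TACACS_ROLES:
            findings.append(f"TACACS+ role {role!r} for {user!r} must be admin or monitor")
    # With a remote server configured, the order is Remote, Local, None.
    order = tuple(cfg.get("auth_order", ()))
    if remote and order != EXPECTED_AUTH_ORDER:
        findings.append(f"authentication order {order} should be {EXPECTED_AUTH_ORDER}")
    if remote and cfg.get("map_order") != "remote":
        findings.append("authorization map order should be Remote First")
    return findings
```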

© Copyright 2024 Hewlett Packard Enterprise Development LP.