Link Search Menu Expand Document

Auth/Radius/TACACS+ Template

EdgeConnect appliances support user authentication and authorization as a condition of providing access rights.

  • Authentication is the process of validating that the end user, or a device, is who they claim to be.

  • Authorization is the action of determining what a user is allowed to do. Generally, authentication precedes authorization.

  • Map order refers to the order in which the authorization servers are queried.

  • The configuration specified for authentication and authorization applies globally to all users accessing that appliance.

  • If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template.

Authentication and Authorization

To provide authentication and authorization services, EdgeConnect appliances:

  • Support a built-in, local database.

  • Can be linked to a RADIUS (Remote Authentication Dial-In User Service) server.

  • Can be linked to a TACACS+ (Terminal Access Controller Access Control System) server.

Both RADIUS and TACACS+ are client-server protocols.

Appliance-based User Database

  • The local, built-in user database supports user names, groups, and passwords.

  • The two user groups are admin and monitor. You must associate each user name with one or the other. Neither group can be modified or deleted.

  • The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface’s (CLI) enable mode privileges.

  • The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the Command Line Interface’s (CLI) configuration mode privileges.

RADIUS

  • RADIUS uses UDP as its transport.

  • With RADIUS, the authentication and authorization functions are coupled together.

  • RADIUS authentication requests must be accompanied by a shared secret. The shared secret must be the same as defined in the RADIUS setup. Refer to your RADIUS documentation for details.

  • IMPORTANT: Configure your RADIUS server’s priv levels within the following ranges:

    • admin = 7 - 15

    • monitor = 1 - 6

TACACS+

  • TACACS+ uses TCP as its transport.

  • TACACS+ provides separated authentication, authorization, and accounting services.

  • Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a shared secret. Refer to your TACACS+ documentation for details.

  • IMPORTANT: Configure your TACACS+ server’s roles to be admin and monitor.

  • Use either RADIUS or TACACS+, but not both.

  • For Authentication Order, configure the following:

    • First – Remote first.

    • Second – Local. If not using either, then None.

    • Third – None.

  • When using RADIUS or TACACS+ to authenticate users, configure Authorization Information as follows:

    • Map Order – Remote First

    • Default Role – admin

Back to top

© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.

Open Source Code:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America