Auth/Radius/TACACS+ Template
EdgeConnect appliances support user authentication and authorization as a condition of providing access rights.
- Authentication is the process of validating that the end user, or a device, is who they claim to be.
- Authorization is the action of determining what a user is allowed to do. Generally, authentication precedes authorization.
- Map order refers to the order in which the authorization servers are queried.
- The configuration specified for authentication and authorization applies globally to all users accessing that appliance.
- If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template.
Authentication and Authorization
To provide authentication and authorization services, EdgeConnect appliances:
- Support a built-in, local database.
- Can be linked to a RADIUS (Remote Authentication Dial-In User Service) server.
- Can be linked to a TACACS+ (Terminal Access Controller Access Control System) server.
Both RADIUS and TACACS+ are client-server protocols.
Appliance-based User Database
- The local, built-in user database supports user names, groups, and passwords.
- The two user groups are admin and monitor. You must associate each user name with one or the other. Neither group can be modified or deleted.
- The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface’s (CLI) enable mode privileges.
- The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the Command Line Interface’s (CLI) configuration mode privileges.
RADIUS
- RADIUS uses UDP as its transport.
- With RADIUS, the authentication and authorization functions are coupled together.
- RADIUS authentication requests must be accompanied by a shared secret. The shared secret must be the same as defined in the RADIUS setup. Refer to your RADIUS documentation for details.
- IMPORTANT: Configure your RADIUS server’s priv levels within the following ranges:
  - admin = 7 - 15
  - monitor = 1 - 6
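Why the shared secret has to be identical on the appliance and the RADIUS server, shown with the RFC 2865 User-Password hiding and Response Authenticator calculations. This is an added example, not code from the product or its documentation; the function names, secrets and password are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side, RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: rebuild the same pads from its own copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def client_accepts(reply_auth: bytes, code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bool:
    """The client drops any reply whose authenticator does not match its secret."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(reply_auth, expected)

if __name__ == "__main__":
    # Constructed sample values; not taken from any real deployment.
    client_secret, server_secret = b"sample-secret-A", b"sample-secret-B"
    ra = bytes(range(16))  # fixed for a repeatable demo; real clients use random bytes
    hidden = hide_password(b"Example-Pass1", client_secret, ra)
    print("matching secret  :", reveal_password(hidden, client_secret, ra))
    print("mismatched secret:", reveal_password(hidden, server_secret, ra))
    reply = response_authenticator(2, 1, b"", ra, server_secret)  # 2 = Access-Accept
    print("reply accepted   :", client_accepts(reply, 2, 1, b"", ra, client_secret))
```

With mismatched secrets the server recovers garbage instead of the password and the client rejects the server's reply, so logins fail even when the user's credentials are correct.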
TACACS+
- TACACS+ uses TCP as its transport.
- TACACS+ provides separated authentication, authorization, and accounting services.
- Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a shared secret. Refer to your TACACS+ documentation for details.
- IMPORTANT: Configure your TACACS+ server’s roles to be admin and monitor.
What Is Recommended
- Use either RADIUS or TACACS+, but not both.
- For Authentication Order, configure the following:
  - First – Remote first.
  - Second – Local. If not using either, then None.
  - Third – None.
- When using RADIUS or TACACS+ to authenticate users, configure Authorization Information as follows:
  - Map Order – Remote First
  - Default Role – admin