xStack

®

DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual

52

8

ACCESS AUTHENTICATION CONTROL COMMANDS

The TACACS / XTACACS / TACACS+ / RADIUS commands allow users to secure access to the Switch using the

TACACS / XTACACS / TACACS+ / RADIUS protocols. When a user logs in to the Switch or tries to access the

administrator level privilege, he or she is prompted for a password. If TACACS / XTACACS / TACACS+ / RADIUS

authentication is enabled on the Switch, it will contact a TACACS / XTACACS / TACACS+ / RADIUS server to verify the

user. If the user is verified, he or she is granted access to the Switch.

There are currently three versions of the TACACS security protocol, each a separate entity. The Switch’s software

supports the following versions of TACACS:

a)

TACACS (Terminal Access Controller Access Control System) —Provides password checking and

authentication, and notification of user actions for security purposes utilizing via one or more centralized TACACS

servers, utilizing the UDP protocol for packet transmission.

b)

Extended TACACS (XTACACS) — An extension of the TACACS protocol with the ability to provide more types of

authentication requests and more types of response codes than TACACS. This protocol also uses UDP to

transmit packets.

c)

TACACS+ (Terminal Access Controller Access Control System plus) — Provides detailed access control for

authentication for network devices. TACACS+ is facilitated through Authentication commands via one or more

centralized servers. The TACACS+ protocol encrypts all traffic between the Switch and the TACACS+ daemon,

using the TCP protocol to ensure reliable delivery.

The Switch also supports the RADIUS protocol for authentication using the Access Authentication Control commands.

RADIUS or Remote Authentication Dial In User Server also uses a remote server for authentication and can be

responsible for receiving user connection requests, authenticating the user and returning all configuration information

necessary for the client to deliver service through the user. RADIUS may be facilitated on this Switch using the

commands listed in this section.

In order for the TACACS / XTACACS / TACACS+ / RADIUS security function to work properly, a TACACS / XTACACS /

TACACS+ / RADIUS server must be configured on a device other than the Switch, called a server host and it must

include usernames and passwords for authentication. When the user is prompted by the Switch to enter usernames and

passwords for authentication, the Switch contacts the TACACS / XTACACS / TACACS+ / RADIUS server to verify, and

the server will respond with one of three messages:

1.

The server verifies the username and password, and the user is granted normal user privileges on the Switch.

2.

The server will not accept the username and password and the user is denied access to the Switch.

3.

The server doesn’t respond to the verification query. At this point, the Switch receives the timeout from the server

and then moves to the next method of verification configured in the method list.

The Switch has four built-in server groups, one for each of the TACACS, XTACACS, TACACS+ and RADIUS protocols.

These built-in server groups are used to authenticate users trying to access the Switch. The users will set server hosts in

a preferable order in the built-in server group and when a user tries to gain access to the Switch, the Switch will ask the

first server host for authentication. If no authentication is made, the second server host in the list will be queried, and so

on. The built-in server group can only have hosts that are running the specified protocol. For example, the TACACS

server group can only have TACACS server hosts.

The administrator for the Switch may set up five different authentication techniques per user-defined method list

(TACACS / XTACACS / TACACS+ / RADIUS / local / none) for authentication. These techniques will be listed in an order

preferable, and defined by the user for normal user authentication on the Switch, and may contain up to eight

authentication techniques. When a user attempts to access the Switch, the Switch will select the first technique listed for

authentication. If the first technique goes through its server hosts and no authentication is returned, the Switch will then

go to the next technique listed in the server group for authentication, until the authentication has been verified or denied,

or the list is exhausted.

xStack

®

DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual

53

Please note that user granted access to the Switch will be granted normal user privileges on the Switch. To gain access

to admin level privileges, the user must enter the

enable admin

command and then enter a password, which was

previously configured by the administrator of the Switch.

The Access Authentication Control commands in the Command Line Interface (CLI) are listed (along with the appropriate

parameters) in the following table.

NOTE:

TACACS, XTACACS and TACACS+ are separate entities and are not compatible. The Switch

and the server must be configured exactly the same, using the same protocol. (For example, if the

Switch is set up for TACACS authentication, so must be the host server.)

xStack

®

DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual

54

Command

Parameters

enable password encryption

disable password encryption

create account

[admin | operator | user] <username 15>

config account

<username> {encrypt [plain_text | sha_1] <password>}

show account

delete account

<username>

enable authen_policy

disable authen_policy

show authen_policy

create authen_login

method_list_name

<string 15>

config authen_login

[default | method_list_name <string 15>] method {tacacs | xtacacs | tacacs+ |

radius | server_group <string 15> | local | none}(1)

delete authen_login

method_list_name

<string 15>

show authen_login

[default | method_list_name <string 15> | all]

create authen_enable

method_list_name

<string 15>

config authen_enable

[default | method_list_name <string 15>] method {tacacs | xtacacs | tacacs+ |

radius | server_group <string 15> | local _enable | none}(1)

delete authen_enable

method_list_name

<string 15>

show authen_enable

[default | method_list_name <string 15> | all]

config authen application

[console | telnet | ssh | http | all] [login | enable] [default | method_list_name

<string 15>]

show authen application

create authen server_group

<string 15>

config authen server_group

[tacacs | xtacacs | tacacs+ | radius | <string 15>] [add | delete] server_host

<ipaddr> protocol [tacacs | xtacacs | tacacs+ | radius]

delete authen server_group

<string 15>

show authen server_group

{<string 15>}

create authen server_host

<ipaddr> protocol [tacacs | xtacacs | tacacs+ | radius] { port <int 1-65535> | key

[<key_string 254> | none] | timeout <int 1-255> | retransmit <int 1-20> }

config authen server_host

<ipaddr> protocol [tacacs | xtacacs | tacacs+ | radius] { port <int 1-65535> | key

[<key_string 254> | none ] | timeout <int 1-255> | retransmit <int 1-20> }

delete authen server_host

<ipaddr> protocol [tacacs | xtacacs | tacacs+ | radius]

show authen server_host

config authen parameter

response_timeout

<int 0-255>

config authen parameter attempt

<int 1-255>

show authen parameter

enable admin

xStack

®

DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual

55

Command

Parameters

config admin local_enable

Each command is listed, in detail, in the following sections.

enable password encryption

Purpose

This command is used to enable password encryption.

Syntax

enable password encryption

Description

The user account configuration information will be stored in the configuration file, and can be

applied to the system later.

If password encryption is enabled, the passwords will be in encrypted form.

When password encryption is disabled, if the user specifies the password in plain text form,

the password will be in plan text form. However, if the user specifies the password in

encrypted form, or if the password has been converted to encrypted form by the last enable

password encryption command, the password will always be in the encrypted form and can

not be reverted back to plaintext.

Parameters

None

Restrictions

Only Administrator and Operator-level users can issue this command.

Example usage:

To enable password encryption:

DGS-3627:admin# enable password encryption

Command: enable password encryption

DGS-3627:admin#

disable password encryption

Purpose

This command is used to disable password encryption.

Syntax

disable password encryption

Description

The user account configuration information will be stored in the configuration file, and can be

applied to the system later.

If password encryption is enabled, the passwords will be in encrypted form.

When password encryption is disabled, if the user specifies the password in plain text form,

the password will be in plan text form. However, if the user specifies the password in

encrypted form, or if the password has been converted to encrypted form by the last enable

password encryption command, the password will always be in the encrypted form and can

not be reverted back to plaintext.

Parameters

None.

Restrictions

Only Administrator and Operator-level users can issue this command.

Example usage:

To disable password encryption:

xStack

®

DGS-3600 Series Layer 3 Gigabit Ethernet Managed Switch CLI Manual

56

DGS-3627:admin# disable password encryption

Command: disable password encryption

DGS-3627:admin#

create account

Purpose

This command is used to create user accounts.

Syntax

create account [admin | operator | user] <username 15>

Description

The create account command is used to create user accounts. A username can be between

1 and 15 characters. The password is between 0 and 15 characters and is case sensitive.

The total number of accounts supported by the Switch (including admin and user level

accounts) is 8.

Parameters

admin

- Specify an administrator level account. The administrator is the highest privilege level

in the Switch.

operator

- Specify an operator level account.

user

- Specify a user level account.

<username 15>

- The user name, which must be a minimum of 1 character and a maximum

of 15 characters.

Restrictions

Only Administrator-level users can issue this command.

Example usage:

To create the admin-level user “alpha”:

DGS-3627:admin# create account admin alpha

Command: create account admin alpha

Enter a case-sensitive new password:****

Enter the new password again for confirmation:****

Success.

DGS-3627:admin#

config account

Purpose

This command is used to configure user accounts.

Syntax

config account <username> {encrypt [plain_text | sha_1] <password>}

Description

When the password information is not specified in the command, the system will prompt the

user to input the password interactively. In this case, the user can only input a plain text

password.

If the user specifies a password in the command, the user can select to input the password in

plain text form or in encrypted form. The encryption algorithm is based on SHA-1.

Parameters

<username>

- Specify the name of the account. The account must already be defined.

plain_text

- Specify the password in plain text form.

sha_1

- Specify the password in SHA-1 encrypted form.

password

- The password for the user account. The length of a password in plain-text form

and encrypted form are different. For a plain-text form password, the password must be a

minimum of 0 characters and a maximum of 15 characters. For an encrypted form password,

the length is fixed to 35 bytes long. The password is case-sensitive.

Restrictions

Only Administrator level users can issue this command.