Configuration Guide Vol. 1


10.2.2 Applicable functions and scope of RADIUS/TACACS+

The Switch uses RADIUS or TACACS+ for login authentication from an operation terminal, authentication when changing to administrator mode (by the enable command), command authorization, and accounting. RADIUS is also used for IEEE 802.1X authentication and Web authentication of operation terminals. The RADIUS and TACACS+ function support range is listed below.

(1) Scope of RADIUS/TACACS+

RADIUS or TACACS+ authentication can be used for the following operations:

RADIUS or TACACS+ command authorization can be used for the following operations:

RADIUS or TACACS+ accounting can be used for the following operations:

(2) Supported RADIUS scope

The Switch supports the following NAS functionality for communication with a RADIUS server:

Table 10-3 RADIUS support range

Category: Documentation
Description: The supported RADIUS functions described here are limited to NAS-related functions only.

Category: Packet type
Description: Support for the following packet types used in login authentication, authentication when changing to administrator mode (by the enable command), and command authorization:
  • Access-Request (send)
  • Access-Accept (receive)
  • Access-Reject (receive)

Support for the following accounting packet types:
  • Accounting-Request (send)
  • Accounting-Response (receive)

Category: Attribute
Description: Support for the following attributes used in login authentication and authentication when changing to administrator mode (by the enable command):
  • User-Name
  • User-Password
  • Service-Type
  • NAS-IP-Address
  • NAS-IPv6-Address
  • NAS-Identifier
  • Reply-Message

Support for the following command authorization attributes:
  • Class
  • Vendor-Specific (Vendor-ID: 21839)

Support for the following accounting attributes:
  • User-Name
  • NAS-IP-Address
  • NAS-IPv6-Address
  • NAS-Port
  • NAS-Port-Type
  • Service-Type
  • Calling-Station-Id
  • Acct-Status-Type
  • Acct-Delay-Time
  • Acct-Session-Id
  • Acct-Authentic
  • Acct-Session-Time

(a) Content of the RADIUS attributes used

The table below describes the RADIUS attributes used in authentication, command authorization, and accounting.

To perform command authorization using a RADIUS server, you must set up the server in advance so that it returns a Class or Vendor-Specific attribute when a user is authenticated. Register the vendor-specific attributes with the RADIUS server by defining them in its dictionary file or other configuration file. For more information about the command authorization attributes, see 10.2.4 Command Authorization Using RADIUS/TACACS+/Local.

Table 10-4: RADIUS attributes used

| Attribute name | Attribute number | Packet type | Description |
|---|---|---|---|
| User-Name | 1 | Access-Request, Accounting-Request | The name of the user being authenticated. For login authentication, the login user name is sent. For authentication when changing to administrator mode (enable command), the user name is sent according to Table 10-9: User name attribute to be set. |
| User-Password | 2 | Access-Request | The password of the user being authenticated, sent in encrypted form. |
| Service-Type | 6 | Access-Request, Accounting-Request | Login (value = 1) or Administrative (value = 6; used only in Access-Request packets). Ignored when attached to Access-Accept or Access-Reject. |
| NAS-IP-Address | 4 | Access-Request, Accounting-Request | The IP address of the Switch: the local address if one is specified, otherwise the IP address of the requesting interface. |
| NAS-IPv6-Address | 95 | Access-Request, Accounting-Request | The IPv6 address of the Switch: the local address if one is specified, otherwise the IPv6 address of the requesting interface. When communicating over IPv6 link-local addresses, the link-local address of the requesting interface is set regardless of the local address setting. |
| NAS-Identifier | 32 | Access-Request, Accounting-Request | The device name of the Switch. Not attached if no device name has been set. |
| Reply-Message | 18 | Access-Accept, Access-Reject, Accounting-Response | A message from the server. Output as an operation log entry if attached. |
| Class | 25 | Access-Accept | The login class; used in command authorization. |
| Vendor-Specific | 26 | Access-Accept | A login list; used in command authorization. |
| NAS-Port | 5 | Accounting-Request | The port number of the NAS device to which the user is connected. The Switch stores the TTY port number, or 100 for an FTP connection. |
| NAS-Port-Type | 61 | Accounting-Request | The method of connection to the NAS device. The Switch stores Virtual (5) for a Telnet/FTP connection or Async (0) for a console connection. |
| Calling-Station-Id | 31 | Accounting-Request | The user's ID. The Switch stores the client's IP address for Telnet/FTP connections, or the string console for console connections. |
| Acct-Status-Type | 40 | Accounting-Request | The timing at which the Accounting-Request was sent. The Switch stores Start (1) if sent at login, or Stop (2) if sent at logout. |
| Acct-Delay-Time | 41 | Accounting-Request | The time (in seconds) taken to send the Accounting-Request after the event requiring it occurred. |
| Acct-Session-Id | 44 | Accounting-Request | A character string identifying the session. The Switch stores the session's process ID. |
| Acct-Authentic | 45 | Accounting-Request | How the user was authenticated. The Switch stores one of three authentication types: RADIUS (1), Local (2), or Remote (3). |
| Acct-Session-Time | 46 | Accounting-Request (only when Acct-Status-Type is Stop) | The time (in seconds) for which the user received the service. The Switch stores the time from successful login until logout. |

  • Access-Request packet

    No attributes other than those listed above are attached to Access-Request packets sent by the Switch.

  • Access-Accept, Access-Reject, and Accounting-Response packets

    Attributes other than those listed above are ignored by the Switch if attached to the packet.
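To show how the accounting attributes of Table 10-4 appear on the wire, the following added example (not code from the guide or the Switch) encodes the Start record the Switch would send for an FTP login and decodes it server-side, rejecting packets whose RFC 2866 Request Authenticator does not verify; the shared secret, user name, addresses and session ID are constructed sample values.

```python
import hashlib
import struct

# Attribute type numbers from Table 10-4 (standard RFC 2865/2866 values)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
CALLING_STATION_ID, ACCT_STATUS_TYPE, ACCT_DELAY_TIME = 31, 40, 41
ACCT_SESSION_ID, ACCT_AUTHENTIC, ACCT_SESSION_TIME, NAS_PORT_TYPE = 44, 45, 46, 61
ACCOUNTING_REQUEST = 4  # RADIUS packet code

def _avp(atype, value):
    # Strings and the 4 raw IP octets go as-is; integers are 4-octet big-endian
    data = value if isinstance(value, bytes) else struct.pack("!I", value)
    return bytes([atype, 2 + len(data)]) + data

def build_accounting_request(ident, secret, avps):
    """Encode an Accounting-Request. Its Request Authenticator (RFC 2866) is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = b"".join(_avp(t, v) for t, v in avps)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + auth + attrs

def parse_accounting_request(pkt, secret):
    """Server side: check the authenticator, then return {type: [raw values]}.
    Returns None for a packet that is malformed or not signed with `secret`."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return None
    attrs = pkt[20:]
    if hashlib.md5(pkt[:4] + bytes(16) + attrs + secret).digest() != pkt[4:20]:
        return None
    out, i = {}, 0
    while i < len(attrs):
        alen = attrs[i + 1] if i + 1 < len(attrs) else 0
        if alen < 2 or i + alen > len(attrs):
            return None  # bad attribute length: reject rather than guess
        out.setdefault(attrs[i], []).append(attrs[i + 2:i + alen])
        i += alen
    return out

def ftp_login_start_record(secret=b"example-shared-secret"):
    """Constructed sample: the Start record of Table 10-4 for an FTP login
    (NAS-Port 100, NAS-Port-Type Virtual, Calling-Station-Id = client IP)."""
    return build_accounting_request(7, secret, [
        (USER_NAME, b"operator"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),
        (NAS_PORT, 100), (NAS_PORT_TYPE, 5), (SERVICE_TYPE, 1),
        (CALLING_STATION_ID, b"198.51.100.7"), (ACCT_STATUS_TYPE, 1),
        (ACCT_DELAY_TIME, 0), (ACCT_SESSION_ID, b"4242"), (ACCT_AUTHENTIC, 1),
    ])
```

Because the authenticator covers every attribute, a collector that checks it (as above) will drop an accounting record whose user name or session ID was altered in transit, and one sent with a different shared secret.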

(3) Supported TACACS+ scope

The Switch supports the following NAS functionality for communication with a TACACS+ server:

Table 10-5 Scope of TACACS+ support

Category: Packet type
Description: Support for the following packet types used in login authentication and authentication when changing to administrator mode (by the enable command):
  • Authentication Start (send)
  • Authentication Reply (receive)
  • Authentication Continue (send)

Support for the following command authorization packet types:
  • Authorization Request (send)
  • Authorization Response (receive)

Support for the following accounting packet types:
  • Accounting Request (send)
  • Accounting Reply (receive)

Category: Login authentication; authentication when changing to administrator mode (by the enable command)
Description: Attribute
  • User
  • Password
  • priv-lvl

Category: Command authorization
Description: Service
  • taclogin
Attribute
  • class
  • allow-commands
  • deny-commands

Category: Accounting
Description: Flag
  • TAC_PLUS_ACCT_FLAG_START
  • TAC_PLUS_ACCT_FLAG_STOP
Attribute
  • task_id
  • start_time
  • stop_time
  • elapsed_time
  • timezone
  • Service
  • priv-lvl
  • cmd

(a) Content of the TACACS+ attributes used

The table below describes the TACACS+ attributes used in authentication, command authorization, and accounting.

To perform command authorization using a TACACS+ server, you must set up the server in advance so that it returns a class attribute, or an allow-commands or deny-commands attribute, together with the requested service when a user is authenticated. For more information about command authorization, see 10.2.4 Command Authorization Using RADIUS/TACACS+/Local.

Table 10-6: TACACS+ attributes used

| Service | Attribute | Description |
|---|---|---|
| - | User | The name of the user being authenticated. For login authentication, the login user name is sent. For authentication when changing to administrator mode (enable command), the user name is sent according to Table 10-9: User name attribute to be set. |
| - | Password | The password of the user being authenticated, sent in encrypted form. |
| - | priv-lvl | The privilege level of the user being authenticated: 1 for login authentication, 15 for authentication when changing to administrator mode (by the enable command). |
| taclogin | class | Command class |
| taclogin | allow-commands | Authorized command list |
| taclogin | deny-commands | Unauthorized command list |

Legend: -: Not applicable

The following table describes the TACACS+ flags for accounting services.

Table 10-7 TACACS+ accounting flag list

| Flag | Description |
|---|---|
| TAC_PLUS_ACCT_FLAG_START | Indicates an Accounting START packet. If stop-only transmission mode is specified in the aaa configuration entry, no Accounting START packets are sent. |
| TAC_PLUS_ACCT_FLAG_STOP | Indicates an Accounting STOP packet. If stop-only transmission mode is specified in the aaa configuration entry, only Accounting STOP packets are sent. |

The following table describes the values of the TACACS+ attribute-value pairs used for accounting.

Table 10-8 TACACS+ accounting attribute-value list

Attribute: task_id
Value: The ID assigned to the event. The Switch stores the process ID of each accounting event.

Attribute: start_time
Value: The time at which the event started. The Switch stores the time at which each accounting event started. This attribute is stored for the following events:
  • In start-stop transmission mode: At login and before command execution
  • In stop-only transmission mode: Before command execution

Attribute: stop_time
Value: The time at which the event ended. The Switch stores the time at which each accounting event ended. This attribute is stored for the following events:
  • In start-stop transmission mode: At logout and after command execution
  • In stop-only transmission mode: At logout

Attribute: elapsed_time
Value: The elapsed time (in seconds) since the event started. The Switch stores the length of time (in seconds) from the start to the end of each accounting event. This attribute is stored for the following events:
  • In start-stop transmission mode: At logout and after command execution
  • In stop-only transmission mode: At logout

Attribute: timezone
Value: A string representing the time zone

Attribute: Service
Value: The character string shell

Attribute: priv-lvl
Value: For command accounting, the privilege level of the command: 1 for an operation command, or 15 for a configuration command

Attribute: cmd
Value: For command accounting, the command string (maximum 250 characters) that was entered
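A collector that audits command accounting has to cope with both transmission modes of Table 10-7: in start-stop mode each command yields a START and a STOP record, while in stop-only mode only the STOP arrives. The following added example (not code from the guide or the Switch) pairs records by task_id using the Table 10-8 attribute-value pairs and recovers the start of a STOP-only command from stop_time and elapsed_time; the records, user names, commands and epoch-second timestamps are constructed sample input, and the user name is taken from the accounting packet body rather than an attribute-value pair.

```python
# Flag values are those of RFC 8907; the names are the ones used in Table 10-7
TAC_PLUS_ACCT_FLAG_START = 0x02
TAC_PLUS_ACCT_FLAG_STOP = 0x04

def parse_args(args):
    """Split the 'key=value' argument strings of Table 10-8 into a dict."""
    return dict(a.split("=", 1) for a in args if "=" in a)

def correlate(records):
    """Pair START/STOP records by task_id (the Switch's process ID) into events.
    records: (flag, user, [args]) tuples in arrival order.
    In stop-only mode a command has no START, so its start time is
    recovered as stop_time - elapsed_time and flagged matched_start=False."""
    open_tasks, events = {}, []
    for flag, user, args in records:
        av = parse_args(args)
        tid = av.get("task_id")
        if flag == TAC_PLUS_ACCT_FLAG_START:
            open_tasks[tid] = av
        elif flag == TAC_PLUS_ACCT_FLAG_STOP:
            stop = int(av["stop_time"])
            elapsed = int(av.get("elapsed_time", 0))
            start_av = open_tasks.pop(tid, None)
            start = stop - elapsed
            if start_av and "start_time" in start_av:
                start = int(start_av["start_time"])
            events.append({"task_id": tid, "user": user, "cmd": av.get("cmd"),
                           "priv_lvl": int(av.get("priv-lvl", 0)),
                           "start": start, "stop": stop, "elapsed": elapsed,
                           "matched_start": start_av is not None})
    # Unmatched STARTs are logins or commands that have not ended yet
    return events, sorted(open_tasks)

# Constructed sample: a login START, one configuration command in start-stop
# mode, and one operation command received in stop-only mode (no START)
SAMPLE_RECORDS = [
    (TAC_PLUS_ACCT_FLAG_START, "operator",
     ["task_id=2001", "start_time=1700000000", "timezone=UTC", "service=shell"]),
    (TAC_PLUS_ACCT_FLAG_START, "operator",
     ["task_id=2002", "start_time=1700000010", "timezone=UTC", "service=shell",
      "priv-lvl=15", "cmd=hostname lab-sw1"]),
    (TAC_PLUS_ACCT_FLAG_STOP, "operator",
     ["task_id=2002", "stop_time=1700000012", "elapsed_time=2", "timezone=UTC",
      "service=shell", "priv-lvl=15", "cmd=hostname lab-sw1"]),
    (TAC_PLUS_ACCT_FLAG_STOP, "admin",
     ["task_id=3001", "stop_time=1700000100", "elapsed_time=5", "service=shell",
      "priv-lvl=1", "cmd=show logging"]),
]
```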