Allied Telesis AT-S63 Dust Collector User Manual

Chapter 36: TACACS+ and RADIUS Protocols
428 Section IX: Management Security
maximum length for a password is 16 alphanumeric characters and spaces.
To create an account for a supplicant connected to an authenticator port set to the MAC address-based authentication mode, enter the MAC address of the node used by the supplicant as both its username and password. When entering the MAC address, do not use spaces or colons (:).
If you are associating VLANs with supplicant accounts, refer to “Supplicant VLAN Attributes on the RADIUS Server” on page 371 for further information.
3. Configure the TACACS+ or RADIUS client on the switch by entering the IP addresses of up to three authentication servers.
4. Activate the TACACS+ or RADIUS client on the switch.
The switch must have a routing interface on the local subnet where the TACACS+ or RADIUS server is a member. The switch uses the routing interface’s IP address as its source address when communicating with the server. For background information on routing interfaces, refer to Chapter 27, “Internet Protocol Version 4 Packet Routing” on page 299.
Note
Prior to version 2.0.0 of the AT-S63 Management Software, the TACACS+ or RADIUS server had to be a member of the switch’s management VLAN. This restriction no longer applies. The server can be located on any local subnet that has a routing interface.
By default, the authentication protocol is disabled in the AT-S63 Management Software. Before activating it, you need the following information:
Select either TACACS+ or RADIUS as the active authentication protocol. Only one authentication protocol can be active on a switch at a time.
Specify the IP addresses of up to three authentication servers.
Specify the encryption keys used by the authentication servers.
You can specify up to three RADIUS or TACACS+ servers. Specifying multiple servers adds redundancy to your network. For example, removing an authentication server from the network for maintenance does not prevent network managers from logging into switches if there are one or two other authentication servers on the network.
When a switch receives a username and password combination from a network manager, it sends the combination to the first authentication server in its list. If the server fails to respond, the switch sends the combination to the next server in the list, and so on.
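The following Python model is an added example, not code from the manual or from Allied Telesis. It shows the client-side behaviour this chapter describes for RADIUS: the MAC-address account credentials (MAC entered as both username and password with colons and spaces removed), the RFC 2865 User-Password hiding that uses the server's shared key (the "encryption key" above), and the in-order failover across up to three servers. The `send` callback and the `(ip, secret)` server list are assumed stand-ins for the switch's UDP transport and configuration; TACACS+ is not modelled.

```python
import hashlib
import os
import struct

MAX_SERVERS = 3  # the AT-S63 client accepts the addresses of up to three servers

def mac_credential(mac: str) -> str:
    """Username and password for a MAC-based supplicant account: the MAC without colons or spaces."""
    cleaned = mac.replace(":", "").replace(" ", "")
    if len(cleaned) != 12 or any(c not in "0123456789abcdefABCDEF" for c in cleaned):
        raise ValueError(f"not a MAC address: {mac!r}")
    return cleaned  # letter case is not specified by the manual; kept as entered

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to a multiple of 16 bytes, then XOR each
    block with MD5(shared secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username: str, password: str, secret: bytes, ident: int = 1) -> bytes:
    """Access-Request (Code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    authenticator = os.urandom(16)  # fresh random 16 bytes per request
    name = username.encode()
    hidden = hide_password(password.encode(), secret, authenticator)
    attrs = bytes([1, 2 + len(name)]) + name + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def authenticate(servers, username, password, send):
    """Switch-style failover: query servers in list order, moving on only when one
    does not respond (send returns None). servers is a list of (ip, shared_secret)."""
    for ip, secret in servers[:MAX_SERVERS]:
        reply = send(ip, build_access_request(username, password, secret))
        if reply is not None:
            return ip, reply
    return None
```

Note that a server that answers with an Access-Reject still counts as responding: the switch only moves to the next server when it gets no reply at all.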