What are RADIUS, TACACS+, and LDAP?

Overview

RADIUS is an access server AAA protocol. The protocol provides a standardized method of exchanging information between a RADIUS client, which is located on a device and managed by the NFM-P, and a RADIUS server, which is located externally from the device and the NFM-P.

RADIUS provides an extra layer of login security. The RADIUS client relays user account information to the RADIUS server, which authenticates the user and returns user privilege information. The information defines the device access of the user. For example, a user may not be allowed to FTP information to or from the device.

You can create device user accounts as a backup to RADIUS, TACACS+, or LDAP authentication. In the event that a RADIUS, TACACS+, or LDAP function fails, the device user account provides device access.

TACACS+ and LDAP provide functions that are similar to RADIUS functions.

Note: The NFM-P checks for reachability to a TACACS+ server using UDP port 49 to prevent long timeout issues. However, all subsequent communication with the server uses TCP port 49.

See the appropriate RADIUS, TACACS+, or LDAP documentation for information about authentication server installation, configuration, and management.

For TACACS+ users, you can specify the following in a user template that is read by the global TACACS+ policy:

• the type of permitted device access, for example, console, FTP, or both

• a home directory

• a login script to execute

Combined local and remote authentication

An organization may have an established TACACS+ or RADIUS authentication configuration. You can add NFM-P client GUI user accounts to an existing TACACS+ or RADIUS user base for local NFM-P authentication.

Consider the following:

• You can create an NFM-P user account that matches a TACACS+, RADIUS, or LDAP user account. For example, if the RADIUS user account is Jane, you can create an NFM-P user Jane.

• Remote users with usernames that don’t abide by the following rules may not work correctly. An NFM-P user name must begin with an alphanumeric character, and can:

  • be from 1 to 40 characters in length

  • include the following special characters:  . - _ @

  • not include a space character

• An NFM-P user that is authenticated remotely can log in to the NFM-P using the RADIUS, TACACS+, or LDAP password.

• For local NFM-P user authentication, the account password must meet the NFM-P password requirements.

For example, for a user called Jane:

• The RADIUS user name is Jane, and the password is accessforjane.

• The NFM-P user name is Jane and password is !LetJane1In.

When Jane is authenticated by RADIUS, she can log in to the NFM-P client by typing in Jane and accessforjane. If the RADIUS server was down, and she could not be authenticated remotely, to be authenticated locally Jane must log in to the NFM-P client by typing jane and !LetJane1In.