What are RADIUS, TACACS+, and LDAP?

Overview

RADIUS is an access-server AAA (authentication, authorization, and accounting) protocol. The protocol provides a standardized method of exchanging information between a RADIUS client, which runs on a device managed by the NFM-P, and a RADIUS server, which is located outside both the device and the NFM-P.

RADIUS provides an extra layer of login security. The RADIUS client relays user account information to the RADIUS server, which authenticates the user and returns user privilege information. That information defines the user's level of device access. For example, a user may not be allowed to FTP files to or from the device.

You can create device user accounts as a backup to RADIUS, TACACS+, or LDAP authentication. If a RADIUS, TACACS+, or LDAP function fails, the device user account still provides device access.

TACACS+ and LDAP provide functions that are similar to RADIUS functions.

Note: The NFM-P checks reachability to a TACACS+ server using UDP port 49 to avoid long timeouts. All subsequent communication with the server, however, uses TCP port 49.

See the appropriate RADIUS, TACACS+, or LDAP documentation for information about authentication server installation, configuration, and management.

For TACACS+ users, you can specify the following in a user template that is read by the global TACACS+ policy:

Combined local and remote authentication

An organization may have an established TACACS+ or RADIUS authentication configuration. You can add NFM-P client GUI user accounts to an existing TACACS+ or RADIUS user base for local NFM-P authentication.

Consider the following:

For example, for a user called Jane:

When Jane is authenticated by RADIUS, she logs in to the NFM-P client by entering the username Jane and the password accessforjane. If the RADIUS server is down and she cannot be authenticated remotely, Jane must log in to the NFM-P client with the local username jane and the password !LetJane1In to be authenticated locally.
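The fallback described above, modelled as an added example that is not NFM-P or Nokia code: a remote AAA server is simulated in-process (no real RADIUS, TACACS+, or LDAP client is used), the local backup account is stored as a salted PBKDF2 hash, and the local account is consulted only when the remote server cannot be reached. The usernames and passwords are the ones from the Jane example; the `tcp_reachable` probe, the `RemoteAuthUnavailable` exception, and the policy of not falling back on an explicit remote rejection are assumptions made for this example.

```python
"""Local fallback for remote (RADIUS/TACACS+/LDAP) authentication.

Constructed example: the remote AAA server is simulated in-process.
"""
import hashlib
import hmac
import os
import socket


class RemoteAuthUnavailable(Exception):
    """Raised when the remote AAA server cannot be reached (timeout, port closed)."""


def tcp_reachable(host, port=49, timeout=1.0):
    """Probe the AAA server's TCP port (49 for TACACS+). The NFM-P note above says
    its own reachability check uses UDP/49; this helper is an assumption that
    probes TCP only, and returns False on any connection error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# --- simulated remote directory (constructed sample data) ---
REMOTE_USERS = {"Jane": "accessforjane"}


def remote_authenticate(username, password, server_up=True):
    """Simulated remote check. Distinguishes 'server unreachable' (raises) from
    'credentials rejected' (returns False); a real client would map a timeout
    to the former and an Access-Reject to the latter."""
    if not server_up:
        raise RemoteAuthUnavailable("AAA server unreachable")
    return REMOTE_USERS.get(username) == password


# --- local backup accounts, stored as salted PBKDF2 hashes ---
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_local_account(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


LOCAL_USERS = {"jane": make_local_account("!LetJane1In")}


def local_authenticate(username, password):
    rec = LOCAL_USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def authenticate(username, password, server_up=True):
    """Return (granted, source). The local account is tried only when the remote
    server is unavailable, never when it explicitly rejects the credentials."""
    try:
        if remote_authenticate(username, password, server_up):
            return True, "remote"
        return False, "remote-rejected"
    except RemoteAuthUnavailable:
        if local_authenticate(username, password):
            return True, "local-fallback"
        return False, "local-rejected"


if __name__ == "__main__":
    print(authenticate("Jane", "accessforjane"))                   # remote path
    print(authenticate("jane", "!LetJane1In", server_up=False))    # local fallback
    print(authenticate("Jane", "accessforjane", server_up=False))  # remote creds do not work locally
```

Note the design choice in `authenticate`: a wrong password at the remote server ends the attempt, so the local account is not a second guess at every login; it is reachable only while the AAA server is down, which is also when the NFM-P would be logging the fallback. Usernames are case-sensitive, so Jane (remote) and jane (local) are distinct accounts, as in the example above.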