Configuring Authentication, RADIUS, and TACACS+
Silver Peak appliances support user authentication and authorization as a condition of providing access rights.
• Authentication is the process of validating that the end user, or a device, is who or what they claim to be.
• Authorization is the action of determining what a user is allowed to do. Generally, authentication precedes authorization.
• Map order refers to the order in which the authentication databases are queried.
• The configuration specified for authentication and authorization applies globally to all users accessing that appliance.
• If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, on the Administration - Session Management page.
Authentication and Authorization
To provide authentication and authorization services, Silver Peak appliances:
• support a built-in, local database
• can be linked to a RADIUS (Remote Authentication Dial-In User Service) server
• can be linked to a TACACS+ (Terminal Access Controller Access Control System) server.
Both RADIUS and TACACS+ are client-server protocols.
Appliance-based User Database
• The two user groups are admin and monitor. You must associate each user name with one or the other. Neither group can be modified or deleted.
• The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface's (CLI) enable mode privileges.
• The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the Command Line Interface's (CLI) configuration mode privileges.
RADIUS
• RADIUS authentication requests must be accompanied by a shared secret. The shared secret must be the same as defined in the RADIUS setup. Please see your RADIUS documentation for details.
• Important: Configure your RADIUS server's priv levels within the following ranges:
    admin = 7 - 15
    monitor = 1 - 6
TACACS+
• Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a shared secret. Please see your TACACS+ documentation for details.
• Important: Configure your TACACS+ server's roles to be admin and monitor.
What Silver Peak recommends
Use either RADIUS or TACACS+, but not both.
• For Authentication Order, configure the following:
    First = Local
    Second = either RADIUS or TACACS+. If not using either, then None.
    Third = None
• Map Order = Remote First
Default User = admin
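
As an added example (not Silver Peak code), the following Python sketch checks a hand-written description of these settings against the recommendations above and against the RADIUS priv-level ranges given earlier. The dictionary keys, function names and sample users are assumptions made for the illustration; they are not an appliance export format.

```python
# Added example, not Silver Peak code. Key names and sample data are assumptions.
ROLE_RANGES = {"admin": range(7, 16), "monitor": range(1, 7)}  # ranges from this page
REMOTE = {"RADIUS", "TACACS+"}


def role_for_priv_level(level):
    """Return 'admin' or 'monitor', or None if the level is outside both ranges."""
    for role, levels in ROLE_RANGES.items():
        if level in levels:
            return role
    return None


def audit(settings, radius_users):
    """Return a list of findings; an empty list means nothing deviates."""
    findings = []
    first, second, third = settings["auth_order"]
    if first != "Local":
        findings.append(f"First is {first!r}; recommended value is Local")
    if second not in REMOTE | {"None"}:
        findings.append(f"Second is {second!r}; expected RADIUS, TACACS+ or None")
    if third != "None":
        findings.append(f"Third is {third!r}; recommended value is None")
    if REMOTE <= {first, second, third}:
        findings.append("RADIUS and TACACS+ are both in use; use one, not both")
    if settings["map_order"] != "Remote First":
        findings.append("Map Order should be Remote First")
    if settings["default_user"] != "admin":
        findings.append("Default User should be admin")
    if "RADIUS" in (first, second, third):
        # A level outside 1-15 falls in neither group's range.
        for user, level in sorted(radius_users.items()):
            if role_for_priv_level(level) is None:
                findings.append(f"RADIUS user {user!r}: priv level {level} is in neither range")
    return findings


# Constructed sample input for the illustration.
GOOD = {"auth_order": ["Local", "RADIUS", "None"],
        "map_order": "Remote First", "default_user": "admin"}
BAD = {"auth_order": ["RADIUS", "TACACS+", "None"],
       "map_order": "Remote First", "default_user": "admin"}
USERS = {"alice": 15, "bob": 3, "carol": 0}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("bad", BAD)):
        print(name, audit(cfg, USERS))
```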