Auth/Radius/TACACS+ Template
Silver Peak appliances support user authentication and authorization as a condition of providing access rights.
Authentication is the process of validating that the end user, or a device, is who they claim to be.
Authorization is the action of determining what a user is allowed to do. Generally, authentication precedes authorization.
Map order refers to the order in which the authentication databases are queried.
The configuration specified for authentication and authorization applies globally to all users accessing that appliance.
If a logged-in user is inactive for an interval that exceeds the inactivity time-out, the appliance logs them out and returns them to the login page. You can change that value, as well as the maximum number of sessions, in the Session Management template.
Authentication and Authorization
To provide authentication and authorization services, Silver Peak appliances:
support a built-in, local database
can be linked to a RADIUS (Remote Authentication Dial-In User Service) server
can be linked to a TACACS+ (Terminal Access Controller Access Control System) server.
Both RADIUS and TACACS+ are client-server protocols.
Appliance-based User Database
The two user groups are admin and monitor. You must associate each user name with one or the other. Neither group can be modified or deleted.
The monitor group supports reading and monitoring of all data, in addition to performing all actions. This is equivalent to the Command Line Interface's (CLI) enable mode privileges.
The admin group supports full privileges, along with permission to add, modify, and delete. This is equivalent to the Command Line Interface's (CLI) configuration mode privileges.
RADIUS
RADIUS authentication requests must be accompanied by a shared secret. The shared secret must be the same as defined in the RADIUS setup. Please see your RADIUS documentation for details.
Important: Configure your RADIUS server's priv levels within the following ranges:
admin = 7 - 15
monitor = 1 - 6
TACACS+
Transactions between the TACACS+ client and TACACS+ servers are also authenticated through the use of a shared secret. Please see your TACACS+ documentation for details.
Important: Configure your TACACS+ server's roles to be admin and monitor.
What Silver Peak recommends
For Authentication Order, configure the following:
First = Local
Second = either RADIUS or TACACS+. If not using either, then None.
Third = None
Map Order = Remote First
Default User = admin
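
A pre-deployment check of a planned template against the RADIUS priv-level ranges, the TACACS+ role names and the recommended settings above. This is an added example, not Silver Peak code; the dictionary keys, user names and sample values are constructed for illustration and are not the appliance's own field names.

```python
# Added example: the dictionary keys and sample values are constructed for
# illustration and are not Silver Peak field names or an export format.
ADMIN_LEVELS = range(7, 16)     # admin = 7 - 15
MONITOR_LEVELS = range(1, 7)    # monitor = 1 - 6
SECOND_CHOICES = {"RADIUS", "TACACS+", "None"}


def group_for_priv_level(level):
    """Map a RADIUS priv level to its appliance group, or None if out of range."""
    if level in ADMIN_LEVELS:
        return "admin"
    if level in MONITOR_LEVELS:
        return "monitor"
    return None  # 0, 16 and above fall in neither documented range


def audit_template(tpl):
    """List every deviation from the ranges and recommendations on this page."""
    findings = []
    first, second, third = tpl["auth_order"]
    if first != "Local":
        findings.append(f"First = {first}; recommended Local")
    if second not in SECOND_CHOICES:
        findings.append(f"Second = {second}; recommended RADIUS, TACACS+ or None")
    if third != "None":
        findings.append(f"Third = {third}; recommended None")
    if tpl["map_order"] != "Remote First":
        findings.append(f"Map Order = {tpl['map_order']}; recommended Remote First")
    if tpl["default_user"] != "admin":
        findings.append(f"Default User = {tpl['default_user']}; recommended admin")
    for user, level in tpl.get("radius_priv_levels", {}).items():
        if group_for_priv_level(level) is None:
            findings.append(f"RADIUS user {user}: priv level {level} maps to no group")
    for user, role in tpl.get("tacacs_roles", {}).items():
        if role not in ("admin", "monitor"):
            findings.append(f"TACACS+ user {user}: role {role!r} is not admin or monitor")
    return findings


# Constructed sample: remote database queried before Local, one stray priv level.
SAMPLE = {
    "auth_order": ("RADIUS", "Local", "None"),
    "map_order": "Remote First",
    "default_user": "admin",
    "radius_priv_levels": {"alice": 15, "bob": 6, "svc-backup": 0},
    "tacacs_roles": {"carol": "monitor", "dave": "operator"},
}

if __name__ == "__main__":
    for finding in audit_template(SAMPLE):
        print(finding)
```

Priv levels 6 and 7 sit on the monitor/admin boundary, so an off-by-one on the RADIUS server changes a user's group.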