Chapter 25 AAA
GS2200-24 User’s Guide
202
25.3 What You Need to Know
Authentication is the process of determining who a user is and validating access to
the Switch. The Switch can authenticate users who try to log in based on user
accounts configured on the Switch itself. The Switch can also use an external
authentication server to authenticate a large number of users
Authorization is the process of determining what a user is allowed to do. Different
user accounts may have higher or lower privilege levels associated with them. For
example, user A may have the right to create new login accounts on the Switch
but user B cannot. The Switch can authorize users based on user accounts
configured on the Switch itself or it can use an external server to authorize a large
number of users.
25.3.1 Local User Accounts
By storing user profiles locally on the Switch, your Switch is able to authenticate
and authorize users without interacting with a network AAA server. However,
there is a limit on the number of users you may authenticate in this way (See
Chapter 32 on page 271).
25.3.2 RADIUS and TACACS+
RADIUS and TACACS+ are security protocols used to authenticate users by means
of an external server instead of (or in addition to) an internal device user database
that is limited to the memory capacity of the device. In essence, RADIUS and
TACACS+ authentication both allow you to validate an unlimited number of users
from a central location.
The following table describes some key differences between RADIUS and
TACACS+.
Table 59 RADIUS vs. TACACS+
RADIUS TACACS+
Transport
Protocol
UDP (User Datagram Protocol) TCP (Transmission Control Protocol)
Encryption Encrypts the password sent for
authentication.
All communication between the client
(the Switch) and the TACACS server
is encrypted.
