© Copyright Lenovo 2016 Chapter 5: Authentication & Authorization Protocols 111

TACACS+ Authentication Features in Enterprise NOS

Authentication is the action of determining the identity of a user, and is generally done when the user first attempts to log in to a device or gain access to its services. ENOS supports ASCII inbound login to the device. PAP, CHAP and ARAP login methods, TACACS+ change password requests, and one-time password authentication are not supported.

Authorization

Authorization is the action of determining a user's privileges on the device, and usually takes place after authentication.

The default mapping between TACACS+ authorization levels and ENOS management access levels is shown in Table 8. The authorization levels must be defined on the TACACS+ server.

Table 8. Default TACACS+ Authorization Levels

    ENOS User Access Level    TACACS+ level
    user                      0
    oper                      3
    admin                     6

Alternate mapping between TACACS+ authorization levels and ENOS management access levels is shown in Table 9. Use the following command to set the alternate TACACS+ authorization levels.

    RS G8264(config)# tacacs server privilege mapping

Table 9. Alternate TACACS+ Authorization Levels

    ENOS User Access Level    TACACS+ level
    user                      0 - 1
    oper                      6 - 8
    admin                     14 - 15

If the remote user is successfully authenticated by the authentication server, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has an option to allow secure backdoor access via Telnet/SSH. Secure backdoor provides switch access when the TACACS+ servers cannot be reached. You always can access the switch via the console port, by using notacacs and the administrator password, whether secure backdoor is enabled or not.

Note: To obtain the TACACS+ backdoor password for your G8264, contact Technical Support.
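
The following is an added example, not part of the Lenovo documentation: a pre-change audit that compares each account's access under the Table 8 and Table 9 mappings before the privilege mapping command is applied. The account names and levels are constructed sample data, and treating a level that appears in neither table as "unlisted" is an assumption, since this page does not say how the switch handles such levels.

```python
# Added example: audit TACACS+ privilege levels against the ENOS mappings
# in Table 8 (default) and Table 9 (alternate).

# Inclusive level ranges copied from the two tables.
DEFAULT_MAP = {"user": (0, 0), "oper": (3, 3), "admin": (6, 6)}
ALTERNATE_MAP = {"user": (0, 1), "oper": (6, 8), "admin": (14, 15)}

# Ordering used to tell a gain in privilege from a loss.
RANK = {"user": 0, "oper": 1, "admin": 2}


def enos_level(tacacs_level, mapping):
    """Return the ENOS access level for a TACACS+ level, or None when the
    level is not listed in the table (assumption: flag it for review)."""
    for role, (low, high) in mapping.items():
        if low <= tacacs_level <= high:
            return role
    return None


def audit_mapping_change(accounts):
    """Report accounts whose access differs between the two mappings.

    accounts: dict of username -> TACACS+ level defined on the server.
    Returns (username, level, default_role, alternate_role, finding) tuples.
    """
    findings = []
    for name, level in sorted(accounts.items()):
        before = enos_level(level, DEFAULT_MAP)
        after = enos_level(level, ALTERNATE_MAP)
        if before == after:
            continue
        if after is None:
            finding = "unlisted under alternate mapping"
        elif before is None:
            finding = "unlisted under default mapping"
        elif RANK[after] > RANK[before]:
            finding = "gains privilege"
        else:
            finding = "loses privilege"
        findings.append((name, level, before, after, finding))
    return findings


# Constructed sample data: usernames and levels are hypothetical.
SAMPLE_ACCOUNTS = {"noc-view": 0, "noc-oper": 3, "net-admin": 6,
                   "root-ops": 15, "helpdesk": 1}

if __name__ == "__main__":
    for row in audit_mapping_change(SAMPLE_ACCOUNTS):
        print("%-10s level %2d: %s -> %s (%s)" % row)
```

In the sample, the account defined at level 6 is admin under the default mapping but oper under the alternate one, so the levels on the TACACS+ server have to be reassigned together with the mapping change.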