Introduction


AAA (Authentication, Authorization and Accounting) is a network security management mechanism that provides three security functions: authentication, authorization and accounting.

Authentication: Confirms the identity of remote users accessing the network, to determine whether the visitor is a valid network user.

Authorization: Grants different users different permissions and restricts the services they can use. For example, after a user successfully logs in to the server, the administrator can authorize the user to execute CLI commands.

Accounting: Records all operations users perform on network services, including the type of service used, start time, data traffic, etc. It is not only a means of billing but also a way of monitoring network security.

PICOS supports TACACS+, RADIUS and local authentication methods. TACACS+ (Terminal Access Controller Access Control System) is a security protocol that enhances the original TACACS protocol. The protocol is similar to the RADIUS protocol. It uses the client/server model: the NAS acts as the client and communicates with the TACACS+ server to achieve AAA management of users.

TACACS+/RADIUS Authentication and Authorization Process

This section describes the TACACS+/RADIUS authentication and authorization process in PICOS 2.11.7 and later versions.

Login type      | TACACS+/RADIUS server is reachable and       | TACACS+/RADIUS server is unreachable or
                | TACACS+/RADIUS service is configured         | TACACS+/RADIUS service is not configured
----------------+----------------------------------------------+---------------------------------------------
Console Login   | Allow login only if authentication on the    | Generate a syslog and fall back to local
                | TACACS+ server passes. After successful      | authentication. Allow login if local
                | login, if the TACACS+ server goes down, the  | authentication passes. After successful
                | user is logged out and asked to log in       | login, local authorization is performed.
                | again.                                       |
----------------+----------------------------------------------+---------------------------------------------
Network         | Allow login only if authentication on the    | By default, generate a syslog and do nothing
(INTERFACE/     | TACACS+ server passes. After successful      | else. The user can enable the local
VLAN/MGMT Port/ | login, if the TACACS+ server goes down, the  | authentication fallback function to fall
INBAND) Login   | user is logged out and asked to log in       | back to local authentication and
                | again.                                       | authorization in this case. For details, see
                |                                              | set system aaa local-auth-fallback disable.

Console Login:

  •   If the TACACS+/RADIUS server is reachable and the TACACS+/RADIUS service is configured, the system uses the TACACS+/RADIUS server for authentication. Access is denied on failure. After successful login, if the TACACS+ server goes down, the user is logged out and asked to log in again.
  •   If the TACACS+/RADIUS server is unreachable or the TACACS+/RADIUS service is not available, the system generates a syslog and uses the local user/passwd file for authentication. After successful login, local authorization is performed.

Network (INTERFACE/VLAN/MGMT Port/INBAND) Login:

  •   If the TACACS+/RADIUS server is reachable and the TACACS+/RADIUS service is configured, the system uses the TACACS+/RADIUS server for authentication. Access is denied on failure. After successful login, if the TACACS+ server goes down, the user is logged out and asked to log in again.
  •   If the TACACS+/RADIUS server is unreachable or the TACACS+/RADIUS service is not available, by default the system generates a syslog and does nothing else. However, the user can configure the local authentication fallback function to perform local authentication and authorization. For details about the local authentication fallback function, see set system aaa local-auth-fallback disable.
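The login decision described above, encoded as an added Python model (this is example code, not Pica8's implementation) so that the scenarios which lock out a user holding valid credentials can be enumerated. The Scenario fields, the boolean treatment of the local-auth-fallback setting and the outcome labels are assumptions of this example.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One login attempt. Field names are assumptions of this example."""
    login_path: str             # "console" or "network" (INTERFACE/VLAN/MGMT/INBAND)
    server_reachable: bool      # the TACACS+/RADIUS server answers
    service_configured: bool    # TACACS+/RADIUS service is configured on PICOS
    local_auth_fallback: bool   # local-auth-fallback enabled (modelled as a boolean)
    remote_auth_ok: bool        # credentials accepted by the AAA server
    local_auth_ok: bool         # credentials accepted by the local user/passwd file


def decide(s: Scenario) -> Tuple[str, bool]:
    """Return (outcome, syslog_generated); outcome is allow-remote, allow-local or deny."""
    if s.server_reachable and s.service_configured:
        # Remote AAA path: a remote failure denies access, with no local fallback.
        return ("allow-remote" if s.remote_auth_ok else "deny", False)
    # Server unreachable or service not configured: a syslog is always generated.
    if s.login_path == "console" or s.local_auth_fallback:
        # Console always falls back; network login only when fallback is enabled.
        return ("allow-local" if s.local_auth_ok else "deny", True)
    # Network login with fallback disabled (the default): nothing else happens.
    return ("deny", True)


def lockout_scenarios() -> List[Scenario]:
    """Scenarios that deny a user whose credentials are valid everywhere."""
    locked = []
    for path, reach, conf, fb in product(("console", "network"), (False, True),
                                         (False, True), (False, True)):
        s = Scenario(path, reach, conf, fb, remote_auth_ok=True, local_auth_ok=True)
        if decide(s)[0] == "deny":
            locked.append(s)
    return locked
```

Running lockout_scenarios() shows that every lockout case is a network login with the fallback left at its default, which is the trade-off an operator weighs before enabling it.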

User Level Mapping

If users log in to PICOS via TACACS+/RADIUS, PICOS does not create new users on the Linux platform. Instead, there is a mapping relationship between the user level configured on the AAA server and a PICOS local user. The following table lists the mapping between TACACS+ user levels and local users.

However, note that a RADIUS user is always mapped to admin when logging in to PICOS.

Table 1. User level mapping between TACACS+ user level and PICOS local user

User Level on   | User     | Permission | Descriptions
TACACS+ Server  | Account  | Class      |
----------------+----------+------------+---------------------------------------------------------------
15              | admin    | Super-user | Users of this level can configure network services, such as
                |          |            | routing and commands of all network layers, and can control
                |          |            | basic system operations and user management.
1-14            | operator | Read-only  | Users of this level can access configuration mode to view the
                |          |            | current configuration with limited access. A network operator
                |          |            | cannot modify any configuration setting on a switch.
0               | guest    | Guest      | Users of this level can do nothing but show the version and
                |          |            | exit.
Copyright © 2024 Pica8 Inc. All Rights Reserved.