There are currently three ways to log in to the management interface of the device:
- Internal: The device handles the overall user administration, including the user login name, password, access rights, and privileges.
- TACACS+: User administration is handled by a TACACS+ server on the network.
- RADIUS: User administration is handled by a RADIUS server on the network.
With RADIUS, users can log in via the following connections:
- Telnet
- SSH
- WEBconfig
- TFTP
- Outband
Note: RADIUS authentication via SNMP is not currently supported.
Note: RADIUS authentication via LL2M (LANCOM Layer-2 Management Protocol) is not supported, because LL2M requires cleartext access to the password that is stored in the device.
The RADIUS server handles user management in terms of authentication, authorization and accounting (triple-A protocol), which greatly simplifies the management of admin access accounts in large network installations with multiple routers.
Logging in via a RADIUS server follows this procedure:
- At login, the device sends the user's credentials to the RADIUS server on the network. The server data are stored in the device.
- The server checks the credentials for validity.
- If the credentials are invalid, the server sends a corresponding message to the device, which aborts the login process with an error message.
- If the credentials are valid, the server returns the access rights and privileges to the device and the user then has access to the approved features and directories.
- If the user's sessions are subject to budgeting by the RADIUS server (accounting), the device stores the session data including the start time, end time, user name, authentication mode and, if available, the port used.
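The login exchange above, sketched as an added example (not LANCOM code): both sides of an RFC 2865 Access-Request / Access-Accept round trip, showing how the password is obscured with the shared secret and how the device can verify that a reply really comes from its configured server. It assumes the PAP-style User-Password attribute and a shared secret as part of the stored server data; the page does not state which method the device uses, and all function names are hypothetical.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, req_auth):
    """Obscure the password as RFC 2865 section 5.2 describes (MD5 chain)."""
    size = max(16, len(password) + (-len(password) % 16))
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def unhide_password(hidden, secret, req_auth):
    """Server side: reverse hide_password with the same shared secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def build_access_request(ident, user, password, secret):
    """Device side: Access-Request carrying User-Name and User-Password."""
    req_auth = os.urandom(16)  # fresh random Request Authenticator per login
    attrs = _attr(USER_NAME, user) + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: Access-Accept/Reject bound to the request and the secret."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def check_response(response, request, secret):
    """Device side: return the code only if the Response Authenticator verifies."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        raise ValueError("response does not match the request")
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator")
    return code
```

The password is only masked with MD5 and the shared secret, so the strength of that secret and the path between device and server determine how well the admin credentials are protected in transit.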