Lantronix S3220 Series User Guide Rev J PDF 34.75 MB - Page 681

Transition Networks ION x222x / x32xx User Guide berships, Connection multiplexing (multiple concurrent NAS clients per process), Session multiplexing (multiple concurrent sessions per connection, single‐connection), IPv4 and IPv6 support, and compliant to latest TACACS+ protocol specification (at the time of publication). TACACS+ / Tacplus involves: • A NAS (Network Access Server), such as. a TN, Cisco, or other device, or any other client which makes TACACS+ authentication and authorization requests, or generates TACACS+ accounting pack‐ ets. Servers using RADIUS or TACACS protocol are often called NAS (Network Access Server), not to be confused with NAS ‐ (Network Attached Storage). • A daemon ‐ a program which services network requests for authentication and authorization, veri‐ fies identities, grants or denies authorizations, and logs accounting records. • AV pairs ‐ strings of text in the form attribute=value, sent between a NAS and a TACACS+ daemon as part of the TACACS+ protocol. Note: Since a "NAS" is sometimes referred to as a server, and a "daemon" is also often referred to as a server, the term "server" is avoided here in favor of the less ambiguous terms "NAS" and "Daemon". The Tacplus software provides logs for Authentication (authentication log = log_destination), Authoriza‐ tion (authorization log = log_destination), and Accounting (accounting log = log_destination). Tacplus supports three authentication methods: Clear text, Data Encryption Standard (DES ‐ local and remote), and S/Key. By default, Tacplus provides authentication services for: 1. VTY login, 2. Point‐to‐Point Protocol authen‐ tication via Password Authentication Protocol (PAP), 3. Point‐to‐Point Protocol authentication via Chal‐ lenge/Handshake Authentication Protocol (CHAP), and 4. AppleTalk Remote Access (ARAP). CHAP and ARAP can only utilize clear text, as required by their protocol definitions. Support for Mi‐ crosoft CHAP (MSCHAP) is available. Tacplus statuses include: PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR, and FOLLOW. Tag (IEEE 802.1Q tag) An IEEE 802.1Q tag, if present, is placed between the Source Address and the EtherType or Length fields. The first two bytes of the 802.1Q tag are the Tag Protocol Identifier (TPID) value of 0x8100. The TPID is located in the same place as the EtherType/Length field in untagged frames, so an EtherType value of 0x8100 means the frame is tagged, and the true EtherType/Length is located after the Q‐tag. The TPID is followed by two bytes containing the Tag Control Information (TCI), the IEEE 802.1p priority (QOS) and the VLAN ID. The Q‐tag is followed by the rest of the frame. Tagged frame A packet that contains a header that carries a VLAN identifier and a priority value. Also called a VLAN tagged packet. A Tagged frame contains a tag header immediately following the Source MAC Address field of the frame or, if the frame contains a Routing Information field, immediately following the Routing Information field. There are two types of tagged frames: VLAN‐tagged frames and priority‐ tagged frames. 33472 Rev. J https://www.transition.com Page 681 of 700