Authentication Commands

4

Authentication Sequence

 

 

 

 

Table 4-28 Authentication Sequence Commands

 

 

 

 

 

 

 

 

Command

 

Function

Mode

Page

 

 

 

 

 

authentication login

 

Defines logon authentication method and precedence

GC

4-69

 

 

 

 

 

authentication enable

 

Defines the authentication method and precedence for

GC

4-70

 

 

command mode change

 

 

 

authentication login

This command defines the login authentication method and precedence. Use the no form to restore the default.

Syntax

authentication login {[local] [radius] [tacacs]} no authentication login

local - Use local password.

radius - Use RADIUS server password.

tacacs - Use TACACS server password.

Default Setting

Local

Command Mode

Global Configuration

Command Usage

RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best effort delivery, while TCP offers a connection-oriented transport. Also, note that RADIUS encrypts only the password in the access-request packet from the client to the server, while TACACS+ encrypts the entire body of the packet.

RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server.

You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.

Example

Console(config)#authentication login radius

Console(config)#

Related Commands

username - for setting the local user names and passwords (4-25)

4-69