TACACS and TACACS+ security

Configuring authentication-method lists for

TACACS and TACACS+

You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC level and CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create authentication-method lists specifically for these access methods, specifying TACACS/TACACS+ as the primary authentication method.

Within the authentication-method list, TACACS/TACACS+ is specified as the primary authentication method and up to six backup authentication methods are specified as alternates. If TACACS/TACACS+ authentication fails due to an error, the device tries the backup authentication methods in the order they appear in the list.

When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and CONFIG levels of the CLI.

To create an authentication method list that specifies TACACS/TACACS+ as the primary authentication method for securing Telnet/SSH access to the CLI.

Brocade(config)# enable telnet authentication

Brocade(config)# aaa authentication login default tacacs local

The commands above cause TACACS/TACACS+ to be the primary authentication method for securing Telnet/SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, authentication is performed using local user accounts instead.

To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI.

Brocade(config)# aaa authentication enable default tacacs local none

The command above causes TACACS/TACACS+ to be the primary authentication method for securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, local authentication is used instead. If local authentication fails, no authentication is used; the device automatically permits access.

Syntax: [no] aaa authentication enable login default method1 [method2] [method3] [method4] [method5] [method6] [method7]

The enable login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.

The method1 parameter specifies the primary authentication method. The remaining optional method parameters specify additional methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Parameter column in the following table.

TABLE 4

Authentication method values

 

 

Method parameter

Description

 

 

 

line

 

Authenticate using the password you configured for Telnet access. The Telnet password is

 

 

configured using the enable telnet password… command. Refer to “Setting a Telnet

 

 

password” on page 13.

 

 

 

enable

 

Authenticate using the password you configured for the Super User privilege level. This

 

 

password is configured using the enable super-user-password…command. Refer to “Setting

 

 

passwords for management privilege levels” on page 14.

34

Brocade ICX 6650 Security Configuration Guide

 

53-1002601-01

Page 54
Image 54
Brocade Communications Systems 6650 manual Method parameter Description