Cisco Systems 3560 TACACS+ Operation, Configuring TACACS+

9-12

Catalyst 3560 Switch Software Configuration Guide

OL-8553-06

Chapter 9 Configuring Switch-Based Authentication

Controlling Switch Access with TACACS+

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process

occurs:

1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username

prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+

daemon to obtain a password prompt. The switch displays the password prompt to the user, the user

enters a password, and the password is then sent to the TACACS+ daemon.

TACACS+ allows a dialog between the daemon and the user until the daemon receives enough

information to authenticate the user. The daemon prompts for a username and password

combination, but can include other items, such as the user’s mother’s maiden name.

2. The switch eventually receives one of these responses from the TACACS+ daemon:

• ACCEPT—The user is authenticated and service can begin. If the switch is configured to

require authorization, authorization begins at this time.

• REJECT—The user is not authenticated. The user can be denied access or is prompted to retry

the login sequence, depending on the TACACS+ daemon.

• ERROR—An error occurred at some time during authentication with the daemon or in the

network connection between the daemon and the switch. If an ERROR response is received, the

switch typically tries to use an alternative method for authenticating the user.

• CONTINUE—The user is prompted for additional authentication information.

After authentication, the user undergoes an additional authorization phase if authorization has been

enabled on the switch. Users must first successfully complete TACACS+ authentication before

proceeding to TACACS+ authorization.

3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an

ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response

contains data in the form of attributes that direct the EXEC or NETWORK session for that user and

the services that the user can access:

• Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services

• Connection parameters, including the host or client IP address, access list, and user timeouts

Configuring TACACS+

This section describes how to configure your switch to support TACACS+. At a minimum, you must

identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+

authentication. You can optionally define method lists for TACACS+ authorization and accounting. A

method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts

on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring

a backup system if the initial method fails. The software uses the first method listed to authenticate, to

authorize, or to keep accounts on users; if that method does not respond, the software selects the next

method in the list. This process continues until there is successful communication with a listed method

or the method list is exhausted.