Chapter 9 Configuring Switch-Based Authentication

Controlling Switch Access with TACACS+

 

Command

Purpose

Step 6

 

 

end

Return to privileged EXEC mode.

Step 7

 

 

show tacacs

Verify your entries.

Step 8

 

 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

 

 

 

To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname global configuration command. To remove a server group from the configuration list, use the no aaa group server tacacs+ group-nameglobal configuration command. To remove the IP address of a TACACS+ server, use the no server ip-addressserver group subconfiguration command.

Configuring TACACS+ Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports. The method list defines the types of authentication to be performed and the sequence in which they are performed; it must be applied to a specific port before any of the defined authentication methods are performed. The only exception is the default method list (which, by coincidence, is named default). The default method list is automatically applied to all ports except those that have a named method list explicitly defined. A defined method list overrides the default method list.

A method list describes the sequence and authentication methods to be queried to authenticate a user. You can designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. This process continues until there is successful communication with a listed authentication method or until all defined methods are exhausted. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops, and no other authentication methods are attempted.

Beginning in privileged EXEC mode, follow these steps to configure login authentication:

 

Command

Purpose

Step 1

 

 

configure terminal

Enter global configuration mode.

Step 2

 

 

aaa new-model

Enable AAA.

 

 

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

9-14

OL-9775-02

 

 

Page 216
Image 216
Cisco Systems 3750E Configuring TACACS+ Login Authentication, Show tacacs Verify your entries, Aaa new-model Enable AAA