Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 7 Administering the Switch
Controlling Switch Access with TACACS+

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process
occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username
prompt, which is then displayed to the user. The user enters a username, and the switch then contacts
the TACACS+ daemon to obtain a password prompt. The switch displays the password prompt to
the user, the user enters a password, and the password is then sent to the TACACS+ daemon.
TACACS+ allows a conversation to be held between the daemon and the user until the daemon
receives enough information to authenticate the user. The daemon prompts for a username and
password combination, but can include other items, such as the user's mother's maiden name.
2. The switch eventually receives one of these responses from the TACACS+ daemon:
a. ACCEPT: The user is authenticated and service can begin. If the switch is configured to
require authorization, authorization begins at this time.
b. REJECT: The user is not authenticated. The user can be denied access or is prompted to retry
the login sequence, depending on the TACACS+ daemon.
c. ERROR: An error occurred at some time during authentication with the daemon or in the
network connection between the daemon and the switch. If an ERROR response is received, the
switch typically tries to use an alternative method for authenticating the user.
d. CONTINUE: The user is prompted for additional authentication information.
After authentication, the user undergoes an additional authorization phase if authorization has been
enabled on the switch. Users must first successfully complete TACACS+ authentication before
proceeding to TACACS+ authorization.
3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
contains data in the form of attributes that direct the EXEC or NETWORK session for that user,
determining the services that the user can access:
- Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
- Connection parameters, including the host or client IP address, access list, and user timeouts

Configuring TACACS+

This section describes how to configure your switch to support TACACS+. At a minimum, you must
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring
a backup system if the initial method fails. The software uses the first method listed to authenticate, to
authorize, or to keep accounts on users; if that method does not respond, the software selects the next
method in the list. This process continues until there is successful communication with a listed method
or the method list is exhausted.
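The following Python model is an added illustration, not code from the Cisco guide, of the login flow and method-list behavior described in the two sections above: ACCEPT and REJECT end the process, an ERROR (daemon unreachable) falls through to the next listed method, and an exhausted list denies access. The daemon, its user records, the extra CONTINUE prompt, and the scripted user answers are all constructed for the example.

```python
from enum import Enum


class Reply(Enum):
    """Final responses the switch can receive from the TACACS+ daemon."""
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    ERROR = "ERROR"


def scripted_answers(*answers):
    """Constructed user input: answer_for(prompt) returns the next scripted reply."""
    queue = list(answers)
    return lambda prompt: queue.pop(0) if queue else ""


class TacacsDaemon:
    """Constructed stand-in for a TACACS+ daemon (hypothetical, for this example only).

    users maps username -> (password, [(extra_prompt, expected_answer), ...]);
    the extra prompts model the CONTINUE rounds the daemon may add."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, answer_for):
        if not self.reachable:
            return Reply.ERROR            # daemon/network failure, not a credential failure
        username = answer_for("Username: ")
        password = answer_for("Password: ")
        record = self.users.get(username)
        if record is None or record[0] != password:
            return Reply.REJECT
        for prompt, expected in record[1]:  # CONTINUE: ask until enough information is held
            if answer_for(prompt) != expected:
                return Reply.REJECT
        return Reply.ACCEPT


def local_method(local_users):
    """Local username/password database as a fallback method in the list."""
    def authenticate(answer_for):
        username = answer_for("Username: ")
        ok = local_users.get(username) == answer_for("Password: ")
        return Reply.ACCEPT if ok else Reply.REJECT
    return authenticate


def aaa_login(method_list, answer_for):
    """Walk the method list in order; returns (authenticated, deciding_method)."""
    for name, method in method_list:
        reply = method(answer_for)
        if reply is not Reply.ERROR:      # ACCEPT and REJECT are final; only ERROR falls through
            return reply is Reply.ACCEPT, name
    return False, "exhausted"             # no method responded: access is denied
```

The key property to notice is that a REJECT from the daemon does not fall through to the local database, so a valid local account cannot be used to bypass a TACACS+ denial.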