Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 7 Administering the Switch
Controlling Switch Access with TACACS+
To remove the specified TACACS+ server name or address, use the no tacacs-server host hostname
global configuration command. To remove a server group from the configuration list, use the no aaa
group server tacacs+ group-name global configuration command. To remove the IP address of a
TACACS+ server, use the no server ip-address server group subconfiguration command.

Configuring TACACS+ Login Authentication

To configure AAA authentication, you define a named list of authentication methods and then apply that
list to various interfaces. The method list defines the types of authentication to be performed and the
sequence in which they are performed; it must be applied to a specific interface before any of the defined
authentication methods are performed. The only exception is the default method list (which, by
coincidence, is named default). The default method list is automatically applied to all interfaces except
those that have a named method list explicitly defined. A defined method list overrides the default
method list.
A method list describes the sequence and authentication methods to be queried to authenticate a user.
You can designate one or more security protocols to be used for authentication, thus ensuring a backup
system for authentication in case the initial method fails. The software uses the first method listed to
authenticate users; if that method fails to respond, the software selects the next authentication method
in the method list. This process continues until there is successful communication with a listed
authentication method or until all defined methods are exhausted. If authentication fails at any point in
this cycle (meaning that the security server or local username database responds by denying the user
access), the authentication process stops, and no other authentication methods are attempted.
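
The following is an added example, not part of the Cisco guide: a small Python model of the method-list behavior described above, showing that only a method that fails to respond causes the next method to be tried, while a denial ends the sequence. The function names, line names, and account data are constructed for illustration.

```python
from enum import Enum

class Reply(Enum):
    ACCEPT = "accept"            # method answered and granted access
    REJECT = "reject"            # method answered and denied access
    NO_RESPONSE = "no response"  # method did not answer at all

def tacacs_group(reachable, users):
    """Constructed stand-in for a TACACS+ server group."""
    def check(user, password):
        if not reachable:
            return Reply.NO_RESPONSE
        return Reply.ACCEPT if users.get(user) == password else Reply.REJECT
    return check

def local_db(users):
    """Constructed stand-in for the switch's local username database."""
    def check(user, password):
        return Reply.ACCEPT if users.get(user) == password else Reply.REJECT
    return check

def select_list(line, method_lists, applied):
    """A named list applied to a line overrides the default method list."""
    return method_lists[applied.get(line, "default")]

def authenticate(method_list, user, password):
    """Walk the list in order; return (granted, deciding method, trail)."""
    trail = []
    for name, method in method_list:
        reply = method(user, password)
        trail.append((name, reply))
        if reply is Reply.NO_RESPONSE:
            continue  # only a method that does not respond is skipped
        return reply is Reply.ACCEPT, name, trail  # accept or deny is final
    return False, None, trail  # all methods exhausted: access is not granted

if __name__ == "__main__":
    # Constructed accounts: "admin" exists only in the local database.
    local = local_db({"admin": "local-pw"})
    down = [("tacacs+", tacacs_group(False, {})), ("local", local)]
    up = [("tacacs+", tacacs_group(True, {"alice": "pw1"})), ("local", local)]
    # Server unreachable: the list falls through to the local database.
    print(authenticate(down, "admin", "local-pw")[:2])
    # Server reachable and denies: local is never consulted.
    print(authenticate(up, "admin", "local-pw")[:2])
```
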
        Command                              Purpose
Step 4  aaa group server tacacs+ group-name  (Optional) Define the AAA server-group with a group name.
                                             This command puts the switch in a server group
                                             subconfiguration mode.
Step 5  server ip-address                    (Optional) Associate a particular TACACS+ server with the
                                             defined server group. Repeat this step for each TACACS+
                                             server in the AAA server group.
                                             Each server in the group must be previously defined in Step 2.
Step 6  end                                  Return to privileged EXEC mode.
Step 7  show tacacs                          Verify your entries.
Step 8  copy running-config startup-config   (Optional) Save your entries in the configuration file.