Cisco Systems ESW 500 Defining TACACS+,

Configuring Device Security

Defining Authentication

ESW 500 Series Switches Administration Guide 117

Defining TACACS+

The devices provide Terminal Access Controller Access Control System

(TACACS+) client support. TACACS+ provides centralized security for validation

of users accessing the device. TACACS+ provides a centralized user

management system, while still retaining consistency with RADIUS and other

authentication processes. TACACS+ provides the following services:

•Authentication — Provides authentication during login and via user names and

user-defined passwords.

•Authorization — Performed at login. Once the authentication session is

completed, an authorization session starts using the authenticated user name.

The TACACS server checks the user privileges.

The TACACS+ protocol ensures network integrity through encrypted protocol

exchanges between the device and TACACS+ server.

The TACACS+ default parameters are user-assigned defaults. The default settings

are applied to newly defined TACACS+ servers. If default values are not defined,

the system defaults are applied to the new TACACS+ new servers. The

TAC AC S+

Page

contains fields for assigning the Default Parameters for the TACACS+

servers.

To d e fi n e T AC A CS + :

Contents

Main 2009 Cisco Systems, Inc. All rights reserved. OL-19128-01 Chapter : Getting Started 12 Chapter : Managing Device Information 52 Chapter : Managing Smart Ports 72 Chapter : Configuring System Time 99 Chapter : Configuring Device Security 108 Defining Access Methods 127 Defining Traffic Control 137 Defining 802.1x 146 Defining Access Control 160 Defining DoS Prevention 181 Chapter : Configuring Ports 213 Port Settings 213 Chapter : Configuring VLANs 219 Defining VLAN Properties 220 Chapter : Configuring IP Information 241 Chapter : Defining Address Tables 256 Chapter : Configuring Multicast Forwarding 262 Chapter : Configuring Spanning Tree 275 Chapter : Configuring Quality of Service 301 Defining Advanced QoS Mode 324 Defining QoS Basic Mode 340 Chapter : Configuring SNMP 343 SNMP Versions 343 Configuring SNMP Security 344 Defining Trap Management 359 Chapter : Managing System Files 373 Chapter : Managing Power-over-Ethernet Devices 382 Chapter : Managing System Logs 386 Chapter : Viewing Statistics 397 Chapter : Aggregating Ports 424 Chapter : Managing Device Diagnostics 434 Getting Started Introduction - - - Typical Installation Methods Default Configuration settings on the ESW 500 Series Switches Physical Connectivity Getting Started 1 2 3 Page Connecting to the Switch Switch Configuration Utility Switch Configuration Utility. Using the Default Static IP Address Log In cisco cisco Switch Configuration Utility - System Dashboard Page Page Using a Dynamic IP Address Allocated to the Switch By DHCP Log In page Page Using the Cisco Configuration Assistant (CCA) version page Topology View Page Page Navigating The Cisco Switch Configuration Utility Using the Management Buttons 1 2 3 Performing Common Configuration Tasks Checking the Software Version Checking the System Information System Information Viewing what Devices are Attached to the Switch Configuring the VLAN Settings for the Switch Properties Page Page Smart Ports Wizard Access Point Page Page Page Saving the Configuration Upgrading the Firmware on the Switch Software Upgrade TFTP Server Software Upgrade Source File Page Page Page Resetting the Device Manual Reset Logging Off the Device Switch Configuration Utility Using The Switch Console Port Selecting Menu Options and Actions Action Page Page Page Managing Device Information Understanding the Dashboards Page Page Page Page Page Page Page Defining System Information Page Viewing Device Health Page Resetting the Device Managing Cisco Discovery Protocol Page CDP Status CDP Neighbors Details Page Voice VLAN Defining the Bonjour Discovery Protocol Bonjour Page HTTP HTTPS Enable Bonjour TCAM Utilization Page Managing Smart Ports Smart Ports for Desktops Page Configuring Smart Ports for Desktops Page Page Configuring Smart Ports for IP Phones and Desktops Page VLAN Data IP Phones + Desktops Discard Configuring Smart Ports for Access Points Page Configuring Smart Ports for Switches Smart Ports Switch Settings Page System Dashboard Page Smart Ports Setti ng Page Page Configuring Smart Ports for Routers Page Page Configuring Smart ports for Guests Smart Ports Setting Page Assign Profile Guest Smart ports Wizard Page Configuring Smart ports for Ser vers Page Configuring Smart ports for Printers Smartports Printer Settings Page Smartports Printer Settings Page Access Page Configuring Smart ports for VS Camera Page Smart Port Other Page Smart ports Setting VLAN ID VS Camera. Configuring Smart Ports for Other Page Edit Smart Port Other Page VLAN ID Trunk Configuring System Time System Time Page Defining System Time Page Page Page Defining SNTP Settings Page Add SNTP Server Page Defining SNTP Authentication Add SNTP Authentication Page Page Configuring Device Security Passwords Management Page Edit Local User Page Modifying the Local User Settings User Authentication Page Defining Authentication Add Authentication Profile Page TAC AC S+ RADIUS Modifying an Authentication Profile Mapping Authentication Profiles Page Defining TACACS+ TAC AC S+ Page Page Page Page Remote Authorization Dial-In User Service Defining RADIUS Page Page Page Modifying RADIUS Server Settings Edit RADIUS Server Page Defining Access Methods Page Access Profiles Page Access Profiles Page Add Access Profile Page Page Page Page Page Page Page Page Defining Traffic Control Defining Storm Control Storm Control Page Page Page Page Page Page Page Modifying Port Security Port Securi ty Page Limited Dynamic Lock Classic Lock Defining 802.1x Page Page VLAN List 802.1X Port Authentication Page Defining Port Authentication Page Page Modifying 8021X Security 802.1X Properties Page Port Authentication Settings Page Page Page Defining Authentication Multi Session Multiple Host Single Page Modifying Authentication Settings 802.1X Port Authentication Page Multi Session Multiple Host Page Page RADIUS MAC Based ACL Page Defining Access Control Defining MAC Based ACL MAC Based ACL Page Page Page Page Adding Rule to MAC Based ACL MAC Based ACL Add MAC Based Rule Page Add Rule Page Page Modifying MAC Based ACL MAC Based ACL Page MAC Addres Rule Settings Page Page Defining IP Based ACL IP Based ACL Page IP Based ACL Page Page Page Page Page Modifying IP Based ACL Page Page Adding an IP Based Rule Page Defining ACL Binding ACL Binding Page ACL Binding Page Page Defining DoS Prevention Page Page Page - - Defining DHCP Snooping Page Page Unchecked DHCP Snooping VLAN Settings Page Unchecked Defining DHCP Snooping on VLANs Defining Trusted Interfaces Trus ted Int erf ace s Page Trus ted Int erf ace s Pag e Edit Trusted Interface Page Trusted Interface Table Page Page Page Page Page Page Defining IP Source Guard Interface Settings IP Source Guard Interface Settings Page IP Source Guard Properties Page Page Querying the IP Source Binding Database IP Source Guard Binding Database Page TCAM Resources Page Defining Dynamic ARP Inspection Page Page Retry Frequency ARP Inspection Trusted Interfaces Page Never Defining ARP Inspection Trusted Interfaces Page Edit Interface Settings Page Defining ARP Inspection List ARP Inspection List Page ARP Inspection List ARP Inspection List Page Static ARP Inspection Table Add ARP list Page Adding a Binding List entry Add ARP Binding Page Assigning ARP Inspection VLAN Set tings ARP Inspection VLAN Settings Page Enabled VLAN Table Add ARP VLAN Settings Page ARP Inspection List Page. Configuring Ports Port Settings Port Settin gs Page Page Page Page Page Configuring VLANs Defining VLAN Properties Page Page Defining VLAN Membership Port to VLAN Page Port to VLAN Page Port to VLAN Page Page Page Assigning Ports to Multiple VLANs VLAN To Port Page Page Join VLAN to Port Page Untagged Tagged VLAN To Port Defining Interface Settings Page Page Defining GVRP Settings Page Page Page Defining Protocol Groups Modifying Protocol Groups Edit Protocol Group Page Defining a Protocol Port Page Configuring IP Information IPv4 Interface Page IP Addressing Page Defining DHCP Relay DHCP Server Page Page Add DHCP Server Page Defining DHCP Relay Interfaces Page Add DHCP Interface Page Address Resolution Protocol VLAN Managing ARP Page Page Page Domain Name System Domain Name System DNS Servers Page Defining DNS Servers Page Page Page Page Defining Address Tables Defining Static Addresses Page Page Defining Dynamic Addresses Page Page Configuring Multicast Forwarding IGMP Snooping Page Enabled Immediate Leave Disabled Modifying IGMP Snooping Page Defining Multicast Group Page Page Static Forbidde n Multicast Forward Page Dynamic Defining Multicast Forwarding Page Page Defining Unregistered Multicast Settings Unregistered Multicast Page Page Unregistered Multicast Configuring Spanning Tree Defining STP Properties Page Page Defining Spanning Tree Interface Settings Page Page Page Page Page Defining Rapid Spanning Tree Page Page - - Edit Rapid Spanning Tree Page Edit Rapid Spanning Tree Page RSTP Page Page Defining Multiple Spanning Tree Page Defining MSTP Instance to VLAN Multiple Spanning Tree Regions Instance to VLAN Page Defining MSTP Instance Settings Multiple Spanning Tree Regions MSTP Instance Settings Page MSTP Instance Settings Page Page Page Page Page Page Page Page Configuring Quality of Service Managing QoS Statistics Policer Sta tistics Policer Stati stics Page Add Policer Statistics Page Resetting Aggregate Policer Statistics Counters Policer Statistics Page Queues Statistics Page Page Defining General Settings Page Unchecked Edit Interface Priority Page CoS Page Modifying Interface Priorities Page Page Page Page Page Mapping DSCP to Queue Page Modifying Bandwidth Settings Page Configuring VLAN Rate Limit Page Modifying the VLAN Rate Limit Defining Advanced QoS Mode Page DSCP Mapping DSCP Mapping Page Defining Class Mapping Class Mapping Page Class Mapping Page MAC Based ACLs Defining Aggregate Policer Page Add QoS Aggregate Policer Page Remark DSCP Drop Modifying QoS Aggregate Policer Aggregate Policer Page Edit QoS Aggregate Policer Page Page Page Page Out of Profile DSCP Drop Modifying the QoS Policy Profile Policy Table Page Page Add QoS Policy Binding Page Edit QoS Policy Binding Page Modifying QoS Policy Binding Settings Policy Binding Defining QoS Basic Mode Rewriting DSCP Values DSCP Mapping Page Configuring SNMP SNMP Versions SNMP v1 and v2 SNMP v3 Configuring SNMP Security Page Defining SNMP Views SNMP Views Pa ge DefaultSuper Default SNMP Views Page Defining SNMP Users SNMP Users Page SNMP Group Profile Page SNMP Users Page SNMP Users Page Page Page Page Page Page Page Page Page Page Read Only Edit SNMP Community Page SNMP Communities Page Defining Trap Management Trap Settings Page Configuring Station Management SNMPv1,2 Notification Recipient SNMPv3 Notification Recipient Page Page Page Modifying SNMP Notifications Page Page Filter Settings Page Included Add SNMP Notification Filter Page Managing Cisco Discovery Protocol Cisco Discovery Protocol Page Page Managing System Files Software Upgrade Save Configuration Save Configuration Copy Configuration Page Active Image Page DHCP Auto Configuration Managing Power-over-Ethernet Devices PoE Settings Page Defining PoE Settings Page Page Page Managing System Logs System Messages Set tings Page Enabling System Logs Page Debug System Messages (Memory) Page: Viewing the Device Memory Logs Clearing Message Logs Viewing the System Flash Logs System Messages (Flash) Page System Messages (Flash) Page System Messages (Flash) Page Remote Log Servers Page Page Modifying Syslog Server Set tings Page Page Viewing Statistics Viewing Ethernet Statistics Page Page Page Page GVRP Page GVRP Page 15 Sec EtherChannel Page Page Managing RMON Statistics Viewing RMON Statistics Page RMON History Control Page Port Resetting RMON Statistics Counters RMON Statistics Page Add RMON History Page RMON History Control Page EtherChannel Ports Page RMON History Control Page RMON History Table Page Page Page Page Page Page Page Page Page RMON Events Page Rising and Falling Falling Alarm Rising Alarm Page Page Aggregating Ports Defining EtherChannel Management Page EtherChannel Settings Page Defining EtherChannel Settings Edit EtherChannel Settings Page Page Edit EtherChannel Page Edit EtherChannel Page Modifying EtherChannel Settings Page Configuring LACP Page Modify LACP Parameter Settings LACP Page Long Short Managing Device Diagnostics Ethernet Por ts Page Ethernet Port Testing Page Page Performing GBIC Uplink Testing Configure Span (Port Mirroring) Page Tx O nl y Tx a nd Rx CPU Utilization Monitoring CPU Utilization