
Chapter 1 Controlling CSS Access
Controlling Remote User Access to the CSS
To control access to the CSS, you can configure the CSS to authenticate remote (virtual) or console users. The CSS can authenticate users by using the local user database, a RADIUS server, or a TACACS+ server. You can also allow user access without authentication or disallow all remote user access to the CSS.
You can set a maximum of three authentication methods: a primary, a secondary, and a tertiary authentication method. The primary method is the first authentication method that the CSS tries. If the primary authentication method fails (for example, the RADIUS server is down or is unreachable), the CSS tries the secondary method. If the secondary method also fails, the CSS tries the tertiary method. If the tertiary method also fails, the CSS displays a message that authentication has failed.
The CSS does not attempt a secondary or tertiary authentication method under the following conditions:
• If the authentication method is local, and the local username is not found in the local user database.
• If the authentication method is local and the local username is found in the local user database, but the password is invalid.
• If the authentication method is radius, and the RADIUS server rejects the primary authentication request from the CSS.
• If the authentication method is tacacs, and the TACACS+ server rejects the primary authentication request from the CSS.
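The fallback rule above, modeled as an added Python example (not CSS code and not from this guide): a method that answers, whether it accepts or rejects, ends the attempt, and only a method that cannot answer lets the next one run. The `local` and `remote` helpers and the sample accounts are hypothetical stand-ins; no real RADIUS or TACACS+ exchange takes place.

```python
import hmac
from enum import Enum

class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # the method answered and refused the login
    UNAVAILABLE = "unavailable"  # the method could not answer (server down or unreachable)

def _match(users, user, password):
    # Constant-time comparison; an unknown user is treated like a wrong password.
    stored = users.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def local(users):
    """Local user database: always answers, so it never triggers a fallback."""
    def method(user, password):
        return Outcome.ACCEPT if _match(users, user, password) else Outcome.REJECT
    return method

def remote(users, reachable):
    """Stand-in for a RADIUS or TACACS+ server (hypothetical, no real protocol)."""
    def method(user, password):
        if not reachable:
            return Outcome.UNAVAILABLE
        return Outcome.ACCEPT if _match(users, user, password) else Outcome.REJECT
    return method

def authenticate(chain, user, password):
    """chain: 1-3 (name, method) pairs in primary, secondary, tertiary order.
    Returns (granted, trace) where trace lists each method tried and its outcome."""
    if not 1 <= len(chain) <= 3:
        raise ValueError("between one and three authentication methods are allowed")
    trace = []
    for name, method in chain:
        outcome = method(user, password)
        trace.append((name, outcome))
        if outcome is not Outcome.UNAVAILABLE:
            # A definitive accept or reject ends the attempt: no fallback.
            return outcome is Outcome.ACCEPT, trace
    return False, trace  # every configured method failed to answer

# Constructed sample accounts (not from the guide).
LOCAL_DB = {"admin": "local-pass"}
AAA_DB = {"alice": "aaa-pass"}

if __name__ == "__main__":
    down = [("radius", remote(AAA_DB, False)), ("local", local(LOCAL_DB))]
    up = [("radius", remote(AAA_DB, True)), ("local", local(LOCAL_DB))]
    print(authenticate(down, "admin", "local-pass"))  # falls back to local
    print(authenticate(up, "admin", "local-pass"))    # RADIUS reject is final
```

With RADIUS unreachable, the local database becomes the effective gate, so local account passwords need the same care as the accounts held on the security server.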
Before you can use RADIUS or TACACS+ as either the virtual authentication method or the console authentication method, you must enable communication with the RADIUS or TACACS+ security server. Use either the
This section includes the following topics:
• Configuring Virtual Authentication
• Configuring Console Authentication
To display virtual and console authentication settings, use the show
| Cisco Content Services Switch Security Configuration Guide |