Enhancements in Release F.02.02

TACACS+ Authentication for Centralized Control of Switch Access Security

Configuring the Switch’s Authentication Methods

The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied). This command also configures the number of access attempts to allow in a session if the first attempt uses an incorrect username/password pair.

Syntax: aaa authentication < console | telnet > < enable | login > < local | tacacs > < local | none >

        aaa authentication num-attempts < 1..10 >

Table 12. AAA Authentication Parameters

| Name | Default | Range | Function |
|---|---|---|---|
| console - or - telnet | n/a | n/a | Specifies whether the command is configuring authentication for the console port or Telnet access method for the switch. |
| enable - or - login | n/a | n/a | Specifies the privilege level for the access method being configured. login: Operator (read-only) privileges. enable: Manager (read-write) privileges. |
| local - or - tacacs | local | n/a | Specifies the primary method of authentication for the access method being configured. local: Use the username/password pair configured locally in the switch for the privilege level being configured. tacacs: Use a TACACS+ server. |
| local - or - none | none | n/a | Specifies the secondary (backup) type of authentication being configured. local: The username/password pair configured locally in the switch for the privilege level being configured. none: No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.) Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows: if the primary method is tacacs, the only secondary method is local; if the primary method is local, the default secondary method is none. |
| num-attempts | 3 | 1 - 10 | In a given session, specifies how many tries at entering the correct username/password pair are allowed before access is denied and the session terminated. |

As shown in the following table, login and enable access is always available locally through a direct terminal connection to the switch’s console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
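As an added example (not code from the switch firmware or from this manual), the Python model below applies the Table 12 rules to command lines in the Syntax form above and simulates a login session, so the effect of a TACACS+ outage on each access path and of num-attempts can be checked offline. It assumes that the secondary method is used only when the TACACS+ server is unreachable (not after a rejected password), and the credential stores and commands are constructed samples.

```python
# Added example modelling the 'aaa authentication' rules of Table 12; it is not
# code from the switch or the manual. Assumption: the secondary method is tried
# only when the TACACS+ server is unreachable, not after a rejected password.
ACCESS, PRIVILEGE, PRIMARY, SECONDARY = (("console", "telnet"), ("login", "enable"),
                                         ("local", "tacacs"), ("local", "none"))

def apply_aaa_line(cfg, line):
    """Apply one 'aaa authentication ...' command to the cfg dict (ValueError if invalid)."""
    tok = line.split()
    if tok[:2] != ["aaa", "authentication"]:
        raise ValueError(f"not an aaa authentication command: {line!r}")
    if tok[2:3] == ["num-attempts"]:
        n = int(tok[3])
        if not 1 <= n <= 10:
            raise ValueError("num-attempts range is 1..10")
        cfg["num-attempts"] = n
        return
    access, priv, primary = tok[2:5]          # ValueError if fewer tokens
    if access not in ACCESS or priv not in PRIVILEGE or primary not in PRIMARY:
        raise ValueError(f"bad parameters: {line!r}")
    # Omitted secondary: the switch assigns it per the note in Table 12.
    secondary = tok[5] if len(tok) > 5 else ("local" if primary == "tacacs" else "none")
    if secondary not in SECONDARY or (secondary == "none" and primary != "local"):
        raise ValueError(f"secondary {secondary!r} not allowed after primary {primary!r}")
    cfg[(access, priv)] = (primary, secondary)

def is_valid_aaa_line(line):
    """True if the switch would accept the command under the Table 12 rules."""
    try:
        apply_aaa_line({"num-attempts": 3}, line)
        return True
    except ValueError:
        return False

def login(cfg, access, priv, tries, tacacs_up, local_db, tacacs_db):
    """Simulate one session of username/password tries; returns 'granted' or 'denied'."""
    primary, secondary = cfg.get((access, priv), ("local", "none"))  # table defaults
    for user, pw in tries[: cfg.get("num-attempts", 3)]:
        method = secondary if primary == "tacacs" and not tacacs_up else primary
        if method == "none":                  # primary unavailable, no backup: deny
            return "denied"
        db = tacacs_db if method == "tacacs" else local_db
        if db.get(user) == pw:
            return "granted"
    return "denied"                           # attempts exhausted, session terminated

CONFIG = {"num-attempts": 3}                  # constructed sample configuration
apply_aaa_line(CONFIG, "aaa authentication telnet login tacacs")  # secondary defaults to local
apply_aaa_line(CONFIG, "aaa authentication num-attempts 2")
LOCAL_DB, TACACS_DB = {"admin": "local-pw"}, {"admin": "server-pw"}  # constructed stores
```

Note that with tacacs as the primary method the locally configured password remains a valid path whenever the server is unreachable, so the local Manager and Operator passwords still need to be managed as real credentials.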
