Enhancements in Release F.02.02

TACACS+ Authentication for Centralized Control of Switch Access Security

Messages

The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.

Table 14. Tacacs Messages

| CLI Message | Meaning |
|---|---|
| Connecting to Tacacs server | The switch is attempting to contact the TACACS+ server identified in the switch’s tacacs-server configuration as the first-choice (or only) TACACS+ server. |
| Connecting to secondary Tacacs server | The switch was not able to contact the first-choice TACACS+ server, and is now attempting to contact the next (secondary) TACACS+ server identified in the switch’s tacacs-server configuration. |
| Invalid password | The system does not recognize the username or the password or both. Depending on the authentication method (tacacs or local), either the TACACS+ server application did not recognize the username/password pair or the username/password pair did not match the username/password pair configured in the switch. |
| No Tacacs servers responding | The switch has not been able to contact any designated TACACS+ servers. If this message is followed by the Username prompt, the switch is attempting local authentication. |
| Not legal combination of authentication methods | For console access, if you select tacacs as the primary authentication method, you must select local as the secondary authentication method. This prevents you from being locked out of the switch if all designated TACACS+ servers are inaccessible to the switch. |
| Record already exists | When resulting from a tacacs-server host <ip addr> command, indicates an attempt to enter a duplicate TACACS+ server IP address. |

Operating Notes

If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, TACACS+ operates regardless of any Authorized IP Manager configuration.

When TACACS+ is not enabled on the switch—or when the switch’s only designated TACACS+ servers are not accessible—setting a local Operator password without also setting a local Manager password does not protect the switch from manager-level access by unauthorized persons.
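
The following added example (not part of the original manual) shows one way to flag fallback to local authentication in a captured CLI login session, using the message texts from Table 14. The transcript layout, the function name classify_session and the sample session are assumptions constructed for illustration.

```python
import re

# Message texts are taken from Table 14; the transcript layout is an assumption.
PRIMARY = "Connecting to Tacacs server"
SECONDARY = "Connecting to secondary Tacacs server"
NO_SERVERS = "No Tacacs servers responding"
INVALID = "Invalid password"
USERNAME_PROMPT = re.compile(r"^\s*Username\b", re.IGNORECASE)


def classify_session(transcript: str) -> dict:
    """Summarise the TACACS+ events seen in one captured CLI login session."""
    result = {
        "primary_attempted": False,
        "failed_over_to_secondary": False,
        "all_servers_unreachable": False,
        "local_fallback": False,
        "invalid_password_count": 0,
    }
    awaiting_prompt = False  # True right after "No Tacacs servers responding"
    for line in transcript.splitlines():
        text = line.strip()
        if not text:
            continue
        if awaiting_prompt:
            # Table 14: a Username prompt here means local authentication.
            if USERNAME_PROMPT.match(text):
                result["local_fallback"] = True
            awaiting_prompt = False
        if SECONDARY in text:
            result["failed_over_to_secondary"] = True
        elif PRIMARY in text:
            result["primary_attempted"] = True
        elif NO_SERVERS in text:
            result["all_servers_unreachable"] = True
            awaiting_prompt = True
        elif INVALID in text:
            result["invalid_password_count"] += 1
    return result


# Constructed sample session (not captured from a real switch).
SAMPLE = """\
Connecting to Tacacs server
Connecting to secondary Tacacs server
No Tacacs servers responding
Username: admin
Invalid password
"""
```

A session flagged with local_fallback was protected only by the switch's local passwords, which is the situation the Operating Notes describe when no local Manager password is set.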
