TACACS+ Authentication

Overview

Feature                                                  Default    Menu   CLI         Web
view the switch’s authentication configuration           n/a        -      page 4-9    -
view the switch’s TACACS+ server contact configuration   n/a        -      page 4-10   -
configure the switch’s authentication methods            disabled   -      page 4-11   -
configure the switch to contact TACACS+ server(s)        disabled   -      page 4-18   -

TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in this guide (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/password sets with associated privilege levels for use by individuals who have reason to access the switch from either the switch’s console port (local access) or Telnet (remote access).

[Figure 4-1 (image not reproduced): Terminal “A” directly accessing the switch via the switch’s console port, and Terminal “B” remotely accessing the switch via Telnet, both log in to a switch configured for TACACS+ operation. The switch forwards each access request to the primary TACACS+ server and receives the TACACS server response. A1 - A4: path for the request from Terminal A (through the console port). B1 - B4: path for the request from Terminal B (through Telnet). The legs between the switch and the server are labeled “A2 or B2” and “A3 or B3”.]

The switch passes the login requests from terminals A and B to the TACACS+ server for authentication. The TACACS+ server determines whether to allow access to the switch and what privilege level to allow for a given access request.

Figure 4-1. Example of TACACS+ Operation
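The exchange sketched in Figure 4-1 is worth seeing on the wire. The following is an added example, not ProCurve code and not taken from this guide: it models the TACACS+ (RFC 8907) authentication conversation for an ASCII login, with the switch sending an authentication START, the server answering GETPASS, the switch returning the password in a CONTINUE, and the server replying PASS or FAIL. Packet bodies are obfuscated with the RFC 8907 MD5 pseudo-pad keyed by the shared secret. The shared secret, session ID, port name and user database are assumptions chosen for the example.

```python
"""TACACS+ (RFC 8907) authentication exchange, switch and server, modelled in-process.

Added example, not ProCurve code. The shared secret, session id, port name and the
user database are assumptions; the packet layouts follow RFC 8907.
"""
import hashlib
import struct

VERSION = 0xC0             # major version 0xC, minor version 0 (plain ASCII login)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01    # body sent in the clear; shown only to make the point below
HEADER = "!BBBBII"         # version, type, seq_no, flags, session_id, body length

ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x01, 0x01, 0x01, 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5: block n hashes the seed plus block n-1."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; applying it twice restores the body (it is not encryption)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(body, session_id, key, seq_no, flags=0):
    """Prepend the 12-byte header; obfuscate unless the unencrypted flag is set."""
    payload = body if flags & FLAG_UNENCRYPTED else obfuscate(body, session_id, key, VERSION, seq_no)
    return struct.pack(HEADER, VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body)) + payload


def unpack(packet, key):
    """Return (seq_no, session_id, cleartext body). A wrong key yields garbage, not an error."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    payload = packet[12:12 + length]
    body = payload if flags & FLAG_UNENCRYPTED else obfuscate(payload, session_id, key, version, seq_no)
    return seq_no, session_id, body


def build_start(user, port, rem_addr, data=b""):
    """Authentication START body: 8 fixed bytes followed by the variable fields."""
    fixed = struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def parse_start(body):
    """Return (user, port, rem_addr) from a START body."""
    user_len, port_len, rem_len = body[4], body[5], body[6]
    user = body[8:8 + user_len]
    port = body[8 + user_len:8 + user_len + port_len]
    rem_addr = body[8 + user_len + port_len:8 + user_len + port_len + rem_len]
    return user, port, rem_addr


def build_reply(status, server_msg=b"", data=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


def build_continue(user_msg, data=b""):
    return struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data


def parse_continue(body):
    msg_len = struct.unpack("!HHB", body[:5])[0]
    return body[5:5 + msg_len]


def server_handle(packet, key, user_db, state):
    """Toy TACACS+ server: ask for the password on START, verify it on CONTINUE."""
    seq_no, session_id, body = unpack(packet, key)
    if seq_no == 1:
        state["user"] = parse_start(body)[0].decode()
        reply = build_reply(STATUS_GETPASS, b"Password: ")
    else:
        ok = user_db.get(state.get("user")) == parse_continue(body).decode()
        reply = build_reply(STATUS_PASS if ok else STATUS_FAIL)
    return pack(reply, session_id, key, seq_no + 1)


def switch_login(user, password, key, user_db, session_id=0x1A2B3C4D):
    """Play the switch side: START (seq 1), then CONTINUE with the password (seq 3)."""
    state = {}
    start = pack(build_start(user.encode(), b"console", b""), session_id, key, 1)
    status, _msg = parse_reply(unpack(server_handle(start, key, user_db, state), key)[2])
    if status != STATUS_GETPASS:
        return status
    cont = pack(build_continue(password.encode()), session_id, key, 3)
    return parse_reply(unpack(server_handle(cont, key, user_db, state), key)[2])[0]


USER_DB = {"netadmin": "s3cret"}          # constructed sample credential store
SHARED_KEY = b"example-shared-key"        # assumed shared secret

if __name__ == "__main__":
    print("login ok:", switch_login("netadmin", "s3cret", SHARED_KEY, USER_DB) == STATUS_PASS)
```

Two things a practitioner should take from running it: the password travels in the CONTINUE body protected only by the MD5 pad, so anyone holding the shared secret (or a packet capture plus a guessed secret) recovers it with the same `unpack` call the server uses; and a packet sent with the unencrypted flag carries the credentials verbatim. Use a long, unique shared secret per switch and keep the switch-to-server path on a management network.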

TACACS+ in the switches covered in this guide manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated

4-2