TACACS+ Authentication

General Authentication Setup Procedure

other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure.

Note

If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your switch.

1. Familiarize yourself with the requirements for configuring your TACACS+ server application to respond to requests from the switch. (Refer to the documentation provided with the TACACS+ server software.) This includes knowing whether you need to configure an encryption key. (See “Using the Encryption Key” on page 4-27.)


2. Determine the following:

The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first choice for authentication services.

The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).

The number of log-in attempts you will allow before closing a log-in session. (Default: 3)

The period you want the switch to wait for a reply to an authentication request before trying another server.

The username/password pairs you want the TACACS+ server to use for controlling access to the switch.

The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.

The username/password pairs you want to use for local authentication (one pair each for Operator and Manager levels).

3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the username/password sets for logging in at the Operator (read-only) privilege level and the sets for logging in at the Manager (read/write) privilege level.
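As an added example that is not part of the original guide, the following fragment shows how the items planned in steps 2 and 3 map onto switch-side settings, written in ProCurve-style CLI syntax; the server addresses and key strings are constructed placeholders. Keeping `local` as the secondary method, and leaving console authentication local, is what preserves the fallback access the Note above relies on.

```text
; Added example (ProCurve-style CLI, constructed values), not from the guide.
; Step 2: first-choice and backup TACACS+ servers, each with a server-specific key
tacacs-server host 192.0.2.10 key "SERVER1-KEY-PLACEHOLDER"
tacacs-server host 192.0.2.11 key "SERVER2-KEY-PLACEHOLDER"
; Alternative to per-server keys: one global key used for any host without its own
; tacacs-server key "GLOBAL-KEY-PLACEHOLDER"
; Step 2: wait 5 seconds for a reply before trying the next server
tacacs-server timeout 5
; Step 2: allow three login attempts before the session is closed (the default)
aaa authentication num-attempts 3
; Step 3: Telnet login and enable are authenticated by TACACS+, falling back to
; the local Operator/Manager accounts if no server answers
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local
; Console stays local so a TACACS+ misconfiguration cannot lock out the administrator
aaa authentication console login local
aaa authentication console enable local
```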
