TACACS+ Authentication

Configuring TACACS+ on the Switch

Name: enable
Default: n/a
Range: n/a
Function: Specifies the Manager (read/write) privilege level for the access method being configured.

Name: login <privilege-mode>
Default: privilege-mode disabled
Range: n/a
Function: login: Specifies the Operator (read-only) privilege level for the access method being configured. The privilege-mode option enables TACACS+ for a single login. The authorized privilege level (Operator or Manager) is returned to the switch by the TACACS+ server.

Name: local - or - tacacs
Default: local
Range: n/a
Function: Specifies the primary method of authentication for the access method being configured.
  local: Use the username/password pair configured locally in the switch for the privilege level being configured.
  tacacs: Use a TACACS+ server.

Name: local - or - none
Default: none
Range: n/a
Function: Specifies the secondary (backup) type of authentication being configured.
  local: The username/password pair configured locally in the switch for the privilege level being configured.
  none: No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.)
  Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows:
  • If the primary method is tacacs, the only secondary method is local.
  • If the primary method is local, the default secondary method is none.

Name: num-attempts
Default: 3
Range: 1 - 10
Function: In a given session, specifies how many tries at entering the correct username/password pair are allowed before access is denied and the session terminated.

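As an added example (not from this manual), the defaulting and validity rules in the table above implemented as a small Python checker that resolves the effective primary/secondary pair for each access-method and privilege-level path and flags paths that never consult the TACACS+ server. The `aaa authentication ...` line form it parses is an assumption about the switch CLI, not something shown on this page, and the sample lines are constructed.

```python
import re

# Assumed command forms (the page lists the parameters, not the CLI syntax):
#   aaa authentication <access-method> <enable|login> <primary> [<secondary>]
#   aaa authentication num-attempts <1-10>
AUTH_RE = re.compile(r"^aaa authentication (\S+) (enable|login) (\S+)(?: (\S+))?$")
ATTEMPTS_RE = re.compile(r"^aaa authentication num-attempts (\d+)$")


def resolve_secondary(primary, secondary=None):
    """Apply the table's rules for the secondary (backup) method."""
    if primary not in ("local", "tacacs"):
        raise ValueError(f"unknown primary method {primary!r}")
    if secondary is None:  # switch assigns the secondary automatically
        return "local" if primary == "tacacs" else "none"
    if secondary not in ("local", "none"):
        raise ValueError(f"unknown secondary method {secondary!r}")
    if primary == "tacacs" and secondary == "none":
        raise ValueError("'none' is only available when the primary method is local")
    return secondary


def check_num_attempts(value):
    n = int(value)
    if not 1 <= n <= 10:  # documented range
        raise ValueError(f"num-attempts {n} is outside the range 1 - 10")
    return n


def audit_config(lines):
    """Resolve effective settings and flag paths that never consult TACACS+."""
    settings, warnings = {"num-attempts": 3}, []  # 3 is the documented default
    for line in lines:
        line = line.strip()
        if m := ATTEMPTS_RE.match(line):
            settings["num-attempts"] = check_num_attempts(m.group(1))
        elif m := AUTH_RE.match(line):
            access, level, primary, secondary = m.groups()
            settings[(access, level)] = (primary, resolve_secondary(primary, secondary))
            if primary == "local":  # neither local nor none falls back to tacacs
                warnings.append(f"{access} {level}: local only, TACACS+ never consulted")
    return settings, warnings


# Constructed sample lines, not a real switch's configuration.
SAMPLE = [
    "aaa authentication ssh login tacacs",      # secondary defaults to local
    "aaa authentication console enable local",  # secondary defaults to none
    "aaa authentication num-attempts 5",
]
```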
Configuring the TACACS+ Server for Single Login

In order for the single login feature to work correctly, you need to check some entries in the User Setup on the TACACS+ server.

In the User Setup, scroll to the Advanced TACACS+ Settings section. Make sure the radio button for “Max Privilege for any AAA Client” is checked and the level is set to 15, as shown in Figure 4-4. Privileges are represented by the numbers 0 through 15, with zero allowing only Operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that will allow Manager-level access on the switch.

4-13