TACACS+ Authentication

Configuring TACACS+ on the Switch

Table 4-2. Primary/Secondary Authentication Table

Access Method and

Authentication Options

Effect on Access Attempts

Privilege Level

Primary

Secondary

 

 

 

 

 

 

 

Console — Login

local

none*

Local username/password access only.

 

 

 

 

 

tacacs

local

If Tacacs+ server unavailable, uses local username/password access.

 

 

 

 

Console — Enable

local

none

Local username/password access only.

 

 

 

 

 

tacacs

local

If Tacacs+ server unavailable, uses local username/password access.

 

 

 

 

 

 

 

 

Telnet — Login

local

none*

Local username/password access only.

 

 

 

 

 

tacacs

local

If Tacacs+ server unavailable, uses local username/password access.

 

 

 

 

 

tacacs

none

If Tacacs+ server unavailable, denies access.

 

 

 

 

Telnet — Enable

local

none

Local username/password access only.

 

 

 

 

 

tacacs

local

If Tacacs+ server unavailable, uses local username/password access.

 

 

 

 

 

tacacs

none

If Tacacs+ server unavailable, denies access.

 

 

 

 

Caution Regarding

During local authentication (which uses passwords configured in the switch

the Use of Local for

instead of in a TACACS+ server), the switch grants read-only access if you

Login Primary

enter the Operator password, and read-write access if you enter the Manager

Access

password. For example, if you configure authentication on the switch with

 

Telnet Login Primary as Local and Telnet Enable Primary as Tacacs, when you

 

attempt to Telnet to the switch, you will be prompted for a local password. If

 

you enter the switch’s local Manager password (or, if there is no local Manager

 

password configured in the switch) you can bypass the TACACS+ server

 

authentication for Telnet Enable Primary and go directly to read-write (Man-

 

ager) access. Thus, for either the Telnet or console access method, configuring

 

Login Primary for Local authentication while configuring Enable Primary for

 

TACACS+ authentication is not recommended, as it defeats the purpose of

 

using the TACACS+ authentication. If you want Enable Primary log-in

 

attempts to go to a TACACS+ server, then you should configure both Login

 

Primary and Enable Primary for Tacacs authentication instead of configuring

 

Login Primary to Local authentication.

 

 

4-16