TACACS+ Authentication

How Authentication Operates

Local Authentication Process

When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists:

“Local” is the authentication option for the access method being used.

TACACS+ is the primary authentication mode for the access method being used. However, the switch was unable to connect to any TACACS+ servers (or no servers were configured) AND Local is the secondary authentication mode being used.

(For a listing of authentication options, see table 4-2, “Primary/Secondary Authentication Table” on 4-16.)

For local authentication, the switch uses the operator-level and manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the web browser interface, or the menu interface—which enables only local password configuration).

If the operator at the requesting terminal correctly enters the user- name/password pair for either access level, access is granted.

If the username/password pair entered at the requesting terminal does not match either username/password pair previously configured

 

locally in the switch, access is denied. In this case, the terminal is

 

again prompted to enter a username/password pair. In the default

 

configuration, the switch allows up to three attempts. If the requesting

 

terminal exhausts the attempt limit without a successful authentica-

 

tion, the login session is terminated and the operator at the requesting

 

terminal must initiate a new session before trying again.

 

 

Note

The switch’s menu allows you to configure only the local Operator and

 

Manager passwords, and not any usernames. In this case, all prompts for local

 

authentication will request only a local password. However, if you use the CLI

 

or the web browser interface to configure usernames for local access, you will

 

see a prompt for both a local username and a local password during local

 

authentication.

 

 

4-26