TACACS+ Authentication

Configuring TACACS+ on the Switch

Configuring the Switch’s Authentication Methods

The aaa authentication command configures the access control for console port and Telnet access to the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied). This command also reconfigures the number of access attempts to allow in a session if the first attempt uses an incorrect username/password pair.

Syntax: aaa authentication

< console telnet >

Selects either console (serial port) or Telnet access for configuration.

< enable login >

Selects either the Manager (enable) or Operator (login) access level.

< local tacacs radius >

Selects the type of security access:

local Authenticates with the Manager and Operator password you configure in the switch.

tacacs Authenticates with a password and other data configured on a TACACS+ server.

radius Authenticates with a password and other data configured on a RADIUS server. (Refer to “RADIUS Authentication and Accounting” on page 5-1.)

[< local none >]

If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access.

aaa authentication num-attempts < 1-10 >

Specifies the maximum number of login attempts allowed in the current session. Default: 3

4-11