TACACS+ Authentication
Configuring TACACS+ on the Switch
Table: Access Method and Privilege Level vs. Authentication Options

| Access Method and Privilege Level | Primary | Secondary | Effect on Access Attempts |
|-----------------------------------|---------|-----------|---------------------------|
| Console — Login  | local  | none*  | Local username/password access only. |
| Console — Login  | tacacs | local  | If the TACACS+ server is unavailable, uses local username/password access. |
| Console — Enable | local  | none*  | Local username/password access only. |
| Console — Enable | tacacs | local  | If the TACACS+ server is unavailable, uses local username/password access. |
| Telnet — Login   | local  | none*  | Local username/password access only. |
| Telnet — Login   | tacacs | local  | If the TACACS+ server is unavailable, uses local username/password access. |
| Telnet — Login   | tacacs | none   | If the TACACS+ server is unavailable, denies access. |
| Telnet — Enable  | local  | none*  | Local username/password access only. |
| Telnet — Enable  | tacacs | local  | If the TACACS+ server is unavailable, uses local username/password access. |
| Telnet — Enable  | tacacs | none   | If the TACACS+ server is unavailable, denies access. |

Primary and Secondary are the two Authentication Options for each access method and privilege level. Note that no tacacs/none combination is listed for the console: a console secondary of "none" would leave no way to manage the switch while the TACACS+ server is unreachable.
*When “local” is the primary option, you can also select “local” as the secondary option. However, in this case, a secondary “local” is meaningless because the switch has only one local level of username/password protection.
Caution Regarding the Use of Local for Login Primary Access

During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the Operator password, and read-write access if you enter the Manager password. For example, if you configure authentication on the switch with Telnet Login Primary as Local and Telnet Enable Primary as Tacacs, when you attempt to Telnet to the switch you will be prompted for a local password. If you enter the switch's local Manager password (or if there is no local Manager password configured in the switch), you bypass the TACACS+ server authentication for Telnet Enable Primary and go directly to read-write (Manager) access. Thus, for either the Telnet or console access method, configuring Login Primary for Local authentication while configuring Enable Primary for TACACS+ authentication is not recommended, as it defeats the purpose of using TACACS+ authentication. If you want Enable Primary login attempts to go to a TACACS+ server, configure both Login Primary and Enable Primary for Tacacs authentication instead of configuring Login Primary for Local authentication.
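The weak and the recommended configurations from the table and the caution above, written out as an added example; this is not configuration text from the manual page. The `aaa authentication <console|telnet> <login|enable> <primary> [<secondary>]` and `tacacs-server host` command forms, the `;` comment convention, the server address 10.0.0.5 and the `<shared-secret>` placeholder are my assumptions about the ProCurve CLI; confirm them against the command reference for your switch model before use.

```text
; ---- NOT RECOMMENDED: Login Primary local, Enable Primary tacacs ----
; The local Manager password (or an unset one) answers the Telnet login
; prompt and lands the session directly at read-write level, so the
; TACACS+ server configured for Enable is never consulted.
aaa authentication telnet login local
aaa authentication telnet enable tacacs local

; ---- RECOMMENDED: both Login and Enable go to TACACS+ first ----
; Server address and key are constructed placeholders, not real values.
tacacs-server host 10.0.0.5 key <shared-secret>

; Console keeps a local secondary: the table lists no tacacs/none
; combination for the console, so a reachable local fallback is what
; prevents a lock-out when the TACACS+ server is down.
aaa authentication console login tacacs local
aaa authentication console enable tacacs local

; Telnet: "tacacs local" falls back to the local passwords when the
; server is unavailable; "tacacs none" denies access instead. Pick the
; stricter form only if losing remote management during a server outage
; is acceptable to you.
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local
; aaa authentication telnet login tacacs none
; aaa authentication telnet enable tacacs none
```

Apply the recommended lines from the console, not over Telnet, and keep that session open while you confirm a TACACS+ login from a second session; `show authentication` (assumed ProCurve syntax) lists the resulting primary/secondary settings per access method. A Telnet session whose login is still answered locally can be told apart by the prompt: with Login Primary set to tacacs the switch asks for a username and password, whereas the local path asks for a password only.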
|
|