TACACS+ Authentication

Configuring TACACS+ on the Switch

Messages Related to TACACS+Operation

The switch generates the CLI messages listed below. However, you may see other messages generated in your TACACS+ server application. For information on such messages, refer to the documentation you received with the application.

CLI Message

Meaning

 

 

 

 

Connecting to Tacacs server

The switch is attempting to contact the TACACS+ server identified in the switch’s tacacs-

 

 

 

server configuration as the first-choice(or only) TACACS+ server.

Connecting to secondary

The switch was not able to contact the first-choiceTACACS+ server, and is now

Tacacs server

attempting to contact the next (secondary) TACACS+ server identified in the switch’s

 

 

 

tacacs-server configuration.

Invalid password

The system does not recognize the username or the password or both. Depending on the

 

 

 

authentication method (tacacs or local), either the TACACS+ server application did not

 

 

 

recognize the username/password pair or the username/password pair did not match the

 

 

 

username/password pair configured in the switch.

No Tacacs servers

The switch has not been able to contact any designated TACACS+ servers. If this message

responding

is followed by the Username prompt, the switch is attempting local authentication.

Not legal combination of

For console access, if you select tacacs as the primary authentication method, you must

authentication methods

select local as the secondary authentication method. This prevents you from being locked

 

 

 

out of the switch if all designated TACACS+ servers are inaccessible to the switch.

Record already exists

When resulting from a tacacs-server host <ip addr> command, indicates an attempt to

 

 

 

enter a duplicate TACACS+ server IP address.

 

 

 

 

 

 

 

 

Operating Notes

If you configure Authorized IP Managers on the switch, it is not necessary to include any devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic between a TACACS+ server and the switch is not subject to Authorized IP Manager controls configured on the switch. Also, the switch does not attempt TACACS+ authentication for a management station that the Authorized IP Manager list excludes because, independent of TACACS+, the switch already denies access to such stations.

4-25