Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security
Configuring the Switch's Authentication Methods
The aaa authentication command configures the access control for console
port and Telnet access to the switch. That is, for both access methods, aaa
authentication specifies whether to use a TACACS+ server or the switch's
local authentication, or (for some secondary scenarios) no authentication
(meaning that if the primary method fails, authentication is denied). This
command also reconfigures the number of access attempts to allow in a
session if the first attempt uses an incorrect username/password pair.
Syntax: aaa authentication <console | telnet> <enable | login> <local | tacacs> <local | none>
        aaa authentication num-attempts <1..10>
As shown in the next table, login and enable access is always available locally
through a direct terminal connection to the switch's console port. However,
for Telnet access, you can configure TACACS+ to deny access if a TACACS+
server goes down or otherwise becomes unavailable to the switch.

Table 9-2. AAA Authentication Parameters

console - or - telnet (Default: n/a; Range: n/a)
    Specifies whether the command is configuring authentication for the console
    port or the Telnet access method for the switch.

enable - or - login (Default: n/a; Range: n/a)
    Specifies the privilege level for the access method being configured.
    login: Operator (read-only) privileges
    enable: Manager (read-write) privileges

local - or - tacacs (Default: local; Range: n/a)
    Specifies the primary method of authentication for the access method being
    configured.
    local: Use the username/password pair configured locally in the switch for
    the privilege level being configured.
    tacacs: Use a TACACS+ server.

local - or - none (Default: none; Range: n/a)
    Specifies the secondary (backup) type of authentication being configured.
    local: The username/password pair configured locally in the switch for the
    privilege level being configured.
    none: No secondary type of authentication for the specified
    method/privilege path. (Available only if the primary method of
    authentication for the access being configured is local.)
    Note: If you do not specify this parameter in the command line, the switch
    automatically assigns the secondary method as follows:
        If the primary method is tacacs, the only secondary method is local.
        If the primary method is local, the default secondary method is none.

num-attempts (Default: 3; Range: 1 - 10)
    In a given session, specifies how many tries at entering the correct username/
    password pair are allowed before access is denied and the session terminated.
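The syntax and the defaulting rules in Table 9-2 are mechanical enough to check before a configuration is pushed to a switch. The following Python is an added example written for this page, not HP's code: it parses aaa authentication lines exactly as documented above, fills in the secondary method the switch would assign when that parameter is omitted, rejects the combinations the table disallows (a secondary of none with a tacacs primary, num-attempts outside 1..10), and reports the effective policy per access/privilege path. The function names and the sample configuration are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Vocabulary taken from the manual's syntax line:
#   aaa authentication <console | telnet> <enable | login> <local | tacacs> <local | none>
#   aaa authentication num-attempts <1..10>
ACCESS_METHODS = ("console", "telnet")
PRIVILEGE_LEVELS = ("login", "enable")     # login = Operator, enable = Manager
PRIMARY_METHODS = ("local", "tacacs")
SECONDARY_METHODS = ("local", "none")
DEFAULT_NUM_ATTEMPTS = 3                    # Table 9-2 default

@dataclass(frozen=True)
class AuthPolicy:
    access: str      # "console" or "telnet"
    level: str       # "login" or "enable"
    primary: str     # "local" or "tacacs"
    secondary: str   # "local" or "none"

def default_secondary(primary: str) -> str:
    """Secondary method assigned when none is given (Table 9-2 note):
    tacacs -> local is the only choice; local -> none."""
    return "local" if primary == "tacacs" else "none"

def parse_auth_line(line: str) -> AuthPolicy:
    """Parse 'aaa authentication <access> <level> <primary> [<secondary>]'."""
    tokens = line.split()
    if tokens[:2] != ["aaa", "authentication"] or not 5 <= len(tokens) <= 6:
        raise ValueError(f"not an aaa authentication method line: {line!r}")
    access, level, primary = tokens[2:5]
    if access not in ACCESS_METHODS:
        raise ValueError(f"access method must be console or telnet, got {access!r}")
    if level not in PRIVILEGE_LEVELS:
        raise ValueError(f"privilege level must be login or enable, got {level!r}")
    if primary not in PRIMARY_METHODS:
        raise ValueError(f"primary method must be local or tacacs, got {primary!r}")
    if len(tokens) == 6:
        secondary = tokens[5]
        if secondary not in SECONDARY_METHODS:
            raise ValueError(f"secondary method must be local or none, got {secondary!r}")
        # Table 9-2: 'none' as the backup is available only when the primary is local
        if secondary == "none" and primary != "local":
            raise ValueError("secondary 'none' is allowed only when the primary method is local")
    else:
        secondary = default_secondary(primary)
    return AuthPolicy(access, level, primary, secondary)

def parse_num_attempts(line: str) -> int:
    """Parse 'aaa authentication num-attempts <1..10>'."""
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "num-attempts"] or len(tokens) != 4:
        raise ValueError(f"not an aaa authentication num-attempts line: {line!r}")
    try:
        attempts = int(tokens[3])
    except ValueError:
        raise ValueError(f"num-attempts must be an integer, got {tokens[3]!r}") from None
    if not 1 <= attempts <= 10:
        raise ValueError(f"num-attempts must be in the range 1..10, got {attempts}")
    return attempts

def validate_line(line: str) -> Optional[str]:
    """Return None when the line is acceptable, otherwise the reason it is rejected."""
    try:
        if line.split()[:3] == ["aaa", "authentication", "num-attempts"]:
            parse_num_attempts(line)
        else:
            parse_auth_line(line)
    except ValueError as exc:
        return str(exc)
    return None

def load_config(text: str) -> Tuple[Dict[Tuple[str, str], AuthPolicy], int]:
    """Apply the aaa authentication lines of a config in order and return the
    effective policy per (access, level) path plus the num-attempts value.
    Paths never mentioned keep the Table 9-2 defaults: primary local, secondary none."""
    policies = {(a, lv): AuthPolicy(a, lv, "local", "none")
                for a in ACCESS_METHODS for lv in PRIVILEGE_LEVELS}
    num_attempts = DEFAULT_NUM_ATTEMPTS
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", "#")):
            continue                      # blank line or comment
        if not line.startswith("aaa authentication"):
            continue                      # other config lines are outside this checker's scope
        if line.split()[2:3] == ["num-attempts"]:
            num_attempts = parse_num_attempts(line)
        else:
            policy = parse_auth_line(line)
            policies[(policy.access, policy.level)] = policy
    return policies, num_attempts

# Constructed sample configuration (not from the manual) to exercise the checker.
SAMPLE_CONFIG = """\
! constructed example
aaa authentication console login local
aaa authentication console enable tacacs
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local
aaa authentication num-attempts 5
"""

if __name__ == "__main__":
    effective, attempts = load_config(SAMPLE_CONFIG)
    for (access, level), pol in sorted(effective.items()):
        print(f"{access:8} {level:7} primary={pol.primary:7} secondary={pol.secondary}")
    print("num-attempts:", attempts)
    print("rejected:", validate_line("aaa authentication telnet enable tacacs none"))
```

Running the script on the sample prints one line per access/privilege path, which makes the implicit fallback visible: console enable was entered with only a tacacs primary, so the checker reports secondary=local, the same assignment the switch makes. That is the value of checking a config this way before it is applied, since a path that silently falls back to the local password is a different security posture from one that denies access when the TACACS+ server is unreachable.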