IronPort Systems 4108GL Caution Regarding the Use of Local for Login Primary Access

9-17

Using Passwords and TACACS+ To Protect Against Una uthorized Access

TACACS+ Authentication for Cent ral Control of Switch Access S ecurity

Using Passwords and

TACACS+

Table 9-3. Primary/Secondary Authentication Table

Caution Regarding the Use of Local for Login Primary Access

During local authentication (which uses passwords configure d in the switch

instead of in a TACACS+ server), the switch grants read-only access if you

enter the Operator password, and re ad-write access if you enter the Manag er

password. For example, if you configure authentication on the switch with

Telnet Login Primary as Local and Telnet Enable Primary as Tacacs, when you

attempt to Telnet to the switch, you will be prompted for a local password. If

you enter the switch’s local Manager password (or, if there is no local Manager

password configured in the switch) you can bypass the TACACS+ server

authentication for Telnet Enable Primary and go d irectly to read-write (Man-

ager) access. Thus, for either the Telnet or console access method, configuring

TACACS+ authentication is not recommended, as it defeats the purpose of

using the TACACS+ authentication. If you want Enable Primary log-in

attempts to go to a TACACS+ server, then you should configure both Login

Primary and Enable Primary for Tacacs authentica tion instead of configuring

Access Method and

Privilege Level

Authentication Options Effect on Access Attempts

Primary Secondary

Console — Login local none* Local username/password access only.

tacacs local If Tacacs+ server unavailable, uses local username/passwo rd access.

Console — Enable local none* Local username/password access only.

tacacs local If Tacacs+ server unavailable, uses local username/passwo rd access.

Telne t — Login local none* Local username/password access only.

tacacs local If Tacacs+ server unavailable, uses local username/passwo rd access.

tacacs non e If Tacacs+ server unavailable, denies acc ess.

Telne t — Enable local none* Local username/password access only.

tacacs local If Tacacs+ server unavailable, uses local username/passwo rd access.

tacacs non e If Tacacs+ server unavailable, denies acc ess.

*When "local" is the primary option, you can also select "local" as the secondary opti on. However, in this case, a secondary

"local" is meaningless because the switch has only one lo cal level of username/password protection.