9-25
Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security
then it uses its own local username/password pairs to authenticate the logon request. (See "Local Authentication Process", on page 25.)
If a TACACS+ server recognizes the switch, it forwards a username prompt to the requesting terminal via the switch.
2. When the requesting terminal responds to the prompt with a username, the switch forwards it to the TACACS+ server.
3. After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch.
4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs:
   • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
   • If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username and repeat steps 2 through 4. In the default configuration, the switch allows up to three attempts to authenticate a login session. If the requesting terminal exhausts the attempt limit without a successful TACACS+ authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.
Local Authentication Process
When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists:
   • "Local" is the authentication option for the access method being used.
   • TACACS+ is the primary authentication mode for the access method being used. However, the switch was unable to connect to any TACACS+ servers (or no servers were configured) AND Local is the secondary authentication mode being used.
(For a listing of authentication options, see Table 3 on page 17.)
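The following Python model is an added example, not code from the switch or its vendor. It traces the login and fallback rules above and shows that a TACACS+ rejection never falls through to the local username/password pairs. The option names ("tacacs", "local", "none"), the "deny" outcome when no fallback is configured, and choosing the source once per session are assumptions of this example.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_ATTEMPTS = 3  # default attempt limit stated in the text


@dataclass
class AccessMethodConfig:
    primary: str              # "tacacs" or "local" (names assumed)
    secondary: str = "none"   # "local" or "none" (names assumed)


def select_source(cfg: AccessMethodConfig, servers_reachable: List[bool]) -> str:
    """Pick the credential store for one login session."""
    if cfg.primary == "local":
        return "local"        # condition 1: Local is the option in use
    if any(servers_reachable):
        return "tacacs"       # a server answered, so it decides
    if cfg.secondary == "local":
        return "local"        # condition 2: no server, Local is secondary
    return "deny"             # assumption: no fallback configured


def login(cfg: AccessMethodConfig, servers_reachable: List[bool],
          tacacs_db: Dict[str, str], local_db: Dict[str, str],
          attempts: List[Tuple[str, str]]) -> Tuple[str, int]:
    """Return (outcome, attempts_used). Outcome is the source that accepted
    the login, 'terminated' if no attempt within the limit succeeds, or 'deny'."""
    source = select_source(cfg, servers_reachable)
    if source == "deny":
        return ("deny", 0)
    db = tacacs_db if source == "tacacs" else local_db
    used = 0
    for user, password in attempts[:MAX_ATTEMPTS]:
        used += 1
        stored = db.get(user)
        # A rejection never falls through to the other credential store.
        if stored is not None and hmac.compare_digest(stored, password):
            return (source, used)
    return ("terminated", used)


if __name__ == "__main__":
    cfg = AccessMethodConfig(primary="tacacs", secondary="local")
    tacacs_db = {"alice": "t-pass"}     # constructed sample data
    local_db = {"manager": "l-pass"}    # constructed sample data
    print(login(cfg, [True], tacacs_db, local_db, [("manager", "l-pass")] * 3))
    print(login(cfg, [False], tacacs_db, local_db, [("manager", "l-pass")]))
```

Because the local pairs become the deciding store whenever no server can be reached, they need the same strength and rotation as the credentials held on the TACACS+ server.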