174
Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
Configuring the Switch’s Authentication Methods
The aaa authentication command configures the access control for console port and Telnet access to
the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+
server or the switch’s local authentication, or (for some secondary scenarios) no authentication
(meaning that if the primary method fails, authentication is denied). This command also reconfigures
the number of access attempts to allow in a session if the first attempt uses an incorrect username/
password pair.
Syntax: aaa authentication < console | telnet> < enable | login > < local | tacacs > < local | none >
aaa authentication num-attempts < 1. . 10 >
Table 12. AAA Authentication Parameters
As shown in the following table, login and enable access is always available locally through a direct
terminal connection to the switch’s console port. However, for Telnet access, you can configure
TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the
switch.
Name Default Range Function
console
- or -
telnet
n/a n/a Specifies whether the command is configuring authentication for the console
port or Telnet access method for the switch.
enable
- or -
login
n/a n/a Specifies the privilege level for the access method being configured.
login: Operator (read-only) privileges
enable: Manager (read-write) privileges
local
- or -
tacacs
local n/a Specifies the primary method of authentication for the access method being
configured.
local: Use the username/password pair configured locally in the switch for
the privilege level being configured
tacacs: Use a TACACS+ server.
local
- or -
none
none n/a Specifies the secondary (backup) type of authentication being configured.
local: The username/password pair configured locally in the switch for the
privilege level being configured
none: No secondary type of authentication for the specified
method/privilege path. (Available only if the primary method of
authentication for the access being configured is local.)
Note: If you do not specify this parameter in the command line, the switch
automatically assigns the secondary method as follows:
• If the primary method is tacacs, the only secondary method is local.
• If the primary method is local, the default secondary method is none.
num-attempts 3 1 - 10 In a given session, specifies how many tries at entering the correct username/
password pair are allowed before access is denied and the session terminated.