169
Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
TACACS+ Operation
TACACS+ in Series 2500 switches manages authentication of logon attempts through either the
Console port or Telnet. For both Console and Telnet you can configure a login (read-only) and an
enable (read/write) privilege level access. When your primary authentication control for switch
access is a TACACS+ server, you can also specify a local (switch-based) secondary authentication
control.
Note
In release F.02.02, TACACS+ does not affect Web browser interface access. See "Controlling Web
Browser Interface Access" on page 184.
General Authentication Setup Procedure
It is important to test the TACACS+ service before fully implementing it. Depending on the process
and parameter settings you use to set up and test TACACS+ authentication in your network, you
could accidentally lock all users, including yourself, out of access to a switch. While recovery is
simple, it may pose an inconvenience that can be avoided. To prevent an unintentional lockout on a
Series 2500 switch, use a procedure that configures and tests TACACS+ protection for one access
type (for example, Telnet access), while keeping the other access type (console, in this case) open
in case the Telnet access fails due to a configuration problem. The steps below outline such a
procedure.
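The staged approach described above, written out as an added configuration example (not taken from this page or from the release notes): Telnet is switched to TACACS+ first, with the switch's local passwords as the secondary method, while the console stays on local authentication until the Telnet path has been verified. The command syntax is assumed ProCurve CLI syntax and is not shown on this page; the server address and key string are placeholders.

```text
! --- Phase 1: protect Telnet only; console stays local as the safety path ---
! Define the TACACS+ server (placeholder address and shared key; assumed syntax)
tacacs-server host 192.0.2.10 key <shared-secret-placeholder>

! Telnet: TACACS+ is primary for both privilege levels, local passwords are secondary
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local

! Console: left on local authentication so a Telnet misconfiguration cannot lock you out
aaa authentication console login local
aaa authentication console enable local

! --- Phase 2: only after a Telnet login and enable have succeeded through the server ---
! aaa authentication console login tacacs local
! aaa authentication console enable tacacs local
```

Keep the Phase 2 lines commented out until a separate Telnet session has authenticated both at login (read-only) and enable (read/write) level through the TACACS+ server; the open console session is what lets you back the change out if that test fails.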
Note
If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see
"Troubleshooting TACACS+ Operation" on page 186 for recovery methods.
1. Familiarize yourself with the requirements for configuring your TACACS+ server application to
respond to requests from a Series 2500 switch. (Refer to the documentation provided with the
TACACS+ server software.) This includes knowing whether you need to configure an encryption
key. (See “Using the Encryption Key” on page 183.)