Filter
Top Products
9-16
Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security
Using Passwords and
TACACS+
Configuring the Switch’s Authentication Methods
The aaa authentication command configures the access control for console
port and Telnet access to the switch. That is, for both access methods, aaa
authentication specifies whether to use a TACACS+ server or the switch’s
local authentication, or (for some secondary scenarios) no authentication
(meaning that if the primary method fails, authentication is denied). This
command also reconfigures the number of access attempts to allow in a
session if the first attempt uses an incorrect username/password pair.
Syntax: aaa authentication <console | telnet> <enable | login> <local | tacacs>
<local | none>
aaa authentication num-attempts <1. . 10>
Table 9-2. AAA Authentication Parameters
As shown in the next table, login and enable access is always available locally
through a direct terminal connection to the switch’s console port. However,
for Telnet access, you can configure TACACS+ to deny access if a TACACS+
server goes down or otherwise becomes unavailable to the switch.
Name Default Range Function
console
- or -
telnet
n/a n/a Specifies whether the command is configuring authentication for the console
port or Telnet access method for the switch.
enable
- or -
login
n/a n/a Specifies the privilege level for the access method being configured.
login: Operator (read-only) privileges
enable: Manager (read-write) privileges
local
- or -
tacacs
local n/a Specifies the primary method of authentication for the access method being
configured.
local: Use the username/password pair configured locally in the switch for
the privilege level being configured
tacacs: Use a TACACS+ server.
local
- or -
none
none n/a Specifies the secondary (backup) type of authentication being configured.
local: The username/password pair configured locally in the switch for the
privilege level being configured
none: No secondary type of authentication for the specified
method/privilege path. (Available only if the primary method of
authentication for the access being configured is local.)
Note: If you do not specify this parameter in the command line, the switch
automatically assigns the secondary method as follows:
• If the primary method is
tacacs, the only secondary method is local.
• If the primary method is
local, the default secondary method is none.
num-attempts 3 1 - 10 In a given session, specifies how many tries at entering the correct username/
password pair are allowed before access is denied and the session terminated.