Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
Telnet Password for a Terminal Line
When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create
a default configuration for continued use. The setup program also prompts you to set a password for Telnet access to
the switch. If you did not configure this password during the setup program, you can configure it now through the
command-line interface (CLI).
Username and Password Pairs
You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to
lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you
can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
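The two approaches above, a shared line password and local username and password pairs, as an added configuration example that is not part of the original guide. It assumes vty lines 0 to 4, placeholder passwords, and an IOS release that accepts the secret keyword on the username command; treat these as assumptions.

```cisco
! Added example, not from the original guide. Passwords are placeholders.
!
! Option A: the shared Telnet line password that the setup program asks for.
! "login" makes the line prompt for that password. Note that a line
! "password" is stored in clear text unless service password-encryption is
! on, and even then it is only type-7 obfuscation, not a hash.
service password-encryption
line vty 0 4
 password Sw1tchL1ne
 login
!
! Option B (preferred): per-user local accounts, each with its own privilege
! level, checked by "login local". "secret" stores a hash rather than the
! password itself. Applying "login local" to the same lines replaces the
! "login" from option A; pick one method per line.
username netops privilege 15 secret N3t0psS3cret
username helpdesk privilege 2 secret H3lpd3skS3cret
line vty 0 4
 login local
 exec-timeout 10 0
```

With option B, a user who logs in as helpdesk lands at privilege level 2 directly, without typing enable, because the level is bound to the username rather than to the line.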
Multiple Privilege Levels
By default, the Cisco IOS software has two modes of password security: user EXEC and privileged EXEC. You can
configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow
different sets of users to have access to specified commands.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and
distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can
assign it level 3 security and distribute that password to a more restricted group of users.
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to
that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands
are automatically set to privilege level 15 unless you set them individually to different levels.
To return a command to its default privilege level, use the no form of the global configuration command, no privilege
mode level level command, where command is the command whose level you want to reset.
Users can override the privilege level you set with the privilege level line configuration command by logging in to the
line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users
know the password for a higher privilege level, they can use that password to enable that level. You might specify a
high privilege level for your console line to restrict line usage.
To return a line to the default privilege level, use the no privilege level line configuration command.
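The clear line and configure example above, carried through as an added configuration example that is not part of the original guide. The passwords are placeholders, and the choice of levels 2 and 3 follows the text.

```cisco
! Added example, not from the original guide. Passwords are placeholders.
!
! Level 2: a widely shared password lets many users clear a stuck line.
! Level 3: a more restricted password is needed to enter configuration mode.
privilege exec level 2 clear line
privilege exec level 3 configure terminal
enable secret level 2 L2pass
enable secret level 3 L3pass
enable secret L15pass
!
! Subset rule: setting "show ip traffic" to level 15 also moves "show" and
! "show ip" to level 15 ...
privilege exec level 15 show ip traffic
! ... so hand "show" and "show ip" back to level 1 explicitly. "show ip traffic"
! stays at 15 because it was set individually.
privilege exec level 1 show
privilege exec level 1 show ip
!
! Default privilege level for anyone who logs in on the console line.
line console 0
 privilege level 15
 login local
```

A user at level 1 enters enable 2 and supplies L2pass to reach level 2, enable 3 with L3pass to reach level 3, and disable to drop back down. To undo the configure entry, use no privilege exec level 3 configure terminal; to undo the console setting, use no privilege level under line console 0. The subset rule is the part worth checking after every change: run show privilege and try the affected commands at each level, because a single high-level assignment can silently pull a whole command family out of reach of lower-level users.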
Switch Access with TACACS+
This section describes how to enable and configure Terminal Access Controller Access Control System Plus (TACACS+),
which provides detailed accounting information and flexible administrative control over authentication and authorization
processes. TACACS+ is delivered through the authentication, authorization, and accounting (AAA) framework and can be
enabled only through AAA commands.
TACACS+
TACACS+ is a security application that provides centralized validation of users attempting to gain access to your switch.
TACACS+ services are maintained in a database on a TACACS+ daemon, typically running on a UNIX or Windows NT
workstation. You should have access to, and should configure, a TACACS+ server before configuring TACACS+
features on your switch.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows
for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and
accounting—independently. Each service can be tied into its own database to take advantage of other services available
on that server or on the network, depending on the capabilities of the daemon.
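The separate authentication, authorization, and accounting services described above, wired to a TACACS+ daemon through AAA commands, as an added configuration example that is not part of the original guide. The server address 10.0.0.5, the shared key, and the rescue account are placeholders; the example uses the classic tacacs-server host and tacacs-server key commands, which newer releases replace with a tacacs server name block containing address ipv4 and key.

```cisco
! Added example, not from the original guide. Address, key and passwords
! are placeholders.
!
! AAA must be enabled before any TACACS+ method list can be used.
aaa new-model
tacacs-server host 10.0.0.5
tacacs-server key Sh4redK3y
!
! Local fallback account, used only when every TACACS+ server is unreachable.
! Configure it before applying the method lists from a remote session, or a
! dead daemon locks you out.
username rescue privilege 15 secret R3scu3P4ss
enable secret L15pass
!
! Authentication: ask the daemon first, then the local database.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: let the daemon set the EXEC privilege level and approve
! each level-15 command; "local" keeps the rescue account working offline.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: record each session and each level-15 command on the daemon.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 exec-timeout 10 0
```

Each service is configured independently, which is the modularity the text refers to: you can run authentication against TACACS+ while leaving authorization and accounting off, or log commands without authorizing them. Before relying on it, verify from a second session with show tacacs and a test login, and confirm the local fallback really works by testing with the daemon unreachable.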