4-14
TACACS+ Authentication
Configuring TACACS+ on the Switch
As shown in the next table, login and enable access is always available locally
through a direct terminal connection to the switch’s console port. However,
for Telnet access, you can configure TACACS+ to deny access if a TACACS+
server goes down or otherwise becomes unavailable to the switch.
Table 4-2. Primary/Secondary Authentication Table for Console and Telnet
Caution
Regarding the
Use of Local for
Login Primary
Access
During local authentication (which uses passwords configured in the switch
instead of in a TACACS+ server), the switch grants read-only access if you
enter the Operator password, and read-write access if you enter the Manager
password. For example, if you configure authentication on the switch with
Telnet Login Primary as local and Telnet Enable Primary as tacacs and then
attempt to Telnet to the switch, you will be prompted for a local password. If
you enter the switch’s local Manager password (or, if there is no local Manager
password configured in the switch), you bypass the TACACS+ server authen-
tication for Telnet Enable Primary and go directly to Manager access. Thus,
for either Telnet or Console access method, configuring Login Primary for
local authentication while configuring Enable Primary for tacacs authentica-
tion is not recommended, as it defeats the purpose of using the TACACS+
authentication. If you want Enable Primary log-in attempts to go to a
TACACS+ server, you should configure both Login Primary and Enable Pri-
mary for tacacs authentication.
Access Method and
Privilege Level
Authentication Options Effect on Access Attempts
Primary Secondary
Console — Login local none* Local username/password access only.
tacacs local If Tacacs+ server unavailable, uses local username/password access.
Console — Enable local none* Local username/password access only.
tacacs local If Tacacs+ server unavailable, uses local username/password access.
Telnet — Login local none* Local username/password access only.
tacacs local If Tacacs+ server unavailable, uses local username/password access.
tacacs none If Tacacs+ server unavailable, denies access.
Telnet — Enable local none* Local username/password access only.
tacacs local If Tacacs+ server unavailable, uses local username/password access.
tacacs none If Tacacs+ server unavailable, denies access.
*When “local” is the primary option, you can also select “local” as the secondary option. However, in this case, a
secondary “local” is meaningless because the switch has only one local level of username/password protection.
To Next Page
Loading...
Need help?
General
