Password Commands
Page 146 7450 ESS System Mangement Guide
authentication-order
Syntax authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
no authentication-order
Context config>system>security>password
Description This command configures the sequence in which password authentication, authorization, and
accounting is attempted among RADIUS, TACACS+, and local passwords.
The order should be from the most preferred authentication method to the least preferred. The pres-
ence of all methods in the command line does not guarantee that they are all operational. Specifying
options that are not available delays user authentication.
If all (operational) methods are attempted and no authentication for a particular login has been
granted, then an entry in the security log register the failed attempt. Both the attempted login identifi-
cation and originating IP address is logged with the a timestamp.
The no form of the command reverts to the default authentication sequence.
Default authentication-order radius tacplus local - The preferred order for password authentication is 1.
RADIUS, 2. TACACS+ and 3. local passwords.
Parameters method-1 — The first password authentication method to attempt.
Default radius
Values radius, tacplus, local
method-2 — The second password authentication method to attempt.
Default tacplus
Values radius, tacplus, local
method-3 — The third password authentication method to attempt.
Default local
Values radius, tacplus, local
radius — RADIUS authentication.
tacplus — TACACS+ authentication.
local — Password authentication based on the local password database.
exit-on-reject — When enabled and if one of the AAA methods configured in the authentication
order sends a reject, then the next method in the order will not be tried. If the exit-on-reject
keyword is not specified and if one AAA method sends a reject, the next AAA method will be
attempted. If in this process, all the AAA methods are exhausted, it will be considered as a reject.
Note that a rejection is distinct from an unreachable authentication server. When the exit-on-
reject keyword is specified, authorization and accounting will only use the method that provided
an affirmation authentication; only if that method is no longer readable or is removed from the
configuration will other configured methods be attempted. If the local keyword is the first
authentication and:
To Next Page
Loading...
