147
Configuring Switch-Based Authentication
Information About Configuring Switch-Based Authentication
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process occurs:
1. When the connection is established, the switch contacts the TACACS+ daemon to obtain a username prompt to
show to the user. The user enters a username, and the switch then contacts the TACACS+ daemon to obtain a
password prompt. The switch displays the password prompt to the user, the user enters a password, and the
password is then sent to the TACACS+ daemon.
TACACS+ allows a dialog between the daemon and the user until the daemon receives enough information to
authenticate the user. The daemon prompts for a username and password combination, but can include other items,
such as the user’s mother’s maiden name.
2. The switch eventually receives one of these responses from the TACACS+ daemon:
• ACCEPT—The user is authenticated and service can begin. If the switch is configured to require authorization,
authorization begins at this time.
• REJECT—The user is not authenticated. The user can be denied access or is prompted to retry the login
sequence, depending on the TACACS+ daemon.
• ERROR—An error occurred at some time during authentication with the daemon or in the network connection
between the daemon and the switch. If an ERROR response is received, the switch typically tries to use an
alternative method for authenticating the user.
• CONTINUE—The user is prompted for additional authentication information.
After authentication, the user undergoes an additional authorization phase if authorization has been enabled on the
switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+
authorization.
3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT
authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes that
direct the EXEC or NETWORK session for that user and the services that the user can access:
• Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
• Connection parameters, including the host or client IP address, access list, and user timeouts
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When
enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Note: Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates HTTP
connections that have been configured with a privilege level of 15.
TACACS+ Server Host and the Authentication Key
You can configure the switch to use a single server or AAA server groups to group existing server hosts for
authentication. You can group servers to select a subset of the configured server hosts and use them for a particular
service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server
hosts.
To Next Page
Loading...
Need help?
General
