TACACS+ Authentication
Overview
TACACS+ authentication enables you to use a central server to allow or deny access to the switches covered in this guide (and other TACACS-aware devices) in your network. This means that you can use a central database to create multiple unique username/password sets with associated privilege levels for use by individuals who have reason to access the switch from either the switch’s console port (local access) or Telnet (remote access).
Feature                                                   Default   Menu  CLI        Web
view the switch’s authentication configuration            n/a       —     page 5-8   —
view the switch’s TACACS+ server contact configuration    n/a       —     page 5-9   —
configure the switch’s authentication methods             disabled  —     page 5-10  —
configure the switch to contact TACACS+ server(s)         disabled  —     page 5-17  —

Figure 5-1. Example of TACACS+ Operation

[Figure 5-1: a switch configured for TACACS+ operation. Terminal “A” directly accesses the switch via the switch’s console port (A1 - A4: path for the request from Terminal A), and Terminal “B” remotely accesses the switch via Telnet (B1 - B4: path for the request from Terminal B). The switch sends an Access Request to the Primary TACACS+ Server and receives the TACACS Server Response.]

The switch passes the login requests from terminals A and B to the TACACS+ server for authentication. The TACACS+ server determines whether to allow access to the switch and what privilege level to allow for a given access request.
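The access request in Figure 5-1 at the wire level, as an added example that is not part of this guide or the switch firmware: it builds the TACACS+ authentication START packet a switch sends for a login attempt and parses it as the server would, following the RFC 8907 packet layout, which this page does not describe. The shared key only obfuscates the body with an MD5-derived XOR pad (RFC 8907 calls this obfuscation, not encryption); the user name, port name, remote address, session id and key below are constructed sample values.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants; the switch sends seq_no 1, the server answers with seq_no 2
VERSION = 0xC0                  # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01              # authentication packet
ACTION_LOGIN = 0x01             # START action
AUTHEN_TYPE_ASCII = 0x01        # plain username/password dialogue
AUTHEN_SVC_LOGIN = 0x01         # login service
HEADER = "!BBBB4sI"             # version, type, seq_no, flags, session_id, body length

def pseudo_pad(session_id: bytes, key: bytes, seq_no: int, length: int) -> bytes:
    """MD5 chain from RFC 8907 section 4.5: MD5(session_id|key|version|seq_no|previous digest)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: bytes, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it (obfuscation, not encryption)."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start(user: str, port: str, rem_addr: str, session_id: bytes, key: bytes,
                 priv_lvl: int = 1) -> bytes:
    """Switch side: the authentication START packet for one login attempt (flags 0 = body obfuscated)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack(HEADER, VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, 1)

def parse_start(packet: bytes, key: bytes) -> dict:
    """Server side: check the header, de-obfuscate the body and pull out the login fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    if version != VERSION or ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a well-formed TACACS+ authentication packet")
    body = obfuscate(packet[12:], session_id, key, seq_no)
    action, priv_lvl, _atype, _svc, ul, pl, rl, _dl = struct.unpack("!8B", body[:8])
    if action != ACTION_LOGIN or 8 + ul + pl + rl > len(body):
        raise ValueError("bad START body (wrong shared key?)")
    fields, off = {"priv_lvl": priv_lvl}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl)):
        fields[name] = body[off:off + n].decode("ascii", errors="replace")
        off += n
    return fields
```

A server configured with a different shared key recovers garbage from the body and, in most cases, rejects the packet in the START body check; the privilege level carried in START is only the level the client requests, the server decides what to grant.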