Local authentication process

When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions is met:
  • Local is the authentication option for the access method being used.

  • The switch is configured to query one or more TACACS+ servers for a primary authentication request, but has not received a response, and Local is the configured secondary option.

For local authentication, the switch uses the operator-level and manager-level user name/password sets previously configured locally on the switch. These are the user names and passwords you configure using the CLI password command or the WebAgent.
  • If the operator at the requesting terminal correctly enters the user name/password pair for either access level (operator or manager), access is granted on the basis of which user name/password pair was used. For example, consider configuring Telnet primary access for TACACS+ and Telnet secondary access for local. If a TACACS+ access attempt fails, you can still get either operator-level or manager-level access by entering the correct user name/password pair for the level you want to enter.

  • If the user name/password pair entered at the requesting terminal does not match a local user name/password pair previously configured in the switch, access is denied. In this case, the terminal is again prompted to enter a user name/password pair. In the default configuration, the switch allows up to three attempts. If the requesting terminal exhausts the attempt limit without a successful authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.
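
The decision flow described above, modelled in Python as an added example (not code from the switch or its vendor). The function names, the sample accounts, and the three-valued server reply are assumptions made for illustration.

```python
import hmac
from enum import Enum

class Reply(Enum):              # modelled result of the TACACS+ query
    ACCEPT = 1
    REJECT = 2
    NO_RESPONSE = 3

# Constructed sample credentials, not values from a real switch.
LOCAL_ACCOUNTS = {"operator": ("oper", "oper-pass"),
                  "manager": ("admin", "mgr-pass")}

def uses_local(primary, secondary, reply):
    """Local authentication applies only in the two cases listed above."""
    if primary == "local":
        return True
    return (primary == "tacacs" and secondary == "local"
            and reply is Reply.NO_RESPONSE)

def local_level(user, password, accounts=LOCAL_ACCOUNTS):
    """Access level whose user name/password pair matches, else None."""
    for level, (name, secret) in accounts.items():
        name_ok = hmac.compare_digest(user.encode(), name.encode())
        pass_ok = hmac.compare_digest(password.encode(), secret.encode())
        if name_ok and pass_ok:
            return level
    return None

def login_session(primary, secondary, reply, attempts, max_attempts=3):
    """Return (source, outcome) for one login session.

    attempts: user name/password pairs typed at the prompt, in order.
    """
    if not uses_local(primary, secondary, reply):
        # A server answer is final; a reject never falls through to local.
        # Assumption: no response and no local secondary means no access.
        return "tacacs", "granted" if reply is Reply.ACCEPT else "denied"
    for user, password in attempts[:max_attempts]:
        level = local_level(user, password)
        if level:
            return "local", level
    return "local", "session terminated"
```

The case worth checking on a real deployment is the second one in the model: a local account only becomes usable on a TACACS+-primary access method while the servers are not answering, so an unexpected local login is a signal that the servers were unreachable at that time.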