Configuring the switch authentication method

Syntax

aaa authentication <console|telnet|ssh|web|port-access|rest> login tacacs

Selects the access method (console, Telnet, SSH, web, port-access, or REST) whose login authentication is being configured.

Parameters

<enable>

Example: aaa authentication ssh enable tacacs local

The server grants privileges at the manager privilege level.

<login [privilege-mode]>

Example: aaa authentication login privilege-mode

The server grants privileges at the operator privilege level. If the privilege-mode option is entered, TACACS+ single login is enabled: the TACACS+ server returns the authorized privilege level (operator or manager) to the switch at login. Default: single login disabled.

<local|tacacs|radius>

Selects the type of security access:

local

Authenticates with the manager and operator password you configure in the switch.

tacacs

Authenticates with a password and other data configured on a TACACS+ server.

radius

Authenticates with a password and other data configured on a RADIUS server.

[<local|none>]

If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access.

Example
switch(config)# aaa 
 accounting          Configure the accounting service on the device.
 authentication      Configure authentication parameters on the switch.
 authorization       Configure authorization parameters on the switch.
 port-access         Configure 802.1X (Port Based Network Access), MAC 
                     address based network access, or web 
                     authentication-based network access or the MACsec Key 
                     Agreement (MKA) protocol, or 802.1X-2010 support on the
                     device.
 server-group        Configure the RADIUS server, NAS-ID for the RADIUS 
                     server group.

switch(config)# aaa authentication
 lockout-delay         The number of seconds after repeated login failures 
                       before a user may again attempt login.
 login                 Specify that switch respects the authentication server's
                       privilege level.
 mac-based             Configure authentication mechanism used to control 
                       mac-based port access to the switch.
 num-attempts          The number of login attempts allowed.
 port-access           Configure authentication mechanism used to control 
                       access to the network.
 rest                  Configure authentication mechanism used to control REST
                       access to the switch.
 ssh                   Configure authentication mechanism used to control SSH 
                       access to the switch.
 telnet                Configure authentication mechanism used to control 
                       Telnet access to the switch.
 unlock                Unlock the user locked out from SSH/Telnet/Console 
                       access.
 user-based-lockout    Locking users based on the username for other access 
                       excluding the console access.
 web                   Configure authentication mechanism used to control web 
                       access to the switch.
 web-based             Configure authentication mechanism used to control 
                       web-based port access to the switch.

switch(config)# aaa authentication ssh 
 client                Configure SSH client authentication for the switch.
 enable                Configure access to the privileged mode commands.
 login                 Configure login access to the switch.

switch(config)# aaa authentication ssh login 
 local                 Use local switch user/password database.
 tacacs                Use TACACS+ server.
 radius                Use RADIUS server.
 peap-mschapv2         Use RADIUS server with PEAP-MSChapv2.
 public-key            Use local switch public key authentication database.
 certificate           Use the X.509 certificate.
 two-factor            Use the two-factor authentication method.

switch(config)# aaa authentication ssh login tacacs 
 local                 Use local switch user/password database.
 none                  Do not use backup authentication methods.
 authorized            Allow access without authentication.
 server-group          Specify the server group to use.
 two-factor-type       Use the certificate or public key for the first 
                       authentication method and username/password for the 
                       second authentication method.

Syntax

aaa authentication num-attempts <1-10>

Specifies the maximum number of login attempts allowed in the current session. Default is 3.
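The following Python script is an added example, not part of this documentation and not a tool shipped with the switch. It audits a constructed running-config fragment against the command forms described above: it parses each "aaa authentication <access-method> <login|enable> <primary> [<backup>]" line, the "login privilege-mode" and "num-attempts" lines, and reports the backup setting for each access method. The keyword sets (access methods, primary methods local/tacacs/radius, backup keywords local/none/authorized) come from the Syntax block and CLI help on this page; the sample config, the function names and the severity labels are constructed for the example. It flags a backup of "authorized", which the CLI help describes as allowing access without authentication, as the setting most worth catching in review, and notes "none" as refusing access when the primary method fails.

```python
"""Audit 'aaa authentication' lines from a switch config fragment.

Added example; grammar inferred from the Syntax and CLI help on this page:
  aaa authentication <access-method> <login|enable> <primary> [<backup>]
  aaa authentication login privilege-mode
  aaa authentication num-attempts <1-10>
Sample config, function names and severity labels are constructed.
"""
import re
from typing import Dict, List

# Keyword sets taken from the page's Syntax block and CLI help.
ACCESS_METHODS = {"console", "telnet", "ssh", "web", "port-access", "rest"}
PRIMARY_METHODS = {"local", "tacacs", "radius"}
BACKUP_METHODS = {"local", "none", "authorized"}

METHOD_RE = re.compile(
    r"^aaa authentication (?P<access>[\w-]+) (?P<mode>login|enable)"
    r" (?P<primary>[\w-]+)(?: (?P<backup>[\w-]+))?$"
)
ATTEMPTS_RE = re.compile(r"^aaa authentication num-attempts (?P<n>\d+)$")
PRIVMODE_RE = re.compile(r"^aaa authentication login privilege-mode$")

# Constructed sample config fragment (not captured from a real switch).
SAMPLE_CONFIG = """\
aaa authentication login privilege-mode
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
aaa authentication telnet login tacacs authorized
aaa authentication console login local
aaa authentication web login radius none
aaa authentication num-attempts 5
"""


def parse_config(text: str) -> Dict:
    """Collect per-access-method settings, num-attempts and privilege-mode."""
    result = {"methods": {}, "num_attempts": None,
              "privilege_mode": False, "unparsed": []}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line or line.startswith("#"):
            continue
        if PRIVMODE_RE.match(line):
            result["privilege_mode"] = True
            continue
        m = ATTEMPTS_RE.match(line)
        if m:
            result["num_attempts"] = int(m.group("n"))
            continue
        m = METHOD_RE.match(line)
        if (m and m.group("access") in ACCESS_METHODS
                and m.group("primary") in PRIMARY_METHODS):
            key = (m.group("access"), m.group("mode"))
            result["methods"][key] = {"primary": m.group("primary"),
                                      "backup": m.group("backup")}
            continue
        result["unparsed"].append(line)
    return result


def audit(text: str) -> List[str]:
    """Return findings for the fragment, most severe first."""
    cfg = parse_config(text)
    findings: List[str] = []
    for (access, mode), m in sorted(cfg["methods"].items()):
        primary, backup = m["primary"], m["backup"]
        if backup == "authorized":
            findings.append(f"HIGH: {access} {mode}: backup 'authorized' grants access "
                            f"without authentication whenever {primary} fails")
        elif backup == "none":
            findings.append(f"INFO: {access} {mode}: no backup; access is refused if "
                            f"{primary} fails, so keep a management path that does not depend on it")
        elif backup is None:
            findings.append(f"NOTE: {access} {mode}: no backup keyword given; confirm the switch default")
        elif backup not in BACKUP_METHODS:
            findings.append(f"WARN: {access} {mode}: unrecognised backup '{backup}'")
    n = cfg["num_attempts"]
    if n is None:
        findings.append("INFO: num-attempts not set; the documented default of 3 applies")
    elif not 1 <= n <= 10:
        findings.append(f"ERROR: num-attempts {n} out of range 1-10")
    for line in cfg["unparsed"]:
        findings.append(f"WARN: unparsed line: {line}")
    order = {"HIGH": 0, "ERROR": 1, "WARN": 2, "NOTE": 3, "INFO": 4}
    findings.sort(key=lambda f: order[f.split(":")[0]])  # stable sort by severity
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved "show running-config" excerpt to list, per access method, which backup keyword is in force; the one line a reviewer most wants to see is a telnet, SSH, web or REST login whose backup is "authorized".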