Configuring the TACACS+ server for single login

For the single login feature to work correctly you must check some entries in the User Setup on the TACACS+ server:

Procedure
  1. In the User Setup, scroll to the Advanced TACACS+ Settings section.
  2. Make sure the radio button for "Max Privilege for any AAA Client" is checked and the level is set to 15, as shown in Advanced TACACS+ settings section of the TACACS+ server user setup.
  3. Privileges are represented by the numbers 0 through 15, with zero allowing only operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that will allow manager level access on the switch.
    Advanced TACACS+ settings section of the TACACS+ server user setup
  4. Scroll down to the section that begins with "Shell", see The shell section of the TACACS+ server user setup. Check the Shell box.
  5. Check the Privilege level box and set the privilege level to 15 to allow "root" privileges. This allows you to use the single login option.
    The shell section of the TACACS+ server user setup

As shown in Configuring the switch TACACS+ server access, login and enable access is always available locally through a direct terminal connection to the switch console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.

Primary/secondary authentication table

Access method and privilege level

Authentication options

Effect on access attempts

Primary

Secondary

Console — Login

local

none*

Local username/password access only.

tacacs

local

If Tacacs+ server unavailable, uses local username/password access.

Console — Enable

local

none

Local username/password access only.

tacacs

local

If Tacacs+ server unavailable, uses local username/password access.

Telnet — Login

local

none*

Local username/password access only.

tacacs

local

If Tacacs+ server unavailable, uses local username/password access.

tacacs

none

If Tacacs+ server unavailable, denies access.

Telnet — Enable

local

none

Local username/password access only.

tacacs

local

If Tacacs+ server unavailable, uses local username/password access.

tacacs

none

If Tacacs+ server unavailable, denies access.

CAUTION: Regarding the use of local for login primary access:

During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the operator password, and read-write access if you enter the manager password. For example, if you configure authentication on the switch with Telnet Login Primary as Local and Telnet Enable Primary as Tacacs, when you attempt to Telnet to the switch, you will be prompted for a local password. If you enter the switch local manager password (or, if there is no local manager password configured in the switch) you can bypass the TACACS+ server authentication for Telnet Enable Primary and go directly to read-write (manager) access. Thus, for either the Telnet or console access method, configuring Login Primary for Local authentication while configuring Enable Primary for TACACS+ authentication is not recommended, as it defeats the purpose of using the TACACS+ authentication. If you want Enable Primary log-in attempts to go to a TACACS+ server, then you should configure both Login Primary and Enable Primary for Tacacs authentication instead of configuring Login Primary to Local authentication.

Access options

The following is a set of access options and the corresponding commands to configure them:

  • Console login (operator or read-only) access, primary using TACACS+ server and secondary using local
    switch(config)#aaa authentication console login tacacs local
  • Console enable (manager or read/write) access, primary using TACACS+ server and secondary using local
    switch(config)#aaa authentication console enable tacacs local
  • Telnet login (operator or read-only) access, primary using TACACS+ server and secondary using local
    switch(config)#aaa authentication Telnet login tacacs local
  • Telnet enable (manager or read/write) access, primary using TACACS+ server and secondary using local
    switch(config)#aaa authentication telnet enable tacacs local
  • Deny access and close the session after failure of two consecutive username/password pairs
    switch(config)#aaa authentication num-attempts 2