Authentication parameters

Table 2: AAA Authentication Parameters

| Name | Default | Range | Function |
|---|---|---|---|
| console, Telnet, SSH, web, port-access, or REST | n/a | n/a | Specifies the access method used when authenticating. TACACS+ authentication only uses the console, Telnet, or SSH access methods. |
| enable | n/a | n/a | Specifies the manager (read/write) privilege level for the access method being configured. |
| login <privilege-mode> | privilege-mode disabled | n/a | login: Specifies the operator (read-only) privilege level for the access method being configured. The privilege-mode option enables TACACS+ for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server. |
| local - or - tacacs | local | n/a | Specifies the primary method of authentication for the access method being configured. local: Use the user name/password pair configured locally in the switch for the privilege level being configured. tacacs: Use a TACACS+ server. |
| local - or - none | none | n/a | Specifies the secondary (backup) type of authentication being configured. local: The user name/password pair configured locally in the switch for the privilege level being configured. none: No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.) |
| num-attempts | 3 | 1 - 10 | In a given session, specifies how many attempts at entering the correct user name/password pair are allowed before access is denied and the session terminated. |

NOTE: If you do not specify the secondary parameter in the command line, the switch automatically assigns the secondary method as follows:
  • If the primary method is tacacs, the only secondary method is local.

  • If the primary method is local, the default secondary method is none.

Table 3: Primary/secondary authentication table

| Access method and privilege level | Primary | Secondary | Effect on access methods |
|---|---|---|---|
| Console — Login | local | none* | Local user name/password access only. |
| Console — Login | tacacs | local | If TACACS+ server is unavailable, uses local user name/password access. |
| Console — Enable | local | none | Local user name/password access only. |
| Console — Enable | tacacs | local | If TACACS+ server is unavailable, uses local user name/password access. |
| REST — Login | local | none | Local user name/password access only. |
| REST — Login | tacacs | local | If TACACS+ server is unavailable, uses local user name/password access. |
| REST — Enable | local | none | Local user name/password access only. |
| REST — Enable | tacacs | local | If TACACS+ server is unavailable, uses local user name/password access. |
| Telnet — Login | local | none* | Local user name/password access only. |
| Telnet — Login | tacacs | local | If TACACS+ server is unavailable, uses local user name/password access. |
| Telnet — Login | tacacs | none | If TACACS+ server is unavailable, denies access. |
| Telnet — Enable | local | none | Local user name/password access only. |
| Telnet — Enable | tacacs | local | If TACACS+ server is unavailable, uses local user name/password access. |
| Telnet — Enable | tacacs | none | If TACACS+ server is unavailable, denies access. |
| SSH — Login | local | none | Local user name/password access only. |
| SSH — Login | tacacs | local | If TACACS+ server is unavailable, uses local user name/password access. |
| SSH — Enable | local | none | Local user name/password access only. |
| SSH — Enable | tacacs | local | If TACACS+ server is unavailable, uses local user name/password access. |

CAUTION:

Regarding the use of local for login primary access:

During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the operator password, and read-write access if you enter the manager password. For example, suppose the switch is configured with Telnet Login Primary as Local and Telnet Enable Primary as TACACS+. When you attempt to Telnet to the switch, you are prompted for a local password. If you enter the switch's local manager password (or if there is no local manager password configured in the switch), you bypass the TACACS+ server authentication configured for Telnet Enable Primary and go directly to read-write (manager) access. Thus, for either the Telnet or console access method, it is recommended not to configure Login Primary for Local authentication while configuring Enable Primary for TACACS+. If you want primary log-in attempts to go to a TACACS+ server, configure both Login Primary and Enable Primary for TACACS+ authentication instead of configuring Login Primary for Local authentication.
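The rules in Table 3, the NOTE on auto-assigned secondary methods, and the CAUTION above can all be checked mechanically against a saved configuration. The following script is an added example written for this page, not code from the switch documentation or from HPE/Aruba. It assumes the CLI line shape `aaa authentication <method> <login|enable> [privilege-mode] <primary> [<secondary>]`, which is inferred from the parameter names in Table 2, and the sample configuration it parses is constructed, not captured from a real switch. It reports two things a reviewer would want to know: any path whose login primary is local while its enable primary is tacacs (the bypass the CAUTION describes), and any tacacs/none path that denies all access when the server is unreachable (a lockout risk during an outage).

```python
import re

# Added example (not from the switch documentation): audit "aaa authentication"
# lines against the primary/secondary rules in Tables 2 and 3 and the CAUTION.
# The line syntax below is an assumption based on the parameter names in Table 2:
#   aaa authentication <method> <login|enable> [privilege-mode] <primary> [<secondary>]

METHODS = {"console", "telnet", "ssh", "web", "port-access", "rest"}

LINE_RE = re.compile(
    r"^\s*aaa authentication\s+(?P<method>[\w-]+)\s+(?P<level>login|enable)"
    r"(?:\s+privilege-mode)?\s+(?P<primary>local|tacacs)"
    r"(?:\s+(?P<secondary>local|none))?\s*$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (method, level, primary, secondary) or None for non-matching lines.

    A missing secondary is filled in the way the NOTE in Table 2 describes:
    tacacs -> local (the only possible secondary), local -> none (the default).
    """
    m = LINE_RE.match(line)
    if not m or m["method"].lower() not in METHODS:
        return None
    primary = m["primary"].lower()
    secondary = m["secondary"]
    if secondary is None:
        secondary = "local" if primary == "tacacs" else "none"
    return (m["method"].lower(), m["level"].lower(), primary, secondary.lower())


def parse_config(text):
    """Parse every matching line of a running-config dump, in file order."""
    return [p for p in (parse_line(line) for line in text.splitlines()) if p]


def effect(path, tacacs_available):
    """Which credential store decides access for this path, per Table 3.

    Returns "local", "tacacs" or "denied".
    """
    _, _, primary, secondary = path
    if primary == "local":
        return "local"  # local primary: only the switch's own passwords are checked
    if tacacs_available:
        return "tacacs"
    return "local" if secondary == "local" else "denied"


def audit(text):
    """Return (method, finding) tuples for the risks the documentation calls out."""
    findings = []
    by_method = {}
    for method, level, primary, secondary in parse_config(text):
        by_method.setdefault(method, {})[level] = (primary, secondary)
        if primary == "tacacs" and secondary == "none":
            # Table 3: fail-closed path; a server outage locks administrators out
            findings.append((method, f"{level}-tacacs-none-denies-when-server-unavailable"))
    for method, levels in by_method.items():
        login = levels.get("login")
        enable = levels.get("enable")
        # CAUTION: a local login primary lets the local manager password
        # reach manager access without ever consulting the TACACS+ server
        if login and enable and login[0] == "local" and enable[0] == "tacacs":
            findings.append((method, "local-login-bypasses-tacacs-enable"))
    return findings


# Constructed sample configuration (not captured from a real switch).
SAMPLE_CONFIG = """\
hostname switch-lab
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication telnet login local
aaa authentication telnet enable tacacs
aaa authentication ssh login tacacs none
aaa authentication num-attempts 3
"""

if __name__ == "__main__":
    for path in parse_config(SAMPLE_CONFIG):
        print(path, "-> server unavailable:", effect(path, False))
    for method, finding in audit(SAMPLE_CONFIG):
        print(f"{method}: {finding}")
```

On the constructed configuration the audit flags the Telnet path (login primary local, enable primary tacacs) and the SSH login path (tacacs with secondary none, which denies access whenever the server is unreachable). The `num-attempts` line is ignored by the parser because it is not a method/privilege path; extending the regex to capture it and check the 1 - 10 range is a natural next step.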