HP Cisco MDS 9020 - Fabric Switch Configuration Manual page 763

Cisco MDS 9000 Family CLI Configuration Guide, Release 3.x (OL-16184-01, April 2008)

Chapter 32
Configuring RADIUS and TACACS+
Send documentation comments to mdsfeedback-doc@cisco.com
Step 3  When you are successfully authenticated through a remote AAA server, then the following possible actions are taken:

  - If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
  - If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
  - If user roles are not successfully retrieved from the remote AAA server, then the user is assigned the network-operator role.

Step 4  When your user name and password are successfully authenticated locally, you are allowed to log in, and you are assigned the roles configured in the local database.
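
An added example, not taken from the Cisco guide: the role-assignment outcome of Steps 3 and 4 modelled in Python, so that an auditor can see which remote logins would land on the network-operator fallback. The `shell:roles="..."` value format, the function names and the sample records are assumptions made for this illustration.

```python
import re

DEFAULT_ROLE = "network-operator"  # fallback role named in Step 3

# Assumed value format for this example: shell:roles="role1 role2"
_ROLES_RE = re.compile(r'^\s*shell:roles\s*=\s*"?([^"]*)"?\s*$')


def roles_from_avpairs(avpairs):
    """Collect role names from cisco-av-pair strings, in order, without duplicates."""
    roles = []
    for value in avpairs:
        match = _ROLES_RE.match(value)
        if not match:
            continue  # unrelated or malformed av-pair: contributes no roles
        for role in match.group(1).split():
            if role not in roles:
                roles.append(role)
    return roles


def effective_roles(source, avpairs=None, local_roles=None):
    """Roles after a successful login; source is 'radius', 'tacacs+' or 'local'."""
    if source == "local":
        return list(local_roles or [])  # Step 4: roles from the local database
    if source in ("radius", "tacacs+"):
        # Step 3: roles returned by the AAA server, else the default role
        return roles_from_avpairs(avpairs or []) or [DEFAULT_ROLE]
    raise ValueError(f"unknown authentication source: {source!r}")


def fallback_users(records):
    """Names of remotely authenticated users whose roles could not be retrieved."""
    return [r["user"] for r in records
            if r["source"] != "local" and not roles_from_avpairs(r["avpairs"])]


# Constructed sample records (not from the guide)
SAMPLE = [
    {"user": "alice", "source": "radius", "avpairs": ['shell:roles="network-admin vsan-admin"']},
    {"user": "bob", "source": "radius", "avpairs": ["shell:priv-lvl=15"]},
    {"user": "carol", "source": "tacacs+", "avpairs": ['shell:roles=""']},
    {"user": "dave", "source": "tacacs+", "avpairs": ["shell:roles=network-operator"]},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["user"], effective_roles(rec["source"], rec["avpairs"]))
    print("fallback:", fallback_users(SAMPLE))
```

A user who is explicitly given network-operator by the server (dave in the sample) is not reported as a fallback; only missing or unparseable role attributes are.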

Figure 32-2 shows a flow chart of the authorization and authentication process.

Figure 32-2    Switch Authorization and Authentication Flow
[Flow chart not reproduced. Node labels: Start; Incoming access request to switch; Local; Remote; First or next server lookup; No more servers left; Found a RADIUS server; RADIUS Lookup; No response; Accept; Access permitted; Local database lookup; Success; Failure; Denied access.]

Switch AAA Functionalities