Configuring Authentication For Network Access; Authentication Overview - Cisco Catalyst 6500 Series Configuration Manual
Catalyst 6500 series switch and
cisco 7600 series router firewall services
Hide thumbs
Also See for Catalyst 6500 Series:
- Software configuration manual (570 pages) ,
- Configuration note (212 pages) ,
- Installation manual (194 pages)
Table of Contents
Advertisement
Configuring Authentication for Network Access
Table 12-3 CLI Authentication and Command Authorization Lockout Scenarios (continued)
Feature
Lockout Condition Description
TACACS+
You are logged in
command
as a user without
authorization
enough privileges
or as a user that
does not exist
Local command
You are logged in
authorization
as a user without
enough privileges
Configuring Authentication for Network Access
This section includes the following topics:
•
•
•
Authentication Overview
The FWSM lets you configure network access authentication using RADIUS or TACACS+ servers.
Although you can configure network access authentication for any protocol or service, you can
authenticate directly with HTTP, Telnet, or FTP only. A user must first authenticate with one of these
services before other traffic that requires authentication is allowed through. If you do not want to allow
HTTP, Telnet, or FTP through the FWSM, but want to authenticate other types of traffic, you can
configure virtual Telnet; the user Telnets to a given IP address configured on the FWSM, and the FWSM
provides a Telnet prompt. See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall
Services Module Command Reference for more information about the virtual telnet command.
A user at a given IP address only needs to authenticate one time for all rules and types, until the
authentication session expires. (See the timeout uauth command in the Catalyst 6500 Series Switch and
Cisco 7600 Series Router Firewall Services Module Command Reference for timeout values.) For
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
12-20
You enable command
authorization, but then
find that the user
cannot enter any more
commands.
You enable command
authorization, but then
find that the user
cannot enter any more
commands.
Authentication Overview, page 12-20
Enabling Network Access Authentication, page 12-21
Enabling Secure Authentication of Web Clients, page 12-22
Workaround: Single Mode
Fix the TACACS+ server
user account.
If you do not have access to
the TACACS+ server and
you need to configure the
FWSM immediately, then
log into the maintenance
partition and reset the
passwords and aaa
commands. See the
"Clearing the Application
Partition Passwords and
AAA Settings" section on
page
17-9.
Log into the maintenance
partition and reset the
passwords and aaa
commands. See the
"Clearing the Application
Partition Passwords and
AAA Settings" section on
page
17-9.
Chapter 12
Configuring AAA
Workaround: Multiple Mode
Session into the FWSM
from the switch. From the
system execution space, you
can change to the context
and complete the
configuration changes. You
can also disable command
authorization until you fix
the TACACS+
configuration.
Session into the FWSM
from the switch. From the
system execution space, you
can change to the context
and change the user level.
OL-6392-01
Advertisement
Table of Contents
Troubleshooting
