Table 9-30 Keywords For Cnfaaa_Authen And Cnfaaa-Author Commands - Cisco MGX 8850 (PXM1E/PXM45) Configuration Manual


Managing Remote (TACACS+) Authentication and Authorization

Table 9-30 Keywords for cnfaaa-authen and cnfaaa-author Commands

Keyword: cisco
Description: The cisco keyword selects the local database for authentication or authorization and limits access only to the user cisco.
Note: User cisco access method is always enabled and is used for authentication and authorization when all other methods fail. However, you can configure the user cisco access method to have a higher priority than other authentication or authorization methods.

Keyword: default
Description: The default keyword selects the local (on the switch) database for authentication or authorization. This keyword produces the same result as the local keyword. When this method is chosen for authorization (which is described in the next section), it is only valid for group mode.

Keyword: local
Description: The local keyword selects the local database for authentication or authorization. When this method is chosen for authorization, it is only valid for group mode.

Keyword: tacacs+
Description: The tacacs+ keyword selects authentication or authorization through TACACS+ protocol communications with an AAA server.

You can select multiple authentication methods. When a user attempts to authenticate, the switch uses the authentication methods in the configured order. If the first method attempted does not return a pass or fail for the user, the next method is attempted. For example, if the configured methods are "tacacs+ local" and no TACACS+ servers are available, the switch will use the local database to authenticate users.

When TACACS+ is used for authentication, it is not very practical to use the local database for a backup. A prime advantage of the TACACS+ method is that you do not have to configure users in the local database on every switch. When the configuration uses the local database for backup, user data must be entered into the AAA server and at every switch in the network, and updates must be manually synchronized on the switch and server. A more practical approach is to establish fault tolerance by setting up multiple AAA servers.

The cisco method listed in Table 9-30 is always enabled and is the last authentication method attempted if it is not configured before the local or tacacs+ methods. This ensures that the user cisco can access the switch when the AAA servers are unavailable.

To configure authentication, log in using a username with SERVICE_GP privileges or higher and enter the cnfaaa-authen command using the following format:

M8850_LA.7.PXM.a > cnfaaa-authen <method> [<method>...]

Replace the method variables with one of the keywords listed in Table 9-30. The first method after the command name is the preferred method. You can enter up to three methods. The second method is used when the first method does not produce a pass or fail, and the third method is used when the second method cannot authenticate the user.

Note: If you enter the cnfaaa-authen command and specify the tacacs+ method, and if no AAA servers are configured, the command will fail. Configure AAA servers with the cnfaaa-server command before you configure authentication.

Cisco MGX 8850 (PXM1E/PXM45), Cisco MGX 8950, Cisco MGX 8830, and Cisco MGX 8880 Configuration Guide, Release 5.0.10, OL-3845-01 Rev. B0, August 16, 2004. Chapter 9, Switch Operating Procedures, page 9-68.
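The method-ordering rules described above can be modeled in a few lines to show why a stale local account matters when the local database backs up TACACS+. This is an added example, not Cisco code or switch output. The function names, sample users and passwords are constructed, and it assumes the cisco method gives no verdict for usernames other than cisco.

```python
import hmac

KEYWORDS = ("cisco", "default", "local", "tacacs+")

def effective_order(methods, aaa_server_configured):
    """Validate a cnfaaa-authen method list; return the order actually tried."""
    if not 1 <= len(methods) <= 3:
        raise ValueError("enter one to three methods")
    for m in methods:
        if m not in KEYWORDS:
            raise ValueError(f"unknown method keyword: {m}")
    if "tacacs+" in methods and not aaa_server_configured:
        raise ValueError("configure an AAA server (cnfaaa-server) before tacacs+")
    # The cisco method is always enabled: tried last unless configured earlier.
    return list(methods) if "cisco" in methods else list(methods) + ["cisco"]

def _matches(db, user, password):
    return user in db and hmac.compare_digest(db[user], password)

def try_method(method, user, password, local_db, aaa_db, aaa_reachable):
    """Return True (pass), False (fail) or None (no pass or fail)."""
    if method == "tacacs+":
        return _matches(aaa_db, user, password) if aaa_reachable else None
    if method == "cisco":
        # Assumption: the cisco method gives no verdict for other usernames.
        return _matches(local_db, user, password) if user == "cisco" else None
    return _matches(local_db, user, password)  # local and default

def authenticate(methods, user, password, local_db, aaa_db, aaa_reachable):
    """Walk the method list; the first method that gives a verdict decides."""
    for method in effective_order(methods, aaa_server_configured=True):
        verdict = try_method(method, user, password, local_db, aaa_db, aaa_reachable)
        if verdict is not None:
            return method, verdict
    return None, False  # no method produced a verdict: deny

# Constructed sample data: bob was removed from the AAA server, but his
# entry in this switch's local database was never cleaned up.
AAA_DB = {"alice": "a-pass"}
LOCAL_DB = {"cisco": "c-pass", "bob": "b-pass"}

def demo():
    cfg = ["tacacs+", "local"]
    return {
        "bob, AAA up": authenticate(cfg, "bob", "b-pass", LOCAL_DB, AAA_DB, True),
        "bob, AAA down": authenticate(cfg, "bob", "b-pass", LOCAL_DB, AAA_DB, False),
        "cisco, AAA down": authenticate(["tacacs+"], "cisco", "c-pass", LOCAL_DB, AAA_DB, False),
    }
```

While the AAA server answers, its rejection of bob is final and the local entry is never consulted. Only during an outage does the unsynchronized local entry decide the login, which is the manual-synchronization burden the text warns about.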
