authentication login
is attempted on the TACACS+ server. If the TACACS+ server is not available, the
local user name and password are checked.
Example
Console(config)#authentication enable radius
Console(config)#
Related Commands
enable password - sets the password for changing command modes (244)
This command defines the login authentication method and precedence. Use the
no form to restore the default.
Syntax
authentication login {[local] [radius] [tacacs]}
no authentication login
local - Use local password.
radius - Use RADIUS server password.
tacacs - Use TACACS server password.
Default Setting
Local
Command Mode
Global Configuration
Command Usage
◆ RADIUS uses UDP while TACACS+ uses TCP. UDP only offers best-effort delivery,
while TCP offers a connection-oriented transport. Also, note that RADIUS
encrypts only the password in the access-request packet from the client to the
server, while TACACS+ encrypts the entire body of the packet.
◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for
each user name and password pair. The user name, password, and privilege
level must be configured on the authentication server.
◆ You can specify three authentication methods in a single command to indicate
the authentication sequence. For example, if you enter "authentication login
radius tacacs local," the user name and password on the RADIUS server are
verified first. If the RADIUS server is not available, then authentication is
attempted on the TACACS+ server. If the TACACS+ server is not available, the
local user name and password are checked.
Chapter 8 | Authentication Commands
Authentication Sequence
– 249 –