Understanding How Login Authentication Works; Understanding How Local Authentication Works - Cisco WS-C2950SX-48-SI Configuration Manual


Understanding How Authentication Works

Note: Kerberos authentication does not work if TACACS+ is used as the authentication method.
When local authentication is enabled together with one or more other authentication methods, local
authentication is always attempted last. However, you can specify different authentication methods for
console and Telnet connections. For example, you might use local authentication for console connections
and RADIUS authentication for Telnet connections.
The following sections describe how the different authentication methods work.

Understanding How Login Authentication Works

Login authentication increases the security of the system by preventing unauthorized users from
guessing the password. The user is allowed only a specific number of attempts to successfully log in to
the switch. If the user fails to enter a valid password within that number of attempts, the system delays any
subsequent accesses and captures the user ID and the IP address of the station in the syslog and in the SNMP trap.
You can configure the maximum number of login attempts from the CLI and SNMP with the set
authentication login attempt command. (You would use the set authentication enable attempt
command to set login limits for accessing enable mode.) The configurable range is three (default) to ten
tries. Setting the limit to zero (0) disables login authentication.
All authentication methods (RADIUS, TACACS+, Kerberos, or local) are supported.
The lockout (delay) time is also configurable from the CLI and SNMP with the set authentication login
lockout command. (You would use the set authentication enable lockout <time> command to set a delay
time for accessing enable mode.) The configurable range is 30 to 43,200 seconds; setting the lockout time
to zero (0) disables this function.
If you are locked out at the console, the console does not allow you to log in during that lockout time. If
you are locked out from a Telnet session, the connection closes when the limit is reached. The switch
closes any subsequent access from that station during the lockout time and provides an appropriate
notice.
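The attempt limit and lockout behaviour described above, modelled as an added example (constructed here, not Cisco code and not CatOS itself): it enforces the documented configurable ranges, counts failures per station, records the user ID and station IP when the limit is reached, and refuses further access from that station for the lockout period.

```python
"""Model of the CatOS login-attempt limit and station lockout described above.
Constructed illustration, not Cisco code. Ranges follow the text: attempts are
0 (disabled) or 3..10, lockout is 0 (disabled) or 30..43,200 seconds."""
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    max_attempts: int = 3            # set authentication login attempt (default 3)
    lockout_seconds: int = 0         # set authentication login lockout (0 = disabled)
    failures: dict = field(default_factory=dict)      # station IP -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # station IP -> lockout expiry (seconds)
    syslog: list = field(default_factory=list)        # captured user ID / IP records

    def __post_init__(self):
        if self.max_attempts != 0 and not 3 <= self.max_attempts <= 10:
            raise ValueError("login attempt limit must be 0 or 3..10")
        if self.lockout_seconds != 0 and not 30 <= self.lockout_seconds <= 43200:
            raise ValueError("login lockout must be 0 or 30..43200 seconds")

    def attempt(self, user, station, password_ok, now):
        """Evaluate one login attempt at time `now` (seconds).
        Returns 'ok', 'denied', or 'locked' (station still inside its lockout window)."""
        if station in self.locked_until:
            if now < self.locked_until[station]:
                return "locked"                  # any access from that station is refused
            del self.locked_until[station]       # lockout time has elapsed
            self.failures.pop(station, None)
        if password_ok:
            self.failures.pop(station, None)     # success resets the failure counter
            return "ok"
        if self.max_attempts == 0:               # limit of 0 disables attempt counting
            return "denied"
        self.failures[station] = self.failures.get(station, 0) + 1
        if self.failures[station] >= self.max_attempts:
            # limit reached: record who and from where, then start the lockout (if enabled)
            self.syslog.append({"user": user, "ip": station, "time": now})
            if self.lockout_seconds:
                self.locked_until[station] = now + self.lockout_seconds
            self.failures.pop(station, None)
        return "denied"
```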

Understanding How Local Authentication Works

Local authentication uses locally configured login and enable passwords to authenticate login attempts.
The login and enable passwords are local to each switch and are not mapped to individual usernames.
Local authentication is enabled by default, but can be disabled if one of the other authentication methods
is enabled. If local authentication is disabled and you then disable all other authentication methods, local
authentication is reenabled automatically.
You can enable local authentication and one or more of the other authentication methods at the same
time. Local authentication is only attempted if the other authentication methods fail.
The authentication methods covered in this chapter are local user authentication, TACACS+ authentication, RADIUS authentication, and Kerberos authentication.

Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide, Chapter 30, Configuring Switch Access Using AAA, page 30-2, Release 8.1, 78-15486-01
