Displaying AAA Authentication; Authentication and Authorization Process - Cisco DS-X9530-SF1-K9 - Supervisor-1 Module - Control Processor Configuration Manual


Cisco MDS 9000 Family CLI Configuration Guide, Chapter 28: Configuring RADIUS and TACACS+ (OL-8222-01, Cisco MDS SAN-OS Release 3.x), page 28-20

Use the none option in the aaa authentication login command to disable password verification.

Caution: Use this option cautiously. If configured, any user will be able to access the switch at any time.

A user created using the username command will exist locally on the Cisco MDS 9000 Family switch.

Displaying AAA Authentication

The show aaa authentication command displays the configured authentication methods (see Example 28-12).

Example 28-12 Displays Authentication Information

    switch# show aaa authentication
    No AAA Authentication
             default: group TacServer local none
             console: local none
             iscsi: local
             dhchap: local

Authentication and Authorization Process

Authentication is the process of verifying the identity of the person managing the switch. This identity verification is based on the user ID and password combination provided by the person trying to manage the switch. The Cisco MDS 9000 Family switches allow you to perform local authentication (using the lookup database) or remote authentication (using one or more RADIUS servers or TACACS+ servers).

Figure 28-1 shows a flow chart of the process. The following steps explain the authorization and authentication process.

Step 1  When you can log in to the required switch in the Cisco MDS 9000 Family, you can use the Telnet, SSH, Fabric Manager/Device Manager, or console login options.

Step 2  When you have configured server groups using the server group authentication method, an authentication request is sent to the first AAA server in the group.
    - If the AAA server fails to respond, then the next AAA server is tried and so on until the remote server responds to the authentication request.
    - If all AAA servers in the server group fail to respond, then the servers in the next server group are tried.
    - If all configured methods fail, then the local database is used for authentication.

Step 3  If you are successfully authenticated through a remote AAA server, then the following possibilities apply.
    - If AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
    - If AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
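An added example, not taken from the Cisco guide: a Python audit that parses show aaa authentication output in the format of Example 28-12 and reports every service whose method list contains none, the option the caution above warns about. The function names are hypothetical, and the code assumes that group, local and none are the only method keywords and that every other token is a server group name.

```python
import re

# Constructed sample: the output format shown in Example 28-12.
SAMPLE = """\
switch# show aaa authentication
No AAA Authentication
         default: group TacServer local none
         console: local none
         iscsi: local
         dhchap: local
"""

# Matches "<service>: <method list>"; prompt and banner lines do not match.
LINE_RE = re.compile(r"^\s*(\w+):\s+(\S.*?)\s*$")
KEYWORDS = {"local", "none"}  # assumption: the only non-group method keywords


def parse_methods(output):
    """Return {service: [methods in the order they are tried]}."""
    services = {}
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        methods = []
        for token in match.group(2).split():
            if token == "group":
                continue  # the names that follow are server groups
            methods.append(token if token in KEYWORDS else "group " + token)
        services[match.group(1)] = methods
    return services


def audit(output):
    """Flag every service whose method list disables password verification."""
    findings = []
    for service, methods in parse_methods(output).items():
        if "none" in methods:
            position = methods.index("none") + 1
            findings.append((service, f"'none' is method {position} of {len(methods)}"))
    return findings


if __name__ == "__main__":
    for service, problem in audit(SAMPLE):
        print(f"{service}: {problem}")
```

Run against the sample, the audit reports the default and console method lists and leaves iscsi and dhchap alone.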
