Configuring RADIUS and TACACS+
Authentication is the process of verifying the identity of the person or device accessing the switch. This
identity verification is based on the user ID and password combination provided by the entity trying to
access the switch. Cisco MDS 9000 Family switches allow you to perform local authentication (using
the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
When you log in successfully to a Cisco MDS switch through Telnet or SSH using Fabric Manager or Device Manager, and that switch is configured for AAA server-based authentication, a temporary SNMP user entry is automatically created with an expiry time of one day. The switch authenticates the SNMPv3 protocol data units (PDUs) with your Telnet or SSH login name as the SNMPv3 user, and the management station can temporarily use the Telnet or SSH login name as the SNMPv3 auth and priv passphrase. This temporary SNMP login is allowed only while you have one or more active MDS shell sessions. As soon as you have no active session, the temporary login is deleted and you can no longer perform SNMPv3 operations.
The following authorization roles exist in all Cisco MDS switches:
• Network operator (network-operator)—Has permission to view the configuration only. The operator cannot make any configuration changes.
• Network administrator (network-admin)—Has permission to execute all commands and make configuration changes. The administrator can also create and customize up to 64 additional roles.
• Default-role—Has permission to use the GUI (Fabric Manager and Device Manager). This access is automatically granted to all users for accessing the GUI.
These roles cannot be changed or deleted. You can create additional roles and configure the following:
• Configure role-based authorization by assigning user roles locally or using remote AAA servers.
• Configure user profiles on a remote AAA server to contain role information. This role information is automatically downloaded and used when the user is authenticated through the remote AAA
If a user belongs only to one of the newly created roles and that role is subsequently deleted, then the user immediately defaults to the network-operator role.
The accounting feature tracks and maintains a log of every management configuration used to access the switch. This information can be used to generate reports for troubleshooting and auditing purposes. Accounting logs can be stored locally or sent to remote AAA servers.
Switch AAA Functionalities
Cisco MDS 9000 Family CLI Configuration Guide
OL-16184-01, Cisco MDS SAN-OS Release 3.x
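The CLI session below is an added example, not configuration taken from this guide, showing how the three AAA functions described above (remote RADIUS/TACACS+ authentication with fallback to the local lookup database, a custom role alongside the built-in ones, and accounting sent to the remote servers) fit together on an MDS switch, followed by the show commands used to verify the result. The server addresses, shared keys, and the RadServer, TacServer and zone-admin names are placeholders; the command syntax is as known from SAN-OS 3.x and is an assumption relative to this page, so check it against the command reference for your release.

```cisco
! Added example (not from this guide). Addresses, keys and names are placeholders.
switch# config t

! --- Authentication: define the remote RADIUS and TACACS+ servers ---
! Use a distinct, long shared key per server; the values here are placeholders.
switch(config)# radius-server host 10.0.0.11 key RADIUS-KEY-PLACEHOLDER authentication accounting
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.0.0.11
switch(config-radius)# exit

switch(config)# tacacs+ enable
switch(config)# tacacs-server host 10.0.0.12 key TACACS-KEY-PLACEHOLDER
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.0.0.12
switch(config-tacacs+)# exit

! Try the remote groups in order; the trailing "local" keeps the local lookup
! database as a fallback so the switch stays reachable if every AAA server is down.
switch(config)# aaa authentication login default group TacServer RadServer local

! --- Authorization: one of the up-to-64 additional roles ---
! Scoped to zoning only. If this role is later deleted, users who held only
! this role fall back to network-operator (read-only), as the text describes.
switch(config)# role name zone-admin
switch(config-role)# rule 1 permit config feature zone
switch(config-role)# rule 2 permit show feature zone
switch(config-role)# exit

! --- Accounting: log management access to the remote server, with local copy ---
switch(config)# aaa accounting default group TacServer local
switch(config)# exit

! --- Verification ---
switch# show aaa authentication
switch# show aaa accounting
switch# show role name zone-admin
! The temporary SNMPv3 users created for Telnet/SSH logins appear here and
! disappear once the user has no active shell session.
switch# show snmp user
switch# show accounting log
```

Keep the shared keys out of any configuration backups that are stored unencrypted, and confirm with `show aaa authentication` that the local fallback is listed last rather than first; listing `local` first would silently bypass the remote servers for any account that also exists in the local database.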