Configuring TACACS+ on the Switch
Figure 4-8. Using a TACACS+ Server for Authentication
Using figure 4-8, above, after either switch detects an operator's logon request
from a remote or directly connected terminal, the following events occur:
The switch queries the first-choice TACACS+ server for authentication
of the request.
If the switch does not receive a response from the first-choice
TACACS+ server, it attempts to query a secondary server. If the
switch does not receive a response from any TACACS+ server,
then it uses its own local username/password pairs to authenti-
cate the logon request. (See "Local Authentication Process" on
If a TACACS+ server recognizes the switch, it forwards a user-
name prompt to the requesting terminal via the switch.
When the requesting terminal responds to the prompt with a username,
the switch forwards it to the TACACS+ server.
After the server receives the username input, the requesting terminal
receives a password prompt from the server via the switch.
When the requesting terminal responds to the prompt with a password,
the switch forwards it to the TACACS+ server and one of the following
If the username/password pair received from the requesting
terminal matches a username/password pair previously stored in
the server, then the server passes access permission through the
switch to the terminal.
If the username/password pair entered at the requesting terminal
does not match a username/password pair previously stored in
the server, access is denied. In this case, the terminal is again
prompted to enter a username and repeat steps 2 through 4. In
the default configuration, the switch allows up to three attempts
to authenticate a login session. If the requesting terminal
exhausts the attempt limit without a successful TACACS+
authentication, the login session is terminated and the operator
at the requesting terminal must initiate a new session before