Configuring the switch’s authentication methods, E 16 – IronPort Systems 4108GL User Manual

9-16

Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security

Usi

n

g P

a

ssword

s a

nd

T

A

CA

CS

+

Configuring the Switch’s Authentication Methods

The

aaa authentication command configures the access control for console

port and Telnet access to the switch. That is, for both access methods, aaa
authentication specifies whether to use a TACACS+ server or the switch’s
local authentication, or (for some secondary scenarios) no authentication
(meaning that if the primary method fails, authentication is denied). This
command also reconfigures the number of access attempts to allow in a
session if the first attempt uses an incorrect username/password pair.

Syntax:

aaa authentication

aaa authentication num-attempts <1. . 10>

Table 9-2.

AAA Authentication Parameters

As shown in the next table, login and enable access is always available locally
through a direct terminal connection to the switch’s console port. However,
for Telnet access, you can configure TACACS+ to deny access if a TACACS+
server goes down or otherwise becomes unavailable to the switch.

Name

Default

Range

Function

console
- or -
telnet

n/a

n/a

Specifies whether the command is configuring authentication for the console
port or Telnet access method for the switch.

enable
- or -
login

n/a

n/a

Specifies the privilege level for the access method being configured.
login: Operator (read-only) privileges
enable: Manager (read-write) privileges

local
- or -
tacacs

local

n/a

Specifies the primary method of authentication for the access method being
configured.
local: Use the username/password pair configured locally in the switch for
the privilege level being configured
tacacs: Use a TACACS+ server.

local
- or -
none

none

n/a

Specifies the secondary (backup) type of authentication being configured.
local: The username/password pair configured locally in the switch for the
privilege level being configured
none: No secondary type of authentication for the specified
method/privilege path. (Available only if the primary method of
authentication for the access being configured is local.)
Note: If you do not specify this parameter in the command line, the switch
automatically assigns the secondary method as follows:
• If the primary method is

tacacs

, the only secondary method is

local

.

• If the primary method is

local

, the default secondary method is

none

.

num-attempts

3

1 - 10

In a given session, specifies how many tries at entering the correct username/
password pair are allowed before access is denied and the session terminated.