Local authentication process – IronPort Systems 4108GL User Manual
Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security
then it uses its own local username/password pairs to authenticate the logon request. (See "Local Authentication Process", on page 25.)
• If a TACACS+ server recognizes the switch, it forwards a username prompt to the requesting terminal via the switch.
2. When the requesting terminal responds to the prompt with a username, the switch forwards it to the TACACS+ server.
3. After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch.
4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs:
• If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
• If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username and repeat steps 2 through 4. In the default configuration, the switch allows up to three attempts to authenticate a login session. If the requesting terminal exhausts the attempt limit without a successful TACACS+ authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.
Local Authentication Process
When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists:
■ "Local" is the authentication option for the access method being used.
■ TACACS+ is the primary authentication mode for the access method being used. However, the switch was unable to connect to any TACACS+ servers (or no servers were configured) AND Local is the secondary authentication mode being used.
(For a listing of authentication options, see Table 3 on page 17.)
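The login steps and the fallback conditions above can be modelled together to check which credential store ends up deciding a session. The following Python sketch is an added example, not code from the manual or the switch firmware. The option names `"tacacs"`, `"local"` and `"none"`, the function names, and the sample accounts are assumptions made for illustration, as is the outcome when no server is reachable and the secondary mode is not Local.

```python
import hmac

MAX_ATTEMPTS = 3  # default attempt limit stated in the manual text

def auth_source(primary, secondary, reachable_servers):
    """Pick the credential store that decides this login session."""
    if primary == "local":
        return "local"   # condition 1: Local is the configured option
    if primary == "tacacs" and reachable_servers:
        return "tacacs"  # a reachable server always decides, even if it denies
    if primary == "tacacs" and secondary == "local":
        return "local"   # condition 2: no server reachable or none configured
    return "none"        # assumption: nothing is left to authenticate against

def login_session(primary, secondary, reachable_servers,
                  tacacs_db, local_db, attempts):
    """Return (granted, source, attempts_used) for one login session."""
    source = auth_source(primary, secondary, reachable_servers)
    if source == "none":
        return (False, source, 0)
    db = tacacs_db if source == "tacacs" else local_db
    used = 0
    for user, password in attempts[:MAX_ATTEMPTS]:
        used += 1
        stored = db.get(user)
        # constant-time comparison of the submitted and stored password
        if stored is not None and hmac.compare_digest(
                stored.encode(), password.encode()):
            return (True, source, used)
    # attempt limit exhausted: the session ends, a new one must be started
    return (False, source, used)

# Constructed sample data: plaintext stand-ins for the two credential stores.
TACACS_DB = {"ops": "t-pass"}
LOCAL_DB = {"manager": "l-pass"}

if __name__ == "__main__":
    local_try = [("manager", "l-pass")]
    # Server reachable: local credentials are not consulted.
    print(login_session("tacacs", "local", ["srv1"], TACACS_DB, LOCAL_DB, local_try))
    # No server reachable and Local is secondary: local credentials decide.
    print(login_session("tacacs", "local", [], TACACS_DB, LOCAL_DB, local_try))
```

The first call shows that a denial from a reachable TACACS+ server does not trigger local fallback, so local accounts only matter when the servers are unreachable or Local is configured directly.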