This chapter describes how to configure local authentication, RADIUS authentication, and TACACS+ authentication to control access to the switch command-line interface (CLI).
This chapter consists of these sections:
These sections describe how the different authentication methods work:
You can configure any combination of these authentication methods to control access to the switch:
When multiple authentication methods are enabled, local authentication is always attempted last if enabled. In supervisor engine software release 4.4 and later, you can specify the authentication method to use for console and Telnet connections independently. For example, you might use local authentication for console connections and RADIUS authentication for Telnet connections.
Local authentication uses locally configured login and enable passwords to authenticate login attempts. The login and enable passwords are local to each switch and are not mapped to individual usernames.
Local authentication is enabled by default, but can be disabled if TACACS+ authentication is enabled. If local authentication is disabled and you then disable TACACS+ authentication, local authentication is reenabled automatically.
You can enable local authentication and TACACS+ authentication at the same time. Local authentication is only attempted if TACACS+ authentication fails.
RADIUS is a client-server authentication and authorization access protocol used by Network Access Servers (NASs) to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses UDP for transport between the RADIUS client and server.
You can configure a RADIUS key on the client and server. If you configure a key on the switch, it must be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. If you do not configure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.
You can configure the following RADIUS parameters on the switch:
RADIUS authentication is disabled by default. You can enable RADIUS authentication and other authentication methods at the same time. You can specify which method to use first using the primary keyword.
If local authentication is disabled and you then disable all other authentication methods, local authentication is reenabled automatically.
TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or entity. TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol specified by RFC 1492. TACACS+ uses TCP for reliable delivery and encrypts all traffic between the TACACS+ server and the TACACS+ daemon on the network device.
TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances:
When you request privileged or restricted services, TACACS+ encrypts your user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server.
A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so that a given TACACS+ configuration can use any or all of the three services. On the Catalyst 5000 series switches, only the authentication feature is supported.
When the TACACS+ server receives the packet, it does the following:
You can configure a TACACS+ key on the client and server. If you configure a key on the switch, it must be the same as the one configured on the TACACS+ servers. The TACACS+ clients and servers use the key to encrypt all TACACS+ packets transmitted. If you do not configure a TACACS+ key, packets are not encrypted.
You can configure the following TACACS+ parameters on the switch:
TACACS+ authentication is disabled by default. You can enable TACACS+ authentication and local authentication at the same time.
If local authentication is disabled and you then disable all other authentication methods, local authentication is reenabled automatically.
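The method-ordering rules described above (any combination of TACACS+, RADIUS and local; one method marked primary; local always attempted last; local re-enabled automatically when no other method remains) can be modelled as a small state machine. The following is an added example, not Cisco code; it assumes that the first remote method enabled becomes primary when no primary keyword is given (matching the show authentication output later in this chapter), and that non-primary TACACS+ is tried before non-primary RADIUS, which the chapter does not specify.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REMOTE = ("tacacs", "radius")          # assumed try order when neither is primary
SESSIONS = ("console", "telnet")
METHODS = REMOTE + ("local",)


@dataclass
class AuthMode:
    """Settings for one mode (login or enable), kept per session type as the
    switch does: TACACS+ and RADIUS start disabled, local starts enabled."""
    enabled: Dict[str, Dict[str, bool]] = field(default_factory=lambda: {
        s: {"tacacs": False, "radius": False, "local": True} for s in SESSIONS})
    primary: Dict[str, Optional[str]] = field(default_factory=lambda: {s: None for s in SESSIONS})

    def set_method(self, method: str, enable: bool, session: str = "both",
                   primary: bool = False) -> str:
        """Mirror `set authentication <mode> <method> enable|disable [console|telnet|both] [primary]`."""
        targets = SESSIONS if session == "both" else (session,)
        if method == "local" and not enable:
            blocked = [s for s in targets if not any(self.enabled[s][m] for m in REMOTE)]
            if blocked:   # page rule: local may only be disabled while TACACS+ or RADIUS is enabled
                return f"local authentication cannot be disabled for {', '.join(blocked)}: no other method is enabled"
        for s in targets:
            self.enabled[s][method] = enable
            if method in REMOTE:
                if enable and (primary or self.primary[s] is None):
                    self.primary[s] = method      # assumption: first remote method enabled becomes primary
                elif not enable and self.primary[s] == method:
                    self.primary[s] = next((m for m in REMOTE if self.enabled[s][m]), None)
            if not any(self.enabled[s][m] for m in REMOTE):
                self.enabled[s]["local"] = True   # page rule: local is re-enabled automatically
        return f"{method} authentication set to {'enable' if enable else 'disable'} for {' and '.join(targets)} session."

    def order(self, session: str) -> List[str]:
        """Methods in the order the switch tries them: primary first, local always last."""
        remote = [m for m in REMOTE if self.enabled[session][m]]
        if self.primary[session] in remote:
            remote.remove(self.primary[session])
            remote.insert(0, self.primary[session])
        return remote + (["local"] if self.enabled[session]["local"] else [])

    def status(self, session: str, method: str) -> str:
        """Cell text as `show authentication` prints it."""
        if not self.enabled[session][method]:
            return "disabled"
        return "enabled(primary)" if self.order(session)[0] == method else "enabled"

    def show(self, title: str) -> List[str]:
        """Render one block of `show authentication` output for this mode."""
        rows = [f"{title + ':':<26}{'Console Session':<18}Telnet Session"]
        for m in METHODS:
            rows.append(f"{m:<26}{self.status('console', m):<18}{self.status('telnet', m)}")
        return rows


if __name__ == "__main__":
    login = AuthMode()
    print(login.set_method("radius", True))          # radius becomes primary, local stays enabled
    print(login.set_method("local", False, "telnet"))
    print("\n".join(login.show("Login Authentication")))
    print(login.set_method("radius", False))         # nothing else left: local comes back on
    print("\n".join(login.show("Login Authentication")))
```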
Table 16-1 shows the default authentication configuration.
| Feature | Default Value |
|---|---|
| Local login authentication (console and Telnet) | Enabled |
| Local enable authentication (console and Telnet) | Enabled |
| RADIUS login authentication (console and Telnet) | Disabled |
| RADIUS enable authentication (console and Telnet) | Disabled |
| RADIUS server IP address | None specified |
| RADIUS server UDP auth-port | Port 1812 |
| RADIUS key | None specified |
| RADIUS server timeout | 5 seconds |
| RADIUS server deadtime | 0 (servers not marked dead) |
| RADIUS retransmit attempts | 2 times |
| TACACS+ login authentication (console and Telnet) | Disabled |
| TACACS+ enable authentication (console and Telnet) | Disabled |
| TACACS+ key | None specified |
| TACACS+ login attempts | 3 |
| TACACS+ server timeout | 5 seconds |
| TACACS+ directed request | Disabled |
These guidelines apply when configuring authentication on the switch:
These sections describe how to configure local authentication on the switch:
To enable local authentication on the switch, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Enable local login authentication on the switch. Use the console or telnet keywords if you want to enable local authentication only for console port or Telnet connection attempts. | `set authentication login local enable [console \| telnet \| both]` |
| Step 2 Enable local enable authentication on the switch. Use the console or telnet keywords if you want to enable local authentication only for console port or Telnet connection attempts. | `set authentication enable local enable [console \| telnet \| both]` |
| Step 3 Verify the local authentication configuration. | `show authentication` |
This example shows how to enable local login and enable authentication for both console and Telnet connections, and how to verify the configuration:
```
Console> (enable) set authentication login local enable
local login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable local enable
local enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)
Console> (enable)
```
The login password controls access to the user mode CLI.
To set the login password for local authentication, perform this task in privileged mode:
| Task | Command |
|---|---|
| Set the login password for access. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password. | `set password` |
This example shows how to set the login password on the switch:
```
Console> (enable) set password
Enter old password:<old_password>
Enter new password:<new_password>
Retype new password:<new_password>
Password changed.
Console> (enable)
```
The enable password controls access to the privileged mode CLI.
To set the enable password for local authentication, perform this task in privileged mode:
| Task | Command |
|---|---|
| Set the password for privileged mode. Enter your old password (press Return on a switch with no password configured), enter your new password, and reenter your new password. | `set enablepass` |
This example shows how to set the enable password on the switch:
```
Console> (enable) set enablepass
Enter old password:<old_password>
Enter new password:<new_password>
Retype new password:<new_password>
Password changed.
Console> (enable)
```
Caution: Make sure that RADIUS or TACACS+ authentication is configured and operating correctly before disabling local login or enable authentication. If you disable local authentication and RADIUS or TACACS+ is not configured correctly, or if the RADIUS or TACACS+ server is not online, you might be unable to log in to the switch.
To disable local authentication on the switch, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Disable local login authentication on the switch. Use the console or telnet keywords if you want to disable local authentication only for console port or Telnet connection attempts. | `set authentication login local disable [console \| telnet \| both]` |
| Step 2 Disable local enable authentication on the switch. Use the console or telnet keywords if you want to disable local authentication only for console port or Telnet connection attempts. | `set authentication enable local disable [console \| telnet \| both]` |
| Step 3 Verify the local authentication configuration. | `show authentication` |
This example shows how to disable local login and enable authentication for both console and Telnet connections, and how to verify the configuration (you must have RADIUS or TACACS+ authentication enabled before you disable local authentication):
```
Console> (enable) set authentication login local disable
local login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable local disable
local enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     disabled          disabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     disabled          disabled
Console> (enable)
```
To recover a lost local authentication password, perform this task. You must complete steps 3-7 within 30 seconds or the recovery will fail. If you lost both the login and enable passwords, repeat the process for each password.
Step 1 Connect to the switch through the supervisor engine console port (you cannot recover the password if you are connected through a Telnet connection).
Step 2 Enter the reset system command to reboot the switch.
Step 3 At the "Enter Password" prompt, press Return (the login password is null for 30 seconds when you are connected to the console port).
Step 4 Enter privileged mode using the enable command.
Step 5 At the "Enter Password" prompt, press Return (the enable password is null for 30 seconds when you are connected to the console port).
Step 6 Enter the set password or set enablepass command, as appropriate.
Step 7 When prompted for your old password, press Return.
Step 8 Enter and confirm your new password.
These sections describe how to configure RADIUS authentication on the switch:
To specify one or more RADIUS servers, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Specify the IP address of up to three RADIUS servers. Specify the primary server using the primary keyword. Optionally, specify the destination UDP port to use on the server. | `set radius server ip_addr [auth-port port_number] [primary]` |
| Step 2 Verify the RADIUS server configuration. | `show radius` |
This example shows how to specify a RADIUS server and verify the configuration:
```
Console> (enable) set radius server 172.20.52.3
172.20.52.3 with auth-port 1812 added to radius server table as primary server.
Console> (enable) show radius
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Radius Deadtime:   0 minutes
Radius Key:
Radius Retransmit: 2
Radius Timeout:    5 seconds

Radius-Server                 Status   Auth-port
----------------------------- -------  ------------
172.20.52.3                   primary  1812
Console> (enable)
```
You can enable RADIUS authentication for login and enable access to the switch. If desired, you can use the console and telnet keywords to specify that RADIUS authentication be used only on console or Telnet connections. If you are using both RADIUS and TACACS+, you can use the primary keyword to force the switch to try RADIUS authentication first.
To configure RADIUS authentication, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Enable RADIUS authentication for login mode. | `set authentication login radius enable [console \| telnet \| both] [primary]` |
| Step 2 Enable RADIUS authentication for enable mode. | `set authentication enable radius enable [console \| telnet \| both] [primary]` |
| Step 3 Verify the RADIUS configuration. | `show authentication` |
This example shows how to enable RADIUS authentication and verify the configuration:
```
Console> (enable) set authentication login radius enable
radius login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable radius enable
radius enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled
Console> (enable)
```
The RADIUS key is used to encrypt and authenticate all communication between the RADIUS client and server. You must configure the same key on the switch and the RADIUS server.
The length of the key is limited to 65 characters. It can include any printable ASCII characters except tabs.
To specify the RADIUS key, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Configure the RADIUS key used to encrypt packets sent to the RADIUS server. | `set radius key key` |
| Step 2 Verify the RADIUS configuration. | `show radius` |
This example shows how to specify the RADIUS key and verify the configuration (in normal mode, the RADIUS key value is hidden):
```
Console> (enable) set radius key Secret_RADIUS_key
Radius key set to Secret_RADIUS_key
Console> (enable) show radius
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Radius Deadtime:   0 minutes
Radius Key:        Secret_RADIUS_key
Radius Retransmit: 2
Radius Timeout:    5 seconds

Radius-Server                 Status   Auth-port
----------------------------- -------  ------------
172.20.52.3                   primary  1812
Console> (enable)
```
You can specify the timeout interval between retransmissions to the RADIUS server. The default timeout is 5 seconds.
To specify the RADIUS timeout interval, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Configure the RADIUS timeout interval. | `set radius timeout seconds` |
| Step 2 Verify the RADIUS configuration. | `show radius` |
This example shows how to specify the RADIUS timeout interval and verify the configuration:
```
Console> (enable) set radius timeout 10
Radius timeout set to 10 seconds.
Console> (enable) show radius
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Radius Deadtime:   0 minutes
Radius Key:        Secret_RADIUS_key
Radius Retransmit: 2
Radius Timeout:    10 seconds

Radius-Server                 Status   Auth-port
----------------------------- -------  ------------
172.20.52.3                   primary  1812
Console> (enable)
```
You can specify the number of times the switch will attempt to contact a RADIUS server before the next configured server is tried. By default, each RADIUS server will be tried two times.
To specify the RADIUS retransmit count, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Configure the RADIUS server retransmit count. | `set radius retransmit count` |
| Step 2 Verify the RADIUS configuration. | `show radius` |
This example shows how to specify the RADIUS retransmit count and verify the configuration:
```
Console> (enable) set radius retransmit 4
Radius retransmit count set to 4.
Console> (enable) show radius
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Radius Deadtime:   0 minutes
Radius Key:        Secret_RADIUS_key
Radius Retransmit: 4
Radius Timeout:    10 seconds

Radius-Server                 Status   Auth-port
----------------------------- -------  ------------
172.20.52.3                   primary  1812
Console> (enable)
```
You can configure the switch so that, when a RADIUS server does not respond to an authentication request, the switch marks that server as dead for the length of time specified by the deadtime. Any authentication requests received during the deadtime interval (such as other users attempting to login to the switch) are not sent to a RADIUS server marked dead. Configuring a deadtime speeds up the authentication process by eliminating timeouts and retransmissions to the dead RADIUS server.
If you configure only one RADIUS server, or if all of the configured servers are marked dead, the deadtime is ignored because there are no alternate servers available.
To set the RADIUS deadtime, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Configure the RADIUS server deadtime interval. | `set radius deadtime minutes` |
| Step 2 Verify the RADIUS configuration. | `show radius` |
This example shows how to set the RADIUS deadtime interval and verify the configuration:
```
Console> (enable) set radius deadtime 5
Radius deadtime set to 5 minute(s).
Console> (enable) show radius
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    enabled(primary)  enabled(primary)
local                     enabled           enabled

Radius Deadtime:   5 minutes
Radius Key:        Secret_RADIUS_key
Radius Retransmit: 4
Radius Timeout:    10 seconds

Radius-Server                 Status   Auth-port
----------------------------- -------  ------------
172.20.52.3                   primary  1812
172.20.52.2                            1812
Console> (enable)
```
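The timeout, retransmit and deadtime settings described in the preceding sections interact: each server in the table is tried retransmit times, the switch waits timeout seconds per attempt, a server that never answers is skipped for deadtime minutes, and the deadtime is ignored when only one server is configured or when every server is dead. The following simulation is an added example rather than Cisco code; it models that walk over the server table from this chapter's example (172.20.52.3 primary, 172.20.52.2 backup, timeout 10, retransmit 4, deadtime 5), with the RADIUS exchange itself replaced by a probe callback that returns Accept, Reject or no reply.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class RadiusServer:
    ip: str
    auth_port: int = 1812       # default UDP auth-port on this page
    primary: bool = False


@dataclass
class RadiusClient:
    servers: List[RadiusServer]
    timeout: int = 5            # seconds the switch waits per attempt (page default)
    retransmit: int = 2         # attempts per server before the next is tried (page default)
    deadtime: int = 0           # minutes a silent server is skipped; 0 = never marked dead
    dead_until: Dict[str, float] = field(default_factory=dict)

    def ordered(self) -> List[RadiusServer]:
        """Primary server first, the rest in configured order (stable sort)."""
        return sorted(self.servers, key=lambda s: not s.primary)

    def candidates(self, now: float) -> List[RadiusServer]:
        """Servers to try at time `now`, applying the deadtime rules from the page."""
        if self.deadtime == 0 or len(self.servers) == 1:
            return self.ordered()
        alive = [s for s in self.ordered() if self.dead_until.get(s.ip, 0.0) <= now]
        return alive or self.ordered()   # all dead: deadtime ignored, try everything

    def authenticate(self, probe: Callable[[RadiusServer], Optional[bool]],
                     now: float = 0.0) -> Tuple[Optional[bool], float, List[str]]:
        """Walk the server table.  `probe` stands in for the RADIUS round trip and
        returns True (Access-Accept), False (Access-Reject) or None (no reply).
        Returns (verdict, seconds spent waiting, IPs of every attempt); verdict None
        means no server answered and the switch falls through to the next method."""
        waited, attempts = 0.0, []
        for server in self.candidates(now):
            for _ in range(self.retransmit):
                attempts.append(server.ip)
                reply = probe(server)
                if reply is not None:
                    return reply, waited, attempts
                waited += self.timeout
            if self.deadtime:                       # exhausted: mark dead for deadtime minutes
                self.dead_until[server.ip] = now + self.deadtime * 60
        return None, waited, attempts


def demo():
    """Constructed scenario: the primary server is silent, the backup answers."""
    client = RadiusClient(
        servers=[RadiusServer("172.20.52.3", primary=True), RadiusServer("172.20.52.2")],
        timeout=10, retransmit=4, deadtime=5)       # values used in the page's examples

    def probe(server: RadiusServer) -> Optional[bool]:
        return True if server.ip == "172.20.52.2" else None

    first = client.authenticate(probe, now=0.0)                    # 4 x 10 s on .3, then .2
    second = client.authenticate(probe, now=first[1] + 1)          # .3 dead: straight to .2
    third = client.authenticate(probe, now=first[1] + 1 + 5 * 60)  # deadtime over: .3 retried
    return first, second, third


if __name__ == "__main__":
    for label, (verdict, waited, attempts) in zip(("first", "second", "third"), demo()):
        print(f"{label}: verdict={verdict} waited={waited:.0f}s attempts={attempts}")
```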
To clear one or more RADIUS servers, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Specify the IP address of the RADIUS server to clear from the configuration. Use the all keyword to clear all of the servers from the configuration. | `clear radius server [ip_addr \| all]` |
| Step 2 Verify the RADIUS server configuration. | `show radius` |
This example shows how to clear a single RADIUS server from the configuration:
```
Console> (enable) clear radius server 172.20.52.3
172.20.52.3 cleared from radius server table.
Console> (enable)
```
This example shows how to clear all RADIUS servers from the configuration:
```
Console> (enable) clear radius server all
All radius servers cleared from radius server table.
Console> (enable)
```
To clear the RADIUS key, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Clear the RADIUS key. | `clear radius key` |
| Step 2 Verify the RADIUS configuration. | `show radius` |
This example shows how to clear the RADIUS key:
```
Console> (enable) clear radius key
Radius key cleared.
Console> (enable)
```
If you disable RADIUS authentication with both TACACS+ and local authentication disabled, local authentication is reenabled automatically.
To disable RADIUS authentication, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Disable RADIUS authentication for login mode. | `set authentication login radius disable [console \| telnet \| both]` |
| Step 2 Disable RADIUS authentication for enable mode. | `set authentication enable radius disable [console \| telnet \| both]` |
| Step 3 Verify the RADIUS configuration. | `show radius` |
This example shows how to disable RADIUS authentication:
```
Console> (enable) set authentication login radius disable
radius login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable radius disable
radius enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)
Console> (enable)
```
These sections describe how to configure TACACS+ authentication on the switch:
Specify one or more TACACS+ servers before you enable TACACS+ authentication on the switch. The first server you specify is the primary server, unless you explicitly make one server the primary using the primary keyword.
To specify one or more TACACS+ servers, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Specify the IP address of one or more TACACS+ servers. | `set tacacs server ip_addr [primary]` |
| Step 2 Verify the TACACS+ configuration. | `show tacacs` |
This example shows how to specify TACACS+ servers and verify the configuration:
```
Console> (enable) set tacacs server 172.20.52.3
172.20.52.3 added to TACACS server table as primary server.
Console> (enable) set tacacs server 172.20.52.2 primary
172.20.52.2 added to TACACS server table as primary server.
Console> (enable) set tacacs server 172.20.52.10
172.20.52.10 added to TACACS server table as backup server.
Console> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Tacacs key:
Tacacs login attempts: 3
Tacacs timeout:        5 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)
```
You can enable TACACS+ authentication for login and enable access to the switch. If desired, you can use the console and telnet keywords to specify that TACACS+ authentication be used only on console or Telnet connections. If you are using both RADIUS and TACACS+, you can use the primary keyword to force the switch to try TACACS+ authentication first.
To enable TACACS+ authentication, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Enable TACACS+ authentication for login mode. Use the console or telnet keywords if you want to enable TACACS+ only for console port or Telnet connection attempts. | `set authentication login tacacs enable [console \| telnet \| both] [primary]` |
| Step 2 Enable TACACS+ authentication for enable mode. Use the console or telnet keywords if you want to enable TACACS+ only for console port or Telnet connection attempts. | `set authentication enable tacacs enable [console \| telnet \| both] [primary]` |
| Step 3 Verify the TACACS+ configuration. | `show authentication` |
This example shows how to enable TACACS+ authentication for console and Telnet connections and how to verify the configuration:
```
Console> (enable) set authentication login tacacs enable
tacacs login authentication set to enable for console and telnet session.
Console> (enable) set authentication enable tacacs enable
tacacs enable authentication set to enable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled
Console> (enable)
```
To specify the TACACS+ key, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Configure the key used to encrypt packets. | `set tacacs key key` |
| Step 2 Verify the TACACS+ configuration. | `show tacacs` |
This example shows how to specify the TACACS+ key and verify the configuration:
```
Console> (enable) set tacacs key Secret_TACACS_key
The tacacs key has been set to Secret_TACACS_key.
Console> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Tacacs key:            Secret_TACACS_key
Tacacs login attempts: 3
Tacacs timeout:        5 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)
```
You can specify the timeout interval between retransmissions to the TACACS+ server. The default timeout is 5 seconds.
To specify the TACACS+ timeout interval, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Configure the TACACS+ timeout interval. | `set tacacs timeout seconds` |
| Step 2 Verify the TACACS+ configuration. | `show tacacs` |
This example shows how to set the server timeout interval and verify the configuration:
```
Console> (enable) set tacacs timeout 30
Tacacs timeout set to 30 seconds.
Console> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Tacacs key:            Secret_TACACS_key
Tacacs login attempts: 3
Tacacs timeout:        30 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)
```
You can specify the number of failed login attempts allowed.
To specify the number of login attempts allowed, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Configure the number of allowed login attempts. | `set tacacs attempts number` |
| Step 2 Verify the TACACS+ configuration. | `show tacacs` |
This example shows how to set the number of login attempts and verify the configuration:
```
Console> (enable) set tacacs attempts 5
Tacacs number of attempts set to 5.
Console> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Tacacs key:            Secret_TACACS_key
Tacacs login attempts: 5
Tacacs timeout:        30 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)
```
When TACACS+ directed request is enabled, users must specify the hostname of a configured TACACS+ server (in the form username@server_hostname) or the authentication request will fail.
To enable TACACS+ directed request, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Enable TACACS+ directed request on the switch. | `set tacacs directedrequest enable` |
| Step 2 Verify the TACACS+ configuration. | `show tacacs` |
This example shows how to enable TACACS+ directed request and verify the configuration:
```
Console> (enable) set tacacs directedrequest enable
Tacacs direct request has been enabled.
Console> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ---------------   --------------
tacacs                    enabled(primary)  enabled(primary)
radius                    disabled          disabled
local                     enabled           enabled

Tacacs key:            Secret_TACACS_key
Tacacs login attempts: 5
Tacacs timeout:        30 seconds
Tacacs direct request: enabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.3
172.20.52.2                              primary
172.20.52.10
Console> (enable)
```
To disable TACACS+ directed request, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Disable TACACS+ directed request on the switch. | `set tacacs directedrequest disable` |
| Step 2 Verify the TACACS+ configuration. | `show tacacs` |
This example shows how to disable TACACS+ directed request:
```
Console> (enable) set tacacs directedrequest disable
Tacacs direct request has been disabled.
Console> (enable)
```
To clear one or more TACACS+ servers, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Specify the IP address of the TACACS+ server to clear from the configuration. Use the all keyword to clear all of the servers from the configuration. | `clear tacacs server [ip_addr \| all]` |
| Step 2 Verify the TACACS+ server configuration. | `show tacacs` |
This example shows how to clear a specific TACACS+ server from the configuration:
```
Console> (enable) clear tacacs server 172.20.52.3
172.20.52.3 cleared from TACACS table
Console> (enable)
```
This example shows how to clear all TACACS+ servers from the configuration:
```
Console> (enable) clear tacacs server all
All TACACS servers cleared
Console> (enable)
```
To clear the TACACS+ key, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Clear the TACACS+ key. | `clear tacacs key` |
| Step 2 Verify the TACACS+ configuration. | `show tacacs` |
This example shows how to clear the TACACS+ key:
```
Console> (enable) clear tacacs key
TACACS server key cleared.
Console> (enable)
```
If you disable TACACS+ authentication with both RADIUS and local authentication disabled, local authentication is reenabled automatically.
To disable TACACS+ authentication, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Disable TACACS+ authentication for login mode. Use the console or telnet keywords if you want to disable TACACS+ only for console port or Telnet connection attempts. | set authentication login tacacs disable [console \| telnet \| both] |
| Step 2 Disable TACACS+ authentication for enable mode. Use the console or telnet keywords if you want to disable TACACS+ only for console port or Telnet connection attempts. | set authentication enable tacacs disable [console \| telnet \| both] |
| Step 3 Verify the TACACS+ configuration. | show authentication |
This example shows how to disable TACACS+ authentication for console and Telnet connections and how to verify the configuration:
```
Console> (enable) set authentication login tacacs disable
tacacs login authentication set to disable for console and telnet session.
Console> (enable) set authentication enable tacacs disable
tacacs enable authentication set to disable for console and telnet session.
Console> (enable) show authentication
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)
Console> (enable)
```
Figure 16-1 shows a simple network topology using TACACS+ authentication.
In this example, TACACS+ authentication is enabled and local authentication is disabled for both login and enable access to the switch for all Telnet connections. When Workstation A attempts to connect to the switch, the user is challenged for a TACACS+ username and password.
However, only local authentication is enabled for both login and enable access on the console port. Any user with access to the directly connected terminal can access the switch using the login and enable passwords.

This example shows how to configure the switch so that TACACS+ authentication is enabled for Telnet connections and local authentication is enabled for console connections. In addition, a TACACS+ encryption key is specified.
```
Console> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    disabled          disabled
radius                    disabled          disabled
local                     enabled(primary)  enabled(primary)

Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
Console> (enable) set tacacs server 172.20.52.10
172.20.52.10 added to TACACS server table as primary server.
Console> (enable) set tacacs key tintin_et_milou
The tacacs key has been set to tintin_et_milou.
Console> (enable) set authentication login tacacs enable telnet
tacacs login authentication set to enable for telnet session.
Console> (enable) set authentication enable tacacs enable telnet
tacacs enable authentication set to enable for telnet session.
Console> (enable) set authentication login local disable telnet
local login authentication set to disable for telnet session.
Console> (enable) set authentication enable local disable telnet
local enable authentication set to disable for telnet session.
Console> (enable) show tacacs
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          enabled(primary)
radius                    disabled          disabled
local                     enabled(primary)  disabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    disabled          enabled(primary)
radius                    disabled          disabled
local                     enabled(primary)  disabled

Tacacs key: tintin_et_milou
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server                            Status
---------------------------------------- -------
172.20.52.10                             primary
Console> (enable)
```
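The `show tacacs` output above is the record an administrator checks after each of the procedures in this section (setting or clearing servers and keys, enabling or disabling TACACS+ per session type). The following script, an added example that is not part of this guide or of Cisco's software, parses output in that format and reports the states a reviewer would want flagged: TACACS+ enabled with no server or no key configured, a session type whose only enabled method is TACACS+ (no local or RADIUS fallback), a session type with no method enabled at all, and directed request left on. The sample output is constructed to resemble the format shown above; the finding texts and the `audit` checks are this example's own, not switch output.

```python
import re
from typing import List, Optional

AUTH_METHODS = ("tacacs", "radius", "local")
SESSIONS = ("console", "telnet")

# Constructed sample modelled on the `show tacacs` output format above;
# it is not captured from a real switch. It has TACACS+ enabled for Telnet
# with no server, no key and no fallback method.
SAMPLE_SHOW_TACACS = """\
Login Authentication:     Console Session   Telnet Session
---------------------     ----------------  ----------------
tacacs                    disabled          enabled(primary)
radius                    disabled          disabled
local                     enabled(primary)  disabled

Enable Authentication:    Console Session   Telnet Session
----------------------    ----------------- ----------------
tacacs                    disabled          enabled(primary)
radius                    disabled          disabled
local                     enabled(primary)  disabled

Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: enabled

Tacacs-Server                            Status
---------------------------------------- -------
"""


def parse_show_tacacs(text: str) -> dict:
    """Parse `show tacacs` output into a dictionary of settings."""
    cfg: dict = {"login": {}, "enable": {}, "key": None, "attempts": None,
                 "timeout": None, "directed_request": None, "servers": []}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, table rules and any echoed CLI prompt.
        if not line or line.startswith("---") or line.startswith("Console>"):
            continue
        if line.startswith("Login Authentication:"):
            section = "login"
        elif line.startswith("Enable Authentication:"):
            section = "enable"
        elif line.startswith("Tacacs-Server"):
            section = "servers"
        elif line.startswith("Tacacs key:"):
            section = None
            # An empty value after the colon means no key is configured.
            cfg["key"] = line[len("Tacacs key:"):].strip() or None
        elif m := re.match(r"Tacacs login attempts:\s*(\d+)", line):
            cfg["attempts"] = int(m.group(1))
        elif m := re.match(r"Tacacs timeout:\s*(\d+)", line):
            cfg["timeout"] = int(m.group(1))
        elif m := re.match(r"Tacacs direct request:\s*(\w+)", line):
            cfg["directed_request"] = m.group(1) == "enabled"
        elif section in ("login", "enable"):
            fields = line.split()  # method, console state, telnet state
            if len(fields) == 3 and fields[0] in AUTH_METHODS:
                cfg[section][fields[0]] = {"console": fields[1], "telnet": fields[2]}
        elif section == "servers":
            fields = line.split()  # address, optional status such as "primary"
            cfg["servers"].append((fields[0], fields[1] if len(fields) > 1 else ""))
    return cfg


def enabled(cfg: dict, table: str, method: str, session: str) -> bool:
    """True when `method` is enabled for `session` in the login or enable table."""
    return cfg[table].get(method, {}).get(session, "disabled") != "disabled"


def audit(cfg: dict) -> List[str]:
    """Return the findings a reviewer would raise about the parsed configuration."""
    findings: List[str] = []
    uses_tacacs = any(enabled(cfg, t, "tacacs", s)
                      for t in ("login", "enable") for s in SESSIONS)
    if uses_tacacs and not cfg["servers"]:
        findings.append("TACACS+ is enabled but no TACACS+ server is configured")
    if uses_tacacs and not cfg["key"]:
        findings.append("TACACS+ is enabled but no TACACS+ key is set")
    for session in SESSIONS:
        for table in ("login", "enable"):
            active = [m for m in AUTH_METHODS if enabled(cfg, table, m, session)]
            if not active:
                findings.append(f"{session} {table}: no authentication method enabled")
            elif active == ["tacacs"]:
                findings.append(f"{session} {table}: TACACS+ only, no local or RADIUS "
                                "fallback if the servers are unreachable")
    if cfg["directed_request"]:
        findings.append("directed request is enabled; confirm that users should be "
                        "able to choose the TACACS+ server at login")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_tacacs(SAMPLE_SHOW_TACACS)):
        print("-", finding)
```

Run against the constructed sample, `audit` reports five findings: the missing server, the missing key, the two Telnet tables with TACACS+ as the only method, and directed request being enabled. The same output format produced after the steps in this section can be pasted into `SAMPLE_SHOW_TACACS`, or read from a file, to check a switch after a change.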
Posted: Mon Jul 19 12:41:49 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.