Enhancements
Release M.10.34 Enhancements
Release M.10.34 includes the following enhancement:
Enhancement (PR_1000412747) — TACACS+ Single Sign-on for Administrators
Concurrent TACACS+ and SFTP
It is now possible to have SFTP/SCP sessions run concurrently with TACACS+ authentication.
Because the initial login must be with a username/password that has manager-level privileges, you
must configure TACACS+ single sign-on in order for TACACS+ and SFTP/SCP to coexist.
To configure TACACS+ single sign-on, use the aaa authentication login privilege-mode command.
3. If you disable the use of dynamic VLANs in an
authentication session using the no aaa port-access gvrp-vlans
command, client sessions that were authenticated with a
dynamic VLAN continue and are not deauthenticated.
(This behavior differs from how static VLAN assignment is
handled in an authentication session. If you remove the
configuration of the static VLAN used to create a temporary
client session, the 802.1X, MAC, or Web authenticated client
is deauthenticated.)
However, if a RADIUS-configured dynamic VLAN used for
an authentication session is deleted from the switch through
normal GVRP operation (for example, if no GVRP
advertisements for the VLAN are received on any switch
port), authenticated clients using this VLAN are
deauthenticated.
For information on how static and dynamic VLANs are
assigned in a RADIUS-based 802.1X, MAC, or Web
authentication session, refer to the “How RADIUS-Based
Authentication Affects VLAN Operation” section in the
“RADIUS Authentication and Accounting” chapter of the
Access Security Guide.
Syntax: aaa authentication <login [privilege-mode]>
Selects the Operator access level. If the privilege-mode option is entered,
TACACS+ is enabled for a single login. The authorized privilege level
(Operator or Manager) is granted by the TACACS+ server.
Default: Single login disabled.
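
The coexistence rule described under "Concurrent TACACS+ and SFTP" can be checked against a saved switch configuration. The script below is an added example, not part of the release notes or the vendor's tooling. The sample configuration text is constructed, and the "ip ssh filetransfer", "tacacs-server host" and "aaa authentication ssh login tacacs local" line forms are assumptions about how the configuration is rendered; only the "aaa authentication login privilege-mode" command comes from this page.

```python
import re

# Constructed sample configuration (assumed line forms, not from the release notes).
SAMPLE_MISSING_SSO = """\
tacacs-server host 192.0.2.10
aaa authentication ssh login tacacs local
ip ssh
ip ssh filetransfer
"""

# Same configuration with the single sign-on command from this page added.
SAMPLE_WITH_SSO = SAMPLE_MISSING_SSO + "aaa authentication login privilege-mode\n"

SSO_LINE = "aaa authentication login privilege-mode"   # command named on this page
FILETRANSFER_LINE = "ip ssh filetransfer"              # assumed SFTP/SCP enable line
# Assumed form: "aaa authentication <access-type> login <methods...>" listing tacacs.
TACACS_LOGIN_RE = re.compile(r"^aaa authentication \S+ login\b.*\btacacs\b")


def audit_config(text):
    """Return findings where SFTP/SCP and TACACS+ login are both enabled
    but TACACS+ single sign-on (privilege-mode) is not configured."""
    # Normalise whitespace; ignore blank lines, comments and negated ("no ...") lines.
    active = []
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith(";") and not line.startswith("no "):
            active.append(line)

    uses_tacacs = any(TACACS_LOGIN_RE.match(line) for line in active)
    filetransfer = FILETRANSFER_LINE in active
    sso = SSO_LINE in active

    findings = []
    if uses_tacacs and filetransfer and not sso:
        findings.append(
            "SFTP/SCP is enabled with TACACS+ login but '%s' is not set; "
            "the initial login will not carry the server-granted privilege level."
            % SSO_LINE
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("missing-sso", SAMPLE_MISSING_SSO), ("with-sso", SAMPLE_WITH_SSO)):
        print(name, audit_config(cfg) or "ok")
```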