
TACACS+ Authentication
General Authentication Setup Procedure
Note: If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see “Troubleshooting TACACS+ Operation” in the Troubleshooting chapter of the Management and Configuration Guide for your switch.
1. Familiarize yourself with the requirements for configuring your TACACS+ server application to respond to requests from the switch. (Refer to the documentation provided with the TACACS+ server software.) This includes knowing whether you need to configure an encryption key. (See “Using the Encryption Key” on page 4-26.)
2. Determine the following:
• The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services.
• The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).
• The number of log-in attempts you will allow before closing a log-in session. (Default: 3)
• The period you want the switch to wait for a reply to an authentication request before trying another server.
• The username/password pairs you want the TACACS+ server to use for controlling access to the switch.
• The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.
• The username/password pairs you want to use for local authentication (one pair each for Operator and Manager levels).
3. Plan and enter the TACACS+ server configuration needed to support
TACACS+ operation for Telnet access (login and enable) to the switch.
This includes the username/password sets for logging in at the Operator
(read-only) privilege level and the sets for logging in at the Manager (read/
write) privilege level.
Note on Privilege Levels: When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of “15” as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access. Thus, when configuring the TACACS+ server response to a request that includes a username/password pair that should have Manager privileges, you must use a privilege level of 15. For more on this topic, refer to the documentation you received with your TACACS+ server application.
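What the encryption key from steps 1 and 2 actually does on the wire is easier to judge from working code than from the word "encryption". The following Python example is added here; it is not from this guide and not the code of any switch or TACACS+ server. It builds a TACACS+ authentication START packet for a login request carrying privilege level 15 (the field layout and the body obfuscation are those defined in RFC 8907, the specification of the protocol the switch and server speak) and then sends it two ways: with a shared key, and with no key, in which case the protocol sets the unencrypted flag. The session ID, key, username, password and port name are constructed values. The point it makes: without a key the password crosses the network in cleartext, and with a key the body is only XORed with an MD5 keystream derived from the key, which is obfuscation rather than authenticated encryption, so the switch-to-server path still needs to be a trusted or otherwise protected network.

```python
"""TACACS+ authentication START packet and body obfuscation (RFC 8907)."""
import hashlib
import struct
from typing import Optional

# Header and body constants as defined in RFC 8907.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in cleartext
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02   # username and password both in the START body
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # service
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_authen_start(user: str, password: str, priv_lvl: int,
                       port: str = "tty0", rem_addr: str = "") -> bytes:
    """Authentication START body (RFC 8907 section 5.1) for a PAP-style login."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def encode_packet(body: bytes, session_id: int, key: Optional[bytes], seq_no: int = 1) -> bytes:
    """Prepend the 12-byte header; obfuscate the body only when a key is configured."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    if key:
        flags = 0
        pad = pseudo_pad(session_id, key, version, seq_no, len(body))
        wire_body = bytes(b ^ k for b, k in zip(body, pad))
    else:
        flags = TAC_PLUS_UNENCRYPTED_FLAG   # no key: the password goes out in the clear
        wire_body = body
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + wire_body


def decode_packet(packet: bytes, key: Optional[bytes]) -> bytes:
    """Recover the body; a wrong key simply yields garbage, there is no integrity check."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    if not key:
        raise ValueError("obfuscated body received but no key is configured")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ k for b, k in zip(body, pad))


def demo() -> dict:
    """Compare the keyed and unkeyed forms of the same Manager-level login request."""
    session_id = 0x1A2B3C4D              # constructed; a real client picks this at random
    key = b"constructed-shared-secret"   # constructed; the switch/server shared key
    password = b"constructed-pw"
    body = build_authen_start("manager-user", password.decode(), priv_lvl=15)

    keyed = encode_packet(body, session_id, key)
    unkeyed = encode_packet(body, session_id, None)
    return {
        "roundtrip_ok": decode_packet(keyed, key) == body,
        "priv_lvl_in_body": decode_packet(keyed, key)[1],
        "password_visible_without_key": password in unkeyed,
        "password_visible_with_key": password in keyed,
        "wrong_key_recovers_body": decode_packet(keyed, b"wrong-key") == body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the keystream depends only on the session ID, key, version and sequence number, an observer who captures the obfuscated packet can test candidate keys offline, and because the protocol carries no integrity tag a wrong key is not detected by the decoder, only by the server rejecting the garbled request. Treat the key as a way to keep credentials out of casual captures, not as a substitute for a protected management network.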