Cisco WS-C2980G-A Software Guide - Page 447

Chapter 30 Configuring Switch Access Using AAA Understanding How Authentication Works Understanding How Local User Authentication Works Local user authentication uses local user accounts and passwords that you create to validate the login attempts of local users. Each switch can have a maximum of 25 local user accounts. Before you can enable local user authentication, you must define at least one local user account. You set up local user accounts by creating a unique username and password combination for each local user. Each username must be fewer than 65 characters and can be any alphanumeric character, at least one of which must be alphabetic. You configure each local user account with a privilege level; valid privilege levels are 0 or 15. A local user with a privilege level of 0 can access commands in normal mode, while a local user with a privilege level of 15 can access commands in both normal or privileged mode. Once a local user is logged in, the user can use only commands that are available for that privilege level. A local user can enter privileged mode only if that user enters the correct enable password. Note If you are running a CiscoView image or are logging in using HTTP login, the system completes its initial authentication using the username and password combination. You can enter privileged mode by either providing the privilege password or using the username and password combination, provided the local user has a privilege level of 15. Understanding How TACACS+ Authentication Works TACACS+ is an enhanced version of TACACS, which is a User Datagram Protocol (UDP)-based access-control protocol that is specified by RFC 1492. TACACS+ controls access to network devices by exchanging Network Access Server (NAS) information between a network device and a centralized database to determine the identity of a user or device. TACACS+ uses TCP to ensure reliable delivery and encrypt all traffic between the TACACS+ server and the TACACS+ daemon on a network device. TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. TACACS+ authentication usually occurs in these instances: • When you first log onto a machine • When you send a service request that requires privileged access When you request privileged or restricted services, TACACS+ encrypts your user password information using the MD5 encryption algorithm and adds a TACACS+ packet header. This header information identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the encryption type used, and the total packet length. The TACACS+ protocol then forwards the packet to the TACACS+ server. A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so that a given TACACS+ configuration can use any or all of the three services. When the TACACS+ server receives the packet, it does the following: • Authenticates user information and notifies the client that authentication has either passed or failed. • Notifies the client that authentication will continue and that the client must provide additional information. This challenge-response process can continue through multiple iterations until authentication either passes or fails. 78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 30-3