Cisco WS-C2960-24PC-L Software Guide - Page 446
Understanding How Login Authentication Works, Understanding How Local Authentication Works
Chapter 30 Configuring Switch Access Using AAA
Understanding How Authentication Works

• Local user authentication
• TACACS+ authentication
• RADIUS authentication
• Kerberos authentication

Note: Kerberos authentication does not work if TACACS+ is used as the authentication method.

When local authentication is enabled together with one or more other authentication methods, local authentication is always attempted last. However, you can specify different authentication methods for console and Telnet connections. For example, you might use local authentication for console connections and RADIUS authentication for Telnet connections.

The following sections describe how the different authentication methods work.

Understanding How Login Authentication Works

Login authentication increases the security of the system by limiting password guessing: a user is allowed only a specific number of attempts to log in to the switch. If the user exhausts those attempts without supplying a valid password, the switch delays any subsequent access from that station for the lockout time and records the user ID and the IP address of the station in syslog and in an SNMP trap.

You can configure the maximum number of login attempts from the CLI and SNMP with the set authentication login attempt command. (Use the set authentication enable attempt command to set the attempt limit for entering enable mode.) The configurable range is three (default) to ten tries. Setting the limit to zero (0) disables the attempt limit. All authentication methods (RADIUS, TACACS+, Kerberos, or local) are supported.

The lockout (delay) time is also configurable from the CLI and SNMP with the set authentication login lockout command. (Use the set authentication enable lockout command to set the delay time for entering enable mode.) The configurable range is 30 to 43,200 seconds; setting the lockout time to zero (0) disables the lockout.
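To make the attempt limit and lockout timer concrete, the following is an added model of the behaviour the guide describes. It is illustration written for this page, not Cisco code and not from the guide: the attempt and lockout ranges come from the text, while the class and method names, the per-station (IP address) bookkeeping, the simulated clock, the syslog line format and the sample password are assumptions.

```python
"""Model of the login-attempt limit and lockout timer described on this page.

Added illustration, not Cisco code. The ranges come from the page; the class
and method names, the per-station (IP address) bookkeeping, the simulated
clock, the log line format and the sample password are assumptions.
"""
from dataclasses import dataclass, field

ATTEMPT_MIN, ATTEMPT_MAX, ATTEMPT_DEFAULT = 3, 10, 3    # tries (from the page)
LOCKOUT_MIN, LOCKOUT_MAX = 30, 43200                    # seconds (from the page)


def config_errors(attempts: int, lockout: int) -> list:
    """Return the problems with an (attempt limit, lockout seconds) pair.

    Mirrors the documented ranges: 0 disables either function, otherwise
    attempts must be 3..10 and lockout 30..43200.
    """
    errors = []
    if attempts != 0 and not ATTEMPT_MIN <= attempts <= ATTEMPT_MAX:
        errors.append(f"attempt limit {attempts} outside 0 or {ATTEMPT_MIN}-{ATTEMPT_MAX}")
    if lockout != 0 and not LOCKOUT_MIN <= lockout <= LOCKOUT_MAX:
        errors.append(f"lockout {lockout}s outside 0 or {LOCKOUT_MIN}-{LOCKOUT_MAX}")
    return errors


@dataclass
class LoginGuard:
    """Per-station failure counter plus lockout timer (assumed model)."""
    max_attempts: int = ATTEMPT_DEFAULT
    lockout_seconds: int = 0            # 0: limit still enforced, but no delay
    password: str = "s3cret"            # assumed local login password
    failures: dict = field(default_factory=dict)      # station -> failed tries
    locked_until: dict = field(default_factory=dict)  # station -> clock value
    syslog: list = field(default_factory=list)        # captured events

    def __post_init__(self):
        errors = config_errors(self.max_attempts, self.lockout_seconds)
        if errors:
            raise ValueError("; ".join(errors))

    def login(self, station: str, user: str, password: str, now: int,
              session: str = "telnet") -> str:
        """Process one login attempt at simulated time `now`.

        Returns 'ok', 'fail', 'closed' (Telnet connection dropped because the
        limit was reached) or 'locked' (refused while the lockout is active).
        """
        if self.locked_until.get(station, 0) > now:
            self.syslog.append(f"t={now} LOCKED-OUT user={user} ip={station}")
            return "locked"
        if password == self.password:
            self.failures.pop(station, None)      # success resets the counter
            return "ok"
        if self.max_attempts == 0:                # limit disabled: plain failure
            return "fail"
        count = self.failures.get(station, 0) + 1
        if count < self.max_attempts:
            self.failures[station] = count
            return "fail"
        # Limit reached: log user ID and station IP, start the lockout timer.
        self.failures.pop(station, None)
        self.syslog.append(
            f"t={now} LOGIN-LIMIT attempts={self.max_attempts} user={user} ip={station}")
        if self.lockout_seconds:
            self.locked_until[station] = now + self.lockout_seconds
        return "closed" if session == "telnet" else "fail"


def demo() -> list:
    """Three bad guesses over Telnet, a retry during the lockout, a retry
    after it expires, and a second station that is unaffected."""
    guard = LoginGuard(max_attempts=3, lockout_seconds=60)
    results = [guard.login("10.0.0.5", "admin", "wrong", now=t) for t in (100, 101, 102)]
    results.append(guard.login("10.0.0.5", "admin", "s3cret", now=110))  # locked until 162
    results.append(guard.login("10.0.0.5", "admin", "s3cret", now=163))  # lockout expired
    results.append(guard.login("10.0.0.9", "admin", "s3cret", now=110))  # other station
    return results


if __name__ == "__main__":
    print(demo())  # ['fail', 'fail', 'closed', 'locked', 'ok', 'ok']
```

Two points the model makes visible: the lockout is keyed by station, so a correct password from a different IP address still succeeds while the first station is locked out, and with the attempt limit set to 0 nothing is counted or logged at all, which is why 0 should be treated as "protection off" rather than as a neutral default.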
If you are locked out at the console, the console does not allow you to log in during that lockout time. If you are locked out from a Telnet session, the connection closes when the limit is reached. During the lockout time the switch closes any subsequent access from that station and displays an appropriate notice.

Understanding How Local Authentication Works

Local authentication uses the locally configured login and enable passwords to authenticate login attempts. The login and enable passwords are local to each switch and are not mapped to individual usernames, so a local login cannot be attributed to a particular person. Local authentication is enabled by default, but it can be disabled if one of the other authentication methods is enabled. If local authentication is disabled and you then disable all other authentication methods, local authentication is reenabled automatically.

You can enable local authentication and one or more of the other authentication methods at the same time. Local authentication is attempted only if the other authentication methods fail.

30-2 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide-Release 8.1 78-15486-01