Cisco WS-C2960-24PC-L Software Guide - Page 485
Understanding How Authorization Works, Authorization Events, TACACS+ Primary and Fallback Options
Chapter 30 Configuring Switch Access Using AAA

Console> (enable) set authentication enable local disable telnet
local enable authentication set to disable for telnet session.
Console> (enable) show tacacs
Tacacs key: tintin_et_milou
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled

Tacacs-Server      Status
                   ------
172.20.52.10       primary
Console> (enable)

Understanding How Authorization Works

The Catalyst 4500 series switch supports TACACS+ and RADIUS authorization to control access to the switch. Authorization limits access to specified users using a dynamically applied access list (or user profile) based on the username and password pair. The access list resides on the host running the TACACS+ or RADIUS server. The server responds to the user password information and applies the access list.

Authorization Events

You can enable TACACS+ authorization for the following:

• Commands - When the authorization feature is enabled for commands, the user must supply a valid username and password pair to execute certain commands. You can require authorization for all commands or for configuration (enable mode) commands only. When a user enters a command, the authorization server receives the command and user information and compares it against an access list. If the user is authorized to enter that command, the command is executed; otherwise, the command is not executed.
• EXEC mode (normal login) - When the authorization feature is enabled for EXEC mode, the user must supply a valid username and password pair to access the EXEC mode. Authorization is required only if you have enabled the authorization feature.
• Enable mode (privileged login) - When the authorization feature is enabled for enable mode, the user must supply a valid username and password pair to access enable mode. Authorization is required only if you have enabled the authorization feature for enable mode.
TACACS+ Primary and Fallback Options

You can specify the primary and fallback options that are used in the authorization process. The following primary options and fallback options are available:

• tacacs+ - If you have been authenticated and there is no response from the TACACS+ server, authorization succeeds immediately.
• if-authenticated - If you have been authenticated and there is no response from the TACACS+ server, authorization succeeds immediately.
• none - Authorization succeeds if the TACACS+ server does not respond.
• deny - Authorization fails if the TACACS+ server fails to respond. The Deny option is a fallback option only. This is the default behavior.

78-15486-01 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide - Release 8.1 30-41
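The option list above determines whether an authorization event fails open or fails closed when the TACACS+ server is unreachable. The following audit script is an added example, not code from the Cisco guide: it applies the four no-response outcomes as this page lists them to a constructed configuration and reports the entries that still grant access. The `set authorization` line shape it parses is not shown on this page and is an assumption, as are the function names `parse` and `audit` and the rule that the fallback option decides when the primary is `tacacs+`.

```python
# No-response outcome per option, as listed above: authenticated? -> authorized?
NO_RESPONSE = {
    "tacacs+": lambda authenticated: authenticated,
    "if-authenticated": lambda authenticated: authenticated,
    "none": lambda authenticated: True,
    "deny": lambda authenticated: False,
}

def parse(line):
    """Split one line of the ASSUMED form
    set authorization <event> enable [config|all] <primary> [<fallback>] [console|telnet|both]
    into (event, primary, fallback, sessions)."""
    tok = line.split()
    if len(tok) < 5 or tok[:2] != ["set", "authorization"] or tok[3] != "enable":
        raise ValueError(f"not an authorization line: {line!r}")
    event, rest = tok[2], tok[4:]
    if event == "commands" and rest[0] in ("config", "all"):
        event = f"commands/{rest.pop(0)}"
    sessions = ["console", "telnet"]  # assumed meaning of "both" or no keyword
    if rest and rest[-1] in ("console", "telnet", "both"):
        where = rest.pop()
        sessions = sessions if where == "both" else [where]
    primary = rest[0] if rest else ""
    fallback = rest[1] if len(rest) > 1 else "deny"  # page: deny is the default
    if (len(rest) > 2 or primary not in NO_RESPONSE or primary == "deny"
            or fallback not in NO_RESPONSE):          # page: deny is fallback only
        raise ValueError(f"bad options in {line!r}")
    return event, primary, fallback, sessions

def audit(config):
    """List (event, session, exposure) for entries that still grant access when
    the server is silent. ASSUMPTION: the fallback option decides then if the
    primary is tacacs+; any other primary decides by itself."""
    findings = []
    for line in filter(None, map(str.strip, config.splitlines())):
        event, primary, fallback, sessions = parse(line)
        decide = NO_RESPONSE[fallback if primary == "tacacs+" else primary]
        if decide(True):  # fails open for at least authenticated users
            exposure = "anyone" if decide(False) else "authenticated users"
            findings += [(event, s, exposure) for s in sessions]
    return sorted(findings)

# Constructed sample configuration (not from the page).
SAMPLE = """
set authorization exec enable tacacs+ none telnet
set authorization enable enable tacacs+ if-authenticated both
set authorization commands enable config tacacs+ deny both
"""
for row in audit(SAMPLE):
    print(*row)
```

Entries whose deciding option is `deny` produce no finding, so an empty result means every audited event fails closed during a server outage.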