Cisco WS-C4003 Software Guide - Page 356
Authentication Overview, Understanding How Login Authentication Works, Understanding How Local
Chapter 27 Configuring Switch Access Using AAA
Understanding How Authentication Works

Authentication Overview

You can configure any combination of these authentication methods to control access to the switch:

• Login authentication
• Local authentication
• TACACS+ authentication
• RADIUS authentication
• Kerberos authentication
• 802.1x authentication

Note: Kerberos authentication does not work if TACACS+ is used as the authentication method.

When local authentication is enabled together with one or more other authentication methods, local authentication is always attempted last. However, you can specify different authentication methods for console and Telnet connections. For example, you might use local authentication for console connections and RADIUS authentication for Telnet connections.

Understanding How Login Authentication Works

Login authentication increases the security of the system by limiting the number of password guesses an unauthorized user can make. The user is allowed only a specific number of attempts to log in to the switch successfully. If the user fails to supply the correct password within that number of attempts, the system delays any subsequent accesses and records the user ID and the IP address of the station in the syslog and in an SNMP trap.

You can set the login authentication attempt limit to any value from three to ten tries. The default limit is three. When the limit is reached without a successful login, SNMP traps and syslog messages are generated and the lockout restriction takes effect. If you set the login attempt limit to zero (0), login limit checking is disabled.

If you attempt to log in to privileged mode and fail, the system disables execution of the enable command for the lockout period. The lockout time is configurable from the CLI and SNMP; the configurable range is 30 to 600 seconds. If you are locked out at the console, the console does not allow you to log in during the lockout time. If you are locked out during a Telnet session, the connection closes when the limit is reached, and any subsequent accesses from that station are closed immediately by the switch during the lockout time, with appropriate notice.

Understanding How Local Authentication Works

Local authentication uses locally configured login and enable passwords to authenticate login attempts. The login and enable passwords are local to each switch and are not mapped to individual user names. Local authentication is enabled by default, but it can be disabled if one of the other authentication methods is enabled. If local authentication is disabled and you then disable all other authentication methods, local authentication is reenabled automatically.

You can enable local authentication and one or more of the other authentication methods at the same time. Local authentication is only attempted if the other authentication methods fail.

27-2 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 78-12647-02
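The attempt-limit and lockout behaviour described in the login authentication section, modelled as an added Python example. This is not Cisco software or CatOS code; it assumes that failed attempts are counted per station (keyed by the station's IP address), that timestamps are passed in explicitly so the model is deterministic, and that the syslog message and SNMP trap are recorded in a list rather than sent anywhere. The value ranges (0 or 3..10 attempts, 30..600 seconds) are the ones the manual states.

```python
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    """Model of a per-station login-attempt limit with a timed lockout.

    max_attempts: failed attempts allowed before lockout (3..10), or 0 to
                  disable limit checking, as the manual describes.
    lockout_seconds: how long a locked-out station is refused (30..600).
    """
    max_attempts: int = 3
    lockout_seconds: int = 30
    failures: dict = field(default_factory=dict)      # station -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # station -> unlock timestamp
    events: list = field(default_factory=list)        # (channel, message) records

    def __post_init__(self):
        # Reject values outside the ranges the manual states.
        if self.max_attempts != 0 and not 3 <= self.max_attempts <= 10:
            raise ValueError("attempt limit must be 0 (disabled) or 3..10")
        if not 30 <= self.lockout_seconds <= 600:
            raise ValueError("lockout time must be 30..600 seconds")

    def _notify(self, station, user, text):
        # A real switch would emit a syslog message and an SNMP trap here;
        # this model only records them (assumption) so they can be inspected.
        msg = f"login {text}: user={user} station={station}"
        self.events.append(("syslog", msg))
        self.events.append(("snmp-trap", msg))

    def attempt(self, station, user, password_ok, now):
        """Process one login attempt at time `now` (seconds) and return the outcome."""
        if now < self.locked_until.get(station, 0):
            # During the lockout the switch closes the access immediately,
            # even if the password would have been correct.
            self.events.append(("syslog", f"access from {station} refused during lockout"))
            return "closed"
        if password_ok:
            self.failures.pop(station, None)   # success resets the counter
            return "accepted"
        if self.max_attempts == 0:
            return "rejected"                  # limit checking disabled: no count, no lockout
        count = self.failures.get(station, 0) + 1
        self.failures[station] = count
        if count >= self.max_attempts:
            self.failures.pop(station, None)
            self.locked_until[station] = now + self.lockout_seconds
            self._notify(station, user, "limit reached, station locked out")
            return "locked"
        return "rejected"


def run_demo():
    """Three bad passwords from one station, a probe during lockout, then success after it."""
    guard = LoginGuard(max_attempts=3, lockout_seconds=60)
    station, user = "192.0.2.10", "admin"     # constructed sample values
    timeline = [(0, False), (1, False), (2, False), (10, False), (70, True)]
    return [guard.attempt(station, user, ok, t) for t, ok in timeline]


if __name__ == "__main__":
    print(run_demo())
```

The point worth checking in the model is the ordering inside `attempt`: the lockout test runs before the password is even considered, so a correct password offered during the lockout window is still closed, which matches the manual's "closed immediately by the switch during the lockout time"; and with the limit set to 0 no counter is kept at all, so no syslog or trap is ever raised for repeated failures.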