Configuration Guide Vol. 1


10.3.3 Configuring authentication with TACACS+ servers

<Structure of this section>

(1) Login Authentication Configuration Example

Points to note

The example below shows how to configure TACACS+ authentication followed by local authentication. Configure the settings so that local authentication is performed only when TACACS+ authentication fails because of an abnormality, for example, when communication with the TACACS+ server fails. If authentication fails because the TACACS+ server denies it, the whole authentication process ends at that point, and no local authentication is performed.

The usual setup for remote access must be completed in advance.

Command examples

  1. (config)# aaa authentication login default group tacacs+ local

    Sets TACACS+ authentication and local authentication, in that order, as the authentication methods to be used when a user logs in.

  2. (config)# aaa authentication login end-by-reject

    Configures the settings so that the whole authentication process ends when denied by TACACS+ authentication and no local authentication is performed.

  3. (config)# tacacs-server host 192.168.10.1 key "4h8dlir9r-w2"

    Sets IP address 192.168.10.1 as the server to be used for TACACS+ authentication and a shared key for communication with the server.

(2) Authentication setting when changing to administrator mode (enable command)

Points to note

The example below shows how to configure TACACS+ authentication followed by local authentication for the enable command. Configure the settings so that local authentication is performed only when TACACS+ authentication fails because of an abnormality, for example, when communication with the TACACS+ server fails. If authentication fails because the TACACS+ server denies it, the whole authentication process ends at that point, and no local authentication is performed.

Also set the login user name to be sent as the user name attribute when performing TACACS+ authentication.

Command examples

  1. (config)# aaa authentication enable default group tacacs+ enable

    Sets TACACS+ authentication and local authentication, in that order, as the authentication methods to be used when the user changes to administrator mode (by the enable command).

  2. (config)# aaa authentication enable end-by-reject

    Configures the settings so that the whole authentication process ends when denied by TACACS+ authentication and no local authentication is performed.

  3. (config)# aaa authentication enable attribute-user-per-method

    Sets the login user name to be sent as the user name attribute when performing TACACS+ authentication.

  4. (config)# tacacs-server host 192.168.10.1 key "4h8dlir9r-w2"

    Sets IP address 192.168.10.1 as the server to be used for TACACS+ authentication and a shared key for communication with the server.
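The fall-through rule shared by (1) and (2), as an added model that is not part of this guide or of the switch software: a small Python simulation of the method list with and without end-by-reject. The method names, the three outcome values and the two scenarios are constructed assumptions based only on the description above.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"   # server verified the credentials
    REJECT = "reject"   # server reached, credentials denied
    ERROR = "error"     # server unreachable or no reply (abnormality)


def authenticate(methods, responses, end_by_reject):
    """Walk an AAA method list as described in the text (assumed model).

    methods       : ordered method names, e.g. ["tacacs+", "local"]
    responses     : constructed outcome each method would return
    end_by_reject : True when `aaa authentication ... end-by-reject` is set

    Returns (final_result, method_that_decided); method is None when no
    method accepted the user.
    """
    last = Result.ERROR
    for method in methods:
        last = responses[method]
        if last is Result.ACCEPT:
            return Result.ACCEPT, method
        if last is Result.REJECT and end_by_reject:
            # Denied by this method: stop here, do not fall through to the next one
            return Result.REJECT, method
        # ERROR (or REJECT without end-by-reject): try the next method
    return last, None


# Constructed scenarios: TACACS+ server reachable and denying, or unreachable.
METHODS = ["tacacs+", "local"]
SERVER_DENIES = {"tacacs+": Result.REJECT, "local": Result.ACCEPT}
SERVER_DOWN = {"tacacs+": Result.ERROR, "local": Result.ACCEPT}
ALL_DOWN = {"tacacs+": Result.ERROR, "local": Result.ERROR}


if __name__ == "__main__":
    for flag in (False, True):
        print(f"end-by-reject={flag}:",
              "denied ->", authenticate(METHODS, SERVER_DENIES, flag),
              "| server down ->", authenticate(METHODS, SERVER_DOWN, flag))
```

Without end-by-reject a denial from the TACACS+ server falls through to the local password; with it, only a server failure reaches local authentication.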