Chapter 3
Configuring the Switch for the First Time
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process
occurs:
1.
2.
3.
Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods used to authenticate, to authorize, or to keep accounts on
a user. Use method lists to designate one or more security protocols, ensuring a backup system if the
initial method fails. The software uses the first method listed to authenticate, to authorize, or to keep
accounts on users; if that method does not respond, the software selects the next method in the list. This
process continues until there is successful communication with a listed method or the method list is
exhausted.
This section contains the following configuration information:
•
•
•
OL-30933-01
When the connection is established, the switch contacts the TACACS+ daemon to obtain a username
prompt, which is then displayed to the user. The user enters a username, and the switch then contacts
the TACACS+ daemon to obtain a password prompt. The switch displays the password prompt to
the user, the user enters a password, and the password is then sent to the TACACS+ daemon.
TACACS+ allows a conversation between the daemon and the user until the daemon receives enough
information to authenticate the user. The daemon prompts for a username and password
combination, but can include other items such as the user's mother's maiden name.
The switch eventually receives one of these responses from the TACACS+ daemon:
ACCEPT—The user is authenticated and service can begin. If the switch is configured to
•
require authorization, authorization begins at this time.
REJECT—The user is not authenticated. The user can be denied access or is prompted to retry
•
the login sequence, depending on the TACACS+ daemon.
ERROR—An error occurred at some time during authentication with the daemon or in the
•
network connection between the daemon and the switch. If an ERROR response is received, the
switch typically tries to use an alternative method for authenticating the user.
CONTINUE—The user is prompted for additional authentication information.
•
After authentication, the user undergoes an additional authorization phase if authorization has been
enabled on the switch. Users must first successfully complete TACACS+ authentication before
proceeding to TACACS+ authorization.
If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
contains data in the form of attributes that direct the EXEC or NETWORK session for that user and
the services that the user can access:
Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
•
Connection parameters, including the host or client IP address, access list, and user timeouts
•
Default TACACS+ Configuration, page 3-18
Identifying the TACACS+ Server Host and Setting the Authentication Key, page 3-18
Configuring TACACS+ Login Authentication, page 3-19
Controlling Access to Privileged EXEC Commands
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
3-17