Controlling Switch Access with TACACS+
TACACS+ Operation
When a user attempts a simple ASCII login by authenticating to a switch using TACACS+, this process
occurs:
1.
2.
3.
Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring
a backup system if the initial method fails. The software uses the first method listed to authenticate, to
authorize, or to keep accounts on users; if that method does not respond, the software selects the next
method in the list. This process continues until there is successful communication with a listed method
or the method list is exhausted.
Catalyst 2928 Switch Software Configuration Guide
8-12
When the connection is established, the switch contacts the TACACS+ daemon to obtain a username
prompt to show to the user. The user enters a username, and the switch then contacts the TACACS+
daemon to obtain a password prompt. The switch displays the password prompt to the user, the user
enters a password, and the password is then sent to the TACACS+ daemon.
TACACS+ allows a dialog between the daemon and the user until the daemon receives enough
information to authenticate the user. The daemon prompts for a username and password
combination, but can include other items, such as the user's mother's maiden name.
The switch eventually receives one of these responses from the TACACS+ daemon:
ACCEPT—The user is authenticated and service can begin. If the switch is configured to
•
require authorization, authorization begins at this time.
•
REJECT—The user is not authenticated. The user can be denied access or is prompted to retry
the login sequence, depending on the TACACS+ daemon.
•
ERROR—An error occurred at some time during authentication with the daemon or in the
network connection between the daemon and the switch. If an ERROR response is received, the
switch typically tries to use an alternative method for authenticating the user.
CONTINUE—The user is prompted for additional authentication information.
•
After authentication, the user undergoes an additional authorization phase if authorization has been
enabled on the switch. Users must first successfully complete TACACS+ authentication before
proceeding to TACACS+ authorization.
If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an
ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response
contains data in the form of attributes that direct the EXEC or NETWORK session for that user and
the services that the user can access:
•
Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services
•
Connection parameters, including the host or client IP address, access list, and user timeouts
Chapter 8
Configuring Switch-Based Authentication
OL-23389-01