Chapter 34
Configuring RADIUS and TACACS+
Send documentation comments to mdsfeedback-doc@cisco.com
Step 3 When you are successfully authenticated through a remote AAA server, then the following possible actions are taken:
• If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
• If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
• If user roles are not successfully retrieved from the remote AAA server, then the user is assigned the network-operator role.
Step 4 When your user name and password are successfully authenticated locally, you are allowed to log in, and you are assigned the roles configured in the local database.
Figure 34-2 shows a flow chart of the authorization and authentication process.
OL-18084-01, Cisco MDS NX-OS Release 4.x
Figure 34-2 Switch Authorization and Authentication Flow (flow chart; image not reproduced in this extraction). Recovered node labels: Start; Incoming access request to switch; Local or Remote; First or next server lookup; Found a RADIUS server; No more servers left; RADIUS lookup; Accept; No response; Local database lookup; Success; Failure; Access permitted; Denied access.
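The decision flow of Figure 34-2 and Steps 3 and 4, as an added simulation that is not Cisco's code: servers are tried in order, a server that does not respond is skipped, the local database is consulted only when no servers are left, and roles come from the cisco-av-pair attribute (the `shell:roles="..."` value syntax and the server/local-database stand-ins are assumptions, not taken from this page).

```python
import hmac
from typing import Callable, Optional

DEFAULT_ROLE = "network-operator"          # assigned when no roles come back from AAA

def roles_from_av_pair(av_pair: Optional[str]) -> list[str]:
    """Extract role names from a cisco-av-pair value.
    The 'shell:roles="role1 role2"' syntax is assumed; the page only names the attribute."""
    prefix = "shell:roles="
    if not av_pair or not av_pair.startswith(prefix):
        return [DEFAULT_ROLE]
    roles = av_pair[len(prefix):].strip('"').split()
    return roles if roles else [DEFAULT_ROLE]

Server = Callable[[str, str], Optional[dict]]

def authenticate(servers: list[Server], local_db: dict, user: str, password: str):
    """Walk the configured servers in order (Figure 34-2). A server that does not
    respond is skipped; only when no servers are left is the local database consulted.
    Returns (permitted, roles, reason)."""
    for server in servers:
        reply = server(user, password)
        if reply is None:                      # "No response": first or next server
            continue
        if reply.get("accept"):                # Step 3: roles come from cisco-av-pair
            return True, roles_from_av_pair(reply.get("cisco-av-pair")), "remote"
        # A reachable server that rejects the credentials ends the flow: no local fallback
        return False, [], "rejected by remote server"
    # "No more servers left": Step 4, local database lookup
    entry = local_db.get(user)
    if entry and hmac.compare_digest(entry["password"], password):
        return True, list(entry["roles"]), "local"
    return False, [], "local lookup failed"

# Constructed stand-ins for AAA servers and the switch's local user database
def unreachable(user: str, password: str) -> Optional[dict]:
    return None                                # simulates a timed-out RADIUS server

def radius(user: str, password: str) -> Optional[dict]:
    if (user, password) == ("alice", "s3cret"):
        return {"accept": True, "cisco-av-pair": 'shell:roles="network-admin vsan-admin"'}
    if (user, password) == ("bob", "pw"):
        return {"accept": True}                # authenticated, but no roles returned
    return {"accept": False}

LOCAL_DB = {"admin": {"password": "local-pw", "roles": ["network-admin"]}}

if __name__ == "__main__":
    print(authenticate([unreachable, radius], LOCAL_DB, "alice", "s3cret"))
    print(authenticate([unreachable, unreachable], LOCAL_DB, "admin", "local-pw"))
```

The point worth checking in a real deployment is the same one the simulation encodes: the local database is reached only through the "no response" path, so an explicit reject from a reachable server is final.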
Cisco MDS 9000 Family CLI Configuration Guide
Switch AAA Functionalities
34-7