Cisco Systems 2960 Manual De Usuario
9-13
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 9 Configuring Switch-Based Authentication
Controlling Switch Access with TACACS+
Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring
a backup system if the initial method fails. The software uses the first method listed to authenticate, to
authorize, or to keep accounts on users; if that method does not respond, the software selects the next
method in the list. This process continues until there is successful communication with a listed method
or the method list is exhausted.
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring
a backup system if the initial method fails. The software uses the first method listed to authenticate, to
authorize, or to keep accounts on users; if that method does not respond, the software selects the next
method in the list. This process continues until there is successful communication with a listed method
or the method list is exhausted.
These sections contain this configuration information:
•
•
•
•
•
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management
application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Note
Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates
HTTP connections that have been configured with a privilege level of 15.
HTTP connections that have been configured with a privilege level of 15.
Identifying the TACACS+ Server Host and Setting the Authentication Key
You can configure the switch to use a single server or AAA server groups to group existing server hosts
for authentication. You can group servers to select a subset of the configured server hosts and use them
for a particular service. The server group is used with a global server-host list and contains the list of IP
addresses of the selected server hosts.
for authentication. You can group servers to select a subset of the configured server hosts and use them
for a particular service. The server group is used with a global server-host list and contains the list of IP
addresses of the selected server hosts.