Administrator Guide
If authentication fails using the primary method, the system employs the second method (or third method, if necessary) automatically. For
example, if the TACACS+ server is reachable, but the server key is invalid, the system proceeds to the next authentication method. In the
following example, the TACACS+ is incorrect, but the user is still authenticated by the secondary method.
First bold line: Server key purposely changed to incorrect value.
Second bold line: User authenticated using the secondary method.
Dell(conf)#
Dell(conf)#do show run aaa
!
aaa authentication enable default tacacs+ enable
aaa authentication enable LOCAL enable tacacs+
aaa authentication login default tacacs+ local
aaa authentication login LOCAL local tacacs+
aaa authorization exec default tacacs+ none
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
Dell(conf)#
Dell(conf)#do show run tacacs+
!
tacacs-server key 7 d05206c308f4d35b
tacacs-server host 10.10.10.10 timeout 1
Dell(conf)#tacacs-server key angeline
Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on
vty0 (10.11.9.209)
%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password
authentication success on vty0 ( 10.11.9.209 )
%SYSTEM-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line
vty0 (10.11.9.209)
Dell(conf)#username angeline password angeline
Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline
on vty0 (10.11.9.209)
%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password
authentication success on vty0 ( 10.11.9.209 )
Monitoring TACACS+
To view information on TACACS+ transactions, use the following command.
• View TACACS+ transactions to troubleshoot problems.
EXEC Privilege mode
debug tacacs+
TACACS+ Remote Authentication and Authorization
The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet
sizes.
If you have congured remote authorization, the system ignores the access class you have congured for the VTY line and gets this access
class information from the TACACS+ server. The system must know the username and password of the incoming user before it can fetch
the access class from the server. A user, therefore, at least sees the login prompt. If the access class denies the connection, the system
closes the Telnet session immediately.
The following example demonstrates how to congure the access-class from a TACACS+ server. This conguration ignores the congured
access-class on the VTY line. If you have congured a deny10 ACL on the TACACS+ server, the system downloads it and applies it. If the
896
Security