Administrator Guide
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
4. Assign the method-list to the terminal line.
LINE mode
login authentication {method-list-name | default}
To view the configuration, use the show config in LINE mode or the show running-config tacacs+ command in EXEC
Privilege mode.
If authentication fails using the primary method, the system employs the second method (or third method, if necessary) automatically. For
example, if the TACACS+ server is reachable, but the server key is invalid, the system proceeds to the next authentication method. In the
following example, the TACACS+ is incorrect, but the user is still authenticated by the secondary method.
First bold line: Server key purposely changed to incorrect value.
Second bold line: User authenticated using the secondary method.
Dell(conf)#
Dell(conf)#do show run aaa
!
aaa authentication enable default tacacs+ enable
aaa authentication enable LOCAL enable tacacs+
aaa authentication login default tacacs+ local
aaa authentication login LOCAL local tacacs+
aaa authorization exec default tacacs+ none
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
Dell(conf)#
Dell(conf)#do show run tacacs+
!
tacacs-server key 7 d05206c308f4d35b
tacacs-server host 10.10.10.10 timeout 1
Dell(conf)#
tacacs-server key angeline
Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on
vty0 (10.11.9.209)
%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password
authentication success on vty0 ( 10.11.9.209 )
%SYSTEM-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line
vty0 (10.11.9.209)
Dell(conf)#username angeline password angeline
Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline
on vty0 (10.11.9.209)
%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password
authentication success on vty0 ( 10.11.9.209 )
Monitoring TACACS+
To view information on TACACS+ transactions, use the following command.
• View TACACS+ transactions to troubleshoot problems.
EXEC Privilege mode
debug tacacs+
TACACS+ Remote Authentication and Authorization
The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet
sizes.
If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets this
access class information from the TACACS+ server. The system must know the username and password of the incoming user before it
can fetch the access class from the server. A user, therefore, at least sees the login prompt. If the access class denies the connection, the
system closes the Telnet session immediately.
The following example demonstrates how to configure the access-class from a TACACS+ server. This configuration ignores the
configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+ server, the system downloads it and
Security
823