Users Guide

Authentication, Authorization, and Accounting 309
TACACS+ Authentication Example
Use the following configuration to require TACACS+ authentication when
logging in over a Telnet connection:
1 Create a login authentication list called "tacplus" that contains the
  method tacacs. If this method returns an error, the user will fail to log in:
  console#config
  console(config)#aaa authentication login "tacplus" tacacs
2 Create an enable authentication list called "tacp" that contains the
  method tacacs. If this method fails, the user will fail to execute the
  enable command:
  console(config)#aaa authentication enable "tacp" tacacs
3 The following command is the first step in defining a TACACS+ server at
  IP address 1.2.3.4. The result of this command is to place the user in
  tacacs-server mode to allow further configuration of the server:
  console(config)#tacacs-server host 1.2.3.4
4 Define the shared secret. This must be the same as the shared secret
  defined on the TACACS+ server:
  console(config-tacacs)#key "secret"
  console(config-tacacs)#exit
5 Enter the configuration mode for the Telnet line:
  console(config)#line telnet
6 Assign the tacplus login authentication method list to be used for users
  accessing the switch via Telnet:
  console(config-telnet)#login authentication tacplus
7 Assign the tacp enable authentication method list to be used for users
  executing the enable command when accessing the switch via Telnet:
  console(config-telnet)#enable authentication tacp
  console(config-telnet)#exit
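The following Python script is an added illustration, not part of this guide, of why the key in step 4 must match on both sides: a TACACS+ authentication START packet (RFC 8907) is XOR-obfuscated with a chained-MD5 pseudo-pad derived from the shared secret, so a server configured with a different key recovers only garbage. The user name, port, source address and session id are constructed sample values.

```python
import hashlib
import struct

# TACACS+ header constants from RFC 8907.
VERSION = 0xC0        # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01    # authentication packet
FLAGS = 0x00          # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """Chained MD5 pad: MD5(sid|key|ver|seq), then MD5(sid|key|ver|seq|prev), ..."""
    sid = struct.pack("!I", session_id)
    tail = bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(sid + key + tail + prev).digest()
        pad += prev
    return pad[:n]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR with the pad; applying it twice with the same key restores the body.
    Note this is obfuscation keyed by the shared secret, not authenticated encryption."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """START body for an ASCII login; priv_lvl 1 matches User Exec after login."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    # action=LOGIN, priv_lvl, authen_type=ASCII, service=LOGIN, then field lengths
    return bytes([0x01, priv_lvl, 0x01, 0x01, len(u), len(p), len(r), 0]) + u + p + r


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    header = HDR.pack(VERSION, TYPE_AUTHEN, seq_no, FLAGS, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def decode_packet(packet: bytes, key: bytes) -> bytes:
    """What a server holding `key` sees as the body; wrong key gives garbage."""
    _ver, _type, seq_no, _flags, session_id, length = HDR.unpack(packet[:HDR.size])
    return obfuscate(packet[HDR.size:HDR.size + length], session_id, key, seq_no)


if __name__ == "__main__":
    # Constructed sample values; the key is the one from step 4 of the guide.
    body = authen_start_body("admin", "telnet", "192.0.2.10")
    pkt = build_packet(body, session_id=0x1A2B3C4D, key=b"secret")
    print(decode_packet(pkt, b"secret") == body)   # True: keys match
    print(decode_packet(pkt, b"wrong") == body)    # False: key mismatch
```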
NOTE: A user logging in with this configuration would be placed in User Exec
mode with privilege level 1. To access Privileged Exec mode with privilege level 15,
use the enable command.