Configuring authentication-method lists for TACACS and TACACS+ – Brocade Communications Systems Brocade ICX 6650 User Manual


Brocade ICX 6650 Security Configuration Guide

53-1002601-01

TACACS and TACACS+ security

Configuring authentication-method lists for TACACS and TACACS+

You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC
level and CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create
authentication-method lists specifically for these access methods, specifying TACACS/TACACS+ as
the primary authentication method.

Within the authentication-method list, TACACS/TACACS+ is specified as the primary authentication
method and up to six backup authentication methods are specified as alternates. If
TACACS/TACACS+ authentication fails due to an error, the device tries the backup authentication
methods in the order they appear in the list.

When you configure authentication-method lists for TACACS/TACACS+ authentication, you must
create a separate authentication-method list for Telnet/SSH CLI access, and for access to the
Privileged EXEC level and CONFIG levels of the CLI.

To create an authentication-method list that specifies TACACS/TACACS+ as the primary
authentication method for securing Telnet/SSH access to the CLI, enter the following commands:

Brocade(config)# enable telnet authentication
Brocade(config)# aaa authentication login default tacacs local

The commands above cause TACACS/TACACS+ to be the primary authentication method for
securing Telnet/SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with
the server, authentication is performed using local user accounts instead.

To create an authentication-method list that specifies TACACS/TACACS+ as the primary
authentication method for securing access to the Privileged EXEC level and CONFIG levels of the CLI,
enter the following command:

Brocade(config)# aaa authentication enable default tacacs local none

The command above causes TACACS/TACACS+ to be the primary authentication method for
securing access to Privileged EXEC level and CONFIG levels of the CLI. If TACACS/TACACS+
authentication fails due to an error with the server, local authentication is used instead. If local
authentication fails, no authentication is used; the device automatically permits access.

Syntax: [no] aaa authentication enable | login default method1 [method2] [method3] [method4] [method5] [method6] [method7]

The enable | login parameter specifies the type of access this authentication-method list controls.
You can configure one authentication-method list for each type of access.

The method1 parameter specifies the primary authentication method. The remaining optional
method parameters specify additional methods to try if an error occurs with the primary method. A
method can be one of the values listed in the Method Parameter column in the following table.
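The following Python script is an added example, not code from the Brocade guide. It models the fall-through rule described above (a backup method is consulted only when the method before it fails with an error, and a "none" entry permits access with no authentication) and runs a small audit over aaa authentication lines to flag lists that end in "none". The outcome names, the simulated backend callbacks, and the decision to deny when every listed method errors with no "none" present are assumptions of this model, not behaviour documented on this page.

```python
# Added example (not from the Brocade guide): a small model of how an
# "aaa authentication enable|login default method1 ... method7" list is
# walked, plus an audit that flags a "none" backup method. Outcome names,
# the backend callbacks and the deny-on-exhaustion rule are assumptions.
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, ERROR = "accept", "reject", "error"
MAX_METHODS = 7                     # method1 plus up to six backup methods
ACCESS_TYPES = ("enable", "login")  # the two list types the syntax allows


def parse_aaa_line(line: str) -> Tuple[str, List[str]]:
    """Return (access_type, [method1, ...]) from one aaa authentication line."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[:2] != ["aaa", "authentication"] or tokens[3] != "default":
        raise ValueError(f"not an aaa authentication line: {line!r}")
    access_type = tokens[2]
    if access_type not in ACCESS_TYPES:
        raise ValueError(f"access type must be enable or login, got {access_type!r}")
    methods = tokens[4:]
    if len(methods) > MAX_METHODS:
        raise ValueError(f"at most {MAX_METHODS} methods allowed, got {len(methods)}")
    return access_type, methods


def evaluate(methods: List[str], backends: Dict[str, Callable[[], str]]) -> Tuple[str, str]:
    """Walk the list in order and return (decision, deciding_method).

    Per the guide, a backup method is consulted only when the current one
    fails due to an ERROR (for example, the server is unreachable); a REJECT
    is final. "none" means no authentication: access is permitted outright.
    """
    for method in methods:
        if method == "none":
            return ACCEPT, "none"
        result = backends[method]()  # simulated backend; an assumption of this model
        if result in (ACCEPT, REJECT):
            return result, method
        # result == ERROR: fall through to the next backup method
    # Every method errored and no "none" was listed. The guide does not
    # describe this case; treating it as deny is an assumption of this model.
    return REJECT, "exhausted"


def audit(line: str) -> List[str]:
    """Flag method lists whose fall-through ends in unauthenticated access."""
    access_type, methods = parse_aaa_line(line)
    findings = []
    if "none" in methods:
        pos = methods.index("none") + 1
        findings.append(
            f"{access_type}: method {pos} is 'none'; if every earlier method errors, "
            f"access is granted without credentials"
        )
    if methods[0] != "tacacs":
        findings.append(f"{access_type}: primary method is {methods[0]!r}, not tacacs")
    return findings


if __name__ == "__main__":
    # Constructed scenario: both the TACACS+ server and the local database error.
    down = {"tacacs": lambda: ERROR, "local": lambda: ERROR}
    for cfg in ("aaa authentication enable default tacacs local none",
                "aaa authentication login default tacacs local"):
        _, methods = parse_aaa_line(cfg)
        print(cfg, "->", evaluate(methods, down), audit(cfg))
```

Running the script with both backends erroring shows the difference between the two lists on this page: "tacacs local none" ends in an accept from "none", while "tacacs local" ends without a grant. A rejection from the primary method, by contrast, is final in this model and never reaches the backups, which is the distinction the text draws between "fails due to an error" and a failed login.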

TABLE 4  Authentication method values

Method parameter   Description
line               Authenticate using the password you configured for Telnet access. The Telnet
                   password is configured using the enable telnet password… command. Refer to
                   “Setting a Telnet password” on page 13.
enable             Authenticate using the password you configured for the Super User privilege
                   level. This password is configured using the enable super-user-password…
                   command. Refer to “Setting passwords for management privilege levels” on page 14.
