21-2
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4
78-13315-02
Chapter 21 Configuring Switch Access Using AAA
Understanding How Authentication Works
Authentication Overview
You can configure any combination of these authentication methods to control access to the switch:
• Login authentication
• Local authentication
• RADIUS authentication
• TACACS+ authentication
• Kerberos authentication
• 802.1x authentication
Note: Kerberos authentication does not work if TACACS+ is used as the authentication method.
When you enable local authentication with one or more other authentication methods, local
authentication is always attempted last. However, you can specify different authentication methods
for console and Telnet connections. For example, you might use local authentication for console
connections and RADIUS authentication for Telnet connections.
Understanding How Login Authentication Works
Login authentication increases the security of the system by keeping unauthorized users from guessing
the password. The user is limited to a specific number of attempts to log in to the switch successfully.
If the user fails to supply the correct password within that number of attempts, the system delays further
access and records the user ID and the IP address of the station in the syslog and in an SNMP trap.
You can set the number of allowed login attempts to a value from three (the default) to ten.
When a user reaches the set limit without successfully logging in, SNMP traps and syslog messages are
generated and the lockout restriction takes effect. Setting the login attempt limit to zero (0) disables
login limit checking.
If a user attempts to log in to privileged mode and fails, the system disables execution of the enable
command for the lockout period.
The lockout time is configurable from the CLI and SNMP. The configurable range is 30 to 600 seconds.
If a user is locked out at the console, the console does not allow the user to log in during that lockout
time. If a user is locked out with a Telnet session, the connection closes when the limit is reached, and
any subsequent accesses from that station are closed immediately (with proper notice) by the switch
during the lockout time.
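The attempt-limit and lockout behaviour described above, modelled as an added example (this is constructed illustration code, not Catalyst OS software). It keeps a failed-login counter per source station, emits syslog- and trap-style records when the limit is reached, refuses access for the configured lockout period, and enforces the page's configurable ranges (3 to 10 attempts, or 0 to disable checking; 30 to 600 seconds of lockout). Console and Telnet lockouts are treated alike here; on the switch the console refuses logins while a Telnet session is closed. The station address is an RFC 5737 test value chosen for the example.

```python
"""Model of the login-attempt limit and lockout described in the guide.

Constructed example: not Catalyst OS code, only an illustration of the
policy the text describes.
"""
from dataclasses import dataclass, field

DEFAULT_ATTEMPTS = 3        # default allowed attempts (three)
ATTEMPT_RANGE = (3, 10)     # configurable range; 0 disables limit checking
LOCKOUT_RANGE = (30, 600)   # lockout time range in seconds


@dataclass
class LoginGuard:
    attempt_limit: int = DEFAULT_ATTEMPTS
    lockout_secs: int = 30
    failures: dict = field(default_factory=dict)      # station -> failed count
    locked_until: dict = field(default_factory=dict)  # station -> unlock time
    log: list = field(default_factory=list)           # syslog / trap records

    def set_attempt_limit(self, n):
        """Accept 0 (disable checking) or a value in the 3..10 range."""
        if n != 0 and not ATTEMPT_RANGE[0] <= n <= ATTEMPT_RANGE[1]:
            raise ValueError("attempt limit must be 0 or 3..10")
        self.attempt_limit = n

    def set_lockout(self, secs):
        """Accept a lockout time in the 30..600 second range."""
        if not LOCKOUT_RANGE[0] <= secs <= LOCKOUT_RANGE[1]:
            raise ValueError("lockout time must be 30..600 seconds")
        self.lockout_secs = secs

    def is_locked(self, station, now):
        return self.locked_until.get(station, 0) > now

    def attempt(self, station, user, password_ok, now):
        """Process one login attempt; return 'ok', 'fail' or 'locked'."""
        if self.is_locked(station, now):
            # Access from a locked-out station is refused immediately.
            self.log.append(f"LOCKED station={station} user={user} t={now}")
            return "locked"
        if password_ok:
            self.failures.pop(station, None)
            return "ok"
        self.failures[station] = self.failures.get(station, 0) + 1
        if self.attempt_limit and self.failures[station] >= self.attempt_limit:
            # Limit reached: start the lockout and record who and where from.
            self.locked_until[station] = now + self.lockout_secs
            self.failures.pop(station, None)
            self.log.append(
                f"SYSLOG: login lockout station={station} user={user} t={now}")
            self.log.append(f"TRAP: loginFailure station={station} user={user}")
        return "fail"


def demo():
    """Three bad passwords, one attempt during lockout, one after it expires."""
    guard = LoginGuard()
    guard.set_lockout(60)
    station = "192.0.2.10"  # constructed test address
    results = [guard.attempt(station, "admin", False, t) for t in (0, 1, 2)]
    results.append(guard.attempt(station, "admin", True, 3))   # still locked
    results.append(guard.attempt(station, "admin", True, 63))  # lockout over
    return results, guard.log


if __name__ == "__main__":
    outcomes, records = demo()
    print(outcomes)
    print("\n".join(records))
```

The same guard can be reused for privileged-mode attempts, which is how the text describes the enable command being disabled for the lockout period; the records it produces are the events a monitoring system should alert on, since a burst of lockouts from one station is the guessing activity the limit exists to stop.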
Understanding How Local Authentication Works
Local authentication uses locally configured login and enable passwords to authenticate login attempts.
The login and enable passwords are local to each switch and are not mapped to individual user names.
By default, local authentication is enabled. You can disable local authentication only after enabling one
or more of the other authentication methods. However, if local authentication is disabled and you then
disable all other authentication methods, local authentication is reenabled automatically.
You can enable local authentication and one or more of the other authentication methods at the same
time. The switch attempts local authentication only if the other authentication methods fail.
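The rules for combining methods stated in the overview and in this section, modelled as an added example (constructed illustration code, not Catalyst OS software): methods are tracked separately for console and Telnet connections, local authentication can be disabled only while another method is enabled, it is re-enabled automatically when the last other method is disabled, and it is always tried last. The page does not state the relative order of RADIUS, TACACS+ and Kerberos, so the model tries them in the order they were enabled; that ordering is an assumption of the example. 802.1x is omitted because it is port-based rather than a login method.

```python
"""Model of how login authentication methods combine on the switch.

Constructed example, not Catalyst OS code. Names: 'tacacs' stands for
TACACS+; the order among non-local methods is the order they were enabled,
which the guide does not specify (assumption of this model).
"""
OTHER_METHODS = ("radius", "tacacs", "kerberos")
CONNECTIONS = ("console", "telnet")


class AuthPolicy:
    def __init__(self):
        # Local authentication is enabled by default for both connection types.
        self.enabled = {conn: ["local"] for conn in CONNECTIONS}

    def enable(self, method, conn):
        if method != "local" and method not in OTHER_METHODS:
            raise ValueError(f"unknown method {method}")
        if method not in self.enabled[conn]:
            self.enabled[conn].append(method)

    def disable(self, method, conn):
        methods = self.enabled[conn]
        if method == "local":
            # Local may be disabled only while another method is enabled.
            if not any(m in OTHER_METHODS for m in methods):
                raise ValueError("cannot disable local: no other method enabled")
            methods.remove("local")
            return
        if method in methods:
            methods.remove(method)
        if not any(m in OTHER_METHODS for m in methods) and "local" not in methods:
            methods.append("local")  # re-enabled automatically

    def ordered_methods(self, conn):
        """Order of attempts: other methods as enabled, local always last."""
        others = [m for m in self.enabled[conn] if m != "local"]
        return others + (["local"] if "local" in self.enabled[conn] else [])

    def authenticate(self, conn, outcomes):
        """outcomes maps method -> True (accepted), False (rejected or unreachable).

        Returns the method that accepted the login, or None if all failed.
        Local is consulted only if every other enabled method failed.
        """
        for method in self.ordered_methods(conn):
            if outcomes.get(method):
                return method
        return None


def demo():
    """Console stays local-only; Telnet uses RADIUS with local as fallback."""
    policy = AuthPolicy()
    policy.enable("radius", "telnet")
    # RADIUS unreachable on Telnet: the switch falls back to local.
    telnet_result = policy.authenticate("telnet", {"radius": False, "local": True})
    # Disabling RADIUS again leaves local as the only Telnet method.
    policy.disable("radius", "telnet")
    return telnet_result, policy.ordered_methods("console"), policy.ordered_methods("telnet")


if __name__ == "__main__":
    print(demo())
```

The `authenticate` method is where the "attempted last" rule becomes visible: with RADIUS enabled on Telnet and the server unreachable, the login succeeds through the local password, which is why a locally configured enable password still matters for a switch that normally authenticates against a AAA server.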