General authentication process using a TACACS+ server

Authentication through a TACACS+ server operates generally as described below. For specific operating details, see the documentation you received with your TACACS+ server application.

Using a TACACS+ server for authentication

Using Using a TACACS+ server for authentication, after either switch detects an operator's logon request from a remote or directly connected terminal, the following events occur:

Procedure
  1. The switch queries the first-choice TACACS+ server for authentication of the request.
    • If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server. If the switch does not receive a response from any TACACS+ server, then it uses its own local username/password pairs to authenticate the logon request, see Local authentication process (TACACS+).

    • If a TACACS+ server recognizes the switch, it forwards a username prompt to the requesting terminal via the switch.

  2. When the requesting terminal responds to the prompt with a username, the switch forwards it to the TACACS+ server.
  3. After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch.
  4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs:
    1. If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.
    2. If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username and repeat steps 2 through 4 In the default configuration, the switch allows up to three attempts to authenticate a login session. If the requesting terminal exhausts the attempt limit without a successful TACACS+ authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.