General authentication process using a TACACS+ server

Authentication through a TACACS+ server operates generally as described below. For specific operating details, see the documentation you received with your TACACS+ server application.

Using a TACACS+ server for authentication, after the switch detects an operator's logon request from a remote or directly connected terminal, the following events occur:
Procedure

1. The switch queries the first-choice TACACS+ server for authentication of the request.
   - If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server.
   - If the switch does not receive a response from any TACACS+ server, it uses its own local username/password pairs to authenticate the logon request; see Local authentication process (TACACS+).

2. If a TACACS+ server recognizes the switch, it forwards a username prompt to the requesting terminal via the switch.

3. When the requesting terminal responds to the prompt with a username, the switch forwards it to the TACACS+ server.

4. After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch.

5. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs:
   - If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, the server passes access permission through the switch to the terminal.
   - If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username and repeat steps 2 through 4. In the default configuration, the switch allows up to three attempts to authenticate a login session. If the requesting terminal exhausts the attempt limit without a successful TACACS+ authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.
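The decision logic of the procedure above (first-choice then secondary server, local fallback when no server answers, and the default three-attempt limit), as an added Python model that is not code from the switch documentation and does not speak the TACACS+ wire protocol. Server names, user names and passwords are constructed, and the audit list stands in for the switch's own logging so an operator can see when a login fell back to local authentication.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a TACACS+ server. authenticate() returns None when
# the server gives no response (unreachable or timed out) and True/False when it
# answers with an accept or reject.
@dataclass
class FakeTacacsServer:
    name: str
    reachable: bool
    users: dict = field(default_factory=dict)   # username -> password

    def authenticate(self, user: str, pw: str) -> Optional[bool]:
        if not self.reachable:
            return None
        return self.users.get(user) == pw

@dataclass
class SwitchLogin:
    servers: list          # first-choice server first, then the secondary
    local_users: dict      # the switch's own local username/password pairs
    max_attempts: int = 3  # default number of attempts per login session
    audit: list = field(default_factory=list)

    def _check(self, user: str, pw: str) -> bool:
        # Step 1: query servers in order; only a server that answers decides.
        for srv in self.servers:
            verdict = srv.authenticate(user, pw)
            if verdict is None:
                self.audit.append(f"no response from {srv.name}")
                continue
            self.audit.append(f"{srv.name} {'accepted' if verdict else 'rejected'} {user}")
            return verdict
        # No TACACS+ server responded: fall back to the local pairs.
        self.audit.append("no TACACS+ response; using local authentication")
        return self.local_users.get(user) == pw

    def session(self, credentials: list) -> tuple:
        """credentials: (username, password) pairs the terminal types, in order.
        Returns (outcome, attempts_used); the limit caps how many are tried."""
        for attempt, (user, pw) in enumerate(credentials[:self.max_attempts], 1):
            if self._check(user, pw):
                return "access granted", attempt
        return "session terminated", min(len(credentials), self.max_attempts)
```

The "using local authentication" audit entry is the event worth alerting on: it means every TACACS+ server was unreachable and the switch accepted a locally stored credential instead.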