Authentication parameters

AAA Authentication Parameters
Name	Default	Range	Function
console, Telnet, SSH, web or port-access	n/a	n/a	Specifies the access method used when authenticating. TACACS+ authentication only uses the console, Telnet or SSH access methods.
enable	n/a	n/a	Specifies the manager (read/write) privilege level for the access method being configured.
`login <privilege-mode>`	privilege-mode disabled	n/a	login: Specifies the operator (read-only) privilege level for the access method being configured.The privilege-mode option enables TACACS+ for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server.
`local` - or - `tacacs`	local	n/a	Specifies the primary method of authentication for the access method being configured. local: Use the user name/password pair configured locally in the switch for the privilege level being configuredtacacs: Use a TACACS+ server.
`local` - or - `none`	none	n/a	Specifies the secondary (backup) type of authentication being configured. local: The user name/password pair configured locally in the switch for the privilege level being configured.none: No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.)Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows: If the primary method is `tacacs`, the only secondary method is `local`. If the primary method is `local`, the default secondary method is `none`.
`num-attempts`	3	1 - 10	In a given session, specifies how many tries at entering the correct user name/password pair are allowed before access is denied and the session terminated.

Primary/secondary authentication table
Access method and privilege level	Authentication options		Effect on access attempts
Access method and privilege level	Primary	Secondary	Effect on access attempts
Console — Login	local	none*	Local user name/password access only.
Console — Login	tacacs	local	If Tacacs+ server unavailable, uses local user name/password access.
Console — Enable	local	none	Local user name/password access only.
Console — Enable	tacacs	local	If Tacacs+ server unavailable, uses local user name/password access.
Telnet — Login	local	none*	Local user name/password access only.
	tacacs	local	If Tacacs+ server unavailable, uses local user name/password access.
	tacacs	none	If Tacacs+ server unavailable, denies access.
Telnet — Enable	local	none	Local user name/password access only.
	tacacs	local	If Tacacs+ server unavailable, uses local user name/password access.
	tacacs	none	If Tacacs+ server unavailable, denies access.

CAUTION:

Regarding the use of local for login primary access:

During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the operator password, and read-write access if you enter the manager password. For example, if you configure authentication on the switch with Telnet Login Primary as Local and Telnet Enable Primary as Tacacs, when you attempt to Telnet to the switch, you are prompted for a local password. If you enter the switch local manager password (or, if there is no local manager password configured in the switch) you can bypass the TACACS+ server authentication for Telnet Enable Primary and go directly to read-write (manager) access. Thus, for either the Telnet or console access method, configuring Login Primary for Local authentication while configuring Enable Primary for TACACS+ authentication is not recommended, as it defeats the purpose of using the TACACS+ authentication. If you want Enable Primary log-in attempts to go to a TACACS+ server, then you should configure both Login Primary and Enable Primary for Tacacs authentication instead of configuring Login Primary to Local authentication.

Access options

Following is a set of access options and the corresponding commands to configure them

console login (operator or read-only) access, primary using TACACS+ server and secondary access

switch (config)# aaa authentication console login tacacs local

console enable (manager or read/write) access, primary using TACACS+ server and secondary using local.

switch (config)# aaa authentication console enable tacacs local

Telnet login (operator or read-only) access, primary using TACACS+ server and secondary using local.

switch (config)# aaa authentication Telnet login tacacs local

Telnet enable (manager or read/write) access, primary using TACACS+ server and secondary using Local.

switch (config)# aaa authentication telnet enable tacacs local

deny access and close the session after failure of two consecutive user name/password pairs

switch (config)# aaa authentication num-attempts 2