Configuring the switch authentication method
Syntax
aaa authentication <console|telnet|ssh|web|port-access|rest> login tacacs
Selects the access method for configuration.
Parameters
<enable>
Example:
aaa authentication ssh enable tacacs local
The server grants privileges at the manager privilege level.
<login [privilege-mode]>
Example:
aaa authentication login privilege-mode
The server grants privileges at the operator privilege level. If the privilege-mode option is entered, TACACS+ is enabled for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server. Default: Single login disabled.
<local|tacacs|radius>
Selects the type of security access:
local
Authenticates with the manager and operator password you configure in the switch.
tacacs
Authenticates with a password and other data configured on a TACACS+ server.
radius
Authenticates with a password and other data configured on a RADIUS server.
[<local|none>]
If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access.
switch(config)# aaa
 accounting            Configure the accounting service on the device.
 authentication        Configure authentication parameters on the switch.
 authorization         Configure authorization parameters on the switch.
 port-access           Configure 802.1X (Port Based Network Access), MAC address based network access, or web authentication-based network access or the MACsec Key Agreement (MKA) protocol, or 802.1X-2010 support on the device.
 server-group          Configure the RADIUS server, NAS-ID for the RADIUS server group.

switch(config)# aaa authentication
 lockout-delay         The number of seconds after repeated login failures before a user may again attempt login.
 login                 Specify that switch respects the authentication server's privilege level.
 mac-based             Configure authentication mechanism used to control mac-based port access to the switch.
 num-attempts          The number of login attempts allowed.
 port-access           Configure authentication mechanism used to control access to the network.
 rest                  Configure authentication mechanism used to control REST access to the switch.
 ssh                   Configure authentication mechanism used to control SSH access to the switch.
 telnet                Configure authentication mechanism used to control Telnet access to the switch.
 unlock                Unlock the user locked out from SSH/Telnet/Console access.
 user-based-lockout    Locking users based on the username for other access excluding the console access.
 web                   Configure authentication mechanism used to control web access to the switch.
 web-based             Configure authentication mechanism used to control web-based port access to the switch.

switch(config)# aaa authentication ssh
 client                Configure SSH client authentication for the switch.
 enable                Configure access to the privileged mode commands.
 login                 Configure login access to the switch.

switch(config)# aaa authentication ssh login
 local                 Use local switch user/password database.
 tacacs                Use TACACS+ server.
 radius                Use RADIUS server.
 peap-mschapv2         Use RADIUS server with PEAP-MSChapv2.
 public-key            Use local switch public key authentication database.
 certificate           Use the X.509 certificate.
 two-factor            Use the two-factor authentication method.

switch(config)# aaa authentication ssh login tacacs
 local                 Use local switch user/password database.
 none                  Do not use backup authentication methods.
 authorized            Allow access without authentication.
 server-group          Specify the server group to use.
 two-factor-type       Use the certificate or public key for the first authentication method and username/password for the second authentication method.
Syntax
aaa authentication num-attempts <1-10>
Specifies the maximum number of login attempts allowed in the current session. Default is 3.
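The following audit script is an added example, not vendor code. It reads saved configuration lines and reports backup methods and attempt limits worth reviewing, using only the keywords shown in the syntax and help text above. The sample configuration is constructed, and the attempt threshold and the console lockout check are local policy assumptions.

```python
import re

# Keywords taken from the syntax and help text on this page.
ACCESS = {"console", "telnet", "ssh", "web", "port-access", "rest"}
PRIMARY = {"local", "tacacs", "radius"}

METHOD = re.compile(r"^aaa authentication (\S+) (login|enable) (\S+)(?: (\S+))?$")
ATTEMPTS = re.compile(r"^aaa authentication num-attempts (\d+)$")

# Constructed sample configuration, not taken from a real switch.
SAMPLE_CONFIG = """\
aaa authentication num-attempts 8
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
aaa authentication telnet login radius authorized
aaa authentication console login tacacs none
aaa authentication login privilege-mode
"""

def audit(config, max_attempts=3):
    """Return (access, level, issue) tuples for AAA settings worth reviewing."""
    findings = []
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = ATTEMPTS.match(line)
        if m:
            n = int(m.group(1))
            if n > max_attempts:  # threshold is a local policy assumption
                findings.append(("all", "num-attempts",
                                 f"{n} attempts allowed, policy limit is {max_attempts}"))
            continue
        m = METHOD.match(line)
        if not m or m.group(1) not in ACCESS or m.group(3) not in PRIMARY:
            continue  # not an access-method line this audit understands
        access, level, primary, secondary = m.groups()
        if secondary == "authorized":
            findings.append((access, level,
                             f"{primary} failure falls back to access without authentication"))
        elif secondary == "none" and access == "console" and primary != "local":
            # Policy assumption: the console should keep a local fallback.
            findings.append((access, level,
                             f"no fallback: a {primary} failure disallows console access"))
    return findings

if __name__ == "__main__":
    for access, level, issue in audit(SAMPLE_CONFIG):
        print(f"{access:8} {level:12} {issue}")
```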