Authentication parameters

Table 8: AAA Authentication Parameters
Name	Default	Range	Function
console, Telnet, SSH, web, port-access, or REST	n/a	n/a	Specifies the access method used when authenticating. TACACS+ authentication only uses the console, Telnet or SSH access methods.
`enable`	n/a	n/a	Specifies the manager (read/write) privilege level for the access method being configured.
`login <privilege-mode>`	privilege-mode disabled	n/a	login: Specifies the operator (read-only) privilege level for the access method being configured.The privilege-mode option enables TACACS+ for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server.
`local` - or - `tacacs`	local	n/a	Specifies the primary method of authentication for the access method being configured. local: Use the user name/password pair configured locally in the switch for the privilege level being configured tacacs: Use a TACACS+ server.
`local` - or - `none`	none	n/a	Specifies the secondary (backup) type of authentication being configured. local: The user name/password pair configured locally in the switch for the privilege level being configured.none: No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.) NOTE: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows: If the primary method is `tacacs`, the only secondary method is `local`. If the primary method is `local`, the default secondary method is `none`.
`num-attempts`	3	1 - 10	In a given session, specifies how many attempts at entering the correct user name/password pair are allowed before access is denied and the session terminated.

Table 9: Primary/secondary authentication table
Access method and privilege level	Authentication options		Effect on access methods
Access method and privilege level	Primary	Secondary	Effect on access methods
Console — Login	local	none*	Local user name/password access only.
Console — Login	tacacs	local	If TACACS+ server is unavailable, uses local user name/password access.
Console — Enable	local	none	Local user name/password access only.
Console — Enable	tacacs	local	If TACACS+ server is unavailable, uses local user name/password access.
REST — Login	local tacacs	none local	Local user name/password access only. If TACACS+server is unavailable, uses local user name/password access.
REST — Enable	local tacacs	none local	Local user name/password access only. If TACACS+ server is unavailable, uses local user name/password access.
Telnet — Login	local	none*	Local user name/password access only.
	tacacs	local	If TACACS+ server is unavailable, uses local user name/password access.
	tacacs	none	If TACACS+ server is unavailable, denies access.
Telnet — Enable	local	none	Local user name/password access only.
	tacacs	local	If TACACS+ server is unavailable, uses local user name/password access.
	tacacs	none	If TACACS+ server is unavailable, denies access.
SSH — Login	local tacacs	none local	Local user name/password access only. If TACACS+server is unavailable, uses local user name/password access.
SSH — Enable	local tacacs	none local	Local user name/password access only. If TACACS+ server is unavailable, uses local user name/password access.

CAUTION:

Regarding the use of local for login primary access:

During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the operator password, and read-write access if you enter the manager password. For example, authenticating the switch with Telnet Login Primary as Local and Telnet Enable Primary as TACACS+. When you attempt to Telnet to the switch, you are prompted for a local password. If you enter the switch local manager password (or, if there is no local manager password configured in the switch) you can bypass the TACACS+ server authentication for Telnet Enable Primary and go directly to read-write (manager) access. Thus, for either the Telnet or console access method, it is recommended not to configure Login Primary for Local authentication while configuring Enable Primary for TACACS+. If you want to enable Primary log-in attempts to go to a TACACS+ server, configure both Login Primary and Enable Primary for TACACS+ authentication instead of configuring Login Primary to Local authentication.