6.1.1. aaa authentication
Syntax
aaa authentication (login | enable) (default | LISTNAME) METHODLIST [METHODLIST] [METHODLIST] [METHODLIST]
no aaa authentication (login | enable) LISTNAME
Parameter
Parameter  | Description
-----------+-------------------------------------------------------------------------------
login      | Add/Edit login authentication list
enable     | Add/Edit enable authentication list
default    | Edit default authentication list
LISTNAME   | Specify the list name for the authentication type
METHODLIST | Specify the authentication method: none, local, enable, tacacs+, radius
Default
The default authentication list name for type login is “default” and the default method is “local”.
The default authentication list name for type enable is “default” and the default method is “enable”.
Mode
Global Configuration
Usage
Login authentication is used when a user tries to log in to the switch, for example through the CLI login dialog or the Web UI login page.
Enable authentication is used only on the CLI, when a user tries to switch from User EXEC mode to Privileged EXEC mode.
Both of them support the following authentication methods.
Local: Use the local user account database to authenticate. (This method is not supported for enable authentication.)
Enable: Use the local enable password database to authenticate.
Tacacs+: Use a remote TACACS+ server to authenticate.
Radius: Use a remote RADIUS server to authenticate.
None: Do nothing and treat the user as authenticated.
Each list allows you to combine these methods in any order. For example, you may want to authenticate login users against a remote TACACS+ server, but that server may crash. You therefore need a backup, such as a RADIUS server. You can configure the list with the TACACS+ server as the first authentication method and the RADIUS server as the second.
Use the no form to delete an existing list. However, the “default” list cannot be removed.
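The fallback behaviour of a method list, shown as an added example that is not the switch's own code. It assumes (the page does not state this, it is the conventional AAA rule) that the next method is consulted only when the current one fails with an error such as an unreachable server, while an explicit reject ends the attempt; it also shows why a trailing "none" method turns a server outage into a fail-open login.

```python
from dataclasses import dataclass, field

ACCEPT, REJECT, ERROR = "accept", "reject", "error"


@dataclass
class Switch:
    """Minimal model of the switch's authentication databases (constructed)."""
    local_users: dict = field(default_factory=dict)   # username -> password
    enable_password: str = ""
    tacacs_up: bool = True
    radius_up: bool = True
    remote_users: dict = field(default_factory=dict)  # accounts known to both servers

    def _remote(self, up, user, password):
        if not up:
            return ERROR                      # server unreachable: fall through to next method
        return ACCEPT if self.remote_users.get(user) == password else REJECT

    def run_method(self, method, user, password):
        """Evaluate one METHODLIST entry and return accept, reject or error."""
        if method == "none":
            return ACCEPT                     # "do nothing and treat the user as authenticated"
        if method == "local":
            return ACCEPT if self.local_users.get(user) == password else REJECT
        if method == "enable":
            return ACCEPT if password == self.enable_password else REJECT
        if method == "tacacs+":
            return self._remote(self.tacacs_up, user, password)
        if method == "radius":
            return self._remote(self.radius_up, user, password)
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, method_list, user, password):
        """Walk the list in order; return (authenticated, method_that_decided).
        Assumption: only an ERROR moves on to the next method; a REJECT is final."""
        for method in method_list:
            result = self.run_method(method, user, password)
            if result != ERROR:
                return result == ACCEPT, method
        return False, None                    # every method errored: fail closed


if __name__ == "__main__":
    # Constructed scenario: both remote servers are down.
    sw = Switch(local_users={"admin": "s3cret"}, remote_users={"ops": "pw"},
                tacacs_up=False, radius_up=False)
    # With "local" as the backup, a remote-only account is still refused.
    print(sw.authenticate(["tacacs+", "radius", "local"], "ops", "pw"))
    # With "none" as the backup, any credential is accepted during the outage.
    print(sw.authenticate(["tacacs+", "radius", "none"], "ops", "wrong"))
```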
Example
This example shows how to add a login authentication list that authenticates in the order tacacs+, radius, local.
Switch(config)# aaa authentication login test1 tacacs+ radius local
This example shows how to display the existing login authentication lists.
Switch# show aaa authentication login lists
Login List Name | Authentication Method List
-----------------+-------------------------------
Default | local
test1 | tacacs+ radius local
This example shows how to add an enable authentication list that authenticates in the order tacacs+, radius, enable.
Switch(config)# aaa authentication enable test1 tacacs+ radius enable
This example shows how to display the existing enable authentication lists.
Switch# show aaa authentication enable lists
Enable List Name | Authentication Method List
-----------------+-------------------------------
Default | enable
test1 | tacacs+ radius enable