authentication

Configures user authentication parameters. Users are allowed or denied access to the network based on the authentication parameters set.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

authentication [access-method|directed-request|server|service]
authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)}
authentication directed-request
authentication server <1-2> [host|retry-timeout-factor|timeout]
authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
authentication server <1-2> retry-timeout-factor <50-200>
authentication server <1-2> timeout <3-60> {attempts <1-10>}
authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}

Parameters

authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)}
access-method Configures access modes for TACACS authentication. The options are: console, SSH, Telnet, Web, and all.
all Authenticates users using all access modes (console, SSH, and Telnet)
console Authenticates users using console access only
ssh Authenticates users using SSH access only
telnet Authenticates users using Telnet access only
web Authenticates users using Web interface only
authentication directed-request
directed-request Enables the user to specify the TACACS server to use with '@server'. This option is disabled by default.
Note: The specified server should be present in the configured servers list.
authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
server <1-2> Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
host <IP/HOSTNAME> Sets the TACACS server's IP address or hostname
secret [0 <SECRET>| 2 <SECRET>| <SECRET>] Configures the secret key used to authenticate with the TACACS server
  • 0 <SECRET> – Configures a clear text secret
  • 2 <SECRET> – Configures an encrypted secret
  • <SECRET> – Specify the secret key. The shared key should not exceed 127 characters.
port <1-65535> Optional. Specifies the port used to connect to the TACACS server
  • <1-65535> – Specify a value for the TCP authentication port from 1 - 65535. The default port is 49.
authentication server <1-2> retry-timeout-factor <50-200>
server <1-2> Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
retry-timeout-factor <50-200> Configures timeout scaling between two consecutive TACACS authentication retries
  • <50-200> – Specify the scaling factor from 50 - 200. The default is 100.

A value of 100 indicates the interval between consecutive retries remains the same irrespective of the number of retries.

A value less than 100 indicates the interval between consecutive retries reduces with each successive retry.

A value greater than 100 indicates the interval between consecutive retries increases with each successive retry.
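The following is an added worked example (not vendor code) that models the retry schedule described above so the total time a login can block on an unreachable TACACS server is visible. It assumes the factor scales the previous interval multiplicatively (interval_n = timeout * (factor/100)^n) and that attempts counts the requests sent to one server; the page states only the direction of the effect, not the exact formula.

```python
"""Model of the TACACS retry schedule (added example, assumed formula).

Assumption: retry-timeout-factor scales each successive interval by
factor/100, so 100 keeps it constant, <100 shrinks it and >100 grows it.
"""


def retry_schedule(timeout: int, attempts: int, factor: int = 100) -> list[float]:
    """Return the wait, in seconds, for each request sent to one server.

    Ranges mirror the CLI: timeout 3-60, attempts 1-10, factor 50-200.
    """
    if not 3 <= timeout <= 60:
        raise ValueError("timeout must be 3-60 seconds")
    if not 1 <= attempts <= 10:
        raise ValueError("attempts must be 1-10")
    if not 50 <= factor <= 200:
        raise ValueError("retry-timeout-factor must be 50-200")
    scale = factor / 100
    # Assumed model: the n-th request waits timeout * scale**n seconds.
    return [round(timeout * scale ** n, 3) for n in range(attempts)]


def worst_case_wait(timeout: int, attempts: int, factor: int = 100,
                    servers: int = 1) -> float:
    """Seconds a login blocks if every configured server stays silent.

    Up to two servers can be configured; each is assumed to get the same
    timeout/attempts/factor settings and to be tried in turn.
    """
    if not 1 <= servers <= 2:
        raise ValueError("servers must be 1-2")
    return round(sum(retry_schedule(timeout, attempts, factor)) * servers, 3)


if __name__ == "__main__":
    # Defaults: timeout 3, attempts 3, factor 100 -> 3 + 3 + 3 = 9 s per server
    print(retry_schedule(3, 3, 100), worst_case_wait(3, 3, 100, servers=2))
    # factor 200 doubles each interval: 3, 6, 12 -> 21 s per server
    print(retry_schedule(3, 3, 200), worst_case_wait(3, 3, 200))
    # factor 50 halves each interval: 4, 2, 1 -> 7 s per server
    print(retry_schedule(4, 3, 50), worst_case_wait(4, 3, 50))
```

Under this model the defaults give 9 seconds per unreachable server, so a fully silent two-server setup keeps an administrator waiting 18 seconds before fallback authentication applies; raising the factor or attempts lengthens that window.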

authentication server <1-2> timeout <3-60> {attempts <1-10>}
server <1-2> Configures a TACACS authentication server. Up to 2 TACACS servers can be configured
  • <1-2> – Specify the TACACS server index from 1 - 2.
timeout <3-60> Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent to the TACACS server. If a response is received from the TACACS server within this time, no retry is attempted.
  • <3-60> – Specify a value from 3 - 60 seconds. The default is 3 seconds.
attempts <1-10> Optional. Indicates the number of retry attempts to make before giving up
  • <1-10> – Specify a value from 1 - 10. The default is 3.
authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}
service <SERVICE-NAME> Configures the TACACS authentication service name
protocol <AUTHENTICATION-PROTO-NAME> Optional. Specify the authentication protocol used with this TACACS policy
Note: A maximum of five entries is allowed.

Examples

nx9500-6C8809(config-aaa-tacacs-policy-test)#authentication directed-request
nx9500-6C8809(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
 authentication directed-request
 accounting server preference authorized-server-number
 accounting auth-fail
 accounting commands
nx9500-6C8809(config-aaa-tacacs-policy-test)#

Related Commands

no (aaa-tacacs-policy-config-mode-command) Resets values or disables commands