authentication
Configures user authentication parameters for this TACACS policy. Users are allowed
or denied management access to the device based on the authentication parameters set.
Supported on the following devices:
- Access Points: AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
- Service Platforms: NX5500, NX7500, NX9500, NX9600
- Virtual Platforms: CX9000, VX9000
Syntax
authentication [access-method|directed-request|server|service]
authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)}
authentication directed-request
authentication server <1-2> [host|retry-timeout-factor|timeout]
authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
authentication server <1-2> retry-timeout-factor <50-200>
authentication server <1-2> timeout <3-60> {attempts <1-10>}
authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}
Parameters
authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)}
access-method | Configures the access modes that are authenticated against TACACS. The options are: console, SSH, Telnet, Web, and all. More than one mode can be listed in a single command.
all | Authenticates users using all access modes (console, SSH, Telnet, and Web)
console | Authenticates users using console access only
ssh | Authenticates users using SSH access only
telnet | Authenticates users using Telnet access only. Telnet carries the login credentials in clear text; prefer SSH or the Web interface for remote management.
web | Authenticates users using the Web interface only
authentication directed-request
directed-request | Enables users to select the TACACS server at login by appending '@server' to the username. This option is disabled by default. Note: The specified server must be present in the configured servers list (server 1 or 2 of this policy).
authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
server <1-2> | Configures a TACACS authentication server. Up to 2 TACACS servers can be configured.
  - <1-2> – Specify the TACACS server index from 1 - 2.
host <IP/HOSTNAME> | Sets the TACACS server's IP address or hostname
secret [0 <SECRET>|2 <SECRET>|<SECRET>] | Configures the shared secret used to authenticate with the TACACS server. The same secret must be configured on the server; it is also the key TACACS+ uses to obfuscate the packet body, so use a long random value and do not reuse it across unrelated devices.
  - 0 <SECRET> – Configures a clear text secret
  - 2 <SECRET> – Configures an encrypted secret
  - <SECRET> – Specify the secret key. The shared key should not exceed 127 characters.
port <1-65535> | Optional. Specifies the TCP port used to connect to the TACACS server
  - <1-65535> – Specify a value for the TCP authentication port from 1 - 65535. The default port is 49.
authentication server <1-2> retry-timeout-factor <50-200>
server <1-2> | Configures a TACACS authentication server. Up to 2 TACACS servers can be configured.
  - <1-2> – Specify the TACACS server index from 1 - 2.
retry-timeout-factor <50-200> | Configures the timeout scaling between two consecutive TACACS authentication retries
  - <50-200> – Specify the scaling factor from 50 - 200. The default is 100. A value of 100 keeps the interval between consecutive retries the same irrespective of the number of retries. A value less than 100 shortens the interval with each successive retry. A value greater than 100 lengthens the interval with each successive retry.
authentication server <1-2> timeout <3-60> {attempts <1-10>}
server <1-2> | Configures a TACACS authentication server. Up to 2 TACACS servers can be configured.
  - <1-2> – Specify the TACACS server index from 1 - 2.
timeout <3-60> | Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent to the TACACS server. If a response is received from the TACACS server within this time, no retry is attempted.
  - <3-60> – Specify a value from 3 - 60 seconds. The default is 3 seconds.
attempts <1-10> | Optional. Indicates the number of retry attempts to make before giving up on this server. Together with timeout (and retry-timeout-factor) this bounds how long a login can wait on an unresponsive server.
  - <1-10> – Specify a value from 1 - 10. The default is 3.
authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}
service <SERVICE-NAME> | Configures the TACACS authentication service name
protocol <AUTHENTICATION-PROTO-NAME> | Optional. Specify the authentication protocol used with this TACACS policy. Note: A maximum of five entries is allowed.
Examples
nx9500-6C8809(config-aaa-tacacs-policy-test)#authentication directed-request
nx9500-6C8809(config-aaa-tacacs-policy-test)#show context
aaa-tacacs-policy test
authentication directed-request
accounting server preference authorized-server-number
accounting auth-fail
accounting commands
nx9500-6C8809(config-aaa-tacacs-policy-test)#
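The following is an added example, not taken from the original reference page, showing a complete authentication block for a TACACS policy as a practitioner would typically configure it: two servers for failover, a bounded per-server wait, and TACACS authentication limited to the encrypted access modes. The policy name (mgmt-tacacs), server addresses, port, and secret placeholders are assumptions constructed for the example; the `aaa-tacacs-policy <NAME>` entry line is inferred from the `show context` output above. Replace the `<...>` placeholders with your own values.

```text
nx9500-6C8809(config)#aaa-tacacs-policy mgmt-tacacs
nx9500-6C8809(config-aaa-tacacs-policy-mgmt-tacacs)#authentication server 1 host 10.0.0.10 secret 0 <SECRET-FOR-SERVER-1>
nx9500-6C8809(config-aaa-tacacs-policy-mgmt-tacacs)#authentication server 2 host tacacs2.example.net secret 0 <SECRET-FOR-SERVER-2> port 4949
nx9500-6C8809(config-aaa-tacacs-policy-mgmt-tacacs)#authentication server 1 timeout 5 attempts 2
nx9500-6C8809(config-aaa-tacacs-policy-mgmt-tacacs)#authentication server 2 timeout 5 attempts 2
nx9500-6C8809(config-aaa-tacacs-policy-mgmt-tacacs)#authentication server 1 retry-timeout-factor 150
nx9500-6C8809(config-aaa-tacacs-policy-mgmt-tacacs)#authentication access-method ssh web
nx9500-6C8809(config-aaa-tacacs-policy-mgmt-tacacs)#show context
```

Points to check after entering this: the secrets are entered with `0` (clear text) and should be long random values that match the server side; once saved, the configuration stores them in encrypted form (`2 <SECRET>`), so copy from a saved configuration only in that form. `timeout 5 attempts 2` limits the wait on an unreachable server 1 to a small number of seconds before the second server is consulted, and `retry-timeout-factor 150` makes the second request wait longer than the first. `access-method ssh web` only controls which login paths are authenticated against TACACS; it does not by itself disable Telnet or console access, and `directed-request` is left at its default (disabled) so users cannot choose which server validates their login.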