

Configuring More Than One Authentication Method

On a C-series platform, you can use more than one authentication method. You can configure the C-series platform to be a RADIUS and TACACS+ client by:

For each login attempt, the SRC software tries the authentication methods in the order configured, until the password matches. If one of the authentication methods in the authentication order fails to authenticate a user, the user is denied access to the C-series platform.

If password authentication does not appear in the prioritized list of authentication methods, the SRC software uses password authentication last. The SRC software always uses password authentication, whether or not it appears in the list of authentication methods to be used. As a result, users can log in to the C-series platform through password authentication if configured authentication servers are unavailable.

Figure 16 shows three authentication scenarios. In the first two, a user is authenticated while authentication servers are unavailable. In the third scenario, a user is not authenticated by an active server.


Figure 16: Authentication Order: RADIUS, TACACS+, Password

Configuring Authentication Order

To configure the order in which to use authentication servers:

  1. From configuration mode, access the [system] hierarchy level.
  2. Specify the authentication order.

    [edit system]
    user@host# set authentication-order [(radius | tacplus | password)]

Specify one or more of the following in the preferred order, from first authentication method tried to last tried:

If you do not include the authentication-order statement, users are verified based on their configured passwords.

Configuring TACACS+ or RADIUS Authentication

To configure the SRC software to try to authenticate users through TACACS+ and, if the TACACS+ server is unavailable, to use password authentication:

or

[edit]
user@host# set system authentication-order tacplus

To configure the SRC software to try to authenticate users through RADIUS and, if the RADIUS server is unavailable, to use password authentication:

or

[edit]
user@host# set system authentication-order radius

Configuring TACACS+ and RADIUS Authentication

To configure the SRC software to try to authenticate users through TACACS+ and, if the TACACS+ server is unavailable, to use RADIUS authentication; and then, if the RADIUS server is unavailable, to use password authentication:

or

[edit]
user@host# set system authentication-order [tacplus radius]

To configure the SRC software to try to authenticate users through RADIUS and, if the RADIUS server is unavailable, to use TACACS+ authentication; and then, if the TACACS+ server is unavailable, to use password authentication:

or

[edit]
user@host# set system authentication-order [radius tacplus]
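
The following Python example is added here and is not part of the SRC software or its documentation. It derives the effective method order from an authentication-order statement in the forms shown on this page, including the implicit password fallback, and walks a login attempt through that order as the page describes it. The function names and the accept/reject/unavailable state labels are assumptions of the example.

```python
import re

METHODS = ("radius", "tacplus", "password")
# Statement forms shown on this page, entered from [edit] or [edit system].
STATEMENT = re.compile(r"set\s+(?:system\s+)?authentication-order\s+(.+)$")


def effective_order(config_text):
    """Return the methods tried at login, in order, for the given config text."""
    found = [m.group(1) for line in config_text.splitlines()
             if (m := STATEMENT.search(line.strip()))]
    if len(found) > 1:
        # Merging of repeated statements is not described on the page.
        raise ValueError("more than one authentication-order statement")
    order = found[0].strip("[] ").split() if found else []
    unknown = [name for name in order if name not in METHODS]
    if unknown:
        raise ValueError(f"unknown authentication method(s): {unknown}")
    # Password authentication is always used; when unlisted it is tried last.
    if "password" not in order:
        order.append("password")
    return order


def login_outcome(order, states):
    """states maps method -> 'accept', 'reject' or 'unavailable' (assumed labels)."""
    for method in order:
        state = states.get(method, "unavailable")
        if state == "accept":
            return f"granted by {method}"
        if state == "reject":
            # An active method that fails to authenticate the user ends the attempt.
            return f"denied by {method}"
    return "denied: no method available"


if __name__ == "__main__":
    # Constructed input: the [radius tacplus] statement from this page.
    order = effective_order("[edit]\nuser@host# set system authentication-order [radius tacplus]")
    print(order)
    # Constructed scenarios: both servers down; RADIUS up and rejecting.
    print(login_outcome(order, {"password": "accept"}))
    print(login_outcome(order, {"radius": "reject", "password": "accept"}))
```

Because the password method is always present in the effective order, local account passwords remain a login path whenever the configured servers are unreachable.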

