Management Access Authentication
You can assign authentication methods to the various management access methods, such as SSH, Telnet, HTTP, and HTTPS. The authentication can be performed locally or on a server.
If authorization is enabled, both the identity and read/write privileges of the user are verified. If authorization isn’t enabled, only the identity of the user is verified.
The authorization/authentication method used is determined by the order in which the authentication methods are selected. If the first authentication method isn’t available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and don’t reply, the user is authorized/authenticated locally.
If authorization is enabled, and an authentication method fails or the user has insufficient privilege level, the user is denied access to the device. In other words, if authentication fails for an authentication method, the device stops the authentication attempt; it doesn’t continue and doesn’t attempt to use the next authentication method.
Similarly, if authorization isn’t enabled, and authentication fails for a method, the device stops the authentication attempt.
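The fallback rule described above, modelled as an added Python example (not code from the device or its vendor): only an unavailable method passes the attempt to the next selected method, while a rejection or an insufficient privilege level ends it. The function names, the required level of 15, the sample accounts, and the deny result when no method answers are all assumptions made for illustration.

```python
import hmac
from enum import Enum
# ACCEPT / REJECT: the method answered. UNAVAILABLE: it could not answer at all.
Result = Enum("Result", "ACCEPT REJECT UNAVAILABLE")

def radius_method(servers):
    """servers: callables in priority order, each returning (Result, level)."""
    def method(user, password):
        for query in servers:
            outcome, level = query(user, password)
            if outcome is not Result.UNAVAILABLE:
                return outcome, level      # first server that replies decides
        return Result.UNAVAILABLE, None    # every server was silent
    return method

def local_method(accounts):
    """accounts: {user: (password, privilege_level)}."""
    def method(user, password):
        stored = accounts.get(user)
        if stored and hmac.compare_digest(stored[0], password):
            return Result.ACCEPT, stored[1]
        return Result.REJECT, None
    return method

def authenticate(selected, user, password, authorization=False, required_level=15):
    """Walk the Selected Methods in order; return (allowed, deciding method)."""
    for name, method in selected:
        outcome, level = method(user, password)
        if outcome is Result.UNAVAILABLE:
            continue                       # only unavailability falls through
        if outcome is Result.REJECT:
            return False, name             # failure is final, no fallback
        if authorization and (level is None or level < required_level):
            return False, name             # identity fine, privilege too low
        return True, name
    return False, None                     # assumption: nothing answered -> deny

# Constructed sample data (accounts, levels and server behaviours are made up).
down = lambda user, password: (Result.UNAVAILABLE, None)
rejecting = lambda user, password: (Result.REJECT, None)
LOCAL = local_method({"admin": ("Constructed-Pw1", 15), "viewer": ("Constructed-Pw2", 1)})

def demo():
    outage = [("RADIUS", radius_method([down, down])), ("Local", LOCAL)]
    refused = [("RADIUS", radius_method([down, rejecting])), ("Local", LOCAL)]
    return (authenticate(outage, "admin", "Constructed-Pw1"),    # RADIUS silent
            authenticate(refused, "admin", "Constructed-Pw1"),   # RADIUS rejects
            authenticate(outage, "viewer", "Constructed-Pw2", authorization=True))
```

In the second case the local account holds valid credentials, yet the RADIUS rejection is final, so a working local password only helps when no RADIUS server replies.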
To define authentication methods for an access method:
Procedure
Step 1. Click Security > Management Access Authentication.
Step 2. Enter the Application (type) of the management access method.
Step 3. Select Authorization to enable both authentication and authorization of the user by the list of methods described below. If the field is not selected, only authentication is performed. If Authorization is enabled, the read/write privileges of users are checked. This privilege level is set in the User Accounts page.
Step 4. Use the arrows to move the authentication method between the Optional Methods column and the Selected Methods column. The first method selected is the first method that is used.
Step 5. Click Apply. The selected authentication methods are associated with the access method.