Authorizing and Authenticating the Switch

Detailed Steps

To authorize and authenticate the switch, follow these steps:

  1. Log in to the required switch in the Cisco MDS 9000 Family using Telnet, SSH, DCNM-SAN, Device Manager, or the console login option.
  2. When you have configured server groups using the server group authentication method, an authentication request is sent to the first AAA server in the group.
    • If the AAA server fails to respond, then the next AAA server is contacted and so on until the remote server responds to the authentication request.
    • If all AAA servers in the server group fail to respond, then the servers in the next server group are contacted.
    • If all configured methods fail, then by default the local database is used for authentication. The next section describes how to disable this fallback.
  3. When you are successfully authenticated through a remote AAA server, then the following possible actions are taken:
    • If the AAA server protocol is RADIUS, then user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.
    • If the AAA server protocol is TACACS+, then another request is sent to the same server to get the user roles specified as custom attributes for the shell.
    • If user roles are not successfully retrieved from the remote AAA server, then the user is assigned the network-operator role if the show aaa user default-role command is enabled. You are denied access if this command is disabled.
  4. When your user name and password are successfully authenticated locally, you are allowed to log in, and you are assigned the roles configured in the local database.
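The login decision that steps 2 through 4 describe, written out as a small Python model (an added illustration, not Cisco code): server groups are tried in order, only a server that does not respond causes the next one to be contacted, and role retrieval follows the RADIUS/TACACS+ split with the default-role fallback. The shell:roles="..." form of the cisco-av-pair and the rule that a responding server's reject ends the attempt are assumptions of this model, as are all server and user names.

```python
import re

class AccessDenied(Exception):
    pass

class Server:
    """One AAA server (constructed model). auth() returns None when the server
    does not respond, otherwise (accepted, attributes). shell_attrs() models
    the second TACACS+ request that fetches the shell custom attributes."""
    def __init__(self, name, protocol, auth, shell_attrs=None):
        self.name, self.protocol = name, protocol
        self.auth, self.shell_attrs = auth, shell_attrs

def remote_roles(server, user, attrs):
    if server.protocol == "radius":
        # roles arrive in cisco-av-pair with the accept; assumed form shell:roles="r1 r2"
        m = re.search(r'shell:roles="([^"]*)"', attrs.get("cisco-av-pair", ""))
        return m.group(1).split() if m else []
    # tacacs+: a second request to the same server returns the shell attributes
    return (server.shell_attrs(user) if server.shell_attrs else {}).get("roles", [])

def login(groups, local_db, user, pw, local_fallback=True, default_role=True):
    """Return (source, roles) for an accepted login, else raise AccessDenied."""
    for group in groups:
        for srv in group:
            resp = srv.auth(user, pw)
            if resp is None:          # no response: contact the next server
                continue
            accepted, attrs = resp    # a responding server's verdict is final (assumed)
            if not accepted:
                raise AccessDenied(f"rejected by {srv.name}")
            roles = remote_roles(srv, user, attrs)
            if not roles:             # roles not retrieved from the AAA server
                if not default_role:
                    raise AccessDenied("no roles and default-role disabled")
                roles = ["network-operator"]
            return (srv.name, roles)
        # every server in this group was silent: try the next group
    if not local_fallback:
        raise AccessDenied("all AAA servers silent; local fallback disabled")
    entry = local_db.get(user)
    if entry is None or entry["password"] != pw:
        raise AccessDenied("local authentication failed")
    return ("local", entry["roles"])

# Constructed sample: a silent RADIUS server, then a TACACS+ server that answers.
silent = Server("rad1", "radius", lambda u, p: None)
tac = Server("tac1", "tacacs+", lambda u, p: (p == "s3cret", {}),
             shell_attrs=lambda u: {"roles": ["network-admin"]})
LOCAL = {"admin": {"password": "local-pw", "roles": ["network-admin"]}}
```

Calling login([[silent], [tac]], LOCAL, "bob", "s3cret") walks past the silent group and returns ("tac1", ["network-admin"]); with local_fallback=False and only silent servers, the same call raises AccessDenied instead of consulting LOCAL.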


Copyright 2010-2013, Cisco Systems, Inc. All rights reserved.