Cisco Wide Area Application Services Command Reference
OL-16451-01
Chapter 3 CLI Commands
(config) authentication login
The authentication login command determines whether the user has any level of permission to access
the WAAS device. The authentication configuration command authorizes the user with privileged
access (configuration access) to the WAAS device.
The authentication login local and the authentication configuration local commands use a local
database for authentication and authorization.
The authentication login tacacs and authentication configuration tacacs commands use a remote
TACACS+ server to determine the level of user access. The WAAS software supports only TACACS+
and not TACACS or Extended TACACS.
To configure TACACS+, use the authentication and tacacs commands. To enable TACACS+, use the
tacacs enable command. For more information on TACACS+ authentication, see the (config) tacacs
command.
The authentication login radius and authentication configuration radius commands use a remote
RADIUS server to determine the level of user access.
By default, the local method is enabled, with TACACS+ and RADIUS both disabled for login and
configuration. Whenever TACACS+ and RADIUS are both disabled, the local method is automatically
enabled. TACACS+, RADIUS, and local methods can be enabled at the same time.
The primary option specifies the first method to attempt for both login and configuration; the secondary
option specifies the method to use if the primary method fails. The tertiary option specifies the method
to use if both primary and secondary methods fail. The quaternary option specifies the method to use
if the primary, secondary, and tertiary methods fail. If all methods of an authentication login or
authentication configuration command are configured as primary, or all as secondary or tertiary, local
is attempted first, then TACACS+, and then RADIUS.

Enforcing Authentication with the Primary Method
The authentication fail-over server-unreachable global configuration command allows you to specify
that a failover to the secondary authentication method should occur only if the primary authentication
server is unreachable. This feature ensures that users gain access to the WAAS device using the local
database only when remote authentication servers (TACACS+ or RADIUS) are unreachable. For
example, when a TACACS+ server is enabled for authentication with a user authentication failover
configured and the user tries to log in to the WAAS device using an account defined in the local database,
login fails. Login succeeds only when the TACACS+ server is unreachable.
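
The method ordering and failover rules described above can be modelled in a few lines. The following Python sketch is an added example, not Cisco code or WAAS internals; the function names, outcome labels and sample accounts are constructed, and it assumes that without authentication fail-over server-unreachable any failed method lets the next one run.

```python
# Added illustration of the method ordering and failover rules described above.
# Function names, outcome labels and accounts are assumptions, not WAAS internals.
PRIORITY = {"primary": 0, "secondary": 1, "tertiary": 2, "quaternary": 3}
TIE_ORDER = {"local": 0, "tacacs": 1, "radius": 2}  # order the page gives for equal priorities
ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"


def method_order(config):
    """config maps method name -> priority keyword; returns the attempt order."""
    return sorted(config, key=lambda m: (PRIORITY[config[m]], TIE_ORDER[m]))


def authenticate(config, backends, user, password, failover_unreachable_only=False):
    """Return (granted, trace). backends maps method -> callable(user, password)."""
    trace = []
    for method in method_order(config):
        result = backends[method](user, password)
        trace.append((method, result))
        if result == ACCEPT:
            return True, trace
        # With fail-over server-unreachable set, an explicit reject is final:
        # only an unreachable server lets the next method run.
        if failover_unreachable_only and result == REJECT:
            return False, trace
    return False, trace


def make_backend(accounts, reachable=True):
    """Constructed stand-in for a credential store or a remote AAA server."""
    def check(user, password):
        if not reachable:
            return UNREACHABLE
        return ACCEPT if accounts.get(user) == password else REJECT
    return check


# Constructed sample data: 'admin' exists only in the local database.
CONFIG = {"tacacs": "primary", "local": "secondary"}
LOCAL = make_backend({"admin": "local-pw"})
TACACS_UP = make_backend({"alice": "tacacs-pw"})
TACACS_DOWN = make_backend({}, reachable=False)


def demo(tacacs, enforce):
    """Log in as the local-only account against the given TACACS+ stand-in."""
    backends = {"tacacs": tacacs, "local": LOCAL}
    return authenticate(CONFIG, backends, "admin", "local-pw", enforce)
```

demo(TACACS_UP, False) admits the local-only account after TACACS+ rejects it, demo(TACACS_UP, True) denies it, and demo(TACACS_DOWN, True) admits it because the server is unreachable.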

Login Authentication and Authorization Through the Local Database
Local authentication and authorization use locally configured logins and passwords to authenticate
administrative login attempts. The logins and passwords are local to each WAAS device and are not
mapped to individual usernames.
By default, local login authentication is enabled first. You can disable local login authentication only
after enabling one or more of the other administrative login authentication methods. However, when
local login authentication is disabled, if you disable all other administrative login authentication
methods, local login authentication is reenabled automatically.

Specifying RADIUS Authentication and Authorization Settings
To configure RADIUS authentication on a WAAS device, you must first configure a set of RADIUS
authentication server settings on the WAAS device by using the radius-server global configuration
command. (See the (config) radius-server command.)
Use the authentication login radius global configuration command to enable RADIUS authentication
for normal login mode.