1-4
Cisco SFS 7000 Series Product Family Command Reference Guide
OL-9163-02
Chapter 1 Using the CLI
Entering CLI Modes
When local authentication is in effect and a user logs in, the user must be configured as a CLI user. The
login username and password are verified against the local CLI user database. If a match is found, the
login succeeds, and the user is assigned a pre-configured privilege level.
When TACACS+ authentication is in effect, the login username and password are passed to the
TACACS+ server for verification. The TACACS+ server verifies the login username and password, and
it sends back a reply. No TACACS+ user information is stored locally. The show user all command
shows local users only.
The config TACACS-server host command (see config TACACS-server host, page 2-22) configures the
IP address of TACACS+ servers. Up to three TACACS+ servers can be configured. The first server is
queried, the second server is queried if the first server is not reachable, and the third server is queried if
both of the other servers are not reachable.
Of the TACACS+ functions, Cisco supports only authentication; therefore, no privilege level is verified
against the TACACS+ server. All users authenticated by the TACACS+ server are given unrestricted rights. If a
TACACS+ user makes changes to system configuration, the log will include the TACACS+ username
and the config information, just as it does for a local user.
Like RADIUS users, TACACS+ users do not have associated SNMP community strings. There are
no SNMP logins for TACACS+ users.
Note The following are limitations to TACACS+ authentication:
• TACACS+ authorization and accounting are not supported.
• TACACS+ single-connection is not supported. Each login authentication makes its own connection to the
TACACS+ server.
• TACACS+ user privilege level is always unrestricted.
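The following Python model of the login behaviour described above is an added example, not Cisco code or documentation; it shows that a reachable server's reject is final and that every accepted TACACS+ user ends up unrestricted, while a local user keeps the configured level. The Server and Result classes, the function names, the "read-only" label and all accounts are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_SERVERS = 3              # the page allows three TACACS+ servers
UNRESTRICTED = "unrestricted"

@dataclass
class Server:                # constructed stand-in, not a TACACS+ client
    name: str
    reachable: bool
    users: dict              # username -> password (sample data only)

@dataclass
class Result:
    ok: bool
    privilege: Optional[str]
    decided_by: Optional[str]    # server name, "local", or None

def _match(stored, supplied):
    # Constant-time comparison; an unknown user never matches.
    return stored is not None and hmac.compare_digest(stored, supplied)

def tacacs_login(servers, user, password):
    """Query servers in order, moving on only when one is unreachable."""
    if len(servers) > MAX_SERVERS:
        raise ValueError("at most three TACACS+ servers can be configured")
    for srv in servers:
        if not srv.reachable:
            continue             # failover is triggered by unreachability only
        # The first reachable server's reply is final, accept or reject.
        if _match(srv.users.get(user), password):
            # No privilege level is checked, so every accepted user
            # ends up unrestricted.
            return Result(True, UNRESTRICTED, srv.name)
        return Result(False, None, srv.name)
    return Result(False, None, None)     # no server answered

def local_login(local_db, user, password):
    """local_db maps username -> (password, configured privilege level)."""
    stored_pw, privilege = local_db.get(user, (None, None))
    if _match(stored_pw, password):
        return Result(True, privilege, "local")
    return Result(False, None, "local")
```

When reviewing such a setup, treat every account on any configured TACACS+ server as a full administrator of the switch, since the server cannot narrow the rights it grants.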
Customizing the Login Prompt
The CLI checks the file login-banner for customized text to include in the prompt. Use the copy
command to place a file named login-banner in the config directory of the switch. You can do this with
FTP:
copy ftp://user:xxx.x.x.x/my-banner config:login-banner
Entering CLI Modes
The CLI uses the following three command modes:
• User Execute mode
• Privileged Execute mode
• Global Configuration mode
Authentication            How it Works
local and then TACACS+    Verifies against the chassis database, then checks the TACACS+ client.
TACACS+ and then local    Checks the TACACS+ client, then verifies against the chassis database.