Command:

set authentication login

Mode:

Switch> (enable)


Syntax:

set authentication login attempt count [console | remote]

set authentication login lockout time [console | remote]

set authentication login {radius | tacacs | kerberos} enable [console | telnet | http | all] [primary]

set authentication login {radius | tacacs | kerberos} disable [console | telnet | http | all]

set authentication login local {enable | disable} [console | telnet | http | all]


Syntax Description:

attempt count

Keyword and variable that specify the number of login attempts.

remote

(Optional) Keyword that specifies that the authentication method applies to remote logins such as Telnet, SSH, Kerberos, and HTTP.

lockout time

Keyword and variable that specify the period of time a user is locked out of the switch after unsuccessfully attempting login.

radius

Keyword that specifies RADIUS authentication for normal mode access.

tacacs

Keyword that specifies TACACS+ authentication for normal mode access.

kerberos

Keyword that specifies Kerberos authentication for normal mode access.

enable

Keyword that enables the specified authentication method for normal mode access.

console

(Optional) Keyword that applies the authentication method to console sessions.

telnet

(Optional) Keyword that applies the authentication method to Telnet sessions.

http

(Optional) Keyword that applies the authentication method to HTTP sessions.

all

(Optional) Keyword that applies the authentication method to all sessions.

primary

(Optional) Keyword that specifies that the specified authentication method be tried first.

disable

Keyword that disables the specified authentication method for normal mode access.

local

Keyword that specifies local authentication for normal mode access.

 


Command Description:

Use the set authentication login command to configure the switch to use TACACS+, Kerberos, RADIUS, or local authentication to authenticate normal (login) mode access on the switch.


Examples:

This command allows you to choose the authentication method for the web interface. If you configure the authentication method for the HTTP session as RADIUS, then the username or password is validated using the RADIUS protocol, and TACACS+ and Kerberos authentication is set to disable for the HTTP sessions. By default, the HTTP login is validated using the local login password.

You can specify the authentication method for console, telnet, http, or all by entering the console, telnet, http, or all keywords. If you do not specify console, telnet, http, or all, the authentication method default is for all sessions. 

The maximum number of login attempts can be configured from SNMP and the command-line interface (CLI). The configurable range is from 0 to 10. To disable login attempt limit checking, set the count to 0. System log messages for failed logins are generated at level 5. If you are attempting access to enable mode and the password fails more than the number of attempts allowed, the system disables execution of the enable command for the lockout time.

The lockout time is configurable from SNMP and the CLI. The configurable range is from 30 to 600 seconds (half a minute to ten minutes). For console login, the console will not allow logging in during that time. For remote logins the connection will be closed when the limit is reached, and any subsequent login attempts from that station will be closed immediately by the switch.

When attempt limit checking is disabled, the lockout restriction is no longer applicable.
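The following is an added example, not part of the original reference and not Cisco code: a Python check that reads attempt and lockout commands in the syntax above and reports the effective console and remote limits, using the ranges and the zero-disables rule described here. The function name, the sample configuration and the rule that a later line overrides an earlier one are assumptions made for illustration.

```python
import re

# Ranges stated on this page: attempts 0-10 (0 turns limit checking off), lockout 30-600 s.
RANGES = {"attempt": (0, 10), "lockout": (30, 600)}
SCOPES = ("console", "remote")
PREFIX_RE = re.compile(r"set authentication login (attempt|lockout)\b")
LINE_RE = re.compile(
    r"^set authentication login (attempt|lockout) (\d+)(?: (console|remote))?$")

def audit_login_limits(config_text):
    """Return (policy, findings) for the attempt/lockout lines in config_text."""
    policy = {s: {"attempt": None, "lockout": None} for s in SCOPES}
    findings = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not PREFIX_RE.match(line):
            continue                          # other commands are not checked here
        m = LINE_RE.match(line)
        if not m:
            findings.append(f"unparsed: {line}")
            continue
        kind, value, scope = m.group(1), int(m.group(2)), m.group(3)
        low, high = RANGES[kind]
        if not low <= value <= high:
            findings.append(f"{kind} {value} outside {low}-{high}: {line}")
            continue
        # Without a console/remote keyword the value applies to both.
        for s in ([scope] if scope else SCOPES):
            policy[s][kind] = value           # assumption: a later line overrides an earlier one
    for s in SCOPES:
        attempt, lockout = policy[s]["attempt"], policy[s]["lockout"]
        if attempt == 0:
            findings.append(f"{s}: attempt limit checking disabled")
            if lockout is not None:
                findings.append(f"{s}: lockout {lockout}s has no effect while attempt is 0")
    return policy, findings

# Constructed sample input (not taken from a real switch).
SAMPLE_CONFIG = """\
set authentication login attempt 5
set authentication login attempt 0 remote
set authentication login lockout 300 console
set authentication login lockout 430 remote
set authentication login lockout 20
set authentication login tacacs enable http primary
"""

if __name__ == "__main__":
    for finding in audit_login_limits(SAMPLE_CONFIG)[1]:
        print(finding)
```

On the sample, the remote scope ends with an attempt count of 0, so its 430-second lockout is reported as inapplicable, and the out-of-range lockout value 20 is rejected without changing either scope.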

This example shows how to set the login attempt to 5 for both console and remote sessions:

Console> (enable) set authentication login attempt 5

Login authentication attempts for console and remote login set to 5.

Console> (enable)

 

This example shows how to set the login attempt to 7 for remote sessions:

Console> (enable) set authentication login attempt 7 remote

Login authentication attempts for remote login set to 7.

Console> (enable)

 

This example shows how to set the login attempt to 8 for console sessions:

Console> (enable) set authentication login attempt 8 console

Login authentication attempts for console login set to 8.

Console> (enable)

 

This example shows how to set the lockout time for both console and remote sessions to 50 seconds:

Console> (enable) set authentication login lockout 50

Login lockout time for console and remote login set to 50 seconds.

Console> (enable)

 

This example shows how to set the lockout time for console sessions to 5 minutes:

Console> (enable) set authentication login lockout 300 console

Login lockout time for console login set to 5 minutes.

Console> (enable)

 

This example shows how to set the lockout time for remote sessions to 7 minutes and 10 seconds:

Console> (enable) set authentication login lockout 430 remote

Login lockout time for console and remote login set to 7 minutes and 10 seconds.

Console> (enable)

 

This example shows how to disable TACACS+ authentication access for Telnet sessions:

Console> (enable) set authentication login tacacs disable telnet

tacacs login authentication set to disable for the telnet sessions.
Console> (enable)

 

This example shows how to disable RADIUS authentication access for console sessions:

Console> (enable) set authentication login radius disable console

radius login authentication set to disable for the console sessions.
Console> (enable)
 

This example shows how to disable Kerberos authentication access for Telnet sessions:

Console> (enable) set authentication login kerberos disable telnet

kerberos login authentication set to disable for the telnet sessions.
Console> (enable)
 

This example shows how to set TACACS+ authentication access as the primary method for HTTP sessions:

Console> (enable) set authentication login tacacs enable http primary

tacacs login authentication set to enable for HTTP sessions as primary authentication method.
Console> (enable)

 


Misconceptions:
None

Related Commands:
show authentication

© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
