Cisco Systems SN 5428-2 Saw User Manual


 
9-16
Cisco SN 5428-2 Storage Router Software Configuration Guide
OL-5239-01
Chapter 9 Configuring Authentication
Creating Authentication Lists
Creating Authentication Lists
iSCSI, Enable and Login authentication use lists of defined authentication services to administer security
functions. The list that is created for Enable and Login authentication must be named default. iSCSI
authentication supports a variety of authentication lists.
Use the procedures that follow according to the type of authentication required:
iSCSI authentication
Enable authentication
Login authentication
iSCSI authentication
Use the commands in the following procedure to build a unique list of authentication services to be used
for iSCSI authentication.
Note If local or local-case is the first service in the authentication list and a user name match is not found, the
next service in the list will be tried. If local or local-case is not the first service, authentication fails if a
user name match is not found. Authentication always fails if a RADIUS or TACACS+ server fails to find
a user name match.
Step 3
aaa group server tacacs+
sysadmin server 10.7.0.22
Add a TACACS+ server to the named group. For example, add the
TACACS+ server at IP address 10.7.0.22 to the group named
sysadmin.
Because no port is specified, authentication requests to this server
use the default port 49. Servers are accessed in the order in which
they are defined within the named group.
Step 4
aaa group server tacacs+
sysadmin server 10.7.0.41
Add another TACACS+ server to the named group. For example,
add the TACACS+ server at IP address 10.7.0.41 to the group
named sysadmin.
Command Description
Command Description
Step 1
enable Enter Administrator mode.
Step 2
aaa authentication iscsi
webservices2 local group janus
group tacacs+
Create a unique list of authentication services for iSCSI
authentication.
For example, create the list called webservices2 so that AAA first
tries to perform authentication using the local username database.
If AAA fails to find a user name match, an attempt is made to
contact a RADIUS server in the server group named janus. If no
RADIUS server in group janus is found, RADIUS returns an error
and AAA tries to use perform authentication using all configured
TACACS+ servers. If no TACACS+ server is found, TACACS+
returns an error and authentication fails. If a RADIUS or
TACACS+ server does not find a user name and password match,
authentication fails and no other methods are attempted.