114 BigIron RX Series Configuration Guide53-1001986-01Configuring authentication-method lists4NOTETo authenticate Telnet access to the CLI, you also must enable the authentication by entering theenable telnet authentication command at the global CONFIG level of the CLI. You cannot enableTelnet authentication using the Web management interface.NOTEYou do not need an authentication-method list to secure access based on ACLs or a list of IPaddresses. Refer to “Using ACLs to restrict remote access” on page 65 or “Restricting remote accessto the device to specific IP addresses” on page 68.In an authentication-method list for a particular access method, you can specify up to sevenauthentication methods. If the first authentication method is successful, the software grantsaccess and stops the authentication process. If the access is rejected by the first authenticationmethod, the software denies access and stops checking.However, if an error occurs with an authentication method, the software tries the next method onthe list, and so on. For example, if the first authentication method is the RADIUS server, but the linkto the server is down, the software will try the next authentication method in the list.NOTEIf an authentication method is working properly and the password (and user name, if applicable) isnot known to that method, this is not an error. The authentication attempt stops, and the user isdenied access.The software will continue this process until either the authentication method is passed or thesoftware reaches the end of the method list. If the Super User level password is not rejected afterall the access methods in the list have been tried, access is granted.NOTEIf a user cannot be authenticated using local authentication, then the next method on theauthentication methods list is used to try to authenticate the user. If there is no method followinglocal authentication, then the user is denied access to the device.Configuration considerations for authentication-method listsConsider the following before configuring authentication-method lists:• For CLI access, you must configure authentication-method lists if you want the device toauthenticate access using local user accounts or a RADIUS server. Otherwise, the device willauthenticate using only the locally based password for the Super User privilege level.• When no authentication-method list is configured specifically for Web management access,the device performs authentication using the SNMP community strings:• For read-only access, you can use the user name “get” and the password “public”. Thedefault read-only community string is “public”.• There is no default read-write community string. Thus, by default, you cannot open aread-write management session using the Web management interface. You first mustconfigure a read-write community string using the CLI. Then you can log on using “set” asthe user name and the read-write community string you configure as the password. Referto “Configuring TACACS and TACACS+ security” on page 84.