Enhancements in Release F.02.02

TACACS+ Authentication for Centralized Control of Switch Access Security

Adding, Removing, or Changing the Priority of a TACACS+ Server. Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as the first-choice server:

Figure 85. Example of the Switch with Two TACACS+ Server Addresses Configured (figure callout: First-Choice TACACS+ Server)

To move the "first-choice" status from the "15" server to the "10" server, use the no tacacs-server host <ip-addr> command to delete both servers, then use tacacs-server host <ip-addr> to re-enter the "10" server first, then the "15" server.

The servers would then be listed with the new "first-choice" server, that is:

The "10" server is now the "first-choice" TACACS+ authentication device.

Figure 86. Example of the Switch After Assigning a Different "First-Choice" Server

To remove the 10.28.227.15 device as a TACACS+ server, you would use this command:

HP2512(config)# no tacacs-server host 10.28.227.15

Configuring an Encryption Key. Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. (If the server expects a key, but the switch either does not provide one, or provides an incorrect key, then the authentication attempt will fail.) Use a global encryption key if the same key applies to all TACACS+ servers the switch may use for authentication attempts. Use a per-server encryption key if different servers the switch may use will have different keys. (For more details on encryption keys, see “Using the Encryption Key” on page 183.)
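
Why a mismatched key makes the authentication attempt fail, shown as an added example (not code from this manual or the switch firmware): the TACACS+ protocol (RFC 8907) XORs each packet body with an MD5-derived pad built from the shared key, so a body decoded with a different key no longer parses. The key strings, session ID, user name and port name are constructed values for illustration.

```python
import hashlib
import struct

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5-chained pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying the same call again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user: bytes, port: bytes) -> bytes:
    """Authentication START body: 8 fixed bytes, then the variable-length fields."""
    # action=1 (login), priv_lvl=1, authen_type=1 (ASCII), authen_service=1 (login),
    # then user_len, port_len, rem_addr_len=0, data_len=0
    return bytes([1, 1, 1, 1, len(user), len(port), 0, 0]) + user + port

def lengths_consistent(body: bytes) -> bool:
    """Receiver-side sanity check: declared field lengths must fill the body exactly."""
    return len(body) >= 8 and 8 + sum(body[4:8]) == len(body)

def demo():
    # Constructed sample values, not taken from any real device or capture.
    session_id, version, seq_no = 0x1A2B3C4D, 0xC0, 1
    clear = authen_start_body(b"admin", b"tty0")
    wire = obfuscate(clear, session_id, b"switch-key", version, seq_no)
    same_key = obfuscate(wire, session_id, b"switch-key", version, seq_no)
    other_key = obfuscate(wire, session_id, b"server-key", version, seq_no)
    return clear, wire, same_key, other_key

if __name__ == "__main__":
    clear, wire, same_key, other_key = demo()
    print("matching key parses:  ", lengths_consistent(same_key))
    print("mismatched key parses:", lengths_consistent(other_key))
```

Because the pad depends on the key, a global key and a per-server key produce different bodies on the wire for the same request, which is why each server must be paired with the key it expects.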
