TACACS+ Authentication


General Authentication Setup Procedure

2. Determine the following:

• The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services.

• The period you want the switch to wait for a reply to an authentication request before trying another server.

• The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s). (The key is a shared secret that TACACS+ uses only to obfuscate the packet body with an MD5-derived pad, with no integrity check, so choose a long random key and keep the switch-to-server path on a trusted management network.)

• The username/password pairs you want the TACACS+ server to use for controlling access to the switch.

• The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.

• The username/password pairs you want to use for local authentication (one pair each for Operator and Manager levels).

• The number of log-in attempts you will allow before closing a log-in session. (Default: 3)

3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the username/password sets for logging in at the Operator (read-only) privilege level and the sets for logging in at the Manager (read/write) privilege level.

Note on Privilege Levels: When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of "15" as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access. Thus, when configuring the TACACS+ server response to a request that includes a username/password pair that should have Manager privileges, you must use a privilege level of 15. For more on this topic, refer to the documentation you received with your TACACS+ server application.

If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After you have success with the minimum feature set, you may then want to try additional features that the application offers.

 

4. Ensure that the switch has the correct local username and password for Manager access. (If the switch cannot find any designated TACACS+ servers, the local manager and operator username/password pairs are always used as the secondary access control method.)
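As an added worked example (not from the HP manual and not the switch's firmware), the following Python models the log-in decision that steps 2 through 4 and the privilege-level note describe: servers are tried in first-choice order, a server that does not reply within the wait period is skipped, a privilege-level code of 15 becomes Manager and 14 or lower becomes Operator, the local Manager/Operator pairs are consulted only when no server answers, and the log-in attempt limit defaults to 3. Server behaviour, IP addresses, keys and accounts are constructed placeholders. The one piece of real protocol in it is tacacs_obfuscate(), the RFC 8907 section 4.5 body obfuscation, included to show what the shared "encryption key" from step 2 actually does on the wire.

```python
"""Model of the switch-side TACACS+ log-in decision outlined in steps 2-4.
Added example, not HP switch code: server replies are simulated callables;
only tacacs_obfuscate() is the real wire algorithm (RFC 8907 section 4.5)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MANAGER = "Manager"    # read/write
OPERATOR = "Operator"  # read-only

def tacacs_obfuscate(body: bytes, key: bytes, session_id: int,
                     version: int = 0xC0, seq_no: int = 1) -> bytes:
    """Body XOR MD5-derived pseudo-pad; pad_1 = MD5(sid|key|ver|seq),
    pad_n = MD5(sid|key|ver|seq|pad_n-1). Self-inverse. This is all the
    planning list's "encryption key" buys: keyed obfuscation, no integrity."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

# Simulated server: (user, password) -> privilege-level code, None = reject.
# Raising TimeoutError models "no reply within the switch's wait period".
Responder = Callable[[str, str], Optional[int]]

@dataclass
class TacacsServer:
    ip: str
    key: bytes           # server-specific key, or the global key
    responder: Responder

@dataclass
class SwitchAuthConfig:
    servers: List[TacacsServer]      # first-choice server first
    local_manager: Tuple[str, str]   # local Manager username/password
    local_operator: Tuple[str, str]  # local Operator username/password
    max_attempts: int = 3            # log-in attempts before the session closes

def privilege_from_code(code: int) -> str:
    """Rule from the privilege-level note: 15 = Manager, 14 and lower = Operator."""
    return MANAGER if code == 15 else OPERATOR

def try_servers(cfg: SwitchAuthConfig, user: str, password: str) -> Tuple[str, Optional[str]]:
    """Query servers in first-choice order. ("tacacs", level) if one answers,
    ("reject", None) on an explicit rejection, ("local", None) only when every
    server timed out, which is the one case where local pairs are consulted."""
    for srv in cfg.servers:
        try:
            code = srv.responder(user, password)
        except TimeoutError:
            continue                     # wait period expired: next server
        if code is None:
            return ("reject", None)
        return ("tacacs", privilege_from_code(code))
    return ("local", None)

def local_login(cfg: SwitchAuthConfig, user: str, password: str) -> Optional[str]:
    """Secondary access control method: the switch's own Manager/Operator pairs."""
    if (user, password) == cfg.local_manager:
        return MANAGER
    if (user, password) == cfg.local_operator:
        return OPERATOR
    return None

def login_session(cfg: SwitchAuthConfig, attempts: List[Tuple[str, str]]) -> Optional[str]:
    """One Telnet log-in session over the credentials typed at the prompt.
    Returns the granted level, or None once max_attempts failures close it."""
    for user, password in attempts[:cfg.max_attempts]:
        source, level = try_servers(cfg, user, password)
        if source == "local":
            level = local_login(cfg, user, password)
        if level is not None:
            return level
    return None

def db_responder(db: Dict[Tuple[str, str], int]) -> Responder:
    return lambda user, password: db.get((user, password))

def unreachable(user: str, password: str) -> Optional[int]:
    raise TimeoutError("no reply within wait period")

# Constructed sample deployment: addresses, keys and accounts are made up.
GLOBAL_KEY = b"example-global-key"
SERVER_DB = {("netadmin", "Adm1n-pw"): 15,  # code 15 -> Manager on the switch
             ("helpdesk", "Help-pw"): 7}    # any code <= 14 -> Operator
CONFIG = SwitchAuthConfig(
    servers=[TacacsServer("10.0.0.1", GLOBAL_KEY, unreachable),   # first choice, down
             TacacsServer("10.0.0.2", b"server2-key", db_responder(SERVER_DB))],
    local_manager=("manager", "LocalMgr-pw"),
    local_operator=("operator", "LocalOp-pw"))
ALL_DOWN = SwitchAuthConfig(servers=[TacacsServer("10.0.0.1", GLOBAL_KEY, unreachable)],
                            local_manager=CONFIG.local_manager,
                            local_operator=CONFIG.local_operator)

if __name__ == "__main__":
    print(login_session(CONFIG, [("netadmin", "Adm1n-pw")]))      # Manager
    print(login_session(CONFIG, [("helpdesk", "Help-pw")]))       # Operator
    print(login_session(CONFIG, [("manager", "LocalMgr-pw")]))    # None: server 2 rejects
    print(login_session(ALL_DOWN, [("manager", "LocalMgr-pw")]))  # Manager via local pairs
```

Run it directly to see the four scenarios. The third one is the case worth testing on a real switch before you rely on TACACS+ as the only management path: a server that is reachable but rejects the request does not trigger the local fallback, as the parenthetical in step 4 implies, so a reachable but misconfigured server also blocks the local Manager account; only unreachable servers fall through to local pairs.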
