TACACS+ Authentication

Configuring TACACS+ on the Switch

Configuring the Switch’s Authentication Methods

The aaa authentication command configures access control for the following access methods:

Console

Telnet

SSH

Web

Port-access (802.1X)

However, TACACS+ authentication is only used with the console, Telnet, or SSH access methods. The command specifies whether to use a TACACS+ server or the switch’s local authentication, or (for some secondary scenarios) no authentication (meaning that if the primary method fails, authentication is denied). The command also reconfigures the number of access attempts to allow in a session if the first attempt uses an incorrect username/password pair.

Using the Privilege-Mode Option for Login

When using TACACS+ to control user access to the switch, you must first login with your username at the Operator privilege level using the password for Operator privileges, and then login again with the same username but using the Manger password to obtain Manager privileges. You can avoid this double login process by entering the privilege-modeoption with the aaa authentication login command to enable TACACS+ for a single login. The switch authenticates your username/password, then requests the privilege level (Operator or Manager) that was configured on the TACACS+ server for this username/ password. The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into Operator or Manager mode, depending on your privilege level.

ProCurve(config) aaa authentication login privilege-mode

The no version of the above command disables TACACS+ single login capa- bility.

4-11