TACACS+ Authentication

How Authentication Operates

General Authentication Process Using a TACACS+ Server

Authentication through a TACACS+ server operates generally as described below. For specific operating details, refer to the documentation you received with your TACACS+ server application.

[Figure: Terminal “A” directly accessing a ProCurve switch via the switch’s console port, and Terminal “B” remotely accessing a ProCurve switch via Telnet. Each switch is configured for TACACS+ operation and is shown with a first-choice TACACS+ server, a second-choice TACACS+ server (optional), and a third-choice TACACS+ server (optional).]
Figure 4-8. Using a TACACS+ Server for Authentication

Using figure 4-8, above, after either switch detects an operator’s logon request from a remote or directly connected terminal, the following events occur:

1. The switch queries the first-choice TACACS+ server for authentication of the request.

If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server. If the switch does not receive a response from any TACACS+ server, then it uses its own local username/password pairs to authenticate the logon request. (See “Local Authentication Process” on page 4-26.)

If a TACACS+ server recognizes the switch, it forwards a username prompt to the requesting terminal via the switch.

2. When the requesting terminal responds to the prompt with a username, the switch forwards it to the TACACS+ server.

3. After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch.
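The server-selection order in step 1, modelled as an added example (not vendor code). The `Server` class, the `authenticate` function and the sample accounts are hypothetical, and treating a reject from a responding server as final is an assumption that the steps above do not state.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Reply from one TACACS+ server: True = accept, False = reject,
# None = no response (timeout or unreachable).
Reply = Optional[bool]


@dataclass
class Server:
    """Hypothetical stand-in for one configured TACACS+ server."""
    name: str
    query: Callable[[str, str], Reply]


def authenticate(servers: List[Server], local_users: Dict[str, str],
                 username: str, password: str) -> Tuple[bool, str]:
    """Return (granted, deciding_source) using the first/second/third-choice order.

    Assumption: a reject from a server that responds is final. Only silence
    from every configured server leads to the switch's local pairs.
    """
    for server in servers:
        reply = server.query(username, password)
        if reply is None:          # no response: move to the next choice
            continue
        return reply, server.name  # the first server that answers decides
    # No TACACS+ server responded: use the local username/password pairs.
    stored = local_users.get(username)
    granted = stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())
    return granted, "local"


def unreachable(_user: str, _pw: str) -> Reply:
    """Models a server that never answers."""
    return None


def backed_by(accounts: Dict[str, str]) -> Callable[[str, str], Reply]:
    """Models a responding server that checks its own stored pairs."""
    return lambda user, pw: accounts.get(user) == pw


# Constructed sample data, not taken from any real configuration.
SERVER_ACCOUNTS = {"operator1": "server-secret"}
LOCAL_PAIRS = {"manager": "local-secret"}
```

When every configured server is silent, the local pairs are the only gate on the switch, so they need the same care as the server-side accounts.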
