Configuring Username and Password Security

Saving Security Credentials in a Config File

The password port-accessvalues are configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password command syntax, see “Password Command Options” on page 2-12.

After you enter the complete password port-accesscommand syntax, the password is set. You are not prompted to enter the password a second time.

TACACS+ Encryption Key Authentication

You can use TACACS+ servers to authenticate users who request access to a switch through Telnet (remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of:

Remote passwords assigned in a TACACS+ server

Local manager and operator passwords configured on the switch.

When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.

For improved security, you can configure a global or server-specific encryption key that encrypts data in TACACS+ packets transmitted between a switch and a RADIUS server during authentication sessions. The key configured on the switch must match the encryption key configured in each

TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.) For more information, see “TACACS+ Authentication” on page 5-1in this guide.

TACACS+ shared secret (encryption) keys can be saved by entering this command:

ProCurve(config)# tacacs-server key <keystring>

The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server.

RADIUS Shared-Secret Key Authentication

You can use RADIUS servers as the primary authentication method for users who request access to a switch through Telnet, SSH, Web interface, console, or port-access (802.1X). The shared secret key is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS server

2-15