TACACS+ offers the following advantages over RADIUS as the authentication method:

TACACS+ is TCP-based, so it provides connection-oriented transport.

It encrypts the full packet body, whereas RADIUS encrypts only the password in authentication requests.

It handles authentication, authorization, and accounting as separate, decoupled functions.

The following table describes the TACACS+ Server Configuration Menu options.

Table 83 TACACS+ Server Configuration Menu options

prisrv <IP address>
    Defines the primary TACACS+ server address.

secsrv <IP address>
    Defines the secondary TACACS+ server address.

secret <1-32 characters>
    The shared secret between the switch and the TACACS+ server(s).

secret2 <1-32 characters>
    The secondary shared secret between the switch and the TACACS+ server(s).

port <TCP port number>
    Enter the number of the TCP port to be configured, between 1 and 65000.
    The default is 49.

retries <1-3>
    Sets the number of failed authentication requests before switching to a
    different TACACS+ server. The range is 1-3 requests. The default is 3
    requests.

timeout <4-15>
    Sets the amount of time, in seconds, before a TACACS+ server
    authentication attempt is considered to have failed. The range is 4-15
    seconds. The default is 5 seconds.

bckdoor enable|disable
    Enables or disables the TACACS+ back door for Telnet, SSH/SCP, or
    HTTP/HTTPS. Enabling this feature allows you to bypass the TACACS+
    servers. It is recommended that you use Secure Backdoor (secbd) instead
    to keep the switch secured, because Secure Backdoor disallows access
    through the back door while the TACACS+ servers are responding.
    The default value is disabled.

secbd enable|disable
    Enables or disables TACACS+ secure back door access through Telnet,
    SSH/SCP, or HTTP/HTTPS only when the TACACS+ servers are not responding.
    This feature is recommended to permit access to the switch when the
    TACACS+ servers become unresponsive. If no back door is enabled, the
    only way to gain access when the TACACS+ servers are unresponsive is
    the back door via the console port. The default value is disabled.

cmap enable|disable
    Enables or disables TACACS+ privilege-level mapping.
    The default value is disabled.

usermap <0-15> user|oper|admin|none
    Maps a TACACS+ authorization level to a switch user level. Enter a
    TACACS+ authorization level (0-15), followed by the corresponding HP
    10GbE switch user level (user, oper, admin, or none).

on
    Enables the TACACS+ server.

off
    Disables the TACACS+ server.

cur
    Displays current TACACS+ configuration parameters.
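The following is an added example, not code from the HP manual: it checks a proposed TACACS+ menu configuration against the ranges the table documents (secret length, port, retries, timeout, usermap levels) and flags the plain back door, which bypasses the TACACS+ servers even when they respond. The option names, the dictionary layout, and the sample values are assumptions chosen to mirror the menu; the switch itself does not expose such a checker.

```python
# Added example: validate a TACACS+ menu configuration against the documented
# ranges and flag back-door settings that weaken TACACS+ enforcement.
import ipaddress
from typing import Dict, List

USER_LEVELS = {"user", "oper", "admin", "none"}   # usermap target levels


def check_tacacs_config(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: List[str] = []
    if not cfg.get("prisrv"):
        findings.append("prisrv: no primary TACACS+ server defined")
    for key in ("prisrv", "secsrv"):              # server addresses must parse
        if cfg.get(key) is not None:
            try:
                ipaddress.ip_address(cfg[key])
            except ValueError:
                findings.append(f"{key}: {cfg[key]!r} is not a valid IP address")
    for key in ("secret", "secret2"):             # 1-32 characters
        if cfg.get(key) is not None and not 1 <= len(cfg[key]) <= 32:
            findings.append(f"{key}: must be 1-32 characters")
    if not 1 <= cfg.get("port", 49) <= 65000:     # default TCP port 49
        findings.append("port: must be between 1 and 65000")
    if not 1 <= cfg.get("retries", 3) <= 3:       # default 3 requests
        findings.append("retries: range is 1-3 requests")
    if not 4 <= cfg.get("timeout", 5) <= 15:      # default 5 seconds
        findings.append("timeout: range is 4-15 seconds")
    # bckdoor bypasses the TACACS+ servers even while they respond; secbd only
    # opens the back door when the servers are not responding.
    if cfg.get("bckdoor") == "enable":
        findings.append("bckdoor: enabled; bypasses TACACS+ even when servers "
                        "respond (use secbd instead)")
    if cfg.get("cmap") == "enable":               # mapping only applies when on
        for level, user_level in cfg.get("usermap", {}).items():
            if not 0 <= level <= 15:
                findings.append(f"usermap: level {level} is outside 0-15")
            if user_level not in USER_LEVELS:
                findings.append(f"usermap: unknown user level {user_level!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: plain back door enabled and an out-of-range timeout.
    weak = {"prisrv": "192.0.2.10", "secret": "sharedsecret",
            "bckdoor": "enable", "timeout": 2}
    for finding in check_tacacs_config(weak):
        print(finding)
```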

HP BMD00022 manual, Configuration Menu, page 117