TACACS+ Authentication

Configuring TACACS+ on the Switch

Configuring the Switch’s TACACS+ Server Access

The tacacs-server command configures these parameters:

The host IP address(es) for up to three TACACS+ servers; one first- choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.

An optional encryption key. This key helps to improve security, and must match the encryption key used in your TACACS+ server application. In some applications, the term “secret key” or “secret” may be used instead of “encryption key”. If you need only one encryption key for the switch to use in all attempts to authenticate through a TACACS+ server, configure a global key. However, if the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.

The timeout value in seconds for attempts to contact a TACACS+

 

server. If the switch sends an authentication request, but does not

 

receive a response within the period specified by the timeout value,

 

the switch resends the request to the next server in its Server IP Addr

 

list, if any. If the switch still fails to receive a response from any

 

TACACS+ server, it reverts to whatever secondary authentication

 

method was configured using the aaa authentication command (local

 

or none; see “Configuring the Switch’s Authentication Methods” on

 

page 4-11.)

 

 

Note

As described under “General Authentication Setup Procedure” on page 4-5,

 

ProCurve recommends that you configure, test, and troubleshoot authentica-

 

tion via Telnet access before you configure authentication via console port

 

access. This helps to prevent accidentally locking yourself out of switch

 

access due to errors or problems in setting up authentication in either the

 

switch or your TACACS+ server.

 

 

4-15