
Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security
Notes
The effectiveness of TACACS+ security depends on correctly using your 
TACACS+ server application. For this reason, HP recommends that you 
thoroughly test all TACACS+ configurations used in your network. 
TACACS-aware HP switches include the capability of configuring multiple 
backup TACACS+ servers. HP recommends that you use a TACACS+ server 
application that supports a redundant backup installation. This allows you to 
configure the switch to use a backup TACACS+ server if it loses access to the 
first-choice TACACS+ server.
In release G.01.xx, TACACS+ does not affect web browser interface access. 
See "Controlling Web Browser Interface Access" on page 28.
General Authentication Setup Procedure
It is important to test the TACACS+ service before fully implementing it. 
Depending on the process and parameter settings you use to set up and test 
TACACS+ authentication in your network, you could accidentally lock all 
users, including yourself, out of access to a switch. While recovery is simple, 
it may pose an inconvenience that can be avoided.
To prevent an unintentional 
lockout on a Switch 4108GL, use a procedure that configures and tests 
TACACS+ protection for one access type (for example, Telnet access), while 
keeping the other access type (console, in this case) open in case the Telnet 
access fails due to a configuration problem. The following procedure outlines 
a general setup procedure. 
Note
If a complete access lockout occurs on the switch as a result of a TACACS+ 
configuration, see "Troubleshooting TACACS+ Operation" on page 18-13 
for recovery methods.
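The staged approach described above can be checked against a configuration before it is saved. This added example (not from the HP manual) parses `aaa authentication` lines and reports whether one access type is still open on local authentication. The command syntax, the local/none defaults, and the sample configurations are assumptions and constructed values, not taken from this page.

```python
import re

# Assumed CLI syntax (not shown on this page; check your release's manual):
#   aaa authentication <console|telnet> <login|enable> <local|tacacs> [local|none]
AAA_RE = re.compile(
    r"^\s*aaa authentication (console|telnet) (login|enable) "
    r"(local|tacacs)(?: (local|none))?\s*$"
)
ACCESS_TYPES = ("console", "telnet")
LEVELS = ("login", "enable")

def parse_aaa(config_text):
    """Map (access, level) -> (primary, secondary); unset entries are assumed local/none."""
    methods = {(a, lvl): ("local", "none") for a in ACCESS_TYPES for lvl in LEVELS}
    for line in config_text.splitlines():
        m = AAA_RE.match(line)
        if m:
            access, level, primary, secondary = m.groups()
            methods[(access, level)] = (primary, secondary or "none")
    return methods

def lockout_findings(config_text):
    """Flag settings that remove the safety net of a staged rollout (one access type kept local)."""
    methods = parse_aaa(config_text)
    findings = []
    open_types = [a for a in ACCESS_TYPES
                  if all(methods[(a, lvl)][0] == "local" for lvl in LEVELS)]
    if not open_types:
        findings.append("no access type is left on local authentication")
    for (access, level), (primary, secondary) in sorted(methods.items()):
        if primary == "tacacs" and secondary != "local":
            findings.append(f"{access} {level}: tacacs with no local fallback")
    return findings

# Constructed sample configurations (not taken from a real switch).
STAGED = """\
tacacs-server host 192.0.2.10
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local
"""
RISKY = """\
tacacs-server host 192.0.2.10
aaa authentication console login tacacs
aaa authentication telnet login tacacs
"""

if __name__ == "__main__":
    for name, cfg in (("staged", STAGED), ("risky", RISKY)):
        print(name, lockout_findings(cfg) or "ok")
```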
1. Familiarize yourself with the requirements for configuring your 
TACACS+ server application to respond to requests from a Switch 
4108GL. (Refer to the documentation provided with the TACACS+ server 
software.) This includes knowing whether you need to configure an 
encryption key. (See “Using the Encryption Key” on page 26.)