Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security
To remove the 10.28.227.15 device as a TACACS+ server, you would use this
command:
HP4108(config)# no tacacs-server host 10.28.227.15
Configuring an Encryption Key. Use an encryption key in the switch if the
switch will be requesting authentication from a TACACS+ server that also uses
an encryption key. (If the server expects a key, but the switch either does not
provide one, or provides an incorrect key, then the authentication attempt will
fail.) Use a global encryption key if the same key applies to all TACACS+
servers the switch may use for authentication attempts. Use a per-server
encryption key if different servers the switch may use will have different keys.
(For more details on encryption keys, see “Using the Encryption Key” on page
26.)
To configure north01 as a global encryption key:
HP4108(config)# tacacs-server key north01
To configure north01 as a per-server encryption key:
HP4108(config)# tacacs-server host 10.28.227.63 key north01
An encryption key can contain up to 100 characters, without spaces, and is
likely to be case-sensitive in most TACACS+ server applications.
To delete a global encryption key from the switch, use this command:
HP4108(config)# no tacacs-server key
To delete a per-server encryption key in the switch, re-enter the tacacs-server
host command without the key parameter. For example, if you have north01
configured as the encryption key for a TACACS+ server with the IP address
of 10.28.227.104 and you wanted to eliminate the key, you would use this
command:
HP4108(config)# tacacs-server host 10.28.227.104
Note
The show tacacs command lists the global encryption key, if configured.
However, to view any configured per-server encryption keys, you must use
show config or show config running (if you have made TACACS+ configuration
changes without executing write mem).
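
The following Python script is an added example, not part of the HP documentation. It reads saved show config output and reports, for each TACACS+ server, whether its key comes from a per-server entry, from the global key, or from nowhere, without printing the key itself. It assumes that show config echoes the command forms shown above and that a per-server key takes precedence over the global key; the sample configuration is constructed.

```python
import re

# Constructed sample of saved "show config" output (assumed to echo the
# command forms used in this section; real output may differ by firmware).
SAMPLE_CONFIG = """\
hostname "HP4108"
tacacs-server host 10.28.227.63 key north01
tacacs-server host 10.28.227.104
tacacs-server key north01
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: key (\S+))?$")
GLOBAL_RE = re.compile(r"^tacacs-server key (\S+)$")
MAX_KEY_LEN = 100  # limit stated in this section


def audit_tacacs_keys(config_text):
    """Map each TACACS+ server to the source of its encryption key.

    Returns {server_ip: "per-server" | "global" | "none" | "invalid"}.
    Key values are never returned, so the report is safe to log or share.
    """
    global_key = None
    hosts = {}  # server IP -> per-server key, or None if the entry has no key
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GLOBAL_RE.match(line)
        if m:
            global_key = m.group(1)
            continue
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = m.group(2)

    report = {}
    for ip, key in hosts.items():
        # Assumption: a per-server key takes precedence over the global key.
        effective = key if key is not None else global_key
        if effective is None:
            report[ip] = "none"  # authentication fails if the server expects a key
        elif len(effective) > MAX_KEY_LEN:
            report[ip] = "invalid"  # longer than the 100-character limit
        else:
            report[ip] = "per-server" if key is not None else "global"
    return report


if __name__ == "__main__":
    for server, source in audit_tacacs_keys(SAMPLE_CONFIG).items():
        print(f"{server}: key source = {source}")
```

A server reported as "none" is one for which both the per-server key and the global key have been deleted, so authentication against it fails if the server expects a key.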