Access Security Guide K/KA/KB.15.15

5 TACACS+ Authentication
Getting ready for TACACS+ authentication
To use TACACS+ authentication, you need the following:
• A TACACS+ server application installed and configured on one or more servers or management stations in your network. There are several TACACS+ software packages available.
• A switch configured for TACACS+ authentication, with access to one or more TACACS+ servers.
NOTE: The effectiveness of TACACS+ security depends on correctly using your TACACS+ server application. For this reason, HP recommends that you thoroughly test all TACACS+ configurations used in your network.
TACACS-aware HP switches include the capability of configuring multiple backup TACACS+ servers. HP recommends that you use a TACACS+ server application that supports a redundant backup installation. This allows you to configure the switch to use a backup TACACS+ server if it loses access to the first-choice TACACS+ server.
TACACS+ does not affect WebAgent access. See “Controlling WebAgent access when using TACACS+ authentication” (page 139).
General Authentication Setup Procedure
It is important to test the TACACS+ service before fully implementing it. Depending on the process and parameter settings you use to set up and test TACACS+ authentication in your network, you could accidentally lock all users, including yourself, out of access to a switch. While recovery is simple, it can pose an inconvenience that can be avoided. To prevent an unintentional lockout on the switch, use a procedure that configures and tests TACACS+ protection for one access type (for example, Telnet access), while keeping the other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure.
NOTE: If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ Operation" in the Management and Configuration Guide for your switch.
1. Familiarize yourself with the requirements for configuring your TACACS+ server application to respond to requests from the switch. (See the documentation provided with the TACACS+ server software.) This includes knowing whether you need to configure an encryption key; see “Using the encryption key” (page 133).
2. Determine the following:
   • The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first choice for authentication services.
   • The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).
   • The number of log-in attempts you will allow before closing a log-in session. (Default: 3)
   • The period you want the switch to wait for a reply to an authentication request before trying another server.
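As an added example (not from this guide or HP), the following Python shows what the encryption key from step 2 actually does on the wire: per RFC 8907 section 4.5 the packet body is XORed with a chained-MD5 pad derived from the session id, the shared key, the version and the sequence number, so a switch and server that disagree on the key decode each other's bodies as garbage, which is the key-mismatch failure the keep-the-console-open procedure guards against. The session id, key and body below are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from the guide).
SESSION_ID = 0x1A2B3C4D        # chosen by the switch per session
SWITCH_KEY = b"SwitchKey"      # the shared key configured on both ends
VERSION = 0xC0                 # TACACS+ major version 0xC, minor 0
TYPE_AUTHEN = 0x01             # packet type: authentication
HEADER_FMT = "!BBBBII"         # version, type, seq_no, flags, session_id, length


def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), truncated to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, seq_no=1):
    """Switch side: 12-byte header followed by the obfuscated body."""
    header = struct.pack(HEADER_FMT, VERSION, TYPE_AUTHEN, seq_no, 0x00,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def read_body(packet, key):
    """Server side: recover the body using the key it has configured."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:12])
    return xor_body(packet[12:12 + length], session_id, key, version, seq_no)


def key_mismatch_demo():
    """Return (decoded with matching key, decoded with a wrong key)."""
    body = b"authen START: user=admin (constructed)"
    packet = build_packet(body, SESSION_ID, SWITCH_KEY)
    good = read_body(packet, SWITCH_KEY)
    bad = read_body(packet, b"TypoKey")   # server configured with another key
    return good == body, bad == body


if __name__ == "__main__":
    print(key_mismatch_demo())   # (True, False)
```

The sequence number is part of the pad, so even a replayed body with the right key only decodes at the expected position in the exchange; note that the RFC itself calls this obfuscation, not encryption.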