Access Security Guide K/KA/KB.15.15
• The username/password pairs you want the TACACS+ server to use for controlling access
to the switch.
• The privilege level you want for each username/password pair administered by the
TACACS+ server for controlling access to the switch.
• The username/password pairs you want to use for local authentication (one pair each
for operator and manager levels).
3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for
Telnet access (login and enable) to the switch. This includes the username/password sets for
logging in at the operator (read-only) privilege level and the sets for logging in at the manager
(read/write) privilege level.
NOTE: When a TACACS+ server authenticates an access request from a switch, it includes
a privilege level code for the switch to use in determining which privilege level to grant to the
terminal requesting access. The switch interprets a privilege level code of "15" as authorization
for the manager (read/write) privilege level access. Privilege level codes of 14 and lower
result in operator (read-only) access. Thus, when configuring the TACACS+ server response
to a request that includes a username/password pair that should havemanager privileges,
you must use a privilege level of 15. For more on this topic, see the documentation you received
with your TACACS+ server application.
If you are a first-time user of the TACACS+ service, HP recommends that you configure only
the minimum feature set required by the TACACS+ application to provide service in your
network environment. After you have success with the minimum feature set, you can then want
to try additional features that the application offers.
4. Ensure that the switch has the correct local username and password for manager access. (If
the switch cannot find any designated TACACS+ servers, the local manager and operator
username/password pairs are always used as the secondary access control method.)
CAUTION: Ensure that the switch has a local manager password. Otherwise, if authentication
through a TACACS+ server fails for any reason, unauthorized access will be available through
the console port or Telnet.
5. Using a terminal device connected to the switch console port, configure the switch for TACACS+
authentication only for Telnet login access and Telnet enable access. At this stage, do not
configure TACACS+ authentication for console access to the switch, as you may need to use
the console for access if the configuration for the Telnet method needs debugging.
6. Ensure that the switch is configured to operate on your network and can communicate with
your first-choice TACACS+ server. (At a minimum, this requires IP addressing and a successful
ping test from the switch to the server.)
7. On a remote terminal device, use Telnet to attempt to access the switch. If the attempt fails,
use the console access to check the TACACS+ configuration on the switch. If you make changes
in the switch configuration, check Telnet access again. If Telnet access still fails, check the
configuration in your TACACS+ server application for mis-configurations or missing data that
could affect the server's interoperation with the switch.
8. After your testing shows that Telnet access using the TACACS+ server is working properly,
configure your TACACS+ server application for console access. Then test the console access.
If access problems occur, check for and correct any problems in the switch configuration, and
then test console access again. If problems persist, check your TACACS+ server application
for mis-configurations or missing data that could affect the console access.
9. When you are confident that TACACS+ access through both Telnet and the switch console
operates properly, use the write memory command to save the switch running-config file
to flash.
TACACS 123