Access Security Guide K/KA/KB.15.15

5. Check the Privilege level box and set the privilege level to 15 to allow "root" privileges. This
allows you to use the single login option.
Figure 98 The shell section of the TACACS+ server user setup
As shown in “Configuring the switch TACACS+ Server Access” (page 125), login and enable access
is always available locally through a direct terminal connection to the switch console port. However,
for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down
or otherwise becomes unavailable to the switch.
Configuring the switch TACACS+ Server Access
The tacacs-server command configures these parameters:

The host IP address(es) for up to three TACACS+ servers: one first-choice server and up to two
backups. Designating backup servers provides for a continuation of authentication services
in case the switch is unable to contact the first-choice server.

An optional encryption key. This key helps to improve security, and must match the encryption
key used in your TACACS+ server application. In some applications, the term "secret key" or
"secret" may be used instead of "encryption key". If you need only one encryption key for
the switch to use in all attempts to authenticate through a TACACS+ server, configure a global
key. However, if the switch is configured to access multiple TACACS+ servers having different
encryption keys, you can configure the switch to use a different encryption key for each
TACACS+ server.

The timeout value, in seconds, for attempts to contact a TACACS+ server. If the switch sends an
authentication request but does not receive a response within the period specified by the
timeout value, the switch resends the request to the next server in its Server IP Addr list, if any.
If the switch still fails to receive a response from any TACACS+ server, it reverts to whatever
secondary authentication method was configured using the aaa authentication command
(local or none); see “Configuring the switch authentication methods” (page 124).
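The three parameters above are easy to get wrong in a running configuration: a second server that was never given a key, or only one server with no backup. The following auditor is an added example, not code from the guide or from HP; it parses a constructed config excerpt using the tacacs-server and aaa authentication command forms described on this page and reports servers without a server-specific or global key, a missing backup server, and the secondary method chosen for each remote access type.

```python
"""Audit an HP switch TACACS+ config excerpt for the failure modes this page
describes: no backup server, servers without an encryption key, and the
secondary (fallback) authentication method in use."""
import re

# Constructed sample, not taken from the guide: the second server has no key
# and no global key is set, and Telnet login has no local fallback.
WEAK_CONFIG = """\
tacacs-server host 192.0.2.10 key s3rv3r-one
tacacs-server host 192.0.2.11
tacacs-server timeout 5
aaa authentication telnet login tacacs none
aaa authentication telnet enable tacacs local
"""

# Constructed sample using one global key for both servers and local fallback.
HARDENED_CONFIG = """\
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
tacacs-server key sw1tch-global
aaa authentication telnet login tacacs local
aaa authentication telnet enable tacacs local
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: key (\S+))?")
GLOBAL_KEY_RE = re.compile(r"^tacacs-server key (\S+)")
AAA_RE = re.compile(r"^aaa authentication (\S+) (login|enable) tacacs (\S+)")


def audit_tacacs(config: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    hosts, fallbacks, global_key, findings = [], [], None, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):          # per-server entry, optional key
            hosts.append((m.group(1), m.group(2)))
        elif m := GLOBAL_KEY_RE.match(line):  # global key applies to all servers
            global_key = m.group(1)
        elif m := AAA_RE.match(line):         # secondary method after 'tacacs'
            fallbacks.append((m.group(1), m.group(2), m.group(3)))
    if not hosts:
        findings.append("no tacacs-server host configured")
    elif len(hosts) < 2:
        findings.append("only one TACACS+ server: no backup if it is unreachable")
    for addr, key in hosts:
        if key is None and global_key is None:
            findings.append(f"server {addr} has no server-specific or global key")
    for access, stage, method in fallbacks:
        if method == "none":  # page: 'none' denies access when servers are down
            findings.append(f"{access} {stage}: 'none' fallback denies {access} "
                            "access while all TACACS+ servers are unreachable")
    return findings
```

A "none" finding is the deny-on-outage behaviour the page describes for Telnet; the check surfaces it so that the console path, which always keeps local access, is known to be the only way in during a server outage.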
Syntax:
tacacs-server host <ip-addr> [key <key-string>] | [oobm]
Adds a TACACS+ server and optionally assigns a server-specific encryption key.
If the switch is configured to access multiple TACACS+ servers having different
encryption keys, you can configure the switch to use different encryption keys for
different TACACS+ servers.
[no] tacacs-server host <ip-addr>
Removes a TACACS+ server assignment (including its server-specific encryption
key, if any).
tacacs-server key <key-string>