Access Security Guide K/KA/KB.15.15

Configures an optional global encryption key. Keys configured in the switch must
exactly match the encryption keys configured in the TACACS+ servers that the
switch will attempt to use for authentication.
[no] tacacs-server key
Removes the optional global encryption key. This does not affect any server-specific
encryption key assignments.
tacacs-server timeout <1-255>
Changes the wait period for a TACACS+ server response.
Default: 5 seconds.
NOTE:
As described in “Getting ready for TACACS+ authentication” (page 122), HP recommends
that you configure, test, and troubleshoot authentication via Telnet access before you configure
authentication via console port access. This helps to prevent accidentally locking yourself out
of switch access due to errors or problems in setting up authentication in either the switch or
your TACACS+ server.
Encryption keys configured in the switch must exactly match the encryption keys configured
in the TACACS+ servers it is attempting to use for authentication.
A switch uses a global encryption key only with servers with no server-specific key. A global
key is more useful where the TACACS+ servers in use all have an identical key, and
server-specific keys are necessary where different TACACS+ servers have different keys.
If TACACS+ server "X" has no encryption key assigned, then configuring either a global
encryption key or a server-specific key in the switch for server "X" will block authentication
support from server "X".
Device running a TACACS+ server application
Syntax:
host <ip-addr> [key <key-string>] | [oobm]
Specifies the IP address of a device running a TACACS+ server application.
Optionally, you can also specify the unique, per-server encryption key to use when each
assigned server has its own, unique key. For more on the encryption key, see “Using
the encryption key” (page 133) and the documentation provided with your TACACS+
server application.
For switches that have a separate out-of-band management port, the oobm parameter
specifies that the TACACS+ traffic will go through the out-of-band management
(OOBM) port.
You can enter up to three IP addresses; one first-choice and two (optional) backups
(one second-choice and one third-choice).
Use show tacacs to view the current IP address list.
If the first-choice TACACS+ server fails to respond to a request, the switch tries the
second address, if any, in the show tacacs list. If the second address also fails, then
the switch tries the third address, if any.
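The following Python check is an added example, not part of the guide: it models the rules stated above (entry order sets first/second/third choice, a per-server key overrides the global key, a keyless server is blocked when the switch sends any key, keys must match exactly, timeout 1-255) so a planned server list can be sanity-checked before it is typed into the switch. The IP addresses and keys are constructed; it assumes one attempt per server with no retries when estimating how long the earlier choices delay a backup.

```python
"""Pre-deployment check of a planned HP switch TACACS+ server list (added example).

Encodes the page's rules: servers are tried in entry order (max three); a per-server
key overrides the global key; the global key applies only to servers without their
own key; a keyless server is blocked if the switch sends any key; keys match exactly.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_SERVERS = 3                 # one first choice plus two optional backups
TIMEOUT_RANGE = range(1, 256)   # tacacs-server timeout <1-255>; default 5


@dataclass
class SwitchEntry:
    ip: str                     # tacacs-server host <ip-addr>
    key: Optional[str] = None   # optional per-server [key <key-string>]


def effective_key(entry: SwitchEntry, global_key: Optional[str]) -> Optional[str]:
    """Key the switch presents to this server: per-server key wins, else the global key."""
    return entry.key if entry.key is not None else global_key


def check_tacacs_plan(entries: List[SwitchEntry], global_key: Optional[str],
                      timeout: int, server_keys: Dict[str, Optional[str]]) -> List[dict]:
    """One verdict per server in priority order; server_keys maps server IP to the key
    configured on that server (None if it has none) and is supplied by the caller."""
    if timeout not in TIMEOUT_RANGE:
        raise ValueError(f"timeout {timeout} is outside 1-255")
    if not 1 <= len(entries) <= MAX_SERVERS:
        raise ValueError(f"switch accepts 1-{MAX_SERVERS} servers, got {len(entries)}")
    verdicts = []
    for choice, entry in enumerate(entries, start=1):
        switch_key = effective_key(entry, global_key)
        server_key = server_keys.get(entry.ip)
        if entry.ip not in server_keys:
            status = "unknown"      # no information about that server's key
        elif server_key is None and switch_key is not None:
            status = "blocked"      # any switch-side key blocks a server with no key
        elif switch_key != server_key:
            status = "mismatch"     # exact match required (case and whitespace)
        else:
            status = "ok"
        verdicts.append({"choice": choice, "ip": entry.ip, "switch_key": switch_key,
                         "status": status,
                         # delay before this server is tried if earlier choices time out (assumes one attempt each)
                         "reached_after_s": (choice - 1) * timeout})
    return verdicts
```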
As shown in Figure 101 (page 131), the priority (first-choice, second-choice, and third-choice) of a
TACACS+ server in the switch TACACS+ configuration depends on the order in which you enter the
server IP addresses:
126 TACACS+ Authentication