Access Security Guide K/KA/KB.15.15

Specifies how long the switch waits for a TACACS+ server to respond to an
authentication request. If the switch does not detect a response within the timeout
period, it initiates a new request to the next TACACS+ server in the list. If all
TACACS+ servers in the list fail to respond within the timeout period, the switch
either uses local authentication (if configured) or denies access (if local
authentication is not configured).
Default: 5 seconds
Figure 99 Example of configuring a host-specific key
Configuring an encryption key
Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+
server that also uses an encryption key. (If the server expects a key, but the switch either does not
provide one, or provides an incorrect key, then the authentication attempt will fail.)
Use a global encryption key if the same key applies to all TACACS+ servers the switch may
use for authentication attempts.
Use a per-server encryption key if different servers the switch may use will have different
keys. (For more details on encryption keys, see “Using the encryption key” (page 133).)
Configuring a global encryption key
To configure north01 as a global encryption key:
HPswitch(config)# tacacs-server key north01
Configuring a per-server encryption key
To configure north01 as a per-server encryption key:
HPswitch(config)# tacacs-server host 10.28.227.63 key north01
An encryption key can contain up to 100 characters, without spaces, and is likely to be
case-sensitive in most TACACS+ server applications.
Deleting a global encryption key
To delete a global encryption key from the switch, use this command:
HPswitch(config)# no tacacs-server key
Deleting a per-server encryption key
To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without
the key parameter. For example, if you have north01 configured as the encryption key for a
TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you
would use this command:
HPswitch(config)# tacacs-server host 10.28.227.104
NOTE: You can save the encryption key in a configuration file by entering this command:
HPswitch(config)# tacacs-server key <keystring>
The <keystring> parameter is the encryption key in clear text.
NOTE: The show tacacs command lists the global encryption key, if configured. However, to
view any configured per-server encryption keys, you must use show config or show config
running (if you have made TACACS+ configuration changes without executing write mem).
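Because per-server keys appear only in show config output and are stored in clear text, a saved configuration can be audited offline. The following is an added example, not code from this guide: the function name, the sample configuration, and the rule that a host without a per-server key falls back to the global key are assumptions, and the script expects lines in the same form as the commands shown above.

```python
import re

# Constructed sample of saved `show config` output (not from the guide).
SAMPLE_CONFIG = """\
hostname "HPswitch"
tacacs-server timeout 5
tacacs-server host 10.28.227.63 key north01
tacacs-server host 10.28.227.104
tacacs-server key south02
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: key (\S+))?$")
GLOBAL_RE = re.compile(r"^tacacs-server key (\S+)$")
MAX_KEY_LEN = 100  # limit stated in the guide


def audit_tacacs_keys(config_text):
    """Return ({host: key source}, [findings]); key values are never echoed."""
    global_key, hosts, findings = None, {}, []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := GLOBAL_RE.match(line):
            global_key = m.group(1)
        elif m := HOST_RE.match(line):
            hosts[m.group(1)] = m.group(2)  # None: no per-server key
        elif line.startswith(("tacacs-server host ", "tacacs-server key ")):
            # e.g. a key containing spaces, which the guide does not allow
            findings.append("unparsed tacacs-server line (key with spaces?)")
    sources = {}
    for host, key in hosts.items():
        if key is not None:
            sources[host] = "per-server"
        elif global_key is not None:
            sources[host] = "global"  # assumption: global key is the fallback
        else:
            sources[host] = "none"
            findings.append(f"{host}: no encryption key configured")
    for label, key in [("global", global_key), *hosts.items()]:
        if key is not None and len(key) > MAX_KEY_LEN:
            findings.append(f"{label}: key longer than {MAX_KEY_LEN} characters")
    if global_key is not None or any(k is not None for k in hosts.values()):
        findings.append("clear-text key present: restrict access to this file")
    return sources, findings


if __name__ == "__main__":
    for item in audit_tacacs_keys(SAMPLE_CONFIG):
        print(item)
```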