Access Security Guide K/KA/KB.15.15

Figure 105 Example of TACACS+ operation
TACACS+ uses an authentication hierarchy consisting of both:
remote passwords assigned in a TACACS+ server
local passwords configured on the switch.
TACACS+ in the switches covered in this guide manages authentication of logon attempts through either the Console port or Telnet. TACACS+ uses an authentication hierarchy consisting of (1) remote passwords assigned in a TACACS+ server and (2) local passwords configured on the switch. That is, with TACACS+ configured, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control (if configured to do so). For both Console and Telnet access you can configure login (read-only) and enable (read/write) privilege-level access.
TACACS+ does not affect WebAgent access. See “Controlling webagent access when using
TACACS+ authentication” (page 139).
Operating notes
If you configure Authorized IP managers on the switch, it is not necessary to include any
devices used as TACACS+ servers in the authorized manager list. That is, authentication traffic
between a TACACS+ server and the switch is not subject to Authorized IP manager controls
configured on the switch. Also, the switch does not attempt TACACS+ authentication for a
management station that the Authorized IP manager list excludes because, independent of
TACACS+, the switch already denies access to such stations.
When TACACS+ is not enabled on the switch, or when the switch's only designated TACACS+ servers are not accessible, setting a local operator password without also setting a local manager password does not protect the switch from manager-level access by unauthorized persons.
When using the copy command to transfer a configuration to a TFTP server, any optional,
server-specific and global encryption keys in the TACACS configuration will not be included
in the transferred file. Otherwise, a security breach could occur, allowing access to the
TACACS+ username/password information.
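As an added illustration (not code from the guide or the switch firmware), the following Python models the authentication hierarchy described above together with the operating note about an unset local manager password: reachable TACACS+ servers are tried in order and a reachable server's verdict is final; only when none responds does the switch fall back to its local passwords, if configured to do so. The server handlers, configuration fields and function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical model of the TACACS+ hierarchy: a server handler returns None when
# the server is unreachable, otherwise True (accept) or False (reject).
ServerHandler = Callable[[str, str, str], Optional[bool]]


def tacacs_server(users: Dict[str, str], reachable: bool = True) -> ServerHandler:
    """Constructed stand-in for a TACACS+ server holding remote passwords."""
    def handler(username: str, password: str, level: str) -> Optional[bool]:
        if not reachable:
            return None                      # timeout: the switch tries the next server
        return users.get(username) == password
    return handler


@dataclass
class SwitchAuthConfig:
    tacacs_servers: List[ServerHandler]             # designated servers, in order
    local_fallback: bool = True                     # use local passwords if no server answers
    local_operator_password: Optional[str] = None   # login (read-only) level
    local_manager_password: Optional[str] = None    # enable (read/write) level


def authenticate(cfg: SwitchAuthConfig, username: str, password: str,
                 level: str) -> Tuple[bool, str]:
    """Return (granted, decision source) for level 'login' or 'enable'."""
    for server in cfg.tacacs_servers:
        verdict = server(username, password, level)
        if verdict is not None:
            return verdict, "tacacs"         # reachable server decides; no local fallback on reject
    if not cfg.local_fallback:
        return False, "no-server"
    required = (cfg.local_manager_password if level == "enable"
                else cfg.local_operator_password)
    if required is None:
        # Operating note: an unset local manager password leaves manager-level access open
        return True, "local-unprotected"
    return password == required, "local"


def demo() -> Tuple[bool, str]:
    """Servers unreachable, only an operator password set: enable access is not protected."""
    servers = [tacacs_server({"admin": "S3rverPw"}, reachable=False)]
    weak = SwitchAuthConfig(servers, local_operator_password="op-only")
    return authenticate(weak, "anyone", "guess", "enable")
```

Setting both local passwords (or disabling local fallback) closes the "local-unprotected" path that the operating note warns about.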
About TACACS+ authentication
General authentication process using a TACACS+ server
Authentication through a TACACS+ server operates generally as described below. For specific
operating details, see the documentation you received with your TACACS+ server application.