Access Security Guide K/KA/KB.15.15

Figure 106 Using a TACACS+ Server for Authentication
Using Figure 106 (page 136), after either switch detects an operator's logon request from a remote
or directly connected terminal, the following events occur:
1. The switch queries the first-choice TACACS+ server for authentication of the request.
   • If the switch does not receive a response from the first-choice TACACS+ server, it attempts
     to query a secondary server. If the switch does not receive a response from any TACACS+
     server, then it uses its own local username/password pairs to authenticate the logon
     request; see “Local authentication process” (page 136).
   • If a TACACS+ server recognizes the switch, it forwards a username prompt to the
     requesting terminal via the switch.
2. When the requesting terminal responds to the prompt with a username, the switch forwards
   it to the TACACS+ server.
3. After the server receives the username input, the requesting terminal receives a password
   prompt from the server via the switch.
4. When the requesting terminal responds to the prompt with a password, the switch forwards
   it to the TACACS+ server and one of the following actions occurs:
   • If the username/password pair received from the requesting terminal matches a
     username/password pair previously stored in the server, then the server passes access
     permission through the switch to the terminal.
   • If the username/password pair entered at the requesting terminal does not match a
     username/password pair previously stored in the server, access is denied. In this case,
     the terminal is again prompted to enter a username and repeat steps 2 through 4. In the
     default configuration, the switch allows up to three attempts to authenticate a login session.
     If the requesting terminal exhausts the attempt limit without a successful TACACS+
     authentication, the login session is terminated and the operator at the requesting terminal
     must initiate a new session before trying again.
Local authentication process
When the switch is configured to use TACACS+, it reverts to local authentication only if one of
these two conditions exists:
• "Local" is the authentication option for the access method being used.
• TACACS+ is the primary authentication mode for the access method being used, and Local is the
  secondary authentication method, used only if the switch is unable to connect to any TACACS+ servers.
For a listing of authentication options, see “Configuring the switch TACACS+ Server Access”
(page 125).
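The following simulation is an added illustration of the switch-side decision logic described in the numbered login procedure above and in the two local-fallback conditions just listed; it is not HP code and does not speak the TACACS+ protocol. The servers, the local username/password pairs and the credentials typed at the terminal are all constructed inline. It shows the three behaviours the guide states: servers are tried in configured order and the next one is consulted only when the previous one gives no response; local username/password pairs are used only when no server responds (a server that answers "deny" does not trigger local fallback) or when Local is the configured primary method; and a session is terminated after three failed attempts.

```python
"""Simulation of the switch's TACACS+ login flow with local fallback.

Added example, not HP's own code. Servers, prompts and credential stores are
stand-ins constructed here so the module runs offline.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 3  # default per-session login attempt limit stated in the guide


@dataclass
class TacacsServer:
    """Stand-in for a TACACS+ server: a reachability flag and a user table."""
    name: str
    reachable: bool
    users: dict  # username -> password (constructed sample data)

    def authenticate(self, username: str, password: str) -> Optional[bool]:
        """None means no response; True/False is the server's accept/deny."""
        if not self.reachable:
            return None
        return self.users.get(username) == password


@dataclass
class Switch:
    servers: list           # first-choice server first, then secondaries
    local_users: dict       # operator/manager pairs configured on the switch
    primary: str = "tacacs"  # "tacacs" or "local" for this access method
    log: list = field(default_factory=list)

    def _query_servers(self, username: str, password: str) -> Optional[bool]:
        """Walk the server list; stop at the first server that responds."""
        for srv in self.servers:
            verdict = srv.authenticate(username, password)
            if verdict is None:
                self.log.append(f"no response from {srv.name}, trying next")
                continue
            self.log.append(f"{srv.name} answered {'accept' if verdict else 'deny'}")
            return verdict
        return None  # no TACACS+ server responded at all

    def _local(self, username: str, password: str) -> bool:
        self.log.append("using local username/password pairs")
        return self.local_users.get(username) == password

    def authenticate(self, username: str, password: str) -> bool:
        """One username/password attempt as the switch would evaluate it."""
        if self.primary == "local":
            return self._local(username, password)
        verdict = self._query_servers(username, password)
        if verdict is None:
            return self._local(username, password)  # only when no server answered
        return verdict  # a responding server's deny is final; no local fallback

    def login_session(self, credentials: list) -> tuple:
        """Run one session over the (username, password) pairs the terminal
        would type, in order. Returns (granted, attempts_used)."""
        attempts = 0
        for username, password in credentials:
            attempts += 1
            if self.authenticate(username, password):
                self.log.append(f"access granted on attempt {attempts}")
                return True, attempts
            self.log.append(f"access denied on attempt {attempts}")
            if attempts == MAX_ATTEMPTS:
                self.log.append("attempt limit reached, session terminated")
                break
        return False, attempts


def demo() -> dict:
    """Constructed scenarios; returns the outcomes so they can be inspected."""
    users = {"netops": "s3rver-pw"}            # constructed server-side account
    primary = TacacsServer("primary", reachable=False, users=users)
    secondary = TacacsServer("secondary", reachable=True, users=users)
    local = {"manager": "local-pw"}             # constructed local pair

    results = {}
    sw = Switch([primary, secondary], local)    # 1. first-choice silent, secondary answers
    results["failover"] = sw.login_session([("netops", "s3rver-pw")])
    results["failover_log"] = list(sw.log)

    sw = Switch([secondary], local)             # 2. server reachable and denies
    results["server_deny"] = sw.login_session([("manager", "local-pw")])

    sw = Switch([primary], local)               # 3. no server responds: local pairs decide
    results["local_fallback"] = sw.login_session([("manager", "local-pw")])

    sw = Switch([secondary], local)             # 4. three failures end the session
    results["lockout"] = sw.login_session([("netops", "bad")] * 4)
    results["lockout_log"] = list(sw.log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Scenario 2 is the one worth noting when planning a deployment: a valid local manager password is refused because the reachable server decided, so local accounts are a safety net for server outages, not a second credential set that is always accepted.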
For local authentication, the switch uses the operator-level and manager-level username/password
set(s) previously configured locally on the switch. (These are the usernames and passwords you
136 TACACS+ Authentication