KB.15.15

ManualsBrandsHP ManualsNetwork HardwareHP 5406R-8XGT/8SFP+ (No PSU) v2 zl2 Switch

131

132

133

134

135

136

137

138

139

140

CAUTION: Regarding the use of local for login primary access:

During local authentication (which uses passwords configured in the switch instead of in a TACACS+

server), the switch grants read-only access if you enter the operator password, and read-write

access if you enter the manager password. For example, if you configure authentication on the

switch with Telnet Login Primary as Local and Telnet Enable Primary as Tacacs, when you attempt

to Telnet to the switch, you will be prompted for a local password. If you enter the switch local

manager password (or, if there is no local manager password configured in the switch) you can

bypass the TACACS+ server authentication for Telnet Enable Primary and go directly to read-write

(manager) access. Thus, for either the Telnet or console access method, configuring Login Primary

for Local authentication while configuring Enable Primary for TACACS+ authentication is not

recommended, as it defeats the purpose of using the TACACS+ authentication. If you want Enable

Primary log-in attempts to go to a TACACS+ server, then you should configure both Login Primary

and Enable Primary for Tacacs authentication instead of configuring Login Primary to Local

authentication.

Example 2 Access options

Following is a set of access options and the corresponding commands to configure them

console login (operator or read-only) access, primary using TACACS+ server and secondary access

HP Switch (config)# aaa authentication console login tacacs local

console enable (manager or read/write) access, primary using TACACS+ server and secondary

using local.

HP Switch (config)# aaa authentication console enable tacacs local

Telnet login (operator or read-only) access, primary using TACACS+ server and secondary using

local.

HP Switch (config)# aaa authentication Telnet login tacacs local

Telnet enable (manager or read/write) access, primary using TACACS+ server and secondary

using Local.

HP Switch (config)# aaa authentication telnet enable tacacs local

deny access and close the session after failure of two consecutive username/password pairs

HP Switch (config)# aaa authentication num-attempts 2

Controlling webagent access when using TACACS+ authentication

Configuring the switch for TACACS+ authentication does not affect WebAgent access. To prevent

unauthorized access through the WebAgent, do one or more of the following:

• Configure local authentication (a manager user name and password and, optionally, an

operator user name and password) on the switch.

• Configure the switch Authorized IP manager feature to allow WebAgent access only from

authorized management stations. (The Authorized IP manager feature does not interfere with

TACACS+ operation.)

• Disable WebAgent access to the switch by going to the System Information screen in the Menu

interface and configuring the Web Agent Enabled parameter to No.

Overview 139