BLADE OS™ Application Guide HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Version 5.1 Advanced Functionality Software
Table Of Contents
- Contents
- Figures
- Tables
- Preface
- Part 1: Basic Switching
- Accessing the Switch
- The Management Network
- Local Management Using the Console Port
- The Command Line Interface
- Remote Management Access
- Client IP Address Agents
- Securing Access to the Switch
- Setting Allowable Source IP Address Ranges
- RADIUS Authentication and Authorization
- TACACS+ Authentication
- LDAP Authentication and Authorization
- Secure Shell and Secure Copy
- Configuring SSH/SCP Features on the Switch
- Configuring the SCP Administrator Password
- Using SSH and SCP Client Commands
- SSH and SCP Encryption of Management Messages
- Generating RSA Host and Server Keys for SSH Access
- SSH/SCP Integration with Radius Authentication
- SSH/SCP Integration with TACACS+ Authentication
- End User Access Control
- Ports and Trunking
- Port-Based Network Access Control
- VLANs
- Spanning Tree Protocol
- RSTP and MSTP
- Link Layer Discovery Protocol
- Quality of Service
- Accessing the Switch
- Part 2: IP Routing
- Basic IP Routing
- Routing Information Protocol
- IGMP
- OSPF
- OSPF Overview
- OSPF Implementation in BLADE OS
- OSPF Configuration Examples
- Remote Monitoring
- Part 3: High Availability Fundamentals
- High Availability
- Layer 2 Failover
- Server Link Failure Detection
- VRRP Overview
- Failover Methods
- BLADE OS Extensions to VRRP
- Virtual Router Deployment Considerations
- High Availability Configurations
- High Availability
- Part 4: Appendices
- Index
BLADE OS 5.1 Application Guide
50 Chapter 1: Accessing the Switch BMD00113, September 2009
The following rules apply to TACACS+ command authorization and logging:
Only commands from a Console, Telnet, or SSH connection are sent for authorization and
logging. SNMP, BBI, or file-copy commands (for example, TFTP or sync) are not sent.
Only leaf-level commands are sent for authorization and logging. For example, /cfg is not
sent, but /cfg/sys/tacacs/cauth is sent.
The full path of each command is sent for authorization and logging. For example:
/cfg/sys/tacacs/cauth
Command arguments are not sent for authorization. For /cauth ena, only /cauth is
authorized. The command and its first argument are logged, if issued on the same line.
Only executed commands are logged.
Invalid commands are checked by BLADE OS, and are not sent for authorization or logging.
Authorization is performed on each leaf-level command separately. If the user issues multiple
commands at once, each command is sent separately as a full path.
Only the following global commands are sent for authorization and logging:
apply
diff
ping
revert
save
telnet
traceroute
TACACS+ Password Change
BLADE OS supports TACACS+ password change. When enabled, users can change their
passwords after successful TACACS+ authorization. Use the command
/cfg/sys/tacacs/passch to enable or disable this feature.
Use the following commands to change the password for the primary and secondary TACACS+
servers:
>> # /cfg/sys/tacacs/chpass_p (Change primary TACACS+ password)
>> # /cfg/sys/tacacs/chpass_s (Change secondary TACACS+ password)