ProLiant BL p-Class GbE2 Interconnect Switch Application Guide

Accessing the GbE2 Interconnect Switch 21
TACACS+ authentication
GbE2 software supports authentication, authorization, and accounting (AAA) using the Cisco Systems TACACS+
protocol. The HP ProLiant BL p-Class GbE2 Interconnect Switch functions as the Network Access Server (NAS): it
interacts with the remote client and initiates authentication and authorization sessions with the TACACS+ access
server. The remote user is anyone requiring management access to the HP ProLiant BL p-Class GbE2 Interconnect
Switch, through either a data port or the management port.
TACACS+ offers the following advantages over RADIUS:
• TACACS+ uses TCP, a connection-oriented transport, whereas RADIUS uses UDP, which offers only best-effort
delivery. RADIUS therefore needs additional configurable parameters such as retransmit attempts and time-outs to
compensate, and still lacks the delivery guarantees that TCP provides.
• TACACS+ obscures the entire packet body, whereas RADIUS protects only the password in authentication requests.
Note that the TACACS+ body protection is an XOR with an MD5-derived keystream seeded from the shared secret, not
modern authenticated encryption, so the connection between the switch and the TACACS+ server should still be
confined to a trusted management network.
• TACACS+ separates authentication, authorization, and accounting into distinct functions.
How TACACS+ authentication works
TACACS+ authentication works much like RADIUS authentication:
1. The remote administrator connects to the switch and provides a user name and password.
NOTE: The user name and password can each have a maximum length of 15 characters. The password
cannot be left blank.
2. Using the authentication/authorization protocol, the switch sends a request to the TACACS+ authentication server.
3. The authentication server checks the request against its user ID database.
4. Using the TACACS+ protocol, the authentication server instructs the switch to grant or deny administrative
access.
During a session, if additional authorization checking is needed, the switch checks with the TACACS+ server to
determine whether the user is permitted to use a particular command.
TACACS+ authentication features in GbE2 Interconnect Switch
Authentication is the action of determining the identity of a user, and is generally done when the user first
attempts to log in to a device or gain access to its services. GbE2 software supports ASCII inbound login to the
device only. The PAP, CHAP, and ARAP login methods, TACACS+ change-password requests, and one-time password
authentication are not supported.
Authorization
Authorization is the action of determining a user’s privileges on the device, and usually takes place after
authentication.
The default mapping between TACACS+ authorization privilege levels and switch management access levels is
shown in the table below. The privilege levels listed in the following table must be defined on the TACACS+
server.
Table 4 Default TACACS+ privilege levels
User access level TACACS+ level
user 0
oper 3
admin 6
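The login exchange in the steps above and the privilege-level mapping of Table 4, as an added example in Python that is not part of the HP guide or of the GbE2 firmware. It builds the authentication START packet for an ASCII login, applies the TACACS+ body obfuscation with the shared key, decodes it as the server would, and then parses a constructed authorization reply whose priv-lvl argument (the standard TACACS+ attribute name, which the guide does not mention) is mapped through the Table 4 defaults. Packet layout and pad derivation follow RFC 8907. The shared key, session ID, user name, port name and address are constructed test values; treating a privilege level that is not in Table 4 as no access is an assumption.

```python
# Added example (not from the HP guide): TACACS+ ASCII-login START packet,
# body obfuscation/decoding per RFC 8907, and Table 4 privilege mapping.
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01               # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01         # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01    # the only login method the GbE2 supports
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
HEADER_FMT = "!BBBBII"               # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
MAX_CRED_LEN = 15                    # GbE2 limit on user name and password length

# Table 4 defaults. Any other level yields None (assumption: treated as no access).
DEFAULT_PRIV_MAP = {0: "user", 3: "oper", 6: "admin"}


def validate_credentials(user, password):
    """Enforce the limits the guide states: 15 characters max, password not blank."""
    if not password:
        raise ValueError("password cannot be left blank")
    if len(user) > MAX_CRED_LEN or len(password) > MAX_CRED_LEN:
        raise ValueError("user name and password are limited to 15 characters")
    return True


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5_1 = MD5(session_id|key|version|seq_no), MD5_n adds MD5_n-1."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad. XOR is self-inverse, so the same call decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Step 1: authentication START body for an ASCII login (no data field yet)."""
    u, p, r, data = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body, session_id, key, seq_no=1):
    """Step 2: 12-byte header in the clear, body obfuscated with the shared key."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def decode_packet(packet, key):
    """What the server (or anyone on the path who holds the key) does to read the body."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    return obfuscate(body, session_id, key, version, seq_no)


def author_reply_body(status, args, server_msg=b"", data=b""):
    """Step 4 / command authorization: a server authorization REPLY body (constructed)."""
    enc = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
    return head + bytes(len(a) for a in enc) + server_msg + data + b"".join(enc)


def parse_author_reply(body):
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lengths = body[6:6 + arg_cnt]
    off, args = 6 + arg_cnt + msg_len + data_len, []
    for n in lengths:
        args.append(body[off:off + n].decode())
        off += n
    return status, args


def access_level_from_reply(body):
    """Map the priv-lvl argument of a passing reply to the Table 4 access level."""
    status, args = parse_author_reply(body)
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in args:
        name, sep, value = arg.partition("=")
        if sep and name == "priv-lvl" and value.isdigit():
            return DEFAULT_PRIV_MAP.get(int(value))
    return None


if __name__ == "__main__":
    key, session_id = b"example-shared-key", 0x5EC0FFEE   # constructed test values
    validate_credentials("netadmin", "s3cret")
    start = authen_start_body("netadmin", "mgmt", "10.0.0.5")
    pkt = build_packet(start, session_id, key)
    assert decode_packet(pkt, key) == start
    reply = author_reply_body(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["priv-lvl=6"])
    print("access level:", access_level_from_reply(reply))
```

Because the pad depends only on the shared key and on fields sent in the clear header, anyone who can read the switch-to-server traffic and knows (or guesses) the key recovers the user name and password, and nothing in the packet authenticates its contents; this is why the "full packet encryption" advantage over RADIUS does not remove the need for an isolated management network.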