HP 4100GL User Manual


TACACS+ Authentication

General Authentication Setup Procedure

2. Determine the following:

• The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services.

• The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).

• The number of log-in attempts you will allow before closing a log-in session. (Default: 3)

• The period you want the switch to wait for a reply to an authentication request before trying another server.

• The username/password pairs you want the TACACS+ server to use for controlling access to the switch.

• The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.

• The username/password pairs you want to use for local authentication (one pair each for Operator and Manager levels).

3. Plan and enter the TACACS+ server configuration needed to support
TACACS+ operation for Telnet access (login and enable) to the switch.
This includes the username/password sets for logging in at the Operator
(read-only) privilege level and the sets for logging in at the Manager
(read/write) privilege level.

Note on Privilege Levels

When a TACACS+ server authenticates an access request from a switch,
it includes a privilege level code for the switch to use in determining which
privilege level to grant to the terminal requesting access. The switch
interprets a privilege level code of "15" as authorization for the Manager
(read/write) privilege level access. Privilege level codes of 14 and lower
result in Operator (read-only) access. Thus, when configuring the
TACACS+ server response to a request that includes a username/password
pair that should have Manager privileges, you must use a privilege
level of 15. For more on this topic, refer to the documentation you received
with your TACACS+ server application.

If you are a first-time user of the TACACS+ service, HP recommends that
you configure only the minimum feature set required by the TACACS+
application to provide service in your network environment. After you
have success with the minimum feature set, you may then want to try
additional features that the application offers.

4. Ensure that the switch has the correct local username and password for
Manager access. (If the switch cannot find any designated TACACS+
servers, the local manager and operator username/password pairs are
always used as the secondary access control method.)
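
Added example (not part of the HP manual): a small Python check that audits a planned TACACS+ user table against the privilege mapping in the note above (15 grants Manager, 14 and lower grant Operator) and confirms that both local fallback pairs from steps 2 and 4 are planned. The plan layout, user names, and addresses are constructed for illustration, and the 0-15 bound is the TACACS+ protocol's privilege level range rather than something this page states.

```python
# Added example: audit a TACACS+ rollout plan against the rules on this page.
# The plan layout and all names/addresses below are constructed for illustration.

MANAGER_LEVEL = 15  # the switch grants Manager (read/write) only for code 15


def effective_access(priv_lvl):
    """Return the access the switch grants for a TACACS+ privilege level code."""
    # Assumption: codes outside the protocol's 0-15 range are plan errors.
    if not isinstance(priv_lvl, int) or not 0 <= priv_lvl <= 15:
        raise ValueError(f"privilege level {priv_lvl!r} is outside 0-15")
    return "manager" if priv_lvl == MANAGER_LEVEL else "operator"


def audit_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    if not plan.get("servers"):
        findings.append("no TACACS+ server listed; only local pairs would be used")
    for user in plan.get("users", []):
        try:
            granted = effective_access(user["priv_lvl"])
        except ValueError as err:
            findings.append(f"{user['name']}: {err}")
            continue
        if granted != user["intended"]:
            kind = "over-privileged" if granted == "manager" else "under-privileged"
            findings.append(
                f"{user['name']}: {kind}, priv_lvl {user['priv_lvl']} grants "
                f"{granted} but plan intends {user['intended']}")
    for level in ("manager", "operator"):
        pair = plan.get("local", {}).get(level)
        if not pair or not pair.get("username") or not pair.get("password_set"):
            findings.append(f"local {level} username/password pair is missing")
    return findings


# Constructed sample plan (addresses from the documentation range 192.0.2.0/24).
SAMPLE_PLAN = {
    "servers": ["192.0.2.10", "192.0.2.11"],  # first entry is the first choice
    "users": [
        {"name": "netadmin", "priv_lvl": 15, "intended": "manager"},
        {"name": "noc1", "priv_lvl": 14, "intended": "manager"},
        {"name": "helpdesk", "priv_lvl": 15, "intended": "operator"},
        {"name": "viewer", "priv_lvl": 1, "intended": "operator"},
    ],
    "local": {"manager": {"username": "manager", "password_set": True}},
}

if __name__ == "__main__":
    for line in audit_plan(SAMPLE_PLAN):
        print(line)
```

On the sample plan this reports one account that would silently land at Operator, one that would receive Manager unintentionally, and the missing local Operator pair.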
