Accounting – HP 445946-001 User Manual


An alternate mapping between TACACS+ privilege levels and HP 10GbE switch management access levels is shown in the table below. Use the command /cfg/sys/tacacs/cmap ena to use the alternate TACACS+ privilege levels.

Table 5. Alternate TACACS+ privilege levels

User access level    TACACS+ level
user                 0-1
oper                 6-8
admin                14-15

You can customize the mapping between TACACS+ privilege levels and HP 10GbE switch management access levels. Use the command /cfg/sys/tacacs/usermap to manually map each TACACS+ privilege level (0-15) to a corresponding HP 10GbE switch management access level (user, oper, admin, none).

If the remote user is authenticated by the authentication server, the HP 10GbE switch verifies the privileges of the remote user and authorizes the appropriate access. When neither the primary nor the secondary authentication server is reachable, the administrator has an option to allow backdoor access via the console only, or via both console and Telnet. The default value is disable for Telnet access and enable for console access. The administrator can also enable secure backdoor (/cfg/sys/tacacs/secbd) to allow access if both the primary and secondary TACACS+ servers fail to respond.

Accounting

Accounting is the action of recording a user's activities on the device for the purposes of billing and/or security. It follows the authentication and authorization actions. If authentication and authorization are not performed via TACACS+, no TACACS+ accounting messages are sent out.

You can use TACACS+ to record and track software logins, configuration changes, and interactive commands.
The switch supports the following TACACS+ accounting attributes:

  protocol (console/telnet/ssh/http)
  start_time
  stop_time
  elapsed_time

NOTE: When using the browser-based interface, the TACACS+ Accounting Stop records are sent only if the Quit button on the browser is clicked.
