HP 2800 User Manual

Page 98


TACACS+ Authentication
Controlling Web Browser Interface Access When Using TACACS+ Authentication

For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch:

HPswitch(config)# tacacs-server key north40campus

Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.227.87) that has south10campus for an encryption key. Because this key is different than the one used for the two servers in the previous example, you will need to assign a server-specific key in the switch that applies only to the designated server:

HPswitch(config)# tacacs-server host 10.28.227.87 key south10campus

With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.
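The override rule described above, as an added example that is not from the HP manual: a Python check that reads saved switch configuration lines, reports which key the switch would use for each TACACS+ server, and lists servers whose own key would not match. The key-less host lines, the 10.28.227.10 and 10.28.227.15 addresses, and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample: the two key commands from the text, plus host entries.
# The 10.28.227.10 / .15 addresses and the key-less host lines are assumptions.
SAMPLE_CONFIG = """\
tacacs-server host 10.28.227.10
tacacs-server host 10.28.227.15
tacacs-server host 10.28.227.87 key south10campus
tacacs-server key north40campus
"""

GLOBAL_RE = re.compile(r"^tacacs-server key (\S+)$")
HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: key (\S+))?$")


def effective_keys(config_text):
    """Map each configured server to (key, source) as the switch would use it."""
    global_key, hosts = None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := GLOBAL_RE.match(line):
            global_key = m.group(1)
        elif m := HOST_RE.match(line):
            ip, key = m.groups()
            hosts[ip] = key or hosts.get(ip)  # keep a key set on an earlier line
    resolved = {}
    for ip, key in hosts.items():
        if key:                      # server-specific key overrides the global key
            resolved[ip] = (key, "server-specific")
        elif global_key:             # otherwise the global key applies
            resolved[ip] = (global_key, "global")
        else:                        # no key configured for this server
            resolved[ip] = (None, "none")
    return resolved


def mismatches(config_text, server_side_keys):
    """List servers whose switch-side key differs from the key entered on the server."""
    resolved = effective_keys(config_text)
    return sorted(ip for ip, expected in server_side_keys.items()
                  if resolved.get(ip, (None, "none"))[0] != expected)


if __name__ == "__main__":
    for ip, (key, source) in effective_keys(SAMPLE_CONFIG).items():
        print(f"{ip}: {source} key {'set' if key else 'MISSING'}")
```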

Controlling Web Browser Interface Access When Using TACACS+ Authentication

Configuring the switch for TACACS+ authentication does not affect web
browser interface access. To prevent unauthorized access through the web
browser interface, do one or more of the following:

■ Configure local authentication (a Manager user name and password and, optionally, an Operator user name and password) on the switch.

■ Configure the switch’s Authorized IP Manager feature to allow web browser access only from authorized management stations. (The Authorized IP Manager feature does not interfere with TACACS+ operation.)

■ Disable web browser access to the switch by going to the System Information screen in the Menu interface and configuring the Web Agent Enabled parameter to No.
