HP (Hewlett-Packard) 2300 Switch User Manual


 
167
Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
Terminology Used in TACACS Applications:
NAS (Network Access Server): This is an industry term for a TACACS-aware device that
communicates with a TACACS server for authentication services. Some other terms you may
see in literature describing TACACS operation are communication server, remote access
server, or terminal server. These terms apply to a Series 2500 switch when TACACS+ is
enabled on the switch (that is, when the switch is TACACS-aware).
TACACS+ Server: The server or management station configured as an access control server
for TACACS-enabled devices. To use TACACS+ with the Series 2500 switches and any other
TACACS-capable devices in your network, you must purchase, install, and configure a
TACACS+ server application on a networked server or management station in the network.
The TACACS+ server application you install will provide various options for access control
and access notifications. For more on the TACACS+ services available to you, see the
documentation provided with the TACACS+ server application you will use.
Authentication: The process for granting user access to a device through entry of a user
name and password and comparison of this username/password pair with previously stored
username/password data. Authentication also grants levels of access, depending on the
privileges assigned to a user name and password pair by a system administrator.
Local Authentication: This method uses username/password pairs configured locally
on the switch; one pair each for manager-level and operator-level access to the switch.
You can assign local usernames and passwords through the CLI or Web browser
interface. (Using the menu interface you can assign a local password, but not a user-
name.) Because this method assigns passwords to the switch instead of to individuals
who access the switch, you must distribute the password information on each switch to
everyone who needs to access the switch, and you must configure and manage password
protection on a per-switch basis. (For more on local authentication, see the password
and username information in the Configuration and Management Guide shipped with
your Series 2500 switch.
TACACS+ Authentication: This method enables you to use a TACACS+ server in your
network to assign a unique password, user name, and privilege level to each individual
or group who needs access to one or more switches or other TACACS-aware devices.
This allows you to administer primary authentication from a central server, and to do
so with more options than you have when using only local authentication. (You will still
need to use use local authentication as a backup if your TACACS+ servers become
unavailable.) This means, for example, that you can use a central TACACS+ server to
grant, change, or deny access to a specific individual on a specific switch instead of
having to change local user name and password assignments on the switch itself, and
then have to notify other users of the change.