HP (Hewlett-Packard) 2300 Switch User Manual


 
170
Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
2. Ensure that the switch is configured to operate on your network and can communicate with
your first-choice TACACS+ server. (At a minimum, this requires IP addressing and a successful
ping test from the switch to the server.)
3. Determine the following:
4. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for
Telnet access (login and enable) to the switch. This includes the username/password sets for
logging in at the Operator (read-only) privilege level and the sets for logging in at the Manager
(read/write) privilege level.
Note on Privilege Levels
When a TACACS+ server authenticates an access request from a switch, it includes a privilege
level code for the switch to use in determining which privilege level to grant to the terminal
requesting access. The switch interprets a privilege level code of "15" as authorization for the
Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in
Operator (read-only) access. Thus, when configuring the TACACS+ server response to a request
that includes a username/password pair that should have Manager privileges, you must use a
privilege level of 15. For more on this topic, refer to the documentation you received with your
TACACS+ server application.
If you are a first-time user of the TACACS+ service, HP recommends that you configure only the
minimum feature set required by the TACACS+ application to provide service in your network
environment. After you have success with the minimum feature set, you may then want to try
additional features that the application offers.
5. Ensure that the switch has the correct local username and password for Manager access. (If the
switch cannot find any designated TACACS+ servers, the local manager and operator username/
password pairs are always used as the secondary access control method.)
The IP address(es) of the TACACS+
server(s) you want the switch to use
for authentication. If you will use
more than one server, determine
which server is your first-choice for
authentication services.
The encryption key, if any, that
should be used to allow the switch
to communicate with the server.
The period you want the switch to
wait for a reply to an authentication
request before trying another server.
The username/password pairs you want
the TACACS+ server to use for control-
ling access to the switch.
The privilege level you want for each
username/password pair administered
by the TACACS+ server for controlling
access to the switch.
The username/password pairs you want
to use for local authentication (one pair
each for Operator and Manager levels).