HP (Hewlett-Packard) 2500 Switch User Manual


Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
With authentication configured on the switch and TACACS+ configured and operating on a server in
your network, an attempt to log on through Telnet or the switch's serial port is passed to the
TACACS+ server for verification before permission is granted. Similarly, if an operator is using
read-only access to the switch and requests read-write access through the CLI enable command by
entering a user name and password, the switch grants read-write access only after the TACACS+
server verifies the request and returns permission to the switch.
Note
Software release F.02.02 for the Series 2500 switches enables TACACS+ authentication, which is the
ability to allow or deny access to a Series 2500 switch on the basis of correct username/password
pairs, and to specify the privilege level to allow if access is granted. This release does not support
TACACS+ authorization or accounting services.
Series 2500 Switch Authentication Options
With software release F.02.02 installed, the Series 2500 switches include these types of authentication:
Local: Employs a username/password pair assigned locally to the switch. This option allows
one username/password pair for manager-level privileges and another username/password
pair for operator-level privileges. Local authentication is automatically available in the
switch. The Management and Configuration Guide you received with your switch describes
this method.
TACACS+: Employs a username/password pair assigned remotely to a TACACS+ server
application. This option allows multiple username/password pairs for any privilege level
available on the switch. The remainder of this section describes TACACS+ authentication
on the Series 2500 switches.
None: The switch can be accessed by anyone without requiring a username/password pair.
This is the case when TACACS+ is not enabled on the switch and a local, manager-level
password is not configured in the switch. Allowing the switch to operate in this mode is not
recommended because it compromises switch and network access security.
TACACS+ on the Series 2500 switches uses an authentication hierarchy consisting of remote control
through a TACACS+ server and the local control (password and user name) built into the switch.
That is, with TACACS+ configured on the switch, if the switch cannot contact any designated
TACACS+ server, then it defaults to its own locally assigned username/password pairs to control
access. To use TACACS+ authentication in a Series 2500 switch, you must enable TACACS+ in the
switch and also purchase, install, and configure a third-party TACACS+ server application on the
device(s) in your network that you want to use for managing TACACS+ authentication.
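The following is an added example, not code from the HP manual or the switch firmware, that models the decision path described in this section and in the login/enable description above: with TACACS+ enabled the switch tries its designated servers in order; a server that answers decides the outcome (permit with a privilege level, or deny); only when no server can be contacted does the switch fall back to its locally assigned manager and operator username/password pairs. The server interface, the class and function names, and the sample accounts are assumptions made for the illustration; how a real TACACS+ server is reached is out of scope here.

```python
# Added example (not from the HP manual): a model of the authentication hierarchy
# the text describes. Names, the server interface and the sample accounts are
# assumptions for illustration only.
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OPERATOR = "operator"
MANAGER = "manager"


class ServerUnreachable(Exception):
    """Raised by a server stub when the switch cannot contact it (timeout, no route)."""


@dataclass
class TacacsReply:
    permitted: bool
    privilege: Optional[str] = None  # MANAGER or OPERATOR when permitted


# Hypothetical interface: a server is called as server(username, password) and
# returns a TacacsReply, or raises ServerUnreachable if it cannot be contacted.
Server = Callable[[str, str], TacacsReply]


def tacacs_server(accounts: Dict[str, Tuple[str, str]]) -> Server:
    """Constructed stand-in for a reachable TACACS+ server.
    accounts maps username -> (password, privilege level)."""
    def handle(username: str, password: str) -> TacacsReply:
        entry = accounts.get(username)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return TacacsReply(permitted=False)
        return TacacsReply(permitted=True, privilege=entry[1])
    return handle


def unreachable_server(username: str, password: str) -> TacacsReply:
    """Constructed stand-in for a designated server the switch cannot reach."""
    raise ServerUnreachable


def _match(pair: Tuple[str, str], username: str, password: str) -> bool:
    return pair[0] == username and hmac.compare_digest(pair[1], password)


@dataclass
class SwitchAuth:
    tacacs_enabled: bool
    servers: List[Server] = field(default_factory=list)
    local_manager: Optional[Tuple[str, str]] = None   # (username, password)
    local_operator: Optional[Tuple[str, str]] = None  # (username, password)

    def authenticate(self, username: str, password: str) -> Tuple[Optional[str], str]:
        """Return (privilege level granted or None, how the decision was reached)."""
        if self.tacacs_enabled:
            for server in self.servers:
                try:
                    reply = server(username, password)
                except ServerUnreachable:
                    continue  # cannot contact this one, try the next designated server
                if reply.permitted:
                    return reply.privilege, "tacacs"
                return None, "tacacs-denied"  # a reachable server's refusal is final
            # No designated server could be contacted: local pairs control access.
            return self._local(username, password, "local-fallback")
        return self._local(username, password, "local")

    def _local(self, username: str, password: str, how: str) -> Tuple[Optional[str], str]:
        if self.local_manager is None:
            # No manager-level password configured: the "None" mode from the text,
            # anyone gets in. Assumed here to apply to the fallback case as well.
            return MANAGER, "none"
        if _match(self.local_manager, username, password):
            return MANAGER, how
        if self.local_operator and _match(self.local_operator, username, password):
            return OPERATOR, how
        return None, how + "-denied"

    def enable(self, username: str, password: str) -> bool:
        """CLI 'enable' from an operator session: read-write access only if the
        same decision path yields manager-level privilege."""
        privilege, _ = self.authenticate(username, password)
        return privilege == MANAGER


if __name__ == "__main__":
    backup = tacacs_server({"alice": ("a-pw", MANAGER), "bob": ("b-pw", OPERATOR)})
    sw = SwitchAuth(tacacs_enabled=True, servers=[unreachable_server, backup],
                    local_manager=("manager", "local-mgr"),
                    local_operator=("operator", "local-op"))
    print(sw.authenticate("alice", "a-pw"))        # ('manager', 'tacacs')
    print(sw.authenticate("manager", "local-mgr"))  # (None, 'tacacs-denied')
```

The point the model makes explicit is the one practitioners most often get wrong: the local pairs are consulted only when every designated server is unreachable. A server that answers "no" is not a reason to fall back, so a reachable server must know about every account that should be able to log in, including the one you would use for recovery.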