HP (Hewlett-Packard) 2500 Switch User Manual


 
182
Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
If the username/password pair received from the requesting terminal matches a user-
name/password pair previously stored in the server, then the server passes access
permission through the switch to the terminal.
If the username/password pair entered at the requesting terminal does not match a
username/password pair previously stored in the server, access is denied. In this case,
the terminal is again prompted to enter a username and repeat steps 2 through 4. In the
default configuration, the switch allows up to three attempts to authenticate a login
session. If the requesting terminal exhausts the attempt limit without a successful
TACACS+ authentication, the login session is terminated and the operator at the
requesting terminal must initiate a new session before trying again.
Local Authentication Process
When the switch is configured to use TACACS+, it reverts to local authentication only if one of these
two conditions exists:
"Local" is the authentication option for the access method being used.
The switch has been configured to query a TACACS+ server for an authentication request,
but has not received a response
(For a listing of authentication options, see Table 13 on page 175.)
For local authentication, the switch uses the operator-level and manager-level username/password
set(s) previously configured locally on the switch. (These are the usernames and passwords you can
configure using the CLI password command, the Web browser interface, or the menu interface—
which enables only local password configuration).
If the operator at the requesting terminal correctly enters the username/password pair for
either access level, access is granted.
If the username/password pair entered at the requesting terminal does not match either
username/password pair previously configured locally in the switch, access is denied. In this
case, the terminal is again prompted to enter a username/password pair. In the default
configuration, the switch allows up to three attempts. If the requesting terminal exhausts the
attempt limit without a successful authentication, the login session is terminated and the
operator at the requesting terminal must initiate a new session before trying again.