HP (Hewlett-Packard) 2500 Switch User Manual


 
185
Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
Messages
The switch generates the CLI messages listed below. However, you may see other messages
generated in your TACACS+ server application. For information on such messages, refer to the
documentation you received with the application.
Table 14. Tacacs Messages
Operating Notes
If you configure Authorized IP Managers on the switch, it is not necessary to include any
devices used as TACACS+ servers in the authorized manager list. That is, TACACS+ operates
regardless of any Authorized IP Manager configuration.
When TACACS+ is not enabled on the switch—or when the switch’s only designated
TACACS+ servers are not accessible— setting a local Operator password without also
setting a local Manager password does not protect the switch from manager-level access
by unauthorized persons.)
CLI Message Meaning
Connecting to Tacacs server The switch is attempting to contact the TACACS+ server identified in the switch’s
tacacs-server configuration as the first-choice (or only) TACACS+ server.
Connecting to secondary Tacacs
server
The switch was not able to contact the first-choice TACACS+ server, and is now
attempting to contact the next (secondary) TACACS+ server identified in the switch’s
tacacs-server configuration.
Invalid password The system does not recognize the username or the password or both. Depending on
the authentication method (tacacs or local), either the TACACS+ server application
did not recognize the username/password pair or the username/password pair did
not match the username/password pair configured in the switch.
No Tacacs servers responding The switch has not been able to contact any designated TACACS+ servers. If this
message is followed by the Username prompt, the switch is attempting local authen-
tication.
Not legal combination of authen-
tication methods
For console access, if you select tacacs as the primary authentication method, you
must select local as the secondary authentication method. This prevents you from
being locked out of the switch if all designated TACACS+ servers are inaccessible to
the switch.
Record already exists When resulting from a tacacs-server host <ip addr> command, indicates an attempt
to enter a duplicate TACACS+ server IP address.