Support User Manuals

HP (Hewlett-Packard) 2600 Switch User Manual

Open as PDF

of 300

TACACS+ Authentication

Configuring TACACS+ on the Switch

Table 4-2. Primary/Secondary Authentication Table

Access Method and

Privilege Level

Authentication Options Effect on Access Attempts

Primary Secondary

Console — Login local none* Local username/password access only.

tacacs local If Tacacs+ server unavailable, uses local username/password access.

Console — Enable local none* Local username/password access only.

tacacs local If Tacacs+ server unavailable, uses local username/password access.

Telnet — Login local none* Local username/password access only.

tacacs local If Tacacs+ server unavailable, uses local username/password access.

tacacs none If Tacacs+ server unavailable, denies access.

Telnet — Enable local none* Local username/password access only.

tacacs local If Tacacs+ server unavailable, uses local username/password access.

tacacs none If Tacacs+ server unavailable, denies access.

*When “local” is the primary option, you can also select “local” as the secondary option. However, in this case, a

secondary “local” is meaningless because the switch has only one local level of username/password protection.

Caution Regarding

the Use of Local for

Login Primary

Access

During local authentication (which uses passwords configured in the switch

instead of in a TACACS+ server), the switch grants read-only access if you

enter the Operator password, and read-write access if you enter the Manager

password. For example, if you configure authentication on the switch with

Telnet Login Primary as Local and Telnet Enable Primary as Tacacs, when you

attempt to Telnet to the switch, you will be prompted for a local password. If

you enter the switch’s local Manager password (or,if there is no local Manager

password configured in the switch) you can bypass the TACACS+ server

authentication for Telnet Enable Primary and go directly to read-write (Man-

ager) access. Thus, for either the Telnet or console access method, configuring

Login Primary for Local authentication while configuring Enable Primary for

TACACS+ authentication is not recommended, as it defeats the purpose of

using the TACACS+ authentication. If you want Enable Primary log-in

attempts to go to a TACACS+ server, then you should configure both Login

Primary and Enable Primary for Tacacs authentication instead of configuring

Login Primary to Local authentication.

4-13

previous next