HP (Hewlett-Packard) 2600-PWR Series Switch User Manual


 
4-24
TACACS+ Authentication
Configuring TACACS+ on the Switch
For example, you would use the next command to configure a global encryp-
tion key in the switch to match a key entered as
north40campus in two target
TACACS+ servers. (That is, both servers use the same key for your switch.)
Note that you do not need the server IP addresses to configure a global key in
the switch:
ProCurve(config)# tacacs-server key north40campus
Suppose that you subsequently add a third TACACS+ server (with an IP
address of 10.28.227.87) that has
south10campus for an encryption key. Because
this key is different than the one used for the two servers in the previous
example, you will need to assign a server-specific key in the switch that applies
only to the designated server:
ProCurve(config)# tacacs-server host 10.28.227.87 key
south10campus
With both of the above keys configured in the switch, the
south10campus key
overrides the
north40campus key only when the switch tries to access the
TACACS+ server having the 10.28.227.87 address.
Controlling Web Browser Interface
Access When Using TACACS+
Authentication
Configuring the switch for TACACS+ authentication does not affect web
browser interface access. To prevent unauthorized access through the web
browser interface, do one or more of the following:
Configure local authentication (a Manager user name and password
and, optionally, an Operator user name and password) on the switch.
Configure the switch’s Authorized IP Manager feature to allow web
browser access only from authorized management stations. (The
Authorized IP Manager feature does not interfere with TACACS+
operation.)
Disable web browser access to the switch by going to the System
Information screen in the Menu interface and configuring the
Web
Agent Enabled
parameter to No.