HP (Hewlett-Packard) 2650 (J4899A/B) Switch User Manual


 
4-15
TACACS+ Authentication
Configuring TACACS+ on the Switch
Configuring the Switch’s TACACS+ Server Access
The tacacs-server command configures these parameters:
The host IP address(es) for up to three TACACS+ servers; one first-
choice and up to two backups. Designating backup servers provides
for a continuation of authentication services in case the switch is
unable to contact the first-choice server.
An optional encryption key. This key helps to improve security, and
must match the encryption key used in your TACACS+ server appli-
cation. In some applications, the term “secret key” or “secret” may be
used instead of “encryption key”. If you need only one encryption key
for the switch to use in all attempts to authenticate through a
TACACS+ server, configure a global key. However, if the switch is
configured to access multiple TACACS+ servers having different
encryption keys, you can configure the switch to use different encryp-
tion keys for different TACACS+ servers.
The timeout value in seconds for attempts to contact a TACACS+
server. If the switch sends an authentication request, but does not
receive a response within the period specified by the timeout value,
the switch resends the request to the next server in its Server IP Addr
list, if any. If the switch still fails to receive a response from any
TACACS+ server, it reverts to whatever secondary authentication
method was configured using the aaa authentication command (local
or none; see “Configuring the Switch’s Authentication Methods” on
page 4-11.)
Note As described under “General Authentication Setup Procedure” on page 4-5,
ProCurve recommends that you configure, test, and troubleshoot authentica-
tion via Telnet access before you configure authentication via console port
access. This helps to prevent accidentally locking yourself out of switch
access due to errors or problems in setting up authentication in either the
switch or your TACACS+ server.