Security Guide for ProCurve 9300/9400 Series Routing Switches
User Action
User enters the command:
[no] aaa accounting system default start-stop <method-list>
User enters other commands
AAA Security for Commands Pasted Into the Running-Config
If AAA security is enabled on the device, commands pasted into the running-config are subject to the same AAA
operations as if they were entered manually.
When you paste commands into the running-config, and AAA command authorization and/or accounting is
configured on the device, AAA operations are performed on the pasted commands. The AAA operations are
performed before the commands are actually added to the running-config. The server performing the AAA
operations should be reachable when you paste the commands into the running-config file. If the device
determines that a pasted command is invalid, AAA operations are halted on the remaining commands. The
remaining commands may not be executed if command authorization is configured.
TACACS/TACACS+ Configuration Considerations
• You must deploy at least one TACACS/TACACS+ server in your network.
• HP devices support authentication using up to eight TACACS/TACACS+ servers. The device tries to use the
servers in the order you add them to the device's configuration.
• You can select only one primary authentication method for each type of access to a device (CLI through
Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select TACACS+ as the primary
authentication method for Telnet CLI access, but you cannot also select RADIUS authentication as a primary
method for the same type of access. However, you can configure backup authentication methods for each
access type.
• You can configure the HP device to authenticate using a TACACS or TACACS+ server, not both.
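The AAA server should be reachable when commands are pasted into the running-config, and the device tries its servers in the order they were added, so a pre-paste check can confirm reachability in that same order. The following is an added example, not part of the HP guide: it assumes TACACS+ listening on TCP port 49, constructed server addresses, and a checking host on the same management network as the switch; `tcp_probe` and `preflight` are hypothetical names.

```python
import socket

TACACS_PORT = 49   # assumption: TACACS+ servers listen on the registered TCP port
MAX_SERVERS = 8    # limit stated in this guide


def tcp_probe(host, port=TACACS_PORT, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def preflight(servers, probe=tcp_probe):
    """Probe servers in configured order and report whether pasting is advisable."""
    if not servers:
        raise ValueError("no TACACS+ servers listed")
    if len(servers) > MAX_SERVERS:
        raise ValueError(
            f"{len(servers)} servers listed; the device supports {MAX_SERVERS}")
    if len(set(servers)) != len(servers):
        raise ValueError("duplicate server entry")
    # Keep the configured order: the device tries servers in that order.
    status = [(host, probe(host)) for host in servers]
    reachable = [host for host, ok in status if ok]
    return {
        "status": status,
        "first_reachable": reachable[0] if reachable else None,
        "primary_down": not status[0][1],
        "safe_to_paste": bool(reachable),
    }


if __name__ == "__main__":
    # Constructed sample addresses (documentation range), in configured order.
    configured = ["192.0.2.10", "192.0.2.11"]
    report = preflight(configured)
    for host, ok in report["status"]:
        print(f"{host}:{TACACS_PORT} {'reachable' if ok else 'UNREACHABLE'}")
    if report["primary_down"] and report["safe_to_paste"]:
        print(f"first server down; first reachable: {report['first_reachable']}")
    print("paste now" if report["safe_to_paste"]
          else "do not paste: no AAA server reachable")
```

A successful TCP connection shows only that the port answers; it does not confirm that the server accepts the device's TACACS+ requests.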
TACACS Configuration Procedure
For TACACS configurations, use the following procedure:
1. Identify TACACS servers. See "Identifying the TACACS/TACACS+ Servers" on page 2-25.
2. Set optional parameters. See "Setting Optional TACACS/TACACS+ Parameters" on page 2-26.
3. Configure authentication-method lists. See "Configuring Authentication-Method Lists for TACACS/TACACS+"
on page 2-27.
TACACS+ Configuration Procedure
For TACACS+ configurations, use the following procedure:
1. Identify TACACS+ servers. See "Identifying the TACACS/TACACS+ Servers" on page 2-25.
Applicable AAA Operations
When the user enters [no] aaa accounting system default start-stop <method-list>:
Command authorization (TACACS+):
aaa authorization commands <privilege-level> default <method-list>
Command accounting (TACACS+):
aaa accounting commands <privilege-level> default start-stop <method-list>
System accounting start (TACACS+):
aaa accounting system default start-stop <method-list>
When the user enters other commands:
Command authorization (TACACS+):
aaa authorization commands <privilege-level> default <method-list>
Command accounting (TACACS+):
aaa accounting commands <privilege-level> default start-stop <method-list>
June 2005