HP ProCurve 9304M Security Manual page 42

Security Guide for ProCurve 9300/9400 Series Routing Switches
To specify different TACACS+ servers for authentication, authorization, and accounting:
ProCurveRS(config)# tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc
ProCurveRS(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def
ProCurveRS(config)# tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi
Syntax: tacacs-server host <ip-addr> | <server-name> [authentication-only | authorization-only | accounting-only | default] [key <string>]
The default parameter causes the server to be used for all AAA functions.
After authentication takes place, the server that performed the authentication is used for authorization and/or accounting. If the authenticating server cannot perform the requested function, then the next server in the configured list of servers is tried; this process repeats until a server that can perform the requested function is found, or every server in the configured list has been tried.
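The selection rule above can be modelled to check how a given set of tacacs-server lines will behave before it is deployed. The following is an added example, not text or code from the manual or the switch firmware: it parses host lines with the keywords shown on this page and applies the "reuse the authenticating server, then walk the list" rule. The parser, the function names and the wrap-around search order (so that every configured server is tried once) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example (not from the manual or the switch firmware): a model of the
# AAA server-selection rule described in the text. The parser, names and the
# wrap-around search order are assumptions made for illustration.

ALL_FUNCTIONS = frozenset({"authentication", "authorization", "accounting"})


@dataclass(frozen=True)
class TacacsServer:
    ip: str
    functions: frozenset  # which AAA functions this host is configured for

    def can(self, function: str) -> bool:
        return function in self.functions


def parse_server_line(line: str) -> TacacsServer:
    """Turn one 'tacacs-server host ...' line into a TacacsServer.

    Recognises the keywords shown on this page: authentication-only,
    authorization-only, accounting-only and default. A host with none of
    them is treated like 'default' (usable for all AAA functions).
    Other tokens (auth-port, key ...) are accepted and ignored here.
    """
    tokens = line.split()
    if tokens[:2] != ["tacacs-server", "host"] or len(tokens) < 3:
        raise ValueError(f"not a tacacs-server host line: {line!r}")
    functions = ALL_FUNCTIONS
    for tok in tokens[3:]:
        if tok in ("authentication-only", "authorization-only", "accounting-only"):
            functions = frozenset({tok[: -len("-only")]})
    return TacacsServer(tokens[2], functions)


def select_server(servers: List[TacacsServer], function: str,
                  authenticated_by: Optional[TacacsServer] = None
                  ) -> Optional[TacacsServer]:
    """Apply the rule from the text.

    For authentication, walk the configured list in order. For authorization
    and accounting, first reuse the server that authenticated the user; if it
    cannot perform the function, continue from the next server in the list
    (wrapping to the start so every configured server is tried once).
    Returns None when no configured server can perform the function.
    """
    if not servers:
        return None
    start = 0
    if authenticated_by is not None:
        if authenticated_by.can(function):
            return authenticated_by
        start = servers.index(authenticated_by) + 1
    for offset in range(len(servers)):
        candidate = servers[(start + offset) % len(servers)]
        if candidate.can(function):
            return candidate
    return None


def aaa_plan(config_lines: List[str]) -> dict:
    """Return which host would handle each AAA function for one login.

    An empty dict means no server can authenticate at all.
    """
    servers = [parse_server_line(line) for line in config_lines]
    auth = select_server(servers, "authentication")
    if auth is None:
        return {}
    authz = select_server(servers, "authorization", auth)
    acct = select_server(servers, "accounting", auth)
    return {
        "authentication": auth.ip,
        "authorization": authz.ip if authz else None,
        "accounting": acct.ip if acct else None,
    }


# Constructed from the three commands shown on this page.
EXAMPLE_CONFIG = [
    "tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc",
    "tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def",
    "tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi",
]

if __name__ == "__main__":
    for function, ip in aaa_plan(EXAMPLE_CONFIG).items():
        print(f"{function:15s} -> {ip}")
```

Running it against the three commands from this page yields 1.2.3.4 for authentication, 1.2.3.5 for authorization and 1.2.3.6 for accounting; a configuration with only an authentication-only host reports None for the other two functions, which is the gap an operator wants to see before accounting records silently stop.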
Setting Optional TACACS/TACACS+ Parameters
You can set the following optional parameters in a TACACS/TACACS+ configuration:
TACACS+ key – This parameter specifies the value that the HP device sends to the TACACS+ server when trying to authenticate user access.
Retransmit interval – This parameter specifies how many times the HP device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
Dead time – This parameter specifies how long the HP device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds.
Timeout – This parameter specifies how many seconds the HP device waits for a response from a TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Setting the TACACS+ Key
The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent over the network. The value for the key parameter on the HP device should match the one configured on the TACACS+ server. The key can be from 1 – 32 characters in length and cannot include any space characters.
NOTE: The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the HP device.
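The key's role on the wire is worth seeing concretely. The following is an added example, not code from the manual or the switch firmware: it implements the TACACS+ body protection as specified in RFC 8907 section 4.5 (the RFC calls it obfuscation: an MD5-derived pad XORed over the packet body, so the same operation both applies and removes it) and enforces the key rules stated on this page (1 – 32 characters, no spaces). The session id, version byte, sequence number and body bytes are constructed sample values, and the function names are assumptions.

```python
import hashlib
import struct

# Added example (not from the manual or the switch firmware): the TACACS+ body
# obfuscation defined in RFC 8907 section 4.5, shown to illustrate why the key
# on the device must match the key on the server. Session id, version byte,
# sequence number and body below are constructed sample values.

TAC_PLUS_MAJOR_VER = 0xC  # RFC 8907 major version nibble


def validate_key(key: str) -> bool:
    """Apply the key rules stated on this page: 1-32 characters, no spaces."""
    return 1 <= len(key) <= 32 and " " not in key


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int,
               length: int) -> bytes:
    """Build the RFC 8907 pseudo-pad for a packet body of `length` bytes.

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    The pads are concatenated and truncated to the body length.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    last = b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: str, version: int,
                   seq_no: int) -> bytes:
    """XOR the packet body with the pseudo-pad.

    The same call reverses the transformation, because XOR with the same
    pad is its own inverse. A key that violates the rules on this page is
    rejected before anything is sent.
    """
    if not validate_key(key):
        raise ValueError("TACACS+ key must be 1-32 characters with no spaces")
    pad = pseudo_pad(session_id, key.encode("ascii"), version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def key_match_demo(device_key: str, server_key: str) -> bool:
    """Return True when the server recovers the device's plaintext body,
    which happens only when both sides hold the same key."""
    session_id = 0x1A2B3C4D                   # constructed sample session id
    version = (TAC_PLUS_MAJOR_VER << 4) | 0   # 0xC0: major 12, minor 0
    seq_no = 1                                # first packet of the session
    body = b"\x01\x00\x02\x01" + b"operator"  # constructed sample body bytes
    on_the_wire = obfuscate_body(body, session_id, device_key, version, seq_no)
    recovered = obfuscate_body(on_the_wire, session_id, server_key, version, seq_no)
    return recovered == body


if __name__ == "__main__":
    print("matching keys  :", key_match_demo("rkwong", "rkwong"))
    print("mismatched keys:", key_match_demo("rkwong", "rkwomg"))
```

With the same key on both ends the body round-trips; with a one-character mismatch the server sees a different pad and the body decodes to garbage, which is the symptom behind "authentication fails although the server is reachable". Because the pad is derived only from the header fields and the shared key, the key is the sole secret protecting every TACACS+ exchange, so it should use the full length the device allows and be changed when staff who knew it leave.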
To specify a TACACS+ server key:
ProCurveRS(config)# tacacs-server key rkwong
Syntax: tacacs-server key [0 | 1] <string>
When you display the configuration of the HP device, the TACACS+ keys are encrypted. For example:
ProCurveRS(config)# tacacs-server key 1 abc
ProCurveRS(config)# write terminal
...
tacacs-server host 1.2.3.5 auth-port 49
tacacs key 1 $!2d
2 - 26
June 2005
