Table of Contents
Advertisement
•
Web management access
•
Access to the Privileged EXEC level and CONFIG levels of the CLI
The TACACS and TACACS+ protocols define how authentication, authorization, and accounting information is
sent between an HP device and an authentication database on a TACACS/TACACS+ server. TACACS/TACACS+
services are maintained in a database, typically on a UNIX workstation or PC with a TACACS/TACACS+ server
running.
How TACACS+ Differs from TACACS
TACACS is a simple UDP-based access control protocol originally developed by BBN for MILNET. TACACS+ is
an enhancement to TACACS and uses TCP to ensure reliable delivery.
TACACS+ is an enhancement to the TACACS security protocol. TACACS+ improves on TACACS by separating
the functions of authentication, authorization, and accounting (AAA) and by encrypting all traffic between the HP
device and the TACACS+ server. TACACS+ allows for arbitrary length and content authentication exchanges,
which allow any authentication mechanism to be utilized with the HP device. TACACS+ is extensible to provide
for site customization and future development features. The protocol allows the HP device to request very precise
access control and allows the TACACS+ server to respond to each component of that request.
NOTE: TACACS+ provides for authentication, authorization, and accounting, but an implementation or
configuration is not required to employ all three.
TACACS/TACACS+ Authentication, Authorization, and Accounting
When you configure an HP device to use a TACACS/TACACS+ server for authentication, the device prompts
users who are trying to access the CLI for a user name and password, then verifies the password with the
TACACS/TACACS+ server.
If you are using TACACS+, HP recommends that you also configure authorization, in which the HP device
consults a TACACS+ server to determine which management privilege level (and which associated set of
commands) an authenticated user is allowed to use. You can also optionally configure accounting, which causes
the HP device to log information on the TACACS+ server when specified events occur on the device.
NOTE: In releases prior to 07.1.10, a user logging into the device via Telnet or SSH would first enter the User
EXEC level. The user could then enter the enable command to get to the Privileged EXEC level.
Starting with release 07.1.10, a user that is successfully authenticated by a RADIUS or TACACS+ server is
automatically placed at the Privileged EXEC level after login.
TACACS Authentication
When TACACS authentication takes place, the following events occur:
1.
A user attempts to gain access to the HP device by doing one of the following:
•
Logging into the device using Telnet, SSH, or the Web management interface
•
Entering the Privileged EXEC level or CONFIG level of the CLI
2.
The user is prompted for a username and password.
3.
The user enters a username and password.
4.
The HP device sends a request containing the username and password to the TACACS server.
5.
The username and password are validated in the TACACS server's database.
6.
If the password is valid, the user is authenticated.
Securing Access
3 - 17
Advertisement
Chapters
Table of Contents
