HP PROCURVE 6208M-SX Installation And Getting Started Manual page 78

Hewlett-packard switch user manual
2. Set optional parameters. See "Setting Optional TACACS/TACACS+ Parameters" on page 3-21.
3. Configure authentication-method lists. See "Configuring Authentication-Method Lists for TACACS/TACACS+" on page 3-22.
4. Optionally configure TACACS+ authorization. See "Configuring TACACS+ Authorization" on page 3-24.
5. Optionally configure TACACS+ accounting. See "Configuring TACACS+ Accounting" on page 3-25.
Identifying the TACACS/TACACS+ Servers
To use TACACS/TACACS+ servers to authenticate access to an HP device, you must identify the servers to the
HP device.
For example, to identify three TACACS/TACACS+ servers, enter commands such as the following:
HP9300(config)# tacacs-server host 207.94.6.161
HP9300(config)# tacacs-server host 207.94.6.191
HP9300(config)# tacacs-server host 207.94.6.122
Syntax: tacacs-server host <ip-addr>|<hostname> [auth-port <number>]
The <ip-addr>|<hostname> parameter specifies the IP address or host name of the server. You can enter up to
eight tacacs-server host commands to specify up to eight different servers.
NOTE: To specify the server's host name instead of its IP address, you must first identify a DNS server using the
ip dns server-address <ip-addr> command at the global CONFIG level.
If you add multiple TACACS/TACACS+ authentication servers to the HP device, the device tries to reach them in
the order you add them. For example, if you add three servers in the following order, the software tries the servers
in the same order:
1. 207.94.6.161
2. 207.94.6.191
3. 207.94.6.122
You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command. For
example, to remove 207.94.6.161, enter the following command:
HP9300(config)# no tacacs-server host 207.94.6.161
NOTE: If you erase a tacacs-server command (by entering "no" followed by the command), make sure you also
erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (See "Configuring
Authentication-Method Lists for TACACS/TACACS+" on page 3-22.) Otherwise, when you exit from the CONFIG
mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not
be able to access the system.
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the
authentication port on the server. The default port number is 49.
Setting Optional TACACS/TACACS+ Parameters
You can set the following optional parameters in a TACACS/TACACS+ configuration:
TACACS+ key – This parameter specifies the value that the HP device sends to the TACACS+ server when
trying to authenticate user access.
Retransmit interval – This parameter specifies how many times the HP device will resend an authentication
request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 – 5
times. The default is 3 times.
Dead time – This parameter specifies how long the HP device waits for the primary authentication server to
reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value
can be from 1 – 5 seconds. The default is 3 seconds.
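An added example, not from the HP manual: a Python check over saved configuration text that lists the servers in the order the device will try them and flags the lockout condition described in the NOTE above, along with retransmit or dead-time values outside 1 to 5. The `aaa authentication login default tacacs+` line, the `tacacs-server retransmit` and `tacacs-server dead-time` keywords, and both sample configurations are assumptions constructed for illustration and do not appear on this page.

```python
import re

MAX_HOSTS = 8          # page: up to eight tacacs-server host commands
DEFAULT_PORT = 49      # page: default authentication port
RANGES = {"retransmit": (1, 5), "dead-time": (1, 5)}  # page: valid ranges

HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: auth-port (\d+))?$")
# Assumed keywords for the optional parameters (not shown on this page).
PARAM_RE = re.compile(r"^tacacs-server (retransmit|dead-time) (\d+)$")


def audit(config_text):
    """Return (servers in try order, list of findings) for a saved config."""
    servers, findings, aaa_tacacs = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            servers.append((m.group(1), int(m.group(2) or DEFAULT_PORT)))
            continue
        m = PARAM_RE.match(line)
        if m:
            low, high = RANGES[m.group(1)]
            if not low <= int(m.group(2)) <= high:
                findings.append(f"{m.group(1)} {m.group(2)} outside {low}-{high}")
            continue
        # Any aaa command naming tacacs or tacacs+ as a method.
        if line.startswith("aaa ") and re.search(r"\btacacs\+?(\s|$)", line):
            aaa_tacacs.append(line)
    if len(servers) > MAX_HOSTS:
        findings.append(f"{len(servers)} servers configured, limit is {MAX_HOSTS}")
    if aaa_tacacs and not servers:
        findings.append("lockout risk: aaa references TACACS/TACACS+ "
                        "but no tacacs-server host is defined")
    return servers, findings


# Constructed sample: the last server was removed but the aaa line was left.
SAMPLE_BROKEN = "aaa authentication login default tacacs+\ntacacs-server dead-time 9\n"
# Constructed sample: two servers, one on a non-default port.
SAMPLE_OK = ("aaa authentication login default tacacs+\n"
             "tacacs-server host 207.94.6.161\n"
             "tacacs-server host 207.94.6.191 auth-port 4949\n"
             "tacacs-server retransmit 3\n")

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(name, audit(text))
```

Running the check on a candidate configuration before leaving CONFIG mode or closing the Telnet session catches the stale `aaa` line while the session is still usable.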
Securing Access
3 - 21

This manual is also suitable for:

Procurve 1600m
