HP ProCurve 9304M Security Manual page 43

Routing switches

Securing Access to Management Functions
NOTE: Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1
parameter is not required; it is provided for backwards compatibility.
Setting the Retransmission Limit
The retransmit parameter specifies how many times the HP device will resend an authentication request when
the TACACS/TACACS+ server does not respond. The retransmit limit can be from 1 – 5 times. The default is 3
times.
To set the TACACS/TACACS+ retransmit limit:
ProCurveRS(config)# tacacs-server retransmit 5
Syntax: tacacs-server retransmit <number>
Setting the Dead Time Parameter
The dead-time parameter specifies how long the HP device waits for the primary authentication server to reply
before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be
from 1 – 5 seconds. The default is 3 seconds.
To set the TACACS/TACACS+ dead-time value:
ProCurveRS(config)# tacacs-server dead-time 5
Syntax: tacacs-server dead-time <number>
Setting the Timeout Parameter
The timeout parameter specifies how many seconds the HP device waits for a response from the TACACS/
TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+
server is unavailable and moving on to the next authentication method in the authentication-method list. The
timeout can be from 1 – 15 seconds. The default is 3 seconds.
ProCurveRS(config)# tacacs-server timeout 5
Syntax: tacacs-server timeout <number>
Configuring Authentication-Method Lists for TACACS/TACACS+
You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC level and
CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create authentication-method
lists specifically for these access methods, specifying TACACS/TACACS+ as the primary authentication
method.
Within the authentication-method list, TACACS/TACACS+ is specified as the primary authentication method and
up to six backup authentication methods are specified as alternates. If TACACS/TACACS+ authentication fails
due to an error, the device tries the backup authentication methods in the order they appear in the list.
When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a
separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and
CONFIG levels of the CLI.
To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method for
securing Telnet/SSH access to the CLI:
ProCurveRS(config)# enable telnet authentication
ProCurveRS(config)# aaa authentication login default tacacs local
The commands above cause TACACS/TACACS+ to be the primary authentication method for securing Telnet/SSH
access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, authentication is
performed using local user accounts instead.
To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method for
securing access to Privileged EXEC level and CONFIG levels of the CLI:
ProCurveRS(config)# aaa authentication enable default tacacs local none
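An added example (not from the HP manual): a Python audit that reads the commands in this section from a saved configuration, checks the three tacacs-server timers against the ranges stated above, and inspects the login and enable authentication-method lists. Flagging `none` assumes that keyword lets the session through without authentication, which this page does not spell out; the `audit` function, the `SAMPLE` text and the finding strings are this example's own names.

```python
import re

# Ranges and defaults as stated on this manual page: (min, max, default).
LIMITS = {"retransmit": (1, 5, 3), "dead-time": (1, 5, 3), "timeout": (1, 15, 3)}
MAX_BACKUPS = 6  # "up to six backup authentication methods"

def audit(config_text):
    """Return (effective timer settings, findings) for a configuration dump."""
    settings = {name: default for name, (_, _, default) in LIMITS.items()}
    findings, lists = [], {}
    for raw in config_text.splitlines():
        # Drop a leading CLI prompt such as "ProCurveRS(config)# " if present.
        line = re.sub(r"^\S+\(config\)#\s*", "", raw.strip())
        m = re.fullmatch(r"tacacs-server (retransmit|dead-time|timeout) (\d+)", line)
        if m:
            name, value = m.group(1), int(m.group(2))
            low, high, _ = LIMITS[name]
            if low <= value <= high:
                settings[name] = value
            else:
                findings.append(f"{name} {value} outside {low}-{high}")
            continue
        m = re.fullmatch(r"aaa authentication (login|enable) default (.+)", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    for kind in ("login", "enable"):  # the page requires a separate list for each
        methods = lists.get(kind)
        if methods is None:
            findings.append(f"{kind}: no authentication-method list")
            continue
        if not methods[0].startswith("tacacs"):  # the page's keyword is "tacacs"
            findings.append(f"{kind}: primary method is {methods[0]}")
        if len(methods) - 1 > MAX_BACKUPS:
            findings.append(f"{kind}: more than {MAX_BACKUPS} backup methods")
        if "none" in methods:  # assumption: "none" means no authentication at all
            findings.append(f"{kind}: list falls through to 'none'")
    return settings, findings

# Constructed sample: this page's commands, with dead-time set out of range.
SAMPLE = """\
ProCurveRS(config)# tacacs-server retransmit 5
ProCurveRS(config)# tacacs-server dead-time 9
ProCurveRS(config)# tacacs-server timeout 5
ProCurveRS(config)# aaa authentication login default tacacs local
ProCurveRS(config)# aaa authentication enable default tacacs local none
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against the sample, the audit keeps the default dead-time of 3 because 9 is out of range, and reports the enable list because its last fallback is `none`.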
June 2005
2 - 27
