HP ProCurve 9304M Security Manual page 45


Syntax: aaa authentication login privilege-mode
The user's privilege level is based on the privilege level granted during login.
Configuring Enable Authentication to Prompt for Password Only
If Enable authentication is configured on the device, when a user attempts to gain Super User access to the
Privileged EXEC and CONFIG levels of the CLI, by default he or she is prompted for a username and password.
In this release, you can configure the HP device to prompt only for a password. The device uses the username
entered at login, if one is available. If no username was entered at login, the device prompts for both username
and password.
To configure the HP device to prompt only for a password when a user attempts to gain Super User access to the
Privileged EXEC and CONFIG levels of the CLI:
ProCurveRS(config)# aaa authentication enable implicit-user
Syntax: [no] aaa authentication enable implicit-user
Telnet/SSH Prompts When the TACACS+ Server is Unavailable
When TACACS+ is the first method in the authentication method list, the device displays the login prompt received
from the TACACS+ server. If a user attempts to log in through Telnet or SSH, but none of the configured TACACS+
servers are available, the following takes place:
• If the next method in the authentication method list is "enable", the login prompt is skipped, and the user is
prompted for the Enable password (that is, the password configured with the enable super-user-password
command).
• If the next method in the authentication method list is "line", the login prompt is skipped, and the user is
prompted for the Line password (that is, the password configured with the enable telnet password
command).
Configuring TACACS+ Authorization
HP devices support TACACS+ authorization for controlling access to management functions in the CLI. Two
kinds of TACACS+ authorization are supported:
• Exec authorization determines a user's privilege level when they are authenticated.
• Command authorization consults a TACACS+ server to get authorization for commands entered by the user.
Configuring Exec Authorization
When TACACS+ exec authorization is performed, the HP device consults a TACACS+ server to determine the
privilege level of the authenticated user. To configure TACACS+ exec authorization on the HP device, enter the
following command:
ProCurveRS(config)# aaa authorization exec default tacacs+
Syntax: aaa authorization exec default tacacs+ | none
If you specify none, or omit the aaa authorization exec command from the device's configuration, no exec
authorization is performed.
A user's privilege level is obtained from the TACACS+ server in the "hp-privlvl" A-V pair. If the aaa authorization
exec default tacacs+ command exists in the configuration, the device assigns the user the privilege level specified
by this A-V pair. If the command does not exist in the configuration, then the value in the "hp-privlvl" A-V pair is
ignored, and the user is granted Super User access.
NOTE: If the aaa authorization exec default tacacs+ command exists in the configuration, following successful
authentication the device assigns the user the privilege level specified by the "hp-privlvl" A-V pair received from
the TACACS+ server. If the aaa authorization exec default tacacs+ command does not exist in the
configuration, then the value in the "hp-privlvl" A-V pair is ignored, and the user is granted Super User access.
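A configuration check for the behavior described above, as an added example that is not part of the HP manual: it scans a saved running-config for TACACS+ login without exec authorization (where "hp-privlvl" is ignored) and for the "enable"/"line" fallback used when no TACACS+ server is reachable. The sample configurations are constructed, and the `aaa authentication login default <methods>` method-list line and the `local` method are assumptions, since neither is shown on this page.

```python
import re

# Constructed sample configs (not from the manual). The method-list line
# "aaa authentication login default ..." is assumed; it is not on this page.
WEAK = """\
aaa authentication login default tacacs+ enable
aaa authentication enable implicit-user
"""
FIXED = """\
aaa authentication login default tacacs+ local
aaa authorization exec default tacacs+
"""

def audit_aaa(config_text):
    """Return (code, message) findings for a running-config dump."""
    login_methods, exec_authz = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication login default\s+(.+)$", line)
        if m:
            login_methods = m.group(1).split()
        m = re.match(r"aaa authorization exec default\s+(\S+)", line)
        if m:
            exec_authz = m.group(1)  # "tacacs+" or "none"

    findings = []
    if "tacacs+" not in login_methods:
        return findings
    # Without exec authorization the hp-privlvl A-V pair is ignored and
    # every TACACS+-authenticated user is granted Super User access.
    if exec_authz != "tacacs+":
        findings.append(("EXEC_AUTHZ_OFF",
                         "hp-privlvl ignored: TACACS+ users get Super User"))
    # With TACACS+ first and no server reachable, Telnet/SSH users skip the
    # login prompt and are asked for the Enable or Line password instead.
    if login_methods[0] == "tacacs+" and len(login_methods) > 1:
        if login_methods[1] in ("enable", "line"):
            findings.append(("SHARED_PW_FALLBACK",
                             "server outage falls back to the %s password"
                             % login_methods[1]))
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_aaa(cfg) or "no findings")
```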
June 2005
Securing Access to Management Functions
