HP ProCurve 9304M Security Manual page 71


• Local password for the Super User privilege level
• Local user accounts configured on the device
• Database on a TACACS or TACACS+ server
• Database on a RADIUS server
• No authentication
NOTE: The TACACS/TACACS+, RADIUS, and Telnet login password authentication methods are not supported
for SNMP access.
NOTE: To authenticate Telnet access to the CLI, you also must enable the authentication by entering the
enable telnet authentication command at the global CONFIG level of the CLI. You cannot enable Telnet
authentication using the Web management interface.
NOTE: You do not need an authentication-method list to secure access based on ACLs or a list of IP addresses.
See "Using ACLs to Restrict Remote Access" on page 2-4 or "Restricting Remote Access to the Device to Specific
IP Addresses" on page 2-7.
In an authentication-method list for a particular access method, you can specify up to seven authentication
methods. If the first authentication method is successful, the software grants access and stops the authentication
process. If the access is rejected by the first authentication method, the software denies access and stops
checking.
However, if an error occurs with an authentication method, the software tries the next method on the list, and so
on. For example, if the first authentication method is the RADIUS server, but the link to the server is down, the
software will try the next authentication method in the list.
NOTE: If an authentication method is working properly and the password (and user name, if applicable) is not
known to that method, this is not an error. The authentication attempt stops, and the user is denied access.
The software will continue this process until either the authentication method is passed or the software reaches
the end of the method list. If the Super User level password is not rejected after all the access methods in the list
have been tried, access is granted.
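The fall-through rules above, modelled as an added example (not code from the manual or from HP). The method labels and the `Result` names are illustrative, not CLI keywords, and the case where every method in the list errors out is reported as "exhausted" rather than decided, which is an assumption of this model.

```python
from enum import Enum

MAX_METHODS = 7  # the manual allows up to seven methods per list


class Result(Enum):
    ACCEPT = "accept"  # method verified the credentials
    REJECT = "reject"  # method works but does not know the credentials
    ERROR = "error"    # method could not answer, e.g. link to server down


def evaluate(method_list, outcomes):
    """Walk the list in order and return (verdict, deciding_method, tried).

    outcomes maps each method label (illustrative names) to the Result
    that method would produce for this login attempt.
    """
    if not 1 <= len(method_list) <= MAX_METHODS:
        raise ValueError("a method list holds one to seven methods")
    tried = []
    for method in method_list:
        tried.append(method)
        result = outcomes[method]
        if result is Result.ACCEPT:
            return "granted", method, tried
        if result is Result.REJECT:
            # A working method that rejects ends the process; later
            # methods are never consulted.
            return "denied", method, tried
        # Result.ERROR: only an error moves on to the next method.
    return "exhausted", None, tried  # assumption: left undecided here


def decider_on_outage(method_list, unreachable):
    """Audit helper: which method decides a login when the given
    methods are unreachable? Returns None if nothing is left."""
    for method in method_list:
        if method not in unreachable:
            return method
    return None


if __name__ == "__main__":
    methods = ["radius", "local"]  # constructed sample list
    for radius in Result:
        outcome = {"radius": radius, "local": Result.ACCEPT}
        print(radius.value, "->", evaluate(methods, outcome))
    print("radius down, decided by:", decider_on_outage(methods, {"radius"}))
```

Running the audit helper over each configured list shows which method decides logins while a server is unreachable; that method should be no weaker than the primary one.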
Configuration Considerations for Authentication-Method Lists
• For CLI access, you must configure authentication-method lists if you want the device to authenticate access
  using local user accounts or a RADIUS server. Otherwise, the device will authenticate using only the locally
  based password for the Super User privilege level.
• When no authentication-method list is configured specifically for Web management access, the device
  performs authentication using the SNMP community strings:
    • For read-only access, you can use the user name "get" and the password "public". The default read-only
      community string is "public".
    • Beginning with software release 05.1.00, there is no default read-write community string. Thus, by
      default, you cannot open a read-write management session using the Web management interface. You
      first must configure a read-write community string using the CLI. Then you can log on using "set" as the
      user name and the read-write community string you configure as the password. See "Configuring
      TACACS/TACACS+ Security" on page 2-20.
• If you configure an authentication-method list for Web management access and specify "local" as the primary
  authentication method, users who attempt to access the device using the Web management interface must
  supply a user name and password configured in one of the local user accounts on the device. The user
  cannot access the device by entering "set" or "get" and the corresponding SNMP community string.
• For devices that can be managed using SNMP management applications, the default authentication method
  (if no authentication-method list is configured for SNMP) is the CLI Super User level password. If no Super
June 2005
Securing Access to Management Functions
2 - 55


This manual is also suitable for:

J4139a, Procurve 9308m, J4874a, Procurve 9408sl, J4138a, J8680a ...
