TACACS+ offers the following advantages over RADIUS as the authentication device:
TACACS+ is TCP-based, so it facilitates connection-oriented traffic.
It supports full-packet encryption, as opposed to password-only in authentication requests.
It supports decoupled authentication, authorization, and accounting.
The following table describes Switch TACACS+ Configuration controls:
Switch TACACS+ Configuration controls
Primary Tacacs+ IP Address
Secondary Tacacs+ IP Address
Tacacs+ port (1-65000)
Tacacs+ timeout (4-15)
Tacacs+ retries (1-3)
Enable/Disable Tacacs+ Server
Enable/Disable Tacacs+ Backdoor for
Enable/Disable Secure Tacacs+ Backdoor for
Enable/Disable Tacacs+ new privilege level
Secondary Tacacs+ Server Secret
Tacacs+ User Mappings Configuration
If TACACS+ is enabled, you must login using TACACS+ authentication when
connecting via the console or Telnet/SSH/HTTP/HTTPS. Backdoor for console is always enabled,
so you can connect using notacacs and the administrator password even if the backdoor or
secure backdoor are disabled.
If Telnet backdoor is enabled, type in notacacs as a backdoor to bypass TACACS+ checking,
and use the administrator password to log into the switch. The switch allows this even if TACACS+
servers are available.
If secure backdoor is enabled, type in notacacs as a backdoor to bypass TACACS+ checking,
and use the administrator password to log into the switch. The switch allows this only if TACACS+
Configures the primary TACACS+ server address.
Configures the secondary TACACS+ server address.
Configures the number of the TCP port to be configured,
between 1 and 65000. The default is 49.
Configures the amount of time, in seconds, before a TACACS+
server authentication attempt is considered to have failed. The
default timeout is 5 seconds.
Configures the number of failed authentication requests before
switching to a different TACACS+ server. The default retry count is
Enables or disables the TACACS+ server.
Enables or disables the TACACS+ backdoor for
Enables or disables the TACACS+ back door using secure
password for telnet/SSH/HTTP/HTTPS.
Enables or disables TACACS+ privilege-level mapping.
The default value is disabled.
Configures the shared secret (up to 32 characters) between the
switch and the TACACS+ server.
Configures the secondary shared secret (up to 32 characters)
between the switch and the TACACS+ server.
Maps a TACACS+ privilege level to a HP 10GbE switch user level,
Remote Privilege—Enter a TACACS+ privilege level (0-15)
Local Privilege—Select the corresponding switch user level.
Configuring the switch