HP ProCurve 6120G/XG Manual page 166

HP ProCurve Series 6120 Blade Switches Access Security Guide

TACACS+ Authentication
Configuring TACACS+ on the Switch
Name
Specifies the IP address of a device running a TACACS+ server application. Optionally, you can also specify the unique, per-server
encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see "Using the
Encryption Key" on page 4-27 and the documentation provided with your TACACS+ server application. The oobm parameter
specifies that the operation will go out from the out-of-band management interface. If this parameter is not specified, the
operation goes out from the data interface. Refer to Appendix G, "Network Out-of-Band Management" in the Management and
Configuration Guide for more information on out-of-band management.
For switches that have a separate out-of-band management port, the oobm parameter specifies that the TACACS+ traffic will
go through the out-of-band management (OOBM) port.
You can enter up to three IP addresses; one first-choice and two (optional) backups (one second-choice and one third-choice).
Use show tacacs to view the current IP address list.
If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs
list. If the second address also fails, then the switch tries the third address, if any.
(See figure 4-3, "Example of the Switch's TACACS+ Configuration Listing" on page 4-10.)
The priority (first-choice, second-choice, and third-choice) of a TACACS+ server in the switch's TACACS+ configuration depends
on the order in which you enter the server IP addresses:
1. When there are no TACACS+ servers configured, entering a server IP address makes that server the first-choice TACACS+ server.
2. When there is one TACACS+ server already configured, entering another server IP address makes that server the second-choice (backup) TACACS+ server.
3. When there are two TACACS+ servers already configured, entering another server IP address makes that server the third-choice (backup) TACACS+ server.
• The above position assignments are fixed. Thus, if you remove one server and replace it with another, the new server assumes the priority position that the removed server had. For example, suppose you configured three servers, A, B, and C, in that order:
    First-Choice: A
    Second-Choice: B
    Third-Choice: C
• If you removed server B and then entered server X, the TACACS+ server order of priority would be:
    First-Choice: A
    Second-Choice: X
    Third-Choice: C
• If there are two or more vacant slots in the TACACS+ server priority list and you enter a new IP address, the new address
will take the vacant slot with the highest priority. Thus, if A, B, and C are configured as above and you (1) remove A and B,
and (2) enter X and Y (in that order), then the new TACACS+ server priority list would be X, Y, and C.
• The easiest way to change the order of the TACACS+ servers in the priority list is to remove all server addresses in the list
and then re-enter them in order, with the new first-choice server address first, and so on.
To add a new address to the list when there are already three addresses present, you must first remove one of the currently
listed addresses.
See also "General Authentication Process Using a TACACS+ Server" on page 4-24.
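The slot rules above, modeled in Python as an added example (not from the HP manual or the switch firmware): server names A, B, C, X and Y follow the manual's own example, while the class and method names are hypothetical. It lets you check which priority position a replacement server will inherit before you change the switch configuration.

```python
# Added illustration: a model of the three fixed priority slots described above.
# Server names follow the manual's example; class and method names are
# hypothetical. Duplicate entries are not described on the page and not modeled.

SLOT_NAMES = ("first-choice", "second-choice", "third-choice")


class TacacsServerList:
    def __init__(self):
        self.slots = [None] * len(SLOT_NAMES)  # None marks a vacant slot

    def add(self, server):
        """Place server in the highest-priority vacant slot; return its name."""
        for i, current in enumerate(self.slots):
            if current is None:
                self.slots[i] = server
                return SLOT_NAMES[i]
        raise ValueError("three servers already listed; remove one first")

    def remove(self, server):
        """Vacate the server's slot; the other servers keep their positions."""
        self.slots[self.slots.index(server)] = None

    def query_order(self):
        """Order in which servers are tried (vacant slots are skipped)."""
        return [s for s in self.slots if s is not None]

    def first_responder(self, responding):
        """Return the server that ends up answering a request, or None."""
        for server in self.query_order():
            if server in responding:
                return server
        return None

    def reorder(self, desired):
        """Remove every address, then re-enter them in the desired order."""
        for server in self.query_order():
            self.remove(server)
        return [self.add(server) for server in desired]


def build(*servers):
    """Enter servers one after another into an empty list."""
    lst = TacacsServerList()
    for server in servers:
        lst.add(server)
    return lst


if __name__ == "__main__":
    lst = build("A", "B", "C")
    lst.remove("B")
    print(lst.add("X"), lst.query_order())
```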
Name: key <key-string>
Default: none (null)
Range: n/a
