HP 10GB ETHERNET BL-C SWITCH BMD00022 Command Reference Manual page 117

Hewlett-packard switch user manual

TACACS+ offers the following advantages over RADIUS as the authentication device:
- TACACS+ is TCP-based, so it facilitates connection-oriented traffic.
- It supports full-packet encryption, as opposed to password-only in authentication requests.
- It supports decoupled authentication, authorization, and accounting.

The following table describes the TACACS+ Server Configuration Menu options.

Table 83. TACACS+ Server Configuration Menu options

Command
    Description

prisrv <IP address>
    Defines the primary TACACS+ server address.

secsrv <IP address>
    Defines the secondary TACACS+ server address.

secret <1-32 characters>
    This is the shared secret between the switch and the TACACS+ server(s).

secret2 <1-32 characters>
    This is the secondary shared secret between the switch and the TACACS+ server(s).

port <TCP port number>
    Enter the number of the TCP port to be configured, between 1 and 65000. The default is 49.

retries <1-3>
    Sets the number of failed authentication requests before switching to a different TACACS+ server. The range is 1-3 requests. The default is 3 requests.

timeout <4-15>
    Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered to have failed. The range is 4-15 seconds. The default is 5 seconds.

bckdoor enable|disable
    Enables or disables the TACACS+ back door for Telnet, SSH/SCP, or HTTP/HTTPS.
    Enabling this feature allows you to bypass the TACACS+ servers. It is recommended that you use Secure Backdoor to ensure the switch is secured, because Secure Backdoor disallows access through the back door when the TACACS+ servers are responding.
    The default value is disabled.

secbd enable|disable
    Enables or disables TACACS+ secure back door access through Telnet, SSH/SCP, or HTTP/HTTPS only when the TACACS+ servers are not responding.
    This feature is recommended to permit access to the switch when the TACACS+ servers become unresponsive. If no back door is enabled, the only way to gain access when TACACS+ servers are unresponsive is to use the back door via the console port. The default value is disabled.

cmap enable|disable
    Enables or disables TACACS+ privilege-level mapping.
    The default value is disabled.

usermap <0-15> user|oper|admin|none
    Maps a TACACS+ authorization level to a switch user level. Enter a TACACS+ authorization level (0-15), followed by the corresponding HP 10GbE switch user level.

on
    Enables the TACACS+ server.

off
    Disables the TACACS+ server.

cur
    Displays current TACACS+ configuration parameters.
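
The following audit script is an added example, not part of the HP manual or the switch software. It checks a transcribed TACACS+ configuration against the ranges in Table 83 and against the back door recommendations above. The "option value" input format, the sample values, and the function names parse and audit are assumptions made for illustration.

```python
# Ranges and defaults come from Table 83; the "option value" line format is an assumption.
RANGES = {"port": (1, 65000), "retries": (1, 3), "timeout": (4, 15)}
DEFAULTS = {"port": "49", "retries": "3", "timeout": "5",
            "bckdoor": "disable", "secbd": "disable", "cmap": "disable"}
LEVELS = {"user", "oper", "admin", "none"}
# Constructed sample, not output from a real switch.
SAMPLE = """prisrv 192.0.2.10
secret examplesecret
timeout 3
bckdoor enable
usermap 15 admin
usermap 1 root"""


def parse(text):
    """Parse 'option value...' lines into (settings dict, usermap dict)."""
    settings, usermap = dict(DEFAULTS), {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "usermap":
            usermap[" ".join(parts[1:2])] = " ".join(parts[2:])
        else:
            settings[parts[0]] = " ".join(parts[1:])
    return settings, usermap


def audit(text):
    """Return a list of findings for one transcribed TACACS+ configuration."""
    s, usermap = parse(text)
    findings = []
    for key in ("secret", "secret2"):
        if key in s and not 1 <= len(s[key]) <= 32:
            findings.append(f"{key}: length outside 1-32 characters")
    for key, (lo, hi) in RANGES.items():
        if not (s[key].isdecimal() and lo <= int(s[key]) <= hi):
            findings.append(f"{key}: outside {lo}-{hi}")
    for lvl, role in usermap.items():
        if not (lvl.isdecimal() and int(lvl) <= 15) or role not in LEVELS:
            findings.append(f"usermap {lvl} {role}: invalid mapping")
    if s["bckdoor"] == "enable":
        findings.append("bckdoor: bypass works even while servers respond; use secbd")
    elif s["secbd"] != "enable":
        findings.append("no back door: console port is the only access if servers fail")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
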

This manual is also suitable for:

10gb ethernet bl-c
