Table of Contents
Advertisement
When you configure authentication-method lists for TACACS/TACACS+ authentication, you must create a
separate authentication-method list for Telnet/SSH CLI access, and for access to the Privileged EXEC level and
CONFIG levels of the CLI.
To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method
for securing Telnet/SSH access to the CLI:
HP9300(config)# enable telnet authentication
HP9300(config)# aaa authentication login default tacacs local
The commands above cause TACACS/TACACS+ to be the primary authentication method for securing Telnet/
SSH access to the CLI. If TACACS/TACACS+ authentication fails due to an error with the server, authentication is
performed using local user accounts instead.
To create an authentication-method list that specifies TACACS/TACACS+ as the primary authentication method
for securing access to Privileged EXEC level and CONFIG levels of the CLI:
HP9300(config)# aaa authentication enable default tacacs local none
The command above causes TACACS/TACACS+ to be the primary authentication method for securing access to
Privileged EXEC level and CONFIG levels of the CLI. If TACACS/TACACS+ authentication fails due to an error
with the server, local authentication is used instead. If local authentication fails, no authentication is used; the
device automatically permits access.
Syntax: [no] aaa authentication enable | login default <method1> [<method2>] [<method3>] [<method4>]
[<method5>] [<method6>] [<method7>]
The web-server | enable | login parameter specifies the type of access this authentication-method list controls.
You can configure one authentication-method list for each type of access.
NOTE: If you configure authentication for Web management access, authentication is performed each time a
page is requested from the server. When frames are enabled on the Web management interface, the browser
sends an HTTP request for each frame. The HP device authenticates each HTTP request from the browser. To
limit authentications to one per page, disable frames on the Web management interface.
The <method1> parameter specifies the primary authentication method. The remaining optional <method>
parameters specify additional methods to try if an error occurs with the primary method. A method can be one of
the values listed in the Method Parameter column in the following table.
Method Parameter
line
enable
local
tacacs
tacacs+
Table 3.2: Authentication Method Values
Description
Authenticate using the password you configured for Telnet access. The
Telnet password is configured using the enable telnet password...
command.
Se
e "Setting a Telnet Password" on page 3-8.
Authenticate using the password you configured for the Super User
privilege level. This password is configured using the enable super
user-password... command. See "Setting Passwords for Management
Privilege Levels" on page 3-9.
Authenticate using a local user name and password you configured on
the device. Local user names and passwords are configured using the
username... command. See "Configuring a Local User Account" on
page 3-11.
Authenticate using the database on a TACACS server. You also must
identify the server to the device using the tacacs-server command.
Authenticate using the database on a TACACS+ server. You also must
identify the server to the device using the tacacs-server command.
Securing Access
3 - 23
Advertisement
Chapters
Table of Contents
