HP ProCurve 2500 User Manual, page 166
Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
With TACACS+ authentication configured on the switch and a TACACS+ server configured and operating in your network, an attempt to log on through Telnet or the switch's serial port is passed to the TACACS+ server for verification before permission is granted. Similarly, if an operator who has read-only access to the switch requests read-write access through the CLI enable command by entering a username and password, the switch grants read-write access only after the TACACS+ server verifies the request and returns permission to the switch.
Note
Software release F.02.02 for the Series 2500 switches enables TACACS+ authentication: the ability to allow or deny access to a Series 2500 switch on the basis of correct username/password pairs, and to specify the privilege level to allow if access is granted. This release does not support TACACS+ authorization or accounting services.
Series 2500 Switch Authentication Options
With software release F.02.02 installed, the Series 2500 switches include these types of authentication:
■ Local: Employs a username/password pair assigned locally to the switch. This option allows one username/password pair for manager-level privileges and another username/password pair for operator-level privileges. Local authentication is automatically available in the switch. The Management and Configuration Guide you received with your switch describes this method.
■ TACACS+: Employs a username/password pair assigned remotely to a TACACS+ server application. This option allows multiple username/password pairs for any privilege level available on the switch. The remainder of this section describes TACACS+ authentication on the Series 2500 switches.
■ None: The switch can be accessed by anyone without requiring a username/password pair. This is the case when TACACS+ is not enabled on the switch and a local, manager-level password is not configured in the switch. Allowing the switch to operate in this mode is not recommended because it compromises switch and network access security.
TACACS+ on the Series 2500 switches uses an authentication hierarchy consisting of remote control through a TACACS+ server and the local control (username and password) built into the switch. That is, with TACACS+ configured on the switch, if the switch cannot contact any designated TACACS+ server, it falls back to its own locally assigned username/password pairs to control access. Because of this fallback, the local manager and operator passwords remain part of the switch's security boundary and should still be set to strong values when TACACS+ is in use. To use TACACS+ authentication on a Series 2500 switch, you must enable TACACS+ in the switch and also purchase, install, and configure a third-party TACACS+ server application on the device(s) in your network that you want to use for managing TACACS+ authentication.
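The login and enable exchanges described at the start of this section, and the fallback rule in the paragraph above, as an added example that is not part of the manual and is not the switch's firmware or any vendor's server code. It models the switch side and a stand-in server in Python using the TACACS+ packet layout from RFC 8907 (12-byte header, MD5 pseudo-pad body obfuscation, authentication START and REPLY bodies). The PAP-style START that carries the password in a single packet, the privilege-level check inside the stand-in server, the user accounts, the shared key and the `None` placeholder for an unreachable server are all constructed assumptions, not the Series 2500's actual wire behaviour. The switch-side function shows the hierarchy the manual describes: a reachable server's PASS or FAIL is final, and the local username/password pairs are consulted only when no server answers.

```python
"""Model of the TACACS+ authentication exchange between a switch and its server (RFC 8907 layout)."""
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_LOGIN = 0x01               # START action
AUTHEN_TYPE_PAP = 0x02            # assumption: password travels in the START data field
SERVICE_LOGIN = 0x01              # Telnet / serial-port login
SERVICE_ENABLE = 0x02             # the CLI `enable` request for read-write access
STATUS_PASS, STATUS_FAIL = 0x01, 0x02

# Constructed local accounts: one operator-level and one manager-level pair, as on the switch.
LOCAL_ACCOUNTS = {"operator": ("oppass", 1), "manager": ("mgrpass", 15)}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 keystream; XOR with it is the only 'encryption' TACACS+ has."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(seq_no, session_id, body, key):
    """12-byte header (version, type, seq_no, flags, session_id, length) plus the obfuscated body."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    header = struct.pack("!BBBB4sI", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + (body if not key else obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no))

def parse_packet(packet, key):
    """Return (seq_no, session_id, plaintext body); refuses truncated packets."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return seq_no, session_id, body

def authen_start(user, password, service, priv_lvl, port=b"console", rem_addr=b""):
    """Authentication START body (RFC 8907 section 5.1): 8 fixed bytes, then user, port, rem_addr, data."""
    user_b, pw_b = user.encode(), password.encode()
    fixed = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, service,
                        len(user_b), len(port), len(rem_addr), len(pw_b))
    return fixed + user_b + port + rem_addr + pw_b

def parse_start(body):
    _action, priv_lvl, _authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    user = body[8:8 + ul]
    data = body[8 + ul + pl + rl:8 + ul + pl + rl + dl]
    return {"priv_lvl": priv_lvl, "service": service, "user": user.decode(), "password": data.decode()}

def authen_reply(status, server_msg=b""):
    """Authentication REPLY body (RFC 8907 section 5.2): status, flags, server_msg_len, data_len, msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]

class TacacsServer:
    """Constructed stand-in for the third-party server: users map to (password, highest allowed priv_lvl)."""
    def __init__(self, key, users):
        self.key, self.users = key, users

    def handle(self, packet):
        seq_no, session_id, body = parse_packet(packet, self.key)
        req = parse_start(body)
        password, max_priv = self.users.get(req["user"], (None, 0))
        ok = password is not None and req["password"] == password and req["priv_lvl"] <= max_priv
        reply = authen_reply(STATUS_PASS if ok else STATUS_FAIL, b"" if ok else b"Authentication failed")
        return build_packet(seq_no + 1, session_id, reply, self.key)   # reply carries the next seq_no

def switch_authenticate(user, password, service, priv_lvl, servers, key, local=LOCAL_ACCOUNTS):
    """Switch-side hierarchy: a reachable server's verdict is final; local pairs only if no server answers.
    An unreachable server is represented by None in the servers list (constructed convention)."""
    for server in servers:
        if server is None:
            continue
        session_id = os.urandom(4)
        request = build_packet(1, session_id, authen_start(user, password, service, priv_lvl), key)
        _, _, body = parse_packet(server.handle(request), key)
        status, _msg = parse_reply(body)
        return status == STATUS_PASS
    local_pw, max_priv = local.get(user, (None, 0))
    return local_pw is not None and password == local_pw and priv_lvl <= max_priv
```

The point worth checking in your own deployment is the one the two final branches of `switch_authenticate` encode: a user that the TACACS+ server rejects is not retried against the local accounts, while a server outage silently shifts the whole decision onto those local passwords. The pseudo-pad also makes clear why the shared key must be protected: the body is only XORed with an MD5 stream derived from the key, so anyone holding the key (or capturing enough traffic) can recover usernames and passwords from the wire.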