HP ProCurve 2500 User Manual

Enhancements in Release F.02.02
TACACS+ Authentication for Centralized Control of Switch Access Security
Configuring the Switch’s Authentication Methods
The aaa authentication command configures the access control for console port and Telnet access to
the switch. That is, for both access methods, aaa authentication specifies whether to use a TACACS+
server or the switch’s local authentication, or (for some secondary scenarios) no authentication
(meaning that if the primary method fails, authentication is denied). This command also reconfigures
the number of access attempts to allow in a session if the first attempt uses an incorrect
username/password pair.
Syntax:
aaa authentication < console | telnet > < enable | login > < local | tacacs > < local | none >
aaa authentication num-attempts < 1..10 >
Table 12.   AAA Authentication Parameters

| Name | Default | Range | Function |
|---|---|---|---|
| console - or - telnet | n/a | n/a | Specifies whether the command is configuring authentication for the console port or Telnet access method for the switch. |
| enable - or - login | n/a | n/a | Specifies the privilege level for the access method being configured. login: Operator (read-only) privileges. enable: Manager (read-write) privileges. |
| local - or - tacacs | local | n/a | Specifies the primary method of authentication for the access method being configured. local: Use the username/password pair configured locally in the switch for the privilege level being configured. tacacs: Use a TACACS+ server. |
| local - or - none | none | n/a | Specifies the secondary (backup) type of authentication being configured. local: The username/password pair configured locally in the switch for the privilege level being configured. none: No secondary type of authentication for the specified method/privilege path. (Available only if the primary method of authentication for the access being configured is local.) Note: If you do not specify this parameter in the command line, the switch automatically assigns the secondary method as follows: if the primary method is tacacs, the only secondary method is local; if the primary method is local, the default secondary method is none. |
| num-attempts | 3 | 1 - 10 | In a given session, specifies how many tries at entering the correct username/password pair are allowed before access is denied and the session terminated. |

As shown in the following table, login and enable access is always available locally through a direct
terminal connection to the switch’s console port. However, for Telnet access, you can configure
TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the
switch.
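
The defaults and the note in Table 12 determine the effective primary and secondary method for each access path even when a command omits the secondary parameter. The following Python is an added example, not code from the HP manual: it resolves those effective settings from saved `aaa authentication` lines and lists the paths on which the switch's local username/password pair is still consulted. It assumes each command is stored in the full, unabbreviated form of the Syntax line above; the sample configuration is constructed.

```python
import re

# Secondary method the switch assigns when the command omits it (Table 12 note).
IMPLIED_SECONDARY = {"tacacs": "local", "local": "none"}
METHOD = re.compile(r"^aaa authentication (console|telnet) (enable|login)"
                    r" (local|tacacs)(?: (local|none))?$")
ATTEMPTS = re.compile(r"^aaa authentication num-attempts (\d+)$")

def effective_auth(config_text):
    """Return (paths, num_attempts, errors) for the aaa authentication lines."""
    # Table 12 defaults: primary local, secondary none, three attempts.
    paths = {(a, p): ("local", "none")
             for a in ("console", "telnet") for p in ("login", "enable")}
    attempts, errors = 3, []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if not line.startswith("aaa authentication"):
            continue
        if m := ATTEMPTS.match(line):
            n = int(m.group(1))
            if 1 <= n <= 10:
                attempts = n
            else:
                errors.append(f"num-attempts outside 1-10: {line}")
        elif m := METHOD.match(line):
            access, level, primary, secondary = m.groups()
            paths[access, level] = (primary, secondary or IMPLIED_SECONDARY[primary])
        else:
            errors.append(f"unrecognised: {line}")
    return paths, attempts, errors

def local_credential_paths(paths):
    """Paths where the switch's local username/password pair is still consulted."""
    return sorted(path for path, methods in paths.items() if "local" in methods)

# Constructed sample configuration (not taken from the manual).
SAMPLE = """\
aaa authentication telnet login tacacs
aaa authentication telnet enable tacacs local
aaa authentication console enable local none
aaa authentication num-attempts 12
"""

if __name__ == "__main__":
    paths, attempts, errors = effective_auth(SAMPLE)
    for (access, level), (pri, sec) in sorted(paths.items()):
        print(f"{access:8}{level:7} primary={pri:7} secondary={sec}")
    print("num-attempts:", attempts, "| errors:", errors)
    print("local credentials in use on:", local_credential_paths(paths))
```

In the sample, every path still depends on the locally configured passwords, either as the primary method or as the fallback behind TACACS+, so those passwords need the same care as the TACACS+ accounts.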