IronPort Systems 4108GL User Manual

9-12

Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security

2. Determine the following:

   - The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first choice for authentication services.

   - The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).

   - The number of log-in attempts you will allow before closing a log-in session. (Default: 3)

   - The period you want the switch to wait for a reply to an authentication request before trying another server.

   - The username/password pairs you want the TACACS+ server to use for controlling access to the switch.

   - The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.

   - The username/password pairs you want to use for local authentication (one pair each for Operator and Manager levels).

3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the username/password sets for logging in at the Operator (read-only) privilege level and the sets for logging in at the Manager (read/write) privilege level.

Note on Privilege Levels

When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of "15" as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access. Thus, when configuring the TACACS+ server response to a request that includes a username/password pair that should have Manager privileges, you must use a privilege level of 15. For more on this topic, refer to the documentation you received with your TACACS+ server application.

If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After you have success with the minimum feature set, you may then want to try additional features that the application offers.
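Two of the items above, the shared encryption key and the privilege level code, can be seen working together in the following added example; it is not code from the manual or from HP. It applies the TACACS+ body obfuscation of RFC 8907 (an MD5-derived XOR pad, which is why the key is better understood as a shared secret than as strong encryption) to a constructed, simplified reply body, then applies the switch's rule that code 15 means Manager and 0 to 14 means Operator. The session ID, key, sequence number and NUL-separated attribute layout are assumptions made for the example.

```python
import hashlib

# Constructed values (assumptions, not from the manual): a 4-byte TACACS+
# session ID and the key the switch and server are expected to share.
SESSION_ID = bytes.fromhex("0a1b2c3d")
SERVER_KEY = b"switch-tacacs-key"
VERSION = 0xC0  # TACACS+ major version 0xC, minor version 0
SEQ_NO = 2      # server replies carry even sequence numbers

def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5(session_id||key||version||seq_no[||previous digest]), chained."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: bytes, key: bytes, seq_no: int = SEQ_NO) -> bytes:
    """XOR the packet body with the pad; the same call reverses it, so it also decodes."""
    pad = tacacs_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def privilege_level_for(code: int) -> str:
    """Switch-side rule from the manual: code 15 is Manager, 0..14 is Operator."""
    if code == 15:
        return "Manager"
    if 0 <= code <= 14:
        return "Operator"
    raise ValueError(f"priv-lvl {code} is outside 0..15")

def switch_decision(reply_body: bytes, session_id: bytes, switch_key: bytes) -> str:
    """Decode the reply with the switch's key and grant the level it carries, else deny."""
    body = obfuscate(reply_body, session_id, switch_key)
    for pair in body.split(b"\x00"):  # NUL-separated AV pairs in this constructed body
        if pair.startswith(b"priv-lvl="):
            try:
                return privilege_level_for(int(pair[len(b"priv-lvl="):]))
            except ValueError:  # not an integer, or out of range: treat as no grant
                break
    return "denied"

# Constructed, simplified reply body: the AV pairs a server would return for a Manager user.
MANAGER_REPLY = obfuscate(b"service=shell\x00priv-lvl=15", SESSION_ID, SERVER_KEY)

if __name__ == "__main__":
    print(switch_decision(MANAGER_REPLY, SESSION_ID, SERVER_KEY))    # Manager
    print(switch_decision(MANAGER_REPLY, SESSION_ID, b"wrong-key"))  # denied
```

A key mismatch between switch and server does not produce an error message in the reply; the decoded body is simply unreadable, which is what the second call shows.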