IronPort Systems 4108GL User Manual
Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security
2. Determine the following:
■ The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first choice for authentication services.
■ The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).
■ The number of log-in attempts you will allow before closing a log-in session. (Default: 3)
■ The period you want the switch to wait for a reply to an authentication request before trying another server.
■ The username/password pairs you want the TACACS+ server to use for controlling access to the switch.
■ The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.
■ The username/password pairs you want to use for local authentication (one pair each for Operator and Manager levels).
3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the username/password sets for logging in at the Operator (read-only) privilege level and the sets for logging in at the Manager (read/write) privilege level.
Note on Privilege Levels
When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of "15" as authorization for the Manager (read/write) privilege level access. Privilege level codes of 14 and lower result in Operator (read-only) access. Thus, when configuring the TACACS+ server response to a request that includes a username/password pair that should have Manager privileges, you must use a privilege level of 15. For more on this topic, refer to the documentation you received with your TACACS+ server application.
If you are a first-time user of the TACACS+ service, HP recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After you have success with the minimum feature set, you may then want to try additional features that the application offers.