beautypg.com

Encryption options in the switch, Encryption options in the switch -27 – IronPort Systems 4108GL User Manual

Page 181

background image

9-27

Using Passwords and TACACS+ To Protect Against Unauthorized Access

TACACS+ Authentication for Central Control of Switch Access Security

Usi
n

g P
a

sswor

ds and

TA
C

A

CS+

N o t e

Configure a key in the switch only if the TACACS+ server application has this
exact same key configured for the switch. That is, if the key parameter in
switch "X" does not exactly match the key setting for switch "X" in the
TACACS+ server application, then communication between the switch and
the TACACS+ server will fail.

Thus, on the TACACS+ server side, you have a choice as to how to implement
a key. On the switch side, it is necessary only to enter the key parameter so
that it exactly matches its counterpart in the server. For information on how
to configure a general or individual key in the TACACS+ server, refer to the
documentation you received with the application.

Encryption Options in the Switch

When configured, the encryption key causes the switch to encrypt the
TACACS+ packets it sends to the server. When left at "null", the TACACS+
packets are sent in clear text. The encryption key (or just "key") you configure
in the switch must be identical to the encryption key configured in the
corresponding TACACS+ server. If the key is the same for all TACACS+
servers the switch will use for authentication, then configure a global key in
the switch. If the key is different for one or more of these servers, use "server-
specific" keys in the switch. (If you configure both a global key and one or
more per-server keys, the per-server keys will override the global key for the
specified servers.)

For example, you would use the next command to configure a global encryp-
tion key in the switch to match a key entered as

north40campus

in two target

TACACS+ servers. (That is, both servers use the same key for your switch.)
Note that you do not need the server IP addresses to configure a global key in
the switch:

HP4108(config)# tacacs-server key north40campus

Suppose that you subsequently add a third TACACS+ server (with an IP
address of 10.28.227.87) that has

south10campus

for an encryption key. Because

this key is different than the one used for the two servers in the previous
example, you will need to assign a server-specific key in the switch that applies
only to the designated server:

HP4108(config)# tacacs-server host 10.28.227.87 key

south10campus

With both of the above keys configured in the switch, the

south10campus

key

overrides the

north40campus

key only when the switch tries to access the

TACACS+ server having the 10.28.227.87 address.