TACACS+ Authentication
Controlling Web Browser Interface Access When Using TACACS+ Authentication
in the switch must be identical to the encryption key configured in the
corresponding TACACS+ server. If the key is the same for all TACACS+
servers the switch will use for authentication, then configure a global key in
the switch. If the key is different for one or more of these servers, use “server-
specific” keys in the switch. (If you configure both a global key and one or
more per-server keys, the per-server keys will override the global key for the
specified servers.)
For example, you would use the next command to configure a global encryp-
tion key in the switch to match a key entered as
north40campus in two target
TACACS+ servers. (That is, both servers use the same key for your switch.)
Note that you do not need the server IP addresses to configure a global key in
the switch:
ProCurve(config)# tacacs-server key north40campus
Suppose that you subsequently add a third TACACS+ server (with an IP
address of 10.28.227.87) that has
south10campus for an encryption key. Because
this key is different than the one used for the two servers in the previous
example, you will need to assign a server-specific key in the switch that applies
only to the designated server:
ProCurve(config)# tacacs-server host 10.28.227.87 key
south10campus
With both of the above keys configured in the switch, the
south10campus key
overrides the
north40campus key only when the switch tries to access the
TACACS+ server having the 10.28.227.87 address.
Controlling Web Browser Interface
Access When Using TACACS+
Authentication
Configuring the switch for TACACS+ authentication does not affect web
browser interface access. To prevent unauthorized access through the web
browser interface, do one or more of the following:
■ Configure local authentication (a Manager user name and password and,
optionally, an Operator user name and password) on the switch.
4-27
