If you are new to TACACS+ authentication, HP recommends that you configure your TACACS+ servers before configuring authentication on the switch.
The aaa authentication command configures access control for the following access methods:
-
Console
-
Telnet
-
SSH
-
Web
-
Port-access (802.1X)
However, TACACS+ authentication is only used with the console, Telnet, or SSH access methods. The command specifies whether to use a TACACS+ server or the switch local authentication, or (for some secondary scenarios) no authentication. This means that if the primary method fails, authentication is denied. The command also reconfigures the number of access attempts to allow in a session if the first attempt uses an incorrect user name/password pair.
Syntax
The server grants privileges at the operator privilege level. If the
privilege-modeoption is entered, TACACS+ is enabled for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server. Default:Single login disabled.
[
<local|none>]If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access.
Syntax
Syntax
For the single login feature to work correctly you must check some entries in the User Setup on the TACACS+ server:
-
In the User Setup, scroll to the Advanced TACACS+ Settings section.
-
Make sure the radio button for "Max Privilege for any AAA Client" is checked and the level is set to 15, as shown in Advanced TACACS+ settings section of the TACACS+ server user setup.
-
Privileges are represented by the numbers 0 through 15, with zero allowing only operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that allows manager level access on the switch.
-
Scroll down to the section that begins with "Shell", see The shell section of the TACACS+ server user setup. Check the Shell box.
-
Check the Privilege level box and set the privilege level to 15 to allow "root" privileges. This allows you to use the single login option.
As shown in Configuring the switch TACACS+ server access, login and enable access is always available locally through a direct terminal connection to the switch console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.
The tacacs-server command configures these parameters:
-
The host IP addresses for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.
-
An optionalencryption key. This key helps to improve security, and must match the encryption key used in your TACACS+ server application. In some applications, the term "secret key" or "secret" may be used instead of "encryption key". If you need only one encryption key for the switch to use in all attempts to authenticate through a TACACS+ server, configure a global key. However, if the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
-
The timeoutvalue in seconds for attempts to contact a TACACS+ server. If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any TACACS+ server, it reverts to whatever secondary authentication method was configured using the
aaa authenticationcommand (local or none), see Selecting the access method for configuration .
Syntax
Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
Removes a TACACS+ server assignment (including its server-specific encryption key, if any).
Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication.
Removes the optional global encryption key. This does not affect any server-specific encryption key assignments.
Syntax
These commands are used to enable TACACS+ authorization.
Brief description of TACACS authorization options:
Local
Locally authenticated clients goes through local authorization. No authentication is performed for RADIUS/TACACS+ authenticate clients.
RADIUS
Locally authenticated clients go through local authorization. RADIUS authenticated clients go through RADIUS authorization. No authorization is performed for TACACS+ authenticated clients.
TACACS
TACACS authenticated clients go through TACACS authorization. No authorization is performed for RADIUS/locally authenticated users.
Auto
Uses the same method as Authentication and Authorization. For example local/radius/tacacs authenticated clients will go through local/radius/tacacs authorization respectively.
Authorization method
Syntax
Configures the dead time for unavailable TACACS+ servers. When a server stops responding, the switch ignores this for a given amount of time and proceeds immediately to the next backup. Configuring the dead time improves server response time as the switch no longer has to wait for connections to time out before contacting the next backup server. The default value of zero disables skipping unavailable servers.
Syntax
Configure command authorization. For each command issued by the user, an authorization request is sent to the server. Command authorization can be applied to all commands or only manager-level commands:
Syntax
[no]
aaa accountingexec|network|system|commandsstart-stop|stop-only|intermim-updateradius|syslog|tacacsConfigure the accounting service on the device. Accounting can be configured for EXEC sessions, network connection, commands and system. The accounting data is collected by a RADIUS, SYSLOG, or TACACS+ server.
NOTE: Network accounting is not supported through TACACS+ and SYSLOG.
session-idaccounting is not supported for TACACS+.
Syntax
Show accounting configuration parameters. If sessions is specified, the command will show accounting data for all active sessions.
show accounting
HP-3500yl-48G(config)# show accounting Status and Counters - Accounting Information Interval(min) : 0 Suppress Empty User : No Sessions Identification : Common Type | Method Mode Server Group -------- + ------ -------------- ------------ Network | None Exec | None System | tacacs Start-Stop tacacs Commands | None
This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.
Syntax
This example shows the default authentication configuration.
Syntax
Show TACACS+ status and statistics information.
show tacacs
HP-3500yl-24G-PoEP# show tacacs TACACS+ Information Timeout : 5 Source IP Selection : Outgoing Interface Encryption Key : Server Addr Opens Closes Aborts Errors Pkts Rx Pkts Tx OOBM ------------ ------ ------ ------ ------ ------- ------- ----show tacacs host
HP-3500yl-48G(config)#Show tacacs host <IP> TACACS+ Server Information Server Addr : 10.0.0.3 OOBM : Enabled Sessions Opened : Sessions Closed : Sessions Aborted : Sessions Error : Authentication : Packets Tx : 0 Packets Rx : 0 Timeouts : 0 Authorization : Packets Tx : 0 Packets Rx : 0 Timeouts : 0 Accounting : Packets Tx : 0 Packets Rx : 0 Timeouts : 0
Syntax
Show accounting data for all active sessions.
show accounting sessions
HP-3500yl-48G(config)# Active Accounted actions on SWITCH, User (n/a) Priv (n/a), Acct-Session-Id 0x013E00000006, System Accounting record, 1:45:34 Elapsed, system event ‘Accounting On’, method ‘radius’ Active Accounted actions on SWITCH, User (n/a) Priv (n/a), Task-id 0x013E00000006, Command Accounting record, 1:45:34 Elapsed, method ‘tacacs’.
Syntax
Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see Encryption options in the switch and the documentation provided with your TACACS+ server application.
For switches that have a separate out-of-band management port, the oobm parameter specifies that the TACACS+ traffic goes through the out-of-band management (OOBM) port.
You can enter up to three IP addresses; one first-choice and two (optional) backups (one second-choice and one third-choice).
Use show tacacs to view the current IP address list.
If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs list. If the second address also fails, then the switch tries the third address, if any.
The priority (first-choice, second-choice, and third-choice) of a TACACS+ server in the switch TACACS+ configuration depends on the order in which you enter the server IP addresses:
-
When there are no TACACS+ servers configured, entering a server IP address makes that server the first-choice TACACS+ server.
-
When there is one TACACS+ serves already configured, entering another server IP address makes that server the second-choice (backup) TACACS+ server.
-
When there are two TACACS+ servers already configured, entering another server IP address makes that server the third-choice (backup) TACACS+ server.
The above position assignments are fixed. If you remove one server and replace it with another, the new server assumes the priority position that the removed server had. For example, suppose you configured three servers, A, B, and C, configured in order:
If there are two or more vacant slots in the TACACS+ server priority list and you enter a new IP address, the new address takes the vacant slot with the highest priority. Thus, if A, B, and C are configured as above and you (1) remove A and B, and (2) enter X and Y (in that order), then the new TACACS+ server priority list would be X, Y, and C. The easiest way to change the order of the TACACS+ servers in the priority list is to remove all server addresses in the list and then re-enter them in order, with the new first-choice server address first, and so on. To add a new address to the list when there are already three addresses present, you must first remove one of the currently listed addresses. See also General authentication process using a TACACS+ server. Default: None
Syntax
Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if configured) or denies access (if none configured for local authentication).
When configured, the encryption key causes the switch to encrypt the TACACS+ packets it sends to the server. When left at "null", the TACACS+ packets are sent in clear text. The encryption key (or just "key") you configure in the switch must be identical to the encryption key configured in the corresponding TACACS+ server. If the key is the same for all TACACS+ servers the switch uses for authentication, then configure a global key in the switch. If the key is different for one or more of these servers, use "server-specific" keys in the switch. (If you configure both a global key and one or more per-server keys, the per-server keys overrides the global key for the specified servers.)
For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch:
HPswitch(config)# tacacs-server key north40campus
Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.227.87) that has south10campus for an encryption key. Because this key is different than the one used for the two servers in the previous example, you must assign a server-specific key in the switch that applies only to the designated server:
HPswitch(config)# tacacs-server host 10.28.227.87 key south10campus
With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.
When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading user name and password information in TACACS+ packets moving between the switch and a TACACS+ server. At the TACACS+ server, a key may include both of the following:
-
Global key: A general key assignment in the TACACS+ server application that applies to all TACACS-aware devices for which an individual key has not been configured.
-
Server-Specific key: A unique key assignment in the TACACS+ server application that applies to a specific TACACS-aware device.
|
|
|
![[NOTE: ]](images/note.gif) |
NOTE: Configure a key in the switch only if the TACACS+ server application has this exact same key configured for the switch. That is, if the key parameter in switch "X" does not exactly match the key setting for switch "X" in the TACACS+ server application, then communication between the switch and the TACACS+ server fails. |
|
|
Thus, on the TACACS+ server side, you have a choice as to how to implement a key. On the switch side, it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server. For information on how to configure a general or individual key in the TACACS+ server, see the documentation you received with the application.
Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. (If the server expects a key, but the switch either does not provide one, or provides an incorrect key, then the authentication attempt fails.)
-
Use a global encryption key if the same key applies to all TACACS+ servers the switch may use for authentication attempts.
-
Use a per-server encryption key if different servers the switch may use have different keys. (For more details on encryption keys, see Encryption options in the switch.
Syntax
Specifies the optional, global "encryption key" that is also assigned in the TACACS+ servers that the switch accesses for authentication. This option is subordinate to any "per-server" encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a "per-server" key. (See the
host[<ip-addr>keykey-string]entry above)
You can configure a TACACS+ encryption key that includes a tilde (~) as part of the key, for example, "hp~switch". It is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character
For more on the encryption key, see Encryption options in the switch and the documentation provided with your TACACS+ server application.
To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command:
HPswitch(config)# tacacs-server host 10.28.227.104
|
|
|
|
|
NOTE: You can save the encryption key in a configuration file by entering this command: |
|
|
The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS+ server before either sending a new request to the next server in the switch Server IP Address list or using the local authentication option. For example, to change the timeout period from 5 seconds (the default) to 3 seconds:
HPswitch(config)# tacacs-server timeout 3
Syntax
Adds a TACACS+ server and optionally assigns a serverspecific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
NOTE: For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks. The input for <key-string> is prompted for interactively. See Secure Mode (3800, 5400zl, and 8200zl Switches).
Removes a TACACS+ server assignment (including its server-specific encryption key, if any).
Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication. The encrypted-key parameter configures a global encryption key, specified using a base64-encoded aes-256 encrypted strin
Removes the optional global encryption key. (Does not affect any server-specific encryption key assignments.)
Encryption key to use with a TACACS+ server, specified using a base64-encoded aes-256 encrypted string.
When using TACACS+ to control user access to the switch, first login with your user name at the operator privilege level using the password for operator privileges, then login again with the same user name but using the Manger password to obtain manager privileges. You can avoid this double login process by entering the privilege-mode option with the aaa authentication login command to enable TACACS+ for a single login. The switch authenticates your user name/password, then requests the privilege level (operator or manager) that was configured on the TACACS+ server for this user name/password. The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into operator or manager mode, depending on your privilege level.
HP Switch(config) aaa authentication login privilege-mode
The no version of the above command disables TACACS+ single login capability.
Example
Suppose the switch is configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. 10.28.227.15 was entered first and so is listed as the first-choice server:
To move the "first-choice" status from the "15" server to the "10" server, use the no tacacs-server host <ip-addr> command to delete both servers, then use tacacs-server host <ip-addr> to re-enter the "10" server first, then the "15" server.
The servers would then be listed with the new "first-choice" server, that is:
To remove the 10.28.227.15 device as a TACACS+ server, you would use this command:
HPswitch(config)# no tacacs-server host 10.28.227.15