How authentication operates

General authentication process using a TACACS+ server

Authentication through a TACACS+ server operates generally as described below. For specific operating details, see the documentation you received with your TACACS+ server application.

Using a TACACS+ server for authentication

When a TACACS+ server is used for authentication, after the switch detects an operator's logon request from a remote or directly connected terminal, the following events occur:

  1. The switch queries the first-choice TACACS+ server for authentication of the request.

    • If the switch does not receive a response from the first-choice TACACS+ server, it attempts to query a secondary server. If the switch does not receive a response from any TACACS+ server, it uses its own local username/password pairs to authenticate the logon request; see Local authentication process (TACACS+).

    • If a TACACS+ server recognizes the switch, it forwards a username prompt to the requesting terminal via the switch.

  2. When the requesting terminal responds to the prompt with a username, the switch forwards it to the TACACS+ server.

  3. After the server receives the username input, the requesting terminal receives a password prompt from the server via the switch.

  4. When the requesting terminal responds to the prompt with a password, the switch forwards it to the TACACS+ server and one of the following actions occurs:

    • If the username/password pair received from the requesting terminal matches a username/password pair previously stored in the server, then the server passes access permission through the switch to the terminal.

    • If the username/password pair entered at the requesting terminal does not match a username/password pair previously stored in the server, access is denied. In this case, the terminal is again prompted to enter a username, and steps 2 through 4 repeat. In the default configuration, the switch allows up to three attempts to authenticate a login session. If the requesting terminal exhausts the attempt limit without a successful TACACS+ authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.

Local authentication process (TACACS+)

When the switch is configured to use TACACS+, it reverts to local authentication only if one of these two conditions exists:

  • "Local" is the authentication option for the access method being used.

  • TACACS+ is the primary authentication mode for the access method being used, and Local is the secondary authentication method, which is used only if the switch is unable to connect to any TACACS+ server.

For a listing of authentication options, see Configuring the switch TACACS+ server access.

For local authentication, the switch uses the operator-level and manager-level username/password set(s) previously configured locally on the switch. (These are the usernames and passwords you can configure using the CLI password command, the WebAgent, or the menu interface, which enables only local password configuration.)

  • If the operator at the requesting terminal correctly enters the username/password pair for either access level, access is granted.

  • If the username/password pair entered at the requesting terminal does not match either username/password pair previously configured locally in the switch, access is denied. In this case, the terminal is again prompted to enter a username/password pair. In the default configuration, the switch allows up to three attempts. If the requesting terminal exhausts the attempt limit without a successful authentication, the login session is terminated and the operator at the requesting terminal must initiate a new session before trying again.


NOTE: The switch menu allows you to configure only the local operator and manager passwords, and not any usernames. In this case, all prompts for local authentication will request only a local password. However, if you use the CLI or the WebAgent to configure usernames for local access, you will see a prompt for both a local username and a local password during local authentication.
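The server-selection, local-fallback and attempt-limit behaviour described above, written out as an added simulation. This is not HP firmware code; it assumes a TACACS+ primary / Local secondary configuration for the access method, and the server addresses and credentials it uses are constructed sample values.

```python
"""Switch-side login decision, written as an added simulation (not HP firmware
code): query the configured TACACS+ servers in order, fall back to local
credentials when none answers (assumes TACACS+ primary / Local secondary),
and enforce the default three-attempt limit."""
from dataclasses import dataclass, field
from typing import Optional

MAX_ATTEMPTS = 3  # default attempt limit per login session, as the text states


@dataclass
class TacacsServer:
    """A configured TACACS+ server; reachable=False models one that never
    responds to the switch's query. `accounts` is a constructed sample."""
    address: str
    reachable: bool
    accounts: dict = field(default_factory=dict)  # username -> password

    def check(self, username: str, password: str) -> bool:
        return self.accounts.get(username) == password


@dataclass
class LocalAccount:
    """One local access level (operator or manager). `username` is None when
    only a password was set, e.g. through the menu interface."""
    level: str
    password: str
    username: Optional[str] = None


def select_server(servers: list) -> Optional[TacacsServer]:
    """First-choice server if it answers, otherwise the first secondary that
    does. None means no server responded and local authentication applies."""
    for server in servers:
        if server.reachable:
            return server
    return None


def local_check(local_accounts: list, username: str, password: str) -> Optional[str]:
    """Match the pair against the local operator/manager sets; returns the
    level granted or None. With no local username configured, only the
    password is compared, matching the NOTE above."""
    for acct in local_accounts:
        if acct.password == password and acct.username in (None, username):
            return acct.level
    return None


def login(servers: list, local_accounts: list, attempts: list,
          max_attempts: int = MAX_ATTEMPTS) -> tuple:
    """Run one login session over the (username, password) pairs the operator
    types. Returns (outcome, backend, attempts_used); outcome is 'granted' or
    'terminated', backend is the server address or 'local'."""
    server = select_server(servers)
    backend = server.address if server is not None else "local"
    used = 0
    for username, password in attempts[:max_attempts]:
        used += 1
        if server is not None:
            ok = server.check(username, password)
        else:
            ok = local_check(local_accounts, username, password) is not None
        if ok:
            return ("granted", backend, used)
    # Attempt limit exhausted: the session ends and a new one must be started.
    return ("terminated", backend, used)


# Constructed sample configuration (not real addresses or credentials).
SERVERS = [
    TacacsServer("10.0.0.1", reachable=False),  # first-choice server is silent
    TacacsServer("10.0.0.2", reachable=True, accounts={"netops": "s3cret"}),
]
LOCAL = [
    LocalAccount("manager", "mgrpass", username="admin"),
    LocalAccount("operator", "oppass"),  # menu-configured: password only
]

if __name__ == "__main__":
    print(login(SERVERS, LOCAL, [("netops", "wrong"), ("netops", "s3cret")]))
    print(login(SERVERS, LOCAL, [("netops", "bad")] * 5))
    print(login([SERVERS[0]], LOCAL, [("anything", "oppass")]))
```

The third call shows the local fallback with a menu-configured operator password: because no local username exists, whatever username is typed is ignored and only the password decides. The second call shows that a fourth and fifth typed pair are never consulted once the three-attempt limit is reached.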


Using the encryption key

General operation

When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading username and password information in TACACS+ packets moving between the switch and a TACACS+ server. At the TACACS+ server, a key may include both of the following:

  • Global key: A general key assignment in the TACACS+ server application that applies to all TACACS-aware devices for which an individual key has not been configured.

  • Server-Specific key: A unique key assignment in the TACACS+ server application that applies to a specific TACACS-aware device.


NOTE: Configure a key in the switch only if the TACACS+ server application has this exact same key configured for the switch. That is, if the key parameter in switch "X" does not exactly match the key setting for switch "X" in the TACACS+ server application, then communication between the switch and the TACACS+ server will fail.


Thus, on the TACACS+ server side, you have a choice as to how to implement a key. On the switch side, it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server. For information on how to configure a general or individual key in the TACACS+ server, see the documentation you received with the application.

Encryption options in the switch

When configured, the encryption key causes the switch to encrypt the TACACS+ packets it sends to the server. When left at "null", the TACACS+ packets are sent in clear text. The encryption key (or just "key") you configure in the switch must be identical to the encryption key configured in the corresponding TACACS+ server. If the key is the same for all TACACS+ servers the switch will use for authentication, then configure a global key in the switch. If the key is different for one or more of these servers, use "server-specific" keys in the switch. (If you configure both a global key and one or more per-server keys, the per-server keys will override the global key for the specified servers.)

For example, you would use the following command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch:

HP Switch(config)# tacacs-server key north40campus

Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.227.87) that has south10campus for an encryption key. Because this key is different than the one used for the two servers in the previous example, you will need to assign a server-specific key in the switch that applies only to the designated server:

HP Switch(config)# tacacs-server host 10.28.227.87 key south10campus

With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.
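To make concrete why the key must match exactly and what a "null" key means on the wire, here is an added example (not from the HP documentation or the switch firmware) of the packet-body transformation that the shared key drives, as specified in RFC 8907 section 4.5. RFC 8907 calls this obfuscation rather than encryption: an MD5-derived pad is XORed over the body, which is why the section above describes it as protecting against intruders reading credentials off the network, not as strong cryptography. The session ID, username, port and addresses below are constructed sample values; the key names are the ones used in the text.

```python
"""Added example, not from the HP documentation: the TACACS+ packet-body
obfuscation that the shared key drives (RFC 8907 section 4.5). It shows why the
key in the switch must match the server's key for that switch byte for byte,
and what a "null" key means on the wire."""
import hashlib


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pad: MD5(session_id|key|version|seq_no), then each further
    block MD5(... |previous block), concatenated and cut to the body length."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(body: bytes, session_id: int, key: str,
                   version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so the same call
    encodes on the switch and decodes on the server. An empty key is the
    unencrypted case: the body is sent exactly as built."""
    if not key:
        return body
    pad = pseudo_pad(session_id, key.encode(), version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body (RFC 8907 section 5.1): action=LOGIN(1),
    priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1), four length
    bytes, then user, port, rem_addr (no data field for an ASCII login START)."""
    return bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr


# Constructed sample values (no real session or credentials).
SESSION_ID = 0x1A2B3C4D
SWITCH_KEY = "north40campus"        # the global key from the example above
BODY = build_start_body(b"admin", b"console", b"10.0.0.5")


def switch_sends(key: str) -> bytes:
    """What leaves the switch for this body under the given key setting."""
    return transform_body(BODY, SESSION_ID, key)


def server_decodes(wire: bytes, server_key: str) -> bytes:
    """What the server recovers using the key it has on file for this switch."""
    return transform_body(wire, SESSION_ID, server_key)


if __name__ == "__main__":
    wire = switch_sends(SWITCH_KEY)
    print("matching key  :", server_decodes(wire, "north40campus") == BODY)
    print("mismatched key:", server_decodes(wire, "south10campus") == BODY)
    print("null key, username readable:", b"admin" in switch_sends(""))
```

With matching keys the server recovers the body exactly; with the server holding south10campus for a switch that sends north40campus, the decoded bytes are unrelated to what was built, so the server cannot parse the START packet and the exchange fails, which is the failure the NOTE above describes. With no key configured the username travels as-is in the body, which is what "sent in clear text" means in practice.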