
TACACS+ offers the following advantages over RADIUS as the authentication protocol:
• TACACS+ is TCP-based, so it carries connection-oriented traffic with reliable delivery.
• It encrypts the full packet body, whereas RADIUS encrypts only the password field in authentication requests.
• It decouples authentication, authorization, and accounting, so each can be handled and logged separately.
The following table describes the TACACS+ Server Configuration Menu options.

Table 83  TACACS+ Server Configuration Menu options

Command
    Description

prisrv <IP address>
    Defines the primary TACACS+ server address.

secsrv <IP address>
    Defines the secondary TACACS+ server address.

secret <1-32 characters>
    The shared secret between the switch and the TACACS+ server(s).

secret2 <1-32 characters>
    The secondary shared secret between the switch and the TACACS+ server(s).

port <TCP port number>
    Enter the number of the TCP port to be configured, between 1 and 65000.
    The default is 49.

retries <1-3>
    Sets the number of failed authentication requests before switching to a
    different TACACS+ server. The range is 1-3 requests. The default is 3
    requests.

timeout <4-15>
    Sets the amount of time, in seconds, before a TACACS+ server
    authentication attempt is considered to have failed. The range is 4-15
    seconds. The default is 5 seconds.

bckdoor enable|disable
    Enables or disables the TACACS+ back door for Telnet, SSH/SCP, or
    HTTP/HTTPS.
    Enabling this feature allows you to bypass the TACACS+ servers. It is
    recommended that you use Secure Backdoor to ensure the switch is
    secured, because Secure Backdoor disallows access through the back door
    when the TACACS+ servers are responding.
    The default value is disabled.

secbd enable|disable
    Enables or disables TACACS+ secure back door access through Telnet,
    SSH/SCP, or HTTP/HTTPS only when the TACACS+ servers are not
    responding.
    This feature is recommended to permit access to the switch when the
    TACACS+ servers become unresponsive. If no back door is enabled, the
    only way to gain access when TACACS+ servers are unresponsive is to use
    the back door via the console port. The default value is disabled.

cmap enable|disable
    Enables or disables TACACS+ privilege-level mapping.
    The default value is disabled.

usermap <0-15> user|oper|admin|none
    Maps a TACACS+ authorization level to a switch user level. Enter a
    TACACS+ authorization level (0-15), followed by the corresponding HP
    10GbE switch user level.

on
    Enables the TACACS+ server.

off
    Disables the TACACS+ server.

cur
    Displays current TACACS+ configuration parameters.
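To make the failover and back-door rules in the table concrete, here is an added Python model of the login decision (example code written for this page, not the switch firmware or a vendor tool). `TacacsConfig`, `validate`, `backdoor_permitted` and `authenticate` are constructed names; what the switch does with a granted level when `cmap` is disabled is not stated on the page, so the model's choice there is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class TacacsConfig:
    """Values from the TACACS+ Server Configuration Menu; ranges and defaults as on the page."""
    prisrv: str
    secsrv: Optional[str] = None
    retries: int = 3       # 1-3 failed requests before switching server
    timeout: int = 5       # 4-15 seconds per attempt
    bckdoor: bool = False  # plain back door: bypasses servers even when they respond
    secbd: bool = False    # secure back door: bypasses servers only when none responds
    cmap: bool = False     # privilege-level mapping on/off
    usermap: Dict[int, str] = field(default_factory=dict)  # TACACS+ level -> user|oper|admin|none


def validate(cfg: TacacsConfig) -> None:
    """Reject values outside the ranges the menu accepts."""
    if not 1 <= cfg.retries <= 3:
        raise ValueError("retries must be 1-3")
    if not 4 <= cfg.timeout <= 15:
        raise ValueError("timeout must be 4-15 seconds")
    for level, role in cfg.usermap.items():
        if not 0 <= level <= 15 or role not in ("user", "oper", "admin", "none"):
            raise ValueError(f"bad usermap entry {level} -> {role}")


def backdoor_permitted(cfg: TacacsConfig, servers_responding: bool, access: str) -> bool:
    """Console always keeps its back door; remote access depends on bckdoor vs. secbd."""
    return access == "console" or cfg.bckdoor or (cfg.secbd and not servers_responding)


def authenticate(cfg: TacacsConfig, servers: Dict[str, Optional[int]],
                 access: str = "ssh") -> Tuple[str, Optional[str], int]:
    """Simulate one login. `servers` maps address -> granted TACACS+ level (0-15), or None
    if that server never answers. Returns (path, switch role, seconds spent waiting)."""
    validate(cfg)
    waited = 0
    for addr in [a for a in (cfg.prisrv, cfg.secsrv) if a]:
        level = servers.get(addr)
        if level is None:                        # retries x timeout, then fail over
            waited += cfg.retries * cfg.timeout
            continue
        # Assumption: with cmap off the raw level is kept; page does not say what happens.
        role = cfg.usermap.get(level, "none") if cfg.cmap else str(level)
        return ("tacacs", None if role == "none" else role, waited)
    # Every configured server timed out; only a back door can still admit the login.
    if backdoor_permitted(cfg, servers_responding=False, access=access):
        return ("backdoor", None, waited)        # local credentials; role not stated on page
    return ("denied", None, waited)
```

With `secbd` alone, a remote login waits `retries x timeout` per server before the back door opens, and the back door stays closed while any server answers; with `bckdoor`, the servers can be bypassed at any time.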