HP 6120XG HP ProCurve Series 6120 Blade Switches Access Security Guide - Page 153
Caution Regarding, the Use of Local for, Login Primary, Access, Table 4-2.
View all HP 6120XG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 153 highlights
TACACS+ Authentication Configuring TACACS+ on the Switch Table 4-2. Primary/Secondary Authentication Table Access Method and Authentication Options Privilege Level Primary Secondary Effect on Access Attempts Console - Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Console - Enable local none Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. Telnet - Login local none* Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. tacacs none If Tacacs+ server unavailable, denies access. Telnet - Enable local none Local username/password access only. tacacs local If Tacacs+ server unavailable, uses local username/password access. tacacs none If Tacacs+ server unavailable, denies access. Caution Regarding the Use of Local for Login Primary Access During local authentication (which uses passwords configured in the switch instead of in a TACACS+ server), the switch grants read-only access if you enter the Operator password, and read-write access if you enter the Manager password. For example, if you configure authentication on the switch with Telnet Login Primary as Local and Telnet Enable Primary as Tacacs, when you attempt to Telnet to the switch, you will be prompted for a local password. If you enter the switch's local Manager password (or, if there is no local Manager password configured in the switch) you can bypass the TACACS+ server authentication for Telnet Enable Primary and go directly to read-write (Manager) access. Thus, for either the Telnet or console access method, configuring Login Primary for Local authentication while configuring Enable Primary for TACACS+ authentication is not recommended, as it defeats the purpose of using the TACACS+ authentication. If you want Enable Primary log-in attempts to go to a TACACS+ server, then you should configure both Login Primary and Enable Primary for Tacacs authentication instead of configuring Login Primary to Local authentication. 4-16