General authentication setup procedure

It is important to test the TACACS+ service before fully implementing it. Depending on the process and parameter settings you use to set up and test TACACS+ authentication in your network, you could accidentally lock all users, including yourself, out of access to a switch. While recovery is simple, it can pose an inconvenience that can be avoided. To prevent an unintentional lockout on the switch, use a procedure that configures and tests TACACS+ protection for one access type (for example, Telnet access), while keeping the other access type (console, in this case) open in case the Telnet access fails due to a configuration problem. The following procedure outlines a general setup procedure.

NOTE: If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ operation" in the management and configuration guide for your switch.
Procedure
  1. Familiarize yourself with the requirements for configuring your TACACS+ server application to respond to requests from the switch. (See the documentation provided with the TACACS+ server software.) This includes knowing whether you need to configure an encryption key, see Using the encryption key.
  2. Determine the following:
    • The IP address(es) of the TACACS+ server(s) you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services.

    • The encryption key, if any, for allowing the switch to communicate with the server. You can use either a global key or a server-specific key, depending on the encryption configuration in the TACACS+ server(s).

    • The number of log-in attempts you will allow before closing a log-in session. ( Default: 3)

    • The period you want the switch to wait for a reply to an authentication request before trying another server.

    • The username/password pairs you want the TACACS+ server to use for controlling access to the switch.

    • The privilege level you want for each username/password pair administered by the TACACS+ server for controlling access to the switch.

    • The username/password pairs you want to use for local authentication (one pair each for operator and manager levels).

  3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the username/password sets for logging in at the operator (read-only) privilege level and the sets for logging in at the manager (read/write) privilege level.
    NOTE:

    When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of "15" as authorization for the manager (read/write) privilege level access. Privilege level codes of 14 and lower result in operator (read-only) access. Thus, when configuring the TACACS+ server response to a request that includes a username/password pair that should have manager privileges, you must use a privilege level of 15. For more on this topic, see the documentation you received with your TACACS+ server application.

    If you are a first-time user of the TACACS+ service, Hewlett Packard Enterprise recommends that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After you have success with the minimum feature set, you can then want to try additional features that the application offers.

  4. Ensure that the switch has the correct local username and password for manager access. (If the switch cannot find any designated TACACS+ servers, the local manager and operator username/password pairs are always used as the secondary access control method.)
    CAUTION:

    Ensure that the switch has a local manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, unauthorized access will be available through the console port or Telnet.

  5. Using a terminal device connected to the switch console port, configure the switch for TACACS+ authentication only for Telnet login access and Telnet enable access. At this stage, do not configure TACACS+ authentication for console access to the switch, as you may need to use the console for access if the configuration for the Telnet method needs debugging.
  6. Ensure that the switch is configured to operate on your network and can communicate with your first-choice TACACS+ server. (At a minimum, this requires IP addressing and a successful ping test from the switch to the server.)
  7. On a remote terminal device, use Telnet to attempt to access the switch. If the attempt fails, use the console access to check the TACACS+ configuration on the switch. If you make changes in the switch configuration, check Telnet access again. If Telnet access still fails, check the configuration in your TACACS+ server application for misconfigurations or missing data that could affect the server's inter-operation with the switch.
  8. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for misconfigurations or missing data that could affect the console access.
  9. When you are confident that TACACS+ access through both Telnet and the switch console operates properly, use the write memory command to save the switch running-config file to flash.