TACACS+ Authentication
Configuring TACACS+ on the Switch
Configuring the Switch’s Authentication Methods
The aaa authentication command configures access control for the following 
access methods:
■ Console
■ Telnet
■ SSH
■ Web
■ Port-access (802.1X)
However, TACACS+ authentication is only used with the console, Telnet, or 
SSH access methods. The command specifies whether to use a TACACS+ 
server or the switch’s local authentication, or (for some secondary scenarios) 
no authentication (meaning that if the primary method fails, authentication is 
denied). The command also reconfigures the number of access attempts to 
allow in a session if the first attempt uses an incorrect username/password 
pair.
Using the Privilege-Mode Option for Login
When using TACACS+ to control user access to the switch, you must first log in 
with your username at the Operator privilege level using the password for 
Operator privileges, and then log in again with the same username but using 
the Manager password to obtain Manager privileges. You can avoid this double 
login process by entering the privilege-mode option with the aaa authentication 
login command to enable TACACS+ for a single login. The switch authenticates 
your username/password, then requests the privilege level (Operator or 
Manager) that was configured on the TACACS+ server for this 
username/password. The TACACS+ server returns the allowed privilege level to the 
switch. You are placed directly into Operator or Manager mode, depending on 
your privilege level. 
HP Switch(config)# aaa authentication login privilege-mode
 
The no version of the above command disables TACACS+ single login 
capability.
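
An added example, not from this manual: a Python check over a saved running-config that reports the settings this section describes (primary and secondary method per access method, the attempt limit, and privilege-mode). It assumes config lines of the form `aaa authentication <method> <login|enable> <primary> [<secondary>]` and `aaa authentication num-attempts <n>`, which this page does not show, and that an omitted secondary means none; the sample config is constructed.

```python
import re

# Constructed sample running-config lines (assumed syntax, not taken from the page).
SAMPLE_CONFIG = """\
aaa authentication num-attempts 3
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login tacacs none
aaa authentication ssh enable tacacs none
aaa authentication telnet login local
aaa authentication login privilege-mode
"""

TACACS_METHODS = {"console", "telnet", "ssh"}        # per the page
ALL_METHODS = TACACS_METHODS | {"web", "port-access"}
METHOD_LINE = re.compile(r"^aaa authentication (\S+) (login|enable) (\S+)(?: (\S+))?$")
ATTEMPTS_LINE = re.compile(r"^aaa authentication num-attempts (\d+)$")

def audit(config):
    """Summarize aaa authentication settings and list points worth reviewing."""
    report = {"privilege_mode": False, "num_attempts": None, "methods": {}, "findings": []}
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "aaa authentication login privilege-mode":
            report["privilege_mode"] = True
        elif ATTEMPTS_LINE.match(line):
            report["num_attempts"] = int(ATTEMPTS_LINE.match(line).group(1))
        elif METHOD_LINE.match(line):
            method, level, primary, secondary = METHOD_LINE.match(line).groups()
            if method not in ALL_METHODS:
                continue
            secondary = secondary or "none"   # assumption: omitted secondary means none
            report["methods"][(method, level)] = (primary, secondary)
            if primary != "tacacs":
                continue
            if method not in TACACS_METHODS:
                report["findings"].append(f"{method} {level}: TACACS+ is not used for this method")
            if secondary == "none":
                report["findings"].append(f"{method} {level}: denied if TACACS+ fails (no secondary)")
    uses_tacacs = any(p == "tacacs" for p, _ in report["methods"].values())
    if uses_tacacs and not report["privilege_mode"]:
        report["findings"].append("privilege-mode off: Manager access needs a second login")
    return report

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print(finding)
```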