6-4
RADIUS Authentication, Authorization, and Accounting
Switch Operating Rules for RADIUS
Sometimes termed a RADIUS host.
Shared Secret Key: A text value used for encrypting data in RADIUS packets.
Both the RADIUS client and the RADIUS server have a copy of the key, and
the key is never transmitted across the network.
Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS
server to specific an optional switch feature assigned by the server during an
authenticated client session.
Switch Operating Rules for RADIUS
■ You must have at least one RADIUS server accessible to the switch.
■ The switch supports authentication and accounting using up to fifteen
RADIUS servers. The switch accesses the servers in the order in
which they are listed by show radius (page 6-62). If the first server does
not respond, the switch tries the next one, and so-on. (To change the
order in which the switch accesses RADIUS servers, refer to
“Changing RADIUS-Server Access Order” on page 6-67.)
■ You can select RADIUS as the primary authentication method for each
type of access. (Only one primary and one secondary access method
is allowed for each access type.)
■ In the HP switch, EAP RADIUS uses MD5 and TLS to encrypt a
response to a challenge from a RADIUS server.
■ When primary/secondary authentication is set to Radius/Local (for
either Login or Enable) and the RADIUS server fails to respond to a
client attempt to authenticate, the failure is noted in the Event Log
with the message radius: Can't reach RADIUS server < server-ip-addr >.
When this type of failure occurs, the switch prompts the client again
to enter a username and password. In this case, use the local user-
name (if any) and password configured on the switch itself.
■ Zero-length usernames or passwords are not allowed for RADIUS
authentication, even though allowed by some RADIUS servers.
■ TACACS+ is not supported for the WebAgent access.
To Next Page
Loading...
Need help?
General