7-42
Configuring RADIUS Server Support for Switch Services
Configuring and Using Dynamic (RADIUS-Assigned) Access Control Lists
Event Log Messages
Please see the Event Log Message Reference Guide for information about
Event Log messages.
Causes of Client Deauthentication Immediately After Authenticating
■ ACE formatted incorrectly in the RADIUS server
• “from”, “any”, or “to” keyword missing
• An IPv4 or IPv6 protocol number in the ACE exceeds 255.
• An optional UDP or TCP port number is invalid, or a UDP/TCP port
number is specified when the protocol is neither UDP nor TCP.
■ A RADIUS-assigned ACL limit has been exceeded.
• An ACE in the ACL for a given authenticated client exceeds 80
characters.
• The TCP/UDP port-range quantity of 14 per slot or port group has been
exceeded.
• The rule limit of 3048 per slot or port group has been exceeded.
■ An IPv6 ACE has been received on a port and either the
HP-Nas-Rules-IPv6 attribute is missing or HP-Nas-Rules-IPv6=2 is
configured. Refer to table 7-7 on page 7-23 for more on this attribute.
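The formatting causes and the 80-character limit listed above can be checked before an ACE is placed on the RADIUS server. The following Python check is an added example, not part of this guide or of the switch software. It assumes the ACE layout `<permit|deny> in <protocol> from any to <destination> [port | low-high] [cnt]`, which this page does not spell out; the names lint_ace and _port_ok and the sample ACEs are constructed for illustration.

```python
# Added example: pre-flight lint for RADIUS-assigned ACE strings.
# ASSUMED layout (not given on this page):
#   <permit|deny> in <protocol> from any to <dest> [port | low-high] [cnt]
MAX_ACE_LEN = 80  # per-ACE character limit stated above

def _port_ok(spec):
    """True for one port or a low-high range, each value within 0..65535."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(n <= 65535 for n in nums) and nums == sorted(nums)

def lint_ace(ace):
    """Return a list of problems that match the deauthentication causes."""
    problems = []
    if len(ace) > MAX_ACE_LEN:
        problems.append("ACE exceeds 80 characters")
    tok = ace.lower().split()
    for kw in ("from", "any", "to"):
        if kw not in tok:
            problems.append(f'"{kw}" keyword missing')
    proto = tok[2] if len(tok) > 2 else ""
    if proto.isdigit() and int(proto) > 255:
        problems.append("protocol number exceeds 255")
    is_tcp_udp = proto in ("tcp", "udp", "6", "17")  # IANA numbers 6 and 17
    if "to" in tok:
        rest = tok[tok.index("to") + 1:]
        rest = rest[2:] if rest[:1] == ["host"] else rest[1:]  # skip <dest>
        if rest[-1:] == ["cnt"]:  # optional counter keyword (assumed)
            rest = rest[:-1]
        for spec in rest:
            if not is_tcp_udp:
                problems.append("port given but protocol is neither UDP nor TCP")
            elif not _port_ok(spec):
                problems.append(f"invalid port: {spec}")
    return problems

# Constructed sample ACEs, not taken from the guide.
SAMPLES = [
    "permit in tcp from any to 10.0.0.5 443",
    "permit in 300 from any to any",
    "deny in icmp from any to 10.0.0.5 80",
    "permit in udp any to 10.0.0.5 70000",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", lint_ace(s) or "OK")
```

The per-slot limits (14 port ranges, 3048 rules) depend on what else is active on the switch, so this check does not cover them.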
Monitoring Shared Resources
Currently active, RADIUS-based authentication sessions (including HP IDM
client sessions) using RADIUS-assigned ACLs share internal switch resources
with several other features. The switch provides ample resources for all
features. However, if the internal resources do become fully subscribed, new
RADIUS-based sessions using RADIUS-assigned ACLs cannot be
authenticated until the necessary resources are released from other applications.
■ For information on determining the current resource availability and
usage, refer to the appendix titled “Monitoring Resources” in the
Management and Configuration Guide for your switch.
■ For a summary of ACL resource limits, refer to the appendix covering
scalability in the latest Management and Configuration Guide for
your switch.