General RADIUS Setup Procedure – HP 2600 Series User Manual

RADIUS Authentication and Accounting

General RADIUS Setup Procedure

Preparation:

1. Configure one to three RADIUS servers to support the switch. (That is,
   one primary server and one or two backups.) Refer to the documentation
   provided with the RADIUS server application.

2. Before configuring the switch, collect the information outlined below.

Table 5-1. Preparation for Configuring RADIUS on the Switch

• Determine the access methods (console, Telnet, Port-Access (802.1X), SSH, and/or web browser interface) for which
  you want RADIUS as the primary authentication method. Consider both Operator (login) and Manager (enable) levels,
  as well as which secondary authentication methods to use (local or none) if the RADIUS authentication fails or does
  not respond.

Figure 5-1. Example of Possible RADIUS Access Assignments

• Determine the IP address(es) of the RADIUS server(s) you want to support the switch. (You can configure the switch
  for up to three RADIUS servers.)

• If you need to replace the default UDP destination port (1812) the switch uses for authentication requests to a specific
  RADIUS server, select it before beginning the configuration process.

• If you need to replace the default UDP destination port (1813) the switch uses for accounting requests to a specific
  RADIUS server, select it before beginning the configuration process.

• Determine whether you can use one global encryption key for all RADIUS servers or if unique keys will be required
  for specific servers. With multiple RADIUS servers, if one key applies to two or more of these servers, then you can
  configure this key as the global encryption key. For any server whose key differs from the global key you are using,
  you must configure that key in the same command that you use to designate that server’s IP address to the switch.

ProCurve> show authentication

 Status and Counters - Authentication Information

  Login Attempts : 3
  Respect Privilege : Disabled

              | Login      Login      Enable     Enable
  Access Task | Primary    Secondary  Primary    Secondary
  ----------- + ---------- ---------- ---------- ----------
  Console     | Radius     Local      Radius     Local
  Telnet      | Radius     None       Radius     None
  Port-Access | EapRadius
  Webui       | Radius     None       Radius     None
  SSH         | Radius     None       Radius     None
  Web-Auth    | ChapRadius
  MAC-Auth    | ChapRadius

Console access requires Local as secondary method to prevent lockout if the
primary RADIUS access fails due to loss of RADIUS server access or other
problems with the server.

Webui, Web-Auth, and Mac-Auth access is available on the 2600, 2600-PWR,
and 2800 switches (not on the 4100 and 6108 switches).
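
The console lockout rule noted with Figure 5-1 can be checked mechanically. The Python below is an added example, not part of the HP manual: it parses "show authentication" output in the layout shown in Figure 5-1 and reports any Console level that uses RADIUS as primary without Local as secondary. The function names and the second sample (Figure 5-1 with Local replaced by None) are constructed for illustration.

```python
# Constructed sample: the table from Figure 5-1 as shown on this page.
FIGURE_5_1 = """\
             | Login      Login      Enable     Enable
 Access Task | Primary    Secondary  Primary    Secondary
 ----------- + ---------- ---------- ---------- ----------
 Console     | Radius     Local      Radius     Local
 Telnet      | Radius     None       Radius     None
 Port-Access | EapRadius
 Webui       | Radius     None       Radius     None
 SSH         | Radius     None       Radius     None
 Web-Auth    | ChapRadius
 MAC-Auth    | ChapRadius
"""
# Constructed variant: only the Console row contains "Local", so this
# turns the console secondary methods into None (the lockout case).
CONSOLE_NO_FALLBACK = FIGURE_5_1.replace("Local", "None")


def parse_show_authentication(text):
    """Return {task: {"login": (pri, sec), "enable": (pri, sec)}}."""
    table = {}
    for line in text.splitlines():
        task, sep, methods = line.partition("|")
        task, fields = task.strip(), methods.split()
        if not sep or not task or task == "Access Task":
            continue  # header rows, the +---- separator, blank lines
        if len(fields) == 4:
            table[task] = {"login": tuple(fields[:2]),
                           "enable": tuple(fields[2:])}
        else:  # Port-Access, Web-Auth, MAC-Auth list a single method
            table[task] = {"method": fields[0] if fields else None}
    return table


def console_lockout_risks(table):
    """Console levels that use RADIUS without Local as secondary."""
    console = table.get("Console", {})
    return [level for level in ("login", "enable")
            if level in console
            and console[level][0].lower() == "radius"
            and console[level][1].lower() != "local"]


if __name__ == "__main__":
    for name, sample in (("Figure 5-1", FIGURE_5_1),
                         ("no fallback", CONSOLE_NO_FALLBACK)):
        risks = console_lockout_risks(parse_show_authentication(sample))
        print(name, "->", risks or "console has Local fallback")
```
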
