HP 2600 Series User Manual

Page 108

5-8

RADIUS Authentication and Accounting
Configuring the Switch for RADIUS Authentication

Server Dead-Time: The period during which the switch will not send
new authentication requests to a RADIUS server that has failed to
respond to a previous request. This avoids a wait for a request to time
out on a server that is unavailable. If you want to use this feature,
select a dead-time period of 1 to 1440 minutes. (Default: 0—disabled;
range: 1 - 1440 minutes.) If your first-choice server was initially
unavailable, but then becomes available before the dead-time expires,
you can nullify the dead-time by resetting it to zero and then trying to
log on again. As an alternative, you can reboot the switch (thus
resetting the dead-time counter to assume the server is available) and
then try to log on again.

Number of Login Attempts: This is an aaa authentication command.
It controls how many times in one session a RADIUS client (as well
as clients using other forms of access) can try to log in with the correct
username and password. (Default: Three times per session.)

(For RADIUS accounting features, refer to “Configuring RADIUS Accounting”
on page 5-17.)

1. Configure Authentication for the Access Methods You Want RADIUS To Protect

This section describes how to configure the switch for RADIUS authentication
through the following access methods:

Console: Either direct serial-port connection or modem connection.

Telnet: Inbound Telnet must be enabled (the default).

SSH: To employ RADIUS for SSH access, you must first configure the
switch for SSH operation. Refer to “Configuring Secure Shell (SSH)”
on page 6-1.

Web: Web browser interface (2600, 2600-PWR, and 2800 switches).

You can also use RADIUS for Port-Based Access authentication. Refer to
“Configuring Port-Based Access Control (802.1X)” on page 8-1.

You can configure RADIUS as the primary password authentication method
for the above access methods. You will also need to select either
local or none as a secondary, or backup, method. Note that for console
access, if you configure radius (or tacacs) for primary authentication,
you must configure local for the secondary method. This prevents the
possibility of being completely locked out of the switch in the event
that all primary access methods fail.
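
One way to check a saved switch configuration against two rules stated above: the 1 to 1440 minute dead-time range and the local secondary method required for console access. This is an added example, not part of the HP manual; the command syntax in the sample lines, the sample values, the audit function, and the treatment of an omitted secondary method as none are assumptions.

```python
import re

# Constructed sample configuration. The command syntax is assumed from the
# switch CLI and does not appear on this manual page.
SAMPLE_CONFIG = """\
radius-server host 10.0.0.5
radius-server dead-time 2000
aaa authentication num-attempts 3
aaa authentication console login radius none
aaa authentication telnet login radius none
aaa authentication ssh login radius local
"""

ACCESS = {"console", "telnet", "ssh", "web"}
AUTH_RE = re.compile(
    r"^aaa authentication (\S+) (login|enable) (\S+)(?: (\S+))?$")
DEAD_RE = re.compile(r"^radius-server dead-time (\d+)$")


def audit(config_text):
    """Return a list of (line_number, message) findings."""
    findings = []
    for num, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(raw.split())  # normalise whitespace
        m = DEAD_RE.match(line)
        if m:
            # 0 disables the feature; otherwise the manual allows 1 to 1440.
            if int(m.group(1)) > 1440:
                findings.append((num, "dead-time outside 1-1440 minutes"))
            continue
        m = AUTH_RE.match(line)
        if not m or m.group(1) not in ACCESS:
            continue
        method, _level, primary, secondary = m.groups()
        secondary = secondary or "none"  # assumption: omitted means none
        # Console with a remote primary must fall back to local, otherwise
        # an unreachable server locks administrators out of the switch.
        if (method == "console" and primary in ("radius", "tacacs")
                and secondary != "local"):
            findings.append((num, "console: secondary must be local"))
    return findings


if __name__ == "__main__":
    for num, message in audit(SAMPLE_CONFIG):
        print(f"line {num}: {message}")
```
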
