Radius attributes for user privileges, Tacacs+ authentication – HP 445946-001 User Manual

Accessing the switch
Table 2  User access levels

User account    Description and tasks performed
Administrator   Administrators are the only ones that can make permanent changes to the switch
                configuration, that is, changes that persist across a reboot/reset of the switch.
                Administrators can access switch functions to configure and troubleshoot problems at
                the switch level. Because administrators can also make temporary (operator-level)
                changes, they must be aware of the interactions between temporary and permanent
                changes.
RADIUS attributes for user privileges

When the user logs in, the switch authenticates the level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server.

If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When backdoor access is enabled, access is allowed even if the primary and secondary authentication servers are reachable. Only when both the primary and secondary authentication servers are not reachable does the administrator have the option to allow secure backdoor (secbd) access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you can have either backdoor or secure backdoor enabled, but not both at the same time. The default value for backdoor access through the console port only is enabled. You can always access the switch via the console port by using noradius and the administrator password, whether backdoor/secure backdoor are enabled or not. The default value for backdoor and secure backdoor access through Telnet/SSH/HTTP/HTTPS is disabled.
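The interaction between the backdoor and secure backdoor settings, the login path and server reachability is easy to misjudge when reviewing a switch configuration. The following script, added here as an example and not part of the manual or HP's firmware, encodes the rules above as a decision function and adds an audit helper that answers the question a reviewer usually cares about: can a remote login skip RADIUS while both servers are healthy? The scope names "console" and "all" are shorthand assumptions for "console port only" and "console and Telnet/SSH/HTTP/HTTPS".

```python
"""Evaluate the backdoor / secure-backdoor fallback rules described above for a
given login path and server reachability.  Example code written for this page,
not HP's firmware; the scope names "console" and "all" are shorthand assumptions
for "console port only" and "console and Telnet/SSH/HTTP/HTTPS"."""
from typing import Optional

# None = disabled, "console" = console port only, "all" = console plus remote access.
SCOPES = (None, "console", "all")

# Defaults stated on this page: backdoor enabled for the console port only,
# backdoor and secure backdoor both disabled for Telnet/SSH/HTTP/HTTPS.
DEFAULT_BACKDOOR: Optional[str] = "console"
DEFAULT_SECBD: Optional[str] = None


def validate(backdoor: Optional[str], secbd: Optional[str]) -> None:
    """With RADIUS on, backdoor and secure backdoor cannot both be enabled."""
    for scope in (backdoor, secbd):
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
    if backdoor is not None and secbd is not None:
        raise ValueError("backdoor and secure backdoor cannot both be enabled")


def covers(scope: Optional[str], via_console: bool) -> bool:
    """Does a scope setting include the path the user is logging in on?"""
    return scope == "all" or (scope == "console" and via_console)


def local_auth_allowed(via_console: bool, primary_up: bool, secondary_up: bool,
                       backdoor: Optional[str] = DEFAULT_BACKDOOR,
                       secbd: Optional[str] = DEFAULT_SECBD,
                       noradius: bool = False) -> bool:
    """True if the login may bypass RADIUS and use the local administrator password."""
    validate(backdoor, secbd)
    if via_console and noradius:
        return True                      # console + noradius + admin password always works
    if covers(backdoor, via_console):
        return True                      # backdoor: allowed even when servers are reachable
    if covers(secbd, via_console):
        return not primary_up and not secondary_up   # secbd: only when both are unreachable
    return False


def remote_bypass_when_radius_healthy(backdoor: Optional[str], secbd: Optional[str]) -> bool:
    """Audit helper: can a Telnet/SSH/HTTP/HTTPS login skip RADIUS while both servers are up?"""
    return local_auth_allowed(False, True, True, backdoor, secbd)


if __name__ == "__main__":
    print("default config, remote, servers up:", local_auth_allowed(False, True, True))
    print("backdoor=all, remote, servers up:", remote_bypass_when_radius_healthy("all", None))
    print("secbd=all, remote, servers down:", local_auth_allowed(False, False, False, None, "all"))
```

The audit helper makes the difference between the two settings concrete: with backdoor scoped to "all", a remote local-password login succeeds even while central authentication is fully available, whereas secure backdoor scoped to "all" only opens that path once both servers are unreachable.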
All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary is RADIUS vendor-dependent. The RADIUS attributes shown in the following table are defined for user privilege levels.

Table 3  Proprietary attributes for RADIUS

User name/access    User service type    Value
User                Vendor-supplied      255
Operator            Vendor-supplied      252
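To show how the values in Table 3 are actually consumed, the following script, added here as an example and not part of the manual or HP's firmware, parses the attributes of a RADIUS Access-Accept and maps the Service-Type attribute (attribute 6) to a privilege level. It treats the standard Service-Type value 6 (Administrative-User) as the administrator and the two vendor-supplied values from Table 3 as operator and user; any other reply, a missing or duplicated Service-Type, or a malformed attribute fails closed to "denied". The sample packet is constructed inline with a zeroed authenticator; real traffic carries a keyed authenticator that must be checked before any attribute is trusted.

```python
"""Map the Service-Type attribute carried in a RADIUS Access-Accept to a switch
privilege level, using the values in Table 3.  Example code written for this
page, not HP's firmware; attribute framing follows RFC 2865 (type, length, value)."""
import struct
from typing import List, Tuple

ACCESS_ACCEPT = 2            # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1           # standard User-Name attribute
ATTR_SERVICE_TYPE = 6        # "RADIUS attribute 6" referred to on this page
ADMINISTRATIVE_USER = 6      # standard Service-Type value for Administrative-User

# Table 3 values plus the standard administrator value; anything else is denied.
SERVICE_TYPE_TO_LEVEL = {
    ADMINISTRATIVE_USER: "administrator",
    252: "operator",         # vendor-supplied value from Table 3
    255: "user",             # vendor-supplied value from Table 3
}


def parse_packet(packet: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Return (code, [(attribute type, raw value), ...]), rejecting bad framing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("declared length does not match packet size")
    attrs = []
    pos = 20                     # attributes follow the 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def privilege_level(packet: bytes) -> str:
    """Access level granted by the server's reply; fail closed on anything unexpected."""
    code, attrs = parse_packet(packet)
    if code != ACCESS_ACCEPT:
        return "denied"
    levels = set()
    for atype, value in attrs:
        if atype != ATTR_SERVICE_TYPE:
            continue
        if len(value) != 4:      # Service-Type is a 4-byte integer
            return "denied"
        levels.add(SERVICE_TYPE_TO_LEVEL.get(struct.unpack("!I", value)[0], "denied"))
    if len(levels) != 1:         # missing or conflicting Service-Type
        return "denied"
    return levels.pop()


def build_access_accept(service_type, ident: int = 1, user: bytes = b"switch-user") -> bytes:
    """Construct a sample Access-Accept (constructed test data; zeroed authenticator)."""
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(user)) + user
    if service_type is not None:
        attrs += struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    for st in (ADMINISTRATIVE_USER, 252, 255, 2, None):
        print(f"Service-Type={st}: {privilege_level(build_access_accept(st))}")
```

The fail-closed choices matter in practice: an Access-Accept without a Service-Type, or with two conflicting ones, should not silently grant the lowest level, and a server that returns a Service-Type value the dictionary does not define should produce a denial that shows up in the logs rather than an unexpected privilege.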
TACACS+ authentication

The switch software supports authentication, authorization, and accounting with networks using the Cisco Systems TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to the switch through either a data port or a management port.