Access Security Guide K/KA/KB.15.15

2. Before configuring the switch, collect the following information:
a. Determine the access methods (console, Telnet, Port-Access (802.1X), WebAgent and/or
SSH) for which you want RADIUS as the primary authentication method. Consider both
operator (login) and manager (enable) levels, as well as which secondary authentication
methods to use (local or none) if the RADIUS authentication fails or does not respond.
Figure 107 Possible RADIUS access assignments
b. Determine the IP addresses of the RADIUS servers to support the switch. You can configure
the switch for up to fifteen RADIUS servers. See the documentation provided with the
RADIUS server application for more information.
c. If you need to replace the default UDP destination port (1812) the switch uses for
authentication requests to a specific RADIUS server, select it before beginning the
configuration process.
d. If you need to replace the default UDP destination port (1813) the switch uses for
accounting requests to a specific RADIUS server, select it before beginning the configuration
process.
e. Determine whether to use one global encryption key for all RADIUS servers or if unique
keys will be required for specific servers. With multiple RADIUS servers, if one key applies
to two or more of these servers, then you can configure this key as the global encryption
key. For any server whose key differs from the global key you are using, you must configure
that key in the same command that you use to designate that server's IP address to the
switch.
f. Determine an acceptable timeout period for the switch to wait for a server to respond to
a request. HP recommends that you begin with the default (five seconds).
g. Determine how many times the switch can contact a RADIUS server before trying another
RADIUS server or quitting. This depends on how many RADIUS servers you have configured
the switch to access.
h. Determine whether you want to bypass a RADIUS server that fails to respond to requests
for service. To shorten authentication time, you can set a bypass period in the range of
1 to 1440 minutes for non-responsive servers. This requires that you have multiple RADIUS
servers accessible for service requests.
i. Optional: Determine whether the switch access level (manager or operator) for
authenticated clients can be set by a Service Type value the RADIUS server includes in
its authentication message to the switch; see “Enabling manager access privilege
(optional)” (page 146).
j. Configure RADIUS on servers used to support authentication on the switch.
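The following Python is an added illustration of the planning decisions in steps b and e through h, together with the secondary-method choice from step a. It is not part of the guide and does not reproduce the switch's own firmware logic: it models a RADIUS client that resolves each server's shared key against the global key, contacts a non-responsive server a fixed number of times, bypasses that server for the configured period (1 to 1440 minutes), and falls back to the secondary method (local or none) when no server answers. The class and function names, the fake transport, and the 192.0.2.x / 198.51.100.x addresses are constructed for this example.

```python
"""Model of the RADIUS planning choices above (added example, not HP code)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

AUTH_PORT = 1812               # default UDP authentication port (step c)
ACCT_PORT = 1813               # default UDP accounting port (step d)
DEFAULT_TIMEOUT_S = 5.0        # recommended starting timeout (step f)
MAX_SERVERS = 15               # the switch supports up to fifteen servers (step b)
BYPASS_RANGE_MIN = (1, 1440)   # allowed bypass period in minutes (step h)


@dataclass
class RadiusServer:            # hypothetical type for this example
    host: str
    auth_port: int = AUTH_PORT
    acct_port: int = ACCT_PORT
    key: Optional[str] = None  # None -> this server uses the global key
    bypass_until: float = 0.0  # clock value until which the server is skipped


@dataclass
class RadiusPlan:              # hypothetical type for this example
    servers: List[RadiusServer]
    global_key: Optional[str] = None
    timeout_s: float = DEFAULT_TIMEOUT_S
    retries: int = 3           # contacts per server before moving on (step g)
    bypass_minutes: int = 0    # 0 disables bypassing dead servers (step h)
    secondary: str = "local"   # "local" or "none" if RADIUS cannot answer (step a)

    def __post_init__(self) -> None:
        if not 1 <= len(self.servers) <= MAX_SERVERS:
            raise ValueError(f"1..{MAX_SERVERS} servers required")
        lo, hi = BYPASS_RANGE_MIN
        if self.bypass_minutes and not lo <= self.bypass_minutes <= hi:
            raise ValueError(f"bypass period must be {lo}..{hi} minutes")
        if self.secondary not in ("local", "none"):
            raise ValueError("secondary method must be 'local' or 'none'")
        for s in self.servers:
            key_for(self, s)   # fail early if any server has no usable key


def key_for(plan: RadiusPlan, server: RadiusServer) -> str:
    """Step e: a per-server key overrides the global key; neither is an error."""
    key = server.key if server.key is not None else plan.global_key
    if key is None:
        raise ValueError(f"no shared key configured for {server.host}")
    return key


# A transport returns True (Access-Accept), False (Access-Reject) or None
# (no usable reply within timeout_s). A wrong shared secret is modelled as
# None, since a client discards replies whose authenticator does not verify.
Transport = Callable[[RadiusServer, str, str, str, float], Optional[bool]]


def authenticate(plan: RadiusPlan, user: str, password: str, send: Transport,
                 now: Callable[[], float] = time.monotonic) -> Dict:
    """Try servers in order, skipping bypassed ones; contact each up to
    plan.retries times; bypass a server that never answers; fall back to the
    secondary method when no server answers."""
    t = now()
    contacts = 0
    for server in plan.servers:
        if server.bypass_until > t:
            continue                                   # still bypassed
        for _ in range(plan.retries):
            contacts += 1
            reply = send(server, key_for(plan, server), user, password, plan.timeout_s)
            if reply is not None:
                return {"method": "radius", "server": server.host,
                        "accepted": reply, "contacts": contacts}
        if plan.bypass_minutes:                        # exhausted retries
            server.bypass_until = t + plan.bypass_minutes * 60
    return {"method": plan.secondary, "server": None,
            "accepted": None, "contacts": contacts}


def demo() -> List[Dict]:
    """Constructed scenario: server 1 is down, server 2 has its own key."""
    plan = RadiusPlan(
        servers=[RadiusServer("192.0.2.10"),
                 RadiusServer("192.0.2.11", key="srv2-secret")],
        global_key="global-secret", retries=3, bypass_minutes=10)
    known = {"192.0.2.11": "srv2-secret"}              # what the fake servers know

    def fake_send(server, key, user, password, timeout):
        if server.host not in known:
            return None                                # down: never replies
        if known[server.host] != key:
            return None                                # key mismatch: reply discarded
        return user == "admin" and password == "correct horse"

    clock = [0.0]
    results = [authenticate(plan, "admin", "correct horse", fake_send, lambda: clock[0])]
    clock[0] += 60          # one minute later: server 1 is still bypassed
    results.append(authenticate(plan, "admin", "wrong", fake_send, lambda: clock[0]))
    clock[0] += 10 * 60     # bypass expired: server 1 is tried again first
    results.append(authenticate(plan, "admin", "correct horse", fake_send, lambda: clock[0]))
    return results
```

The first login in `demo()` costs four contacts (three unanswered attempts on the dead server, then one accepted by the second server); the next login goes straight to the second server because the first is bypassed. With the example's three retries and the five-second default timeout, a dead server that is never bypassed adds fifteen seconds to every login, which is why step h ties the bypass period to having more than one server configured.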
142 RADIUS Authentication, Authorization, and Accounting