Access Security Guide K/KA/KB.15.15

The default primary <enable | login> authentication is local.
<console | telnet | ssh | web>
[<local | none | authorized>]
Provides options for secondary authentication. For console access, secondary
authentication must be local if primary access is not local. This prevents you from
being locked out of the switch in the event of a failure in other access methods.
Default: none
<<web-based | mac-based> login> <chap-radius | peap-mschapv2>
Password authentication for web-based or MAC-based port access to the switch.
Use peap-mschapv2 when you want password verification without requiring
access to a plain text password; it is more secure.
Default: chap-radius
[ none | authorized ]
Provides options for secondary authentication. The none option specifies that a
backup authentication method is not used. The authorized option allows access
without authentication.
Default: none
You can configure RADIUS as the primary password authentication method for all access methods.
Select either local, none or authorized as a secondary or backup method. For console access,
if you configure RADIUS or TACACS for primary authentication, you must configure local for the
secondary method. This prevents the possibility of being completely locked out of the switch in the
event all primary access methods fail.
In certain situations, RADIUS servers can become isolated from the network. When that happens, users
attempting to reach network resources protected by RADIUS authentication are rejected. To
address this situation, configuring the authorized secondary authentication method allows users
unconditional access to the network when the primary authentication method fails because the
RADIUS servers are unreachable.
CAUTION: Configuring authorized as the secondary authentication method used when there
is a failure accessing the RADIUS servers allows clients to access the network unconditionally. Use
this method with care.
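The two rules above (console needs a local secondary whenever the primary is not local; an authorized secondary grants unconditional access) are easy to check mechanically before a configuration is pushed. The following linter is an added example written for this guide page, not HP's own tooling. It assumes the full command form is `aaa authentication <access> <enable|login> <primary> [<secondary>]`, reconstructed from the syntax fragments shown above, and the sample configuration lines are constructed for illustration.

```python
"""Lint HP switch 'aaa authentication' lines against the guide's fallback rules.

Constructed example: the command prefix and argument order are assumed from the
syntax fragments on this page, and SAMPLE_CONFIG is made up for illustration.
"""
import re

# Access methods whose secondary may be <local | none | authorized>
ADMIN_ACCESS = {"console", "telnet", "ssh", "web"}
# Port-access methods: login <chap-radius | peap-mschapv2> [none | authorized]
PORT_ACCESS = {"web-based", "mac-based"}

LINE_RE = re.compile(
    r"^aaa authentication (?P<access>\S+) (?P<kind>enable|login) "
    r"(?P<primary>\S+)(?: (?P<secondary>\S+))?$"
)


def parse_line(line):
    """Return the fields of one 'aaa authentication ...' line, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def lint_config(config_text):
    """Return (line, code, message) findings for every rule the guide states."""
    findings = []
    for raw in config_text.splitlines():
        f = parse_line(raw)
        if f is None:
            continue  # not an aaa authentication line
        line = raw.strip()
        access, primary = f["access"], f["primary"]
        # With no secondary configured, the documented default (none) applies.
        secondary = f["secondary"] or "none"

        # Rule 1: console access with a remote primary must fall back to local,
        # otherwise an unreachable RADIUS/TACACS server locks you out.
        if access == "console" and primary != "local" and secondary != "local":
            findings.append((line, "LOCKOUT",
                             "console secondary must be local when primary is not local"))

        # Rule 2 (CAUTION on the page): authorized = unconditional access on failure.
        if secondary == "authorized":
            findings.append((line, "AUTHORIZED",
                             "authorized secondary grants unconditional access when the primary fails"))

        # Advisory: the guide recommends peap-mschapv2 over chap-radius because the
        # server does not need access to a plain-text password.
        if access in PORT_ACCESS and primary == "chap-radius":
            findings.append((line, "CHAP",
                             "prefer peap-mschapv2 over chap-radius for port access"))
    return findings


# Constructed sample configuration (not from a real switch).
SAMPLE_CONFIG = """
aaa authentication console login radius local
aaa authentication console enable radius
aaa authentication ssh login radius none
aaa authentication web-based login chap-radius authorized
aaa authentication mac-based login peap-mschapv2 none
"""

if __name__ == "__main__":
    for line, code, msg in lint_config(SAMPLE_CONFIG):
        print(f"[{code}] {line}: {msg}")
```

Running it against the sample reports the console `enable` line (RADIUS primary, no local fallback), and the web-based line twice (authorized secondary, chap-radius primary); the first, third and fifth lines pass.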
Figure 108 (page 146) shows an example of the show authentication command displaying
authorized as the secondary authentication method for port-access, web-based authentication
access, and MAC authentication access. Since the configuration of authorized means no
authentication will be performed and the client has unconditional access to the network, the "Enable
Primary" and "Enable Secondary" fields are not applicable (N/A).
Configuring 145