Access Security Guide K/KA/KB.15.15

that client. Thus, an authenticated user authorized for the manager privilege level must authenticate
again to change privilege levels. Using the optional login privilege-mode command overrides
this default behavior for clients with enable access. That is, with privilege-mode enabled, the
switch immediately allows enable (manager) access to a client for whom the RADIUS server specifies
this access level.
Syntax:
[no] aaa authentication login privilege-mode
When enabled, the switch reads the Service-Type field in the client authentication
received from a RADIUS server. The following table describes the applicable
Service-Type values and corresponding client access levels the switch allows upon
authentication by the server.
Table 9 Service-type value

  Service-type           Value                      Client access level
  Administrative-user    6                          manager
  NAS-Prompt-user        7                          operator
  Any other type         Any value except 6 or 7    Access Denied
This feature applies to console (serial port), Telnet, SSH, and WebAgent access to
the switch. It does not apply to 802.1X port-access.
NOTE: While this option is enabled, a Service-Type value other than 6 or 7, or
an unconfigured (null) Service-Type causes the switch to deny access to the requesting
client.
The no form of the command returns the switch to the default RADIUS authentication
operation. The default behavior for most interfaces is that a client authorized by
the RADIUS server for Enable (manager) access will be prompted twice, once for
Login (operator) access and once for Enable access. In the default RADIUS
authentication operation, the WebAgent requires only one successful authentication
request. For more information on configuring the Service Type in your RADIUS
application, see the documentation provided with the application.
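The following is an added example, not part of this guide or the switch firmware, that models the Table 9 decision in Python: it parses the attribute area of a constructed RADIUS Access-Accept, extracts Service-Type (attribute 6), and returns the access level the switch would grant with privilege-mode on or off. The attribute layout follows RFC 2865; the sample byte strings are constructed here, not captured from a real server.

```python
import struct

# Attribute type number for Service-Type (RFC 2865, section 5.6).
ATTR_SERVICE_TYPE = 6

# Table 9: Service-Type values the switch honours when privilege-mode is enabled.
PRIVILEGE_MODE_ACCESS = {
    6: "manager",   # Administrative-User
    7: "operator",  # NAS-Prompt-User
}


def parse_attributes(payload: bytes) -> dict:
    """Split a RADIUS attribute area into {type: [value, ...]}.
    Each attribute is a TLV: 1-byte type, 1-byte length (including the
    2-byte header), then the value. Malformed lengths are rejected."""
    attrs = {}
    offset = 0
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[offset], payload[offset + 1]
        if alen < 2 or offset + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(payload[offset + 2:offset + alen])
        offset += alen
    return attrs


def service_type(attrs: dict):
    """Return the integer Service-Type, or None if the server sent none (the 'null' case)."""
    values = attrs.get(ATTR_SERVICE_TYPE)
    if not values:
        return None
    if len(values[0]) != 4:
        raise ValueError("Service-Type must be a 4-byte integer")
    return struct.unpack("!I", values[0])[0]


def access_level(payload: bytes, privilege_mode: bool) -> str:
    """Access level granted for an Access-Accept whose attributes are `payload`.
    privilege-mode on:  6 -> manager, 7 -> operator, any other or missing value -> denied.
    privilege-mode off: Service-Type is not consulted for the initial login; the client
                        lands at operator and must authenticate again for Enable (manager)."""
    st = service_type(parse_attributes(payload))
    if privilege_mode:
        return PRIVILEGE_MODE_ACCESS.get(st, "denied")
    return "operator"


# Constructed sample attribute areas (Reply-Message is attribute 18).
ADMIN_ACCEPT = bytes([18, 4, 0x6F, 0x6B]) + bytes([6, 6, 0, 0, 0, 6])  # "ok" + Administrative-User
NAS_PROMPT_ACCEPT = bytes([6, 6, 0, 0, 0, 7])                          # NAS-Prompt-User
LOGIN_USER_ACCEPT = bytes([6, 6, 0, 0, 0, 1])                          # Login-User (not 6 or 7)
NO_SERVICE_TYPE = bytes([18, 4, 0x6F, 0x6B])                           # Reply-Message only
```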
Configuring the switch to access a RADIUS server
This section describes how to configure the switch to interact with a RADIUS server for both
authentication and accounting services.
NOTE: If you want to configure RADIUS accounting on the switch, see Accounting services
(page 185).
Syntax:
[no] radius-server host <ip-address> [oobm]
Adds a server to the RADIUS configuration or (with no) deletes a server from the
configuration. You can configure up to three RADIUS servers, and up to 15 RADIUS
server addresses. See “Using multiple RADIUS server groups” (page 174) for
information about grouping multiple RADIUS servers.
The switch uses the first server it successfully accesses; see “Changing RADIUS-server
access order” (page 179).
Configuring 147