Access Security Guide K/KA/KB.15.15

and 249 characters in length. Multiple instances of this attribute may be present in
Access-Accept packets. (A single instance may be present in Accounting-Request packets.)
HP-Command-Exception: A flag that specifies whether the commands indicated by the
HP-Command-String attribute are permitted or denied to the user. A zero (0) means permit all
listed commands and deny all others; a one (1) means deny all listed commands and permit
all others.
The results of using the HP-Command-String and HP-Command-Exception attributes in various
combinations are shown in Table 10.
Table 10 HP command string and exception

HP-Command-Exception: Not present; HP-Command-String: Not present
  If command authorization is enabled and the RADIUS server does not provide any
  authorization attributes in an Access-Accept packet, the user is denied access to
  the server. This message appears: "Access denied: no user's authorization info
  supplied by the RADIUS server."

HP-Command-Exception: DenyList-PermitOthers(1); HP-Command-String: Not present
  Authenticated user is allowed to execute all commands available on the switch.

HP-Command-Exception: PermitList-DenyOthers(0); HP-Command-String: Not present
  Authenticated user can only execute a minimal set of commands (those that are
  available by default to any user).

HP-Command-Exception: DenyList-PermitOthers(1); HP-Command-String: Commands List
  Authenticated user may execute all commands except those in the Commands List.

HP-Command-Exception: PermitList-DenyOthers(0); HP-Command-String: Commands List
  Authenticated user can execute only those commands provided in the Commands List,
  plus the default commands.

HP-Command-Exception: Not present; HP-Command-String: Commands List
  Authenticated user can only execute commands from the Commands List, plus the
  default commands.

HP-Command-Exception: Not present; HP-Command-String: Empty Commands List
  Authenticated user can only execute a minimal set of commands (those that are
  available by default to any user).

HP-Command-Exception: DenyList-PermitOthers(1); HP-Command-String: Empty Commands List
  Authenticated user is allowed to execute all commands available on the switch.

HP-Command-Exception: PermitList-DenyOthers(0); HP-Command-String: Empty Commands List
  Authenticated user can only execute a minimal set of commands (those that are
  available by default to any user).
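The decision table above, as an added example that is not part of the HP guide: a small Python model of how a switch would combine the HP-Command-Exception flag and the HP-Command-String list when deciding whether an authenticated user may run a command. DEFAULT_COMMANDS is a constructed stand-in for the switch's own "minimal set of commands available by default to any user", and commands are compared by exact string match, which is an assumption made here; AccessAccept, session_admitted, is_permitted and permitted_commands are names chosen for this example.

```python
"""Model of Table 10: how HP-Command-Exception and HP-Command-String combine.

Added example, not from the HP guide. DEFAULT_COMMANDS and the exact-match
rule for command strings are assumptions made for the demonstration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Sequence


class HPCommandException(IntEnum):
    """Values of the HP-Command-Exception VSA as described in the text."""
    PERMIT_LIST_DENY_OTHERS = 0   # permit the listed commands, deny all others
    DENY_LIST_PERMIT_OTHERS = 1   # deny the listed commands, permit all others


# Constructed stand-in for "the minimal set of commands available by default to
# any user"; the real default set is defined by the switch, not by this model.
DEFAULT_COMMANDS = frozenset({"exit", "logout", "show version"})


@dataclass(frozen=True)
class AccessAccept:
    """The two HP VSAs as they arrive in an Access-Accept.

    command_strings: None when HP-Command-String is absent, an empty sequence
        when the attribute is present but carries an empty list, otherwise the
        listed commands.
    exception: None when HP-Command-Exception is absent.
    """
    command_strings: Optional[Sequence[str]] = None
    exception: Optional[HPCommandException] = None


def session_admitted(accept: AccessAccept) -> bool:
    """First row of Table 10: with neither VSA present the user is refused outright."""
    return not (accept.command_strings is None and accept.exception is None)


def is_permitted(command: str, accept: AccessAccept) -> bool:
    """Decide one command against the received VSAs, following Table 10."""
    if not session_admitted(accept):
        raise PermissionError(
            "Access denied: no user's authorization info supplied by the RADIUS server.")
    # An absent exception flag behaves like PermitList-DenyOthers(0) in the table.
    mode = (HPCommandException.PERMIT_LIST_DENY_OTHERS
            if accept.exception is None else accept.exception)
    # An absent command list and an empty command list behave alike.
    listed = set(accept.command_strings or ())
    # Assumption: commands are compared as exact strings.
    if mode == HPCommandException.DENY_LIST_PERMIT_OTHERS:
        return command not in listed
    return command in listed or command in DEFAULT_COMMANDS


def permitted_commands(candidates: Sequence[str], accept: AccessAccept) -> List[str]:
    """Filter candidate commands down to those Table 10 permits, keeping order."""
    return [c for c in candidates if is_permitted(c, accept)]


if __name__ == "__main__":
    # Constructed command universe and list for replaying the table rows.
    universe = ["exit", "show version", "show running-config", "configure", "reload"]
    listed = ("configure", "reload")
    rows = {
        "DenyList(1), no list": AccessAccept(None, HPCommandException.DENY_LIST_PERMIT_OTHERS),
        "PermitList(0), no list": AccessAccept(None, HPCommandException.PERMIT_LIST_DENY_OTHERS),
        "DenyList(1), list": AccessAccept(listed, HPCommandException.DENY_LIST_PERMIT_OTHERS),
        "PermitList(0), list": AccessAccept(listed, HPCommandException.PERMIT_LIST_DENY_OTHERS),
        "absent, list": AccessAccept(listed, None),
        "absent, empty list": AccessAccept((), None),
        "DenyList(1), empty list": AccessAccept((), HPCommandException.DENY_LIST_PERMIT_OTHERS),
        "PermitList(0), empty list": AccessAccept((), HPCommandException.PERMIT_LIST_DENY_OTHERS),
    }
    for label, accept in rows.items():
        print(f"{label:28s} -> {permitted_commands(universe, accept)}")
    print("no VSAs at all               -> session admitted:", session_admitted(AccessAccept()))
```

Running the script replays each row of Table 10 against the constructed command universe; the pairing worth noticing is that an absent HP-Command-Exception is treated as PermitList-DenyOthers(0), so a RADIUS profile that sends a command list without the flag is a permit list, not a deny list.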
You must configure the RADIUS server to provide support for the HP VSAs. There are multiple
RADIUS server applications; the two examples below show how a dictionary file can be created
to define the VSAs for that RADIUS server application.
Configuring the RADIUS VSAs
Only RADIUS-authenticated port-access clients will be able to dynamically change the port access
settings using the new proprietary RADIUS VSAs. The settings that can be overridden are:
Client limit (address limit with mac-based port access)
Disabling the port-access types
Setting the port mode in which 802.1X is operating
164 RADIUS Authentication, Authorization, and Accounting