Access Security Guide K/KA/KB.15.15

NOTE: All usernames, passwords, and keys configured in the hpSwitchAuth MIB are not returned
via SNMP, and the response to SNMP queries for such information is a null string. However, SNMP
sets can be used to configure username, password, and key MIB objects.
To help prevent unauthorized access to the switch authentication MIB, HP recommends reviewing
“Viewing and changing the SNMP access configuration” (page 168).
If you do not want to use SNMP access to the switch authentication configuration MIB, then use
the snmp-server mib hpswitchauthmib excluded command to disable this access, as described in
the next section.
If you choose to leave SNMP access to the security MIB open (the default setting), HP recommends
that you configure the switch with the SNMP version 3 management and access security feature,
and disable SNMP version 2c access. See “SNMP access to the authentication configuration
MIB” (page 437).
Cached reauthentication
Cached reauthentication allows 802.1X, web-based, or MAC reauthentications to succeed when
the RADIUS server is unavailable. Users already authenticated retain their currently-assigned RADIUS
attributes. Uninterrupted service is provided for authenticated users with RADIUS-assigned VLANS
if the RADIUS server becomes temporarily unavailable during periodic reauthentications.
Cached reauthentication is similar to the authorized authentication method in that user credentials
are not checked. Any user credentials are valid even if they are different from those used during
the last successful authentication of the same session. However, cached reauthentication maintains
the current session attributes, unlike the authorized authentication method. New authentications
are not allowed. The RADIUS server can be the only allowed source of session attributes for
authenticated users.
Reauthentications are not disabled when the RADIUS server is unavailable. The switch initiates
reauthentications of clients at the specified period and the clients must comply with the requirements
for the reauthentication procedure exactly as is done for the authorized authentication method.
The table below summarizes the differences between the authorized method and the cached
reauthentication method.
Table 12 Authorized method and cached reauthentication method

Cached reauthentication                               Authorized
----------------------------------------------------  ----------------------------------------------------
New authentications are not allowed when RADIUS       New authentications are allowed when RADIUS server
server is unreachable.                                is unreachable.
All previously assigned attributes remain in effect   All previously RADIUS-assigned attributes are voided
on reauthentication when RADIUS server is             and replaced by switch-configured values on
unreachable.                                          reauthentication when RADIUS server is unreachable.
Cached reauthentication is supported for 802.1X, web-based authentication, and MAC
authentication. For more information about web-based/MAC authentication, see “Configuring
MAC authentication on the switch” (page 72). For more information on 802.1X, see “Port-Based
and User-Based Access Control (802.1X)” (page 455).
Timing considerations
The reauth period when the RADIUS server is unavailable is the configured reauth period plus an
additional X seconds, where X can vary from 1 to approximately 30 seconds in most cases,
depending on the number of RADIUS servers and other RADIUS parameters. This period of time
can be more or less than 30 seconds if the default "server-timeout" values for 802.1X or
web-based/MAC authentication have been changed from their default values. The period of time
represented by X is how long 802.1X or web-based/MAC authentication will wait for a RADIUS
response.
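The following is an added illustration, not HP code and not part of the guide: a small model of how a switch decides a periodic reauthentication under the authorized method versus cached reauthentication when the RADIUS server is unreachable, plus the effective reauthentication interval from the timing section (configured period plus the RADIUS wait X). The VLAN and ACL values, the dictionary layout and the function names are constructed for the example only.

```python
"""Added example: model of the "authorized" and "cached reauthentication"
policies described in the guide. Not HP code; the attribute values below are
constructed sample data, not real RADIUS attributes."""
from dataclasses import dataclass, field

# Constructed sample values. SWITCH_DEFAULTS stands for the switch-configured
# values that replace RADIUS attributes under the authorized method.
SWITCH_DEFAULTS = {"vlan": 10}
RADIUS_ASSIGNED = {"vlan": 200, "acl": "guest-acl"}


@dataclass
class Session:
    client: str
    authenticated: bool = False
    attributes: dict = field(default_factory=dict)


def reauthenticate(session, method, radius_reachable, radius_reply=None):
    """Apply one reauthentication attempt and return the updated session.

    method: "authorized" or "cached"
    radius_reply: attributes the server assigns when it is reachable, or None
                  when the server rejects the client.
    """
    if radius_reachable:
        # Normal operation: the RADIUS server is the only source of session
        # attributes, and a reject ends the session.
        if radius_reply is None:
            session.authenticated = False
            session.attributes = {}
        else:
            session.authenticated = True
            session.attributes = dict(radius_reply)
        return session

    if method == "authorized":
        # Credentials are not checked: new clients are admitted, and any
        # RADIUS-assigned attributes are voided and replaced by switch values.
        session.authenticated = True
        session.attributes = dict(SWITCH_DEFAULTS)
        return session

    if method == "cached":
        if session.authenticated:
            # Existing session: keep the attributes from the last successful
            # RADIUS authentication unchanged.
            return session
        # New authentications are not allowed while RADIUS is unreachable.
        session.authenticated = False
        session.attributes = {}
        return session

    raise ValueError(f"unknown method {method!r}")


def effective_reauth_period(configured_period, radius_wait):
    """Reauth interval while RADIUS is unreachable: the configured period plus
    X, the time the switch waits for a RADIUS response (bounded by the
    server-timeout settings and the number of servers)."""
    return configured_period + radius_wait


if __name__ == "__main__":
    # Existing session that was authenticated while RADIUS was reachable.
    s = reauthenticate(Session("pc-1"), "cached", True, RADIUS_ASSIGNED)
    # RADIUS now unreachable: cached keeps VLAN 200, authorized falls back to 10.
    print(reauthenticate(s, "cached", False).attributes)
    print(reauthenticate(Session("pc-1", True, dict(RADIUS_ASSIGNED)),
                         "authorized", False).attributes)
    print(effective_reauth_period(3600, 30))
```

The important difference for a defender is visible in the two unreachable branches: cached reauthentication never admits a client that has not previously been authenticated by RADIUS, while the authorized method admits anyone but only with the switch-configured values.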