Access Security Guide K/KA/KB.15.15

Example 7
1. A cached-reauth-period is set to 900 seconds (15 minutes) and the reauth
period is 180 seconds.
2. A client is successfully authenticated or reauthenticated.
3. The RADIUS server becomes unavailable. 180 seconds after the
authentication in step 2, 802.1X or web-based/MAC authentication initiates
reauthentication.
4. X seconds after the initiation of reauthentication in step 3 (1 to 30 seconds if
default values for 802.1X or web-based/MAC authentication are used), 802.1X
or web-based/MAC authentication receives notification that the RADIUS server
is unavailable.
5. 802.1X or web-based/MAC authentication allows the first cached
reauthentication and starts the cached reauth period.
6. A number of cached reauthentications occur within the 900 seconds after the
start of the cached reauth period in step 5. These have a period of 180 + X
seconds.
7. The cached reauthentication period (900 seconds) ends.
8. The next reauthentication begins 180 seconds after the last cached
reauthentication.
9. In X seconds after the reauthentication in step 8, 802.1X or web-based/MAC
authentication receives notification that the RADIUS server is still unavailable.
10. 802.1X or web-based/MAC authentication terminates the client's session.
Determining the maximum amount of time before client session termination
1. The maximum amount of time between step 2 and step 3 is 180 seconds.
2. The amount of time between step 3 and step 5 is X seconds.
3. The reauthentication in step 8 begins less than 180 seconds after step 7, and step 7
occurs 900 seconds after step 5. The maximum amount of time between step 5 and step 8 is
therefore 900 + 180 seconds.
4. The time between step 8 and step 9 is X seconds.
5. The total time is 180 + X + 900 + 180 + X, which equals 900 + 2(180 + X) seconds.
NOTE: The period of 1 to 30 seconds, represented by X, is not a firm time period; the time can
vary depending on other 802.1X and web-based/MAC auth parameters.
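The timeline in Example 7 and the 900 + 2(180 + X) bound can be checked with a small event model. The following is an added illustration, not code from the switch or from this guide: it assumes a simplified model in which a reauthentication is initiated exactly reauth-period seconds after the last successful or cached reauthentication, the "server unavailable" notification arrives X seconds after initiation, and the cached reauth window is tested at the moment the notification arrives (the names `CachedReauthModel`, `max_session_time` and `radius_down_at` are this example's own).

```python
from dataclasses import dataclass, field
from typing import List, Optional


def max_session_time(reauth_period: int, cached_reauth_period: int, x: int) -> int:
    """Worst-case seconds from the last RADIUS-verified authentication to session
    termination, per the derivation above: reauth + X + cached + reauth + X."""
    return cached_reauth_period + 2 * (reauth_period + x)


@dataclass
class CachedReauthModel:
    """Simplified model of 802.1X / web-based / MAC cached reauthentication.
    Assumed behaviour (this example's own, not the switch's implementation):
    the cache window is checked when the RADIUS-unavailable notice arrives."""
    reauth_period: int          # seconds between reauthentications (180 in Example 7)
    cached_reauth_period: int   # seconds of cached reauth allowed after RADIUS loss (900)
    x: int                      # seconds until "RADIUS unavailable" is reported (1..30)
    radius_down_at: int         # absolute time at which RADIUS becomes unreachable
    cached_reauths: int = 0     # how many cached reauthentications were allowed
    log: List[str] = field(default_factory=list)

    def run(self, start: int = 0) -> int:
        """Simulate from a successful RADIUS authentication at time `start`
        (radius_down_at must be later than `start`). Returns the absolute time
        at which the client session is terminated."""
        last_auth = start
        cache_started_at: Optional[int] = None
        self.log.append(f"{start:5d}s  authenticated via RADIUS")
        while True:
            initiated = last_auth + self.reauth_period
            if initiated < self.radius_down_at:
                # RADIUS still reachable: a normal reauthentication succeeds.
                last_auth = initiated
                self.log.append(f"{initiated:5d}s  reauthenticated via RADIUS")
                continue
            # RADIUS is down; the switch only learns that X seconds after initiating.
            notified = initiated + self.x
            if cache_started_at is None:
                # Step 5: first cached reauth is allowed and the cache window starts.
                cache_started_at = notified
                last_auth = notified
                self.cached_reauths += 1
                self.log.append(f"{notified:5d}s  RADIUS unavailable; cached reauth, window opens")
            elif notified - cache_started_at <= self.cached_reauth_period:
                # Step 6: further cached reauths, spaced reauth_period + X apart.
                last_auth = notified
                self.cached_reauths += 1
                self.log.append(f"{notified:5d}s  cached reauth allowed")
            else:
                # Steps 7-10: window expired and RADIUS still down -> terminate.
                self.log.append(f"{notified:5d}s  cache window expired; session terminated")
                return notified


if __name__ == "__main__":
    # Example 7 values with the largest default X; RADIUS dies right after step 2.
    model = CachedReauthModel(reauth_period=180, cached_reauth_period=900, x=30,
                              radius_down_at=1)
    ended = model.run()
    print("\n".join(model.log))
    print(f"terminated after {ended}s; bound is {max_session_time(180, 900, 30)}s")
```

With the Example 7 values and X = 30, the model allows five cached reauthentications and terminates the session 1260 seconds after the last RADIUS-verified authentication, inside the 1320-second bound. Note that the bound is measured from the last successful RADIUS reauthentication, not from the moment the server went down: if RADIUS fails between two reauthentications, the client keeps access for up to the full bound after the earlier one.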
Local authentication process
When the switch is configured to use RADIUS, it reverts to local authentication only if one of these
two conditions exists:
• Local is the authentication option for the access method being used.
• The switch has been configured to query one or more RADIUS servers for a primary
authentication request, but has not received a response, and Local is the configured secondary
option.
For local authentication, the switch uses the operator-level and manager-level username/password
set(s) previously configured locally on the switch. These are the usernames and passwords you
configure using the CLI password command, the WebAgent, or the menu interface (which enables
only local password configuration).
If the operator at the requesting terminal correctly enters the username/password pair for
either access level (operator or manager), access is granted on the basis of which
username/password pair was used. For example, suppose you configure Telnet primary
access for RADIUS and Telnet secondary access for local. If a RADIUS access attempt fails,
182 RADIUS Authentication, Authorization, and Accounting