Access Security Guide K/KA/KB.15.15

then you can still get access to either the operator or manager level of the switch by entering
the correct username/password pair for the level you want to enter.
If the username/password pair entered at the requesting terminal does not match either local
username/password pair previously configured in the switch, access is denied. In this case,
the terminal is again prompted to enter a username/password pair. In the default configuration,
the switch allows up to three attempts. If the requesting terminal exhausts the attempt limit
without a successful authentication, the login session is terminated and the operator at the
requesting terminal must initiate a new session before trying again.
Controlling WebAgent access
To help prevent unauthorized access through the WebAgent, do one or more of the following:
Configure the switch to support RADIUS authentication for WebAgent access.
Configure local authentication (a manager user name and password and, optionally, an
operator user name and password) on the switch.
Configure the switch’s Authorized IP manager feature to allow WebAgent access only
from authorized management stations. (The Authorized IP manager feature does not
interfere with TACACS+ operation.)
Use one of the following methods to disable WebAgent access to the switch via http (Port
80):
CLI: no web-management
Menu Interface—From the Main menu, select the following:
1. Number 2: Switch Configuration
2. Number 1: System Information
3. WebAgent Enabled: No
Commands authorization
The RADIUS protocol combines user authentication and authorization steps into one phase. The
user must be successfully authenticated before the RADIUS server will send authorization information
from the user's profile to the Network Access Server (NAS). After user authentication has occurred,
the authorization information provided by the RADIUS server is stored on the NAS for the duration
of the user's session. Changes in the user's authorization profile during this time will not be effective
until after the next authentication occurs.
You can limit the services for a user by enabling AAA RADIUS authorization. The NAS uses the
information set up on the RADIUS server to control the user's access to CLI commands.
The authorization type implemented on the switches is the "commands" method. This method
explicitly specifies on the RADIUS server which commands are allowed on the client device for
authenticated users. This is done on a per-user or per-group basis.
By default, all users may execute a minimal set of commands regardless of their authorization
status, for example, "exit" and "logout". This minimal set of commands can prevent deadlock on
the switch due to an error in the user's authorization profile on the RADIUS server.
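The following Python is an added example, not code from this guide or from the switch firmware. It models the three behaviours described above: the authorization profile is delivered only after a successful authentication and is then held for the life of the session, a minimal command set ("exit", "logout") is always permitted so a broken profile cannot lock the user in, and every other command must match the user's permit list. The in-memory RADIUS_PROFILES table, the whole-word pattern syntax with a trailing "*" wildcard, and the helper names are assumptions made for the example; they are not the switch's real RADIUS attribute format.

```python
"""Model of NAS-side "commands" authorization with a per-session profile snapshot."""
from dataclasses import dataclass

# Commands every authenticated user may run regardless of profile (from the text).
ALWAYS_ALLOWED = frozenset({"exit", "logout"})

# Constructed "RADIUS server" database for the example: user -> (password, permit list).
RADIUS_PROFILES = {
    "netops": ("s3cret", ["show *", "configure", "vlan *", "write memory"]),
    "helpdesk": ("h3lp", ["show interfaces *", "show mac-address *"]),
    "broken": ("oops", []),  # empty profile: only the minimal set still works
}


def _matches(pattern: str, command: str) -> bool:
    """Whole-token match; a trailing '*' token matches any remaining tokens (assumed syntax)."""
    pat, cmd = pattern.split(), command.split()
    if pat and pat[-1] == "*":
        return cmd[: len(pat) - 1] == pat[:-1]
    return pat == cmd


@dataclass(frozen=True)
class Session:
    """Authorization state the NAS keeps for one login; 'permit' is a snapshot."""
    user: str
    permit: tuple

    def is_allowed(self, command: str) -> bool:
        command = " ".join(command.split())
        if command in ALWAYS_ALLOWED:
            return True  # deadlock guard: never depends on the profile
        return any(_matches(p, command) for p in self.permit)


def authenticate(user: str, password: str):
    """Single RADIUS phase: authentication, then the profile is delivered to the NAS.

    Returns a Session, or None on Access-Reject (no authorization data is delivered).
    """
    entry = RADIUS_PROFILES.get(user)
    if entry is None or entry[0] != password:
        return None
    return Session(user, tuple(entry[1]))  # copy: later server edits do not leak in


def profile_change_demo():
    """Show that a server-side profile edit takes effect only after re-authentication."""
    s = authenticate("helpdesk", "h3lp")
    before = s.is_allowed("configure")
    RADIUS_PROFILES["helpdesk"][1].append("configure")  # admin edits the server profile
    during = s.is_allowed("configure")  # still evaluated against the session snapshot
    after = authenticate("helpdesk", "h3lp").is_allowed("configure")  # new session
    return before, during, after


if __name__ == "__main__":
    print(profile_change_demo())  # (False, False, True)
```

The point of the `Session` snapshot is the one the text makes: an administrator who tightens or loosens a profile on the RADIUS server has changed nothing for users already logged in, so revoking a user's CLI rights means ending the session, not just editing the server.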
VLAN assignment in an authentication session
A switch supports concurrent 802.1X and either web-based or MAC authentication sessions on a
port (with up to 32 clients allowed). If you have configured RADIUS as the primary authentication
method for a type of access, then when a client authenticates on a port, the RADIUS server can
assign the session to an untagged VLAN. That VLAN must already be statically configured on the
switch. For how to configure the VLAN assignment on the server side, see the documentation
provided with the RADIUS server application.
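The following Python is an added example, not code from this guide or from the switch firmware. It builds the three RFC 2868 tunnel attributes that RADIUS servers commonly place in an Access-Accept to assign a VLAN (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>), parses them back the way a NAS would, and then applies the check the text states: the assigned VLAN must already be statically configured on the switch. The attribute numbers and values are from RFC 2868 and RFC 3580; the STATIC_VLANS table and the function names are constructed for the example.

```python
"""RADIUS VLAN-assignment attributes: server-side encoding and NAS-side validation."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868: Tunnel-Medium-Type value "802"
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _attr(attr_type: int, payload: bytes) -> bytes:
    """One RADIUS attribute TLV: type(1) length(1, counts the header) value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def vlan_accept_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Attributes a RADIUS server sends to assign an untagged VLAN (tagged form per RFC 2868)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 0..31")
    t = struct.pack("!B", tag)
    return (_attr(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def parse_attributes(data: bytes):
    """Split a RADIUS attribute blob into (type, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def assigned_vlan(attrs):
    """Return the VLAN ID described by a complete tunnel-attribute group, else None.

    Tunnel attributes are grouped by their tag byte.  For Tunnel-Private-Group-ID a
    first byte above 0x1F is part of the string, not a tag (RFC 2868 section 3.6).
    """
    by_tag = {}
    for t, v in attrs:
        if t in TUNNEL_ATTRS and v:
            tagged = v[0] <= 0x1F
            by_tag.setdefault(v[0] if tagged else 0, {})[t] = v[1:] if tagged else v
    for _tag, grp in sorted(by_tag.items()):
        ttype = int.from_bytes(grp.get(TUNNEL_TYPE, b"\0\0\0"), "big")
        medium = int.from_bytes(grp.get(TUNNEL_MEDIUM_TYPE, b"\0\0\0"), "big")
        gid = grp.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_IEEE_802 \
                and gid.isdigit() and 1 <= int(gid) <= 4094:
            return int(gid)
    return None


# Constructed switch state for the example: VLANs statically configured on the switch.
STATIC_VLANS = frozenset({1, 10, 20, 30})


def session_vlan(accept_attrs: bytes, static_vlans=STATIC_VLANS):
    """NAS-side decision for one authentication session.

    Returns the untagged VLAN to use, or None when the Access-Accept carries no
    VLAN assignment.  Raises ValueError when the server names a VLAN that is not
    statically configured on the switch, which the text says is required.
    """
    vlan = assigned_vlan(parse_attributes(accept_attrs))
    if vlan is not None and vlan not in static_vlans:
        raise ValueError(f"RADIUS assigned VLAN {vlan}, not statically configured on switch")
    return vlan


if __name__ == "__main__":
    print(session_vlan(vlan_accept_attributes(20)))  # 20
```

The practical consequence of the static-VLAN requirement is that a RADIUS profile and the switch configuration must be changed together: creating the VLAN on the server side alone yields a session whose assignment the switch cannot honour, so check the switch's VLAN table before rolling out a new profile.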