Access Security Guide K/KA/KB.15.15

access ports by creating new RADIUS HP vendor-specific attributes (VSAs) that will dynamically
override the authentication limits. The changes are always applied to the port on the authenticator
switch associated with the supplicant being authenticated.
NOTE: All the changes requested by the VSAs must be valid for the switch configuration. For
example, if either MAC or web-based port access is configured while 802.1X port access is in
client-based mode, a RADIUS client with a VSA that changes the 802.1X port access to port-based
mode is not allowed, because 802.1X in port-based mode cannot coexist with MAC or web-based
port access. However, if the authenticating client's Access-Accept also carries VSAs that disable
MAC and web-based authentication in conjunction with changing 802.1X to port-based mode, the
client authentication is allowed.
RADIUS operation
Switch operating rules for RADIUS
You must have at least one RADIUS server accessible to the switch.
The switch supports authentication and accounting using up to fifteen RADIUS servers. The
switch accesses the servers in the order in which they are listed by show radius. If the first
server does not respond, the switch tries the next one, and so-on. To change the order in which
the switch accesses RADIUS servers, see “Changing RADIUS-server access order” (page 179).
You can select RADIUS as the primary authentication method for each type of access. (Only
one primary and one secondary access method is allowed for each access type.)
In the HP switch, EAP RADIUS uses MD5 (EAP-MD5) or TLS (EAP-TLS) to protect the response to a
challenge from a RADIUS server.
When primary/secondary authentication is set to Radius/Local (for either Login or Enable)
and no RADIUS server responds to a client attempt to authenticate, the failure is noted
in the Event Log with the message radius: Can't reach RADIUS server <server-ip-addr>.
When this type of failure occurs, the switch prompts the client again to enter a username
and password. At this second prompt, use the local username (if any) and password
configured on the switch itself.
Zero-length usernames or passwords are not allowed for RADIUS authentication, even though
allowed by some RADIUS servers.
TACACS+ is not supported for the WebAgent access.
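The access-order and fallback rules above, as an added example that is not code from the guide or from the switch firmware. It models the behaviour the text describes: servers are tried in show radius order, a server that does not respond is logged with the Event Log message quoted above and the next one is tried, zero-length credentials are refused before any server is contacted, and only when no server answers does a Radius/Local configuration fall back to a second prompt checked against the local username and password. The RadiusServer.respond callables and the always() helper are constructed stand-ins for a real Access-Request exchange.

```python
"""Model of the switch operating rules for RADIUS (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
from typing import Callable, Optional

MAX_RADIUS_SERVERS = 15          # the switch supports up to fifteen servers
UNREACHABLE_MSG = "radius: Can't reach RADIUS server <{ip}>"


@dataclass
class RadiusServer:
    ip: str
    # Constructed stand-in for the network exchange:
    # True = Access-Accept, False = Access-Reject, None = no response (timeout).
    respond: Callable[[str, str], Optional[bool]]


@dataclass
class Switch:
    servers: list                     # in 'show radius' order; tried in this order
    local_users: dict                 # local username -> password on the switch
    secondary: str = "local"          # 'local' models Radius/Local, 'none' models Radius only
    event_log: list = field(default_factory=list)

    def authenticate(self, username: str, password: str):
        """Return ('accept'|'reject', server_ip) or ('local-prompt', None)."""
        if len(self.servers) > MAX_RADIUS_SERVERS:
            raise ValueError("at most fifteen RADIUS servers are supported")
        if not self.servers:
            raise ValueError("at least one RADIUS server must be configured")
        # Zero-length usernames or passwords are refused before any server is
        # contacted, even though some RADIUS servers would accept them.
        if not username or not password:
            return ("reject", None)
        for server in self.servers:
            verdict = server.respond(username, password)
            if verdict is None:
                # Not reachable: note it in the Event Log and try the next server.
                self.event_log.append(UNREACHABLE_MSG.format(ip=server.ip))
                continue
            # A server that answers decides the outcome. The guide describes the
            # local fallback only for servers that fail to respond, so an
            # Access-Reject is final here (modelling assumption).
            return ("accept" if verdict else "reject", server.ip)
        # No server answered. With Radius/Local the switch prompts again and
        # checks the local credentials at that second prompt.
        if self.secondary == "local":
            return ("local-prompt", None)
        return ("reject", None)

    def authenticate_local(self, username: str, password: str) -> bool:
        """Second prompt after every RADIUS server failed to respond (Radius/Local only)."""
        return self.local_users.get(username) == password


def always(verdict: Optional[bool]) -> Callable[[str, str], Optional[bool]]:
    """Constructed server behaviour: accept (True), reject (False) or time out (None)."""
    return lambda username, password: verdict


if __name__ == "__main__":
    sw = Switch(servers=[RadiusServer("10.1.1.1", always(None)),
                         RadiusServer("10.1.1.2", always(True))],
                local_users={"manager": "local-pw"})
    print(sw.authenticate("alice", "secret"), sw.event_log)
```

The ordering matters operationally: because only a non-responding server is skipped, a reachable but misconfigured first server (wrong shared secret, stale user database) answers with Access-Reject and the remaining servers are never consulted.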
Operating notes
Only RADIUS authentication supports the new VSAs. Other authentication types, such as
TACACS+, do not support them.
The new VSAs are not supported in IDM and cannot be specified in its configurations; the
new VSAs must be configured manually.
If the RADIUS server delivers a new VSA that the authenticator switch does not understand,
the switch rejects the whole Access-Accept message.
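How an authenticator might parse the HP VSAs out of an Access-Accept and apply the two rules stated on this page (an unrecognised HP VSA causes the whole Access-Accept to be rejected; an override to 802.1X port-based mode is only valid once MAC and web-based authentication are disabled, either already on the port or by VSAs in the same Access-Accept). This is an added example, not code from the guide or the switch. The Vendor-Specific attribute layout (type 26, four-byte Vendor-Id, then vendor type/length/value) is the RFC 2865 format; the vendor ID 11 is the IANA enterprise number registered to Hewlett-Packard. The vendor-type codes VSA_DOT1X_MODE, VSA_MAC_AUTH and VSA_WEB_AUTH and their integer encodings are placeholders chosen for this example, because the real HP codes are not given on this page.

```python
"""Parse HP vendor-specific attributes and apply the override rules (added example)."""
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute
HP_VENDOR_ID = 11           # IANA enterprise number for Hewlett-Packard

# Placeholder vendor-type codes for this example only (not HP's real codes).
VSA_DOT1X_MODE = 1          # value 1 = port-based, 2 = client-based
VSA_MAC_AUTH = 2            # value 0 = disable, 1 = enable MAC authentication
VSA_WEB_AUTH = 3            # value 0 = disable, 1 = enable web-based authentication
KNOWN_HP_VSAS = {VSA_DOT1X_MODE, VSA_MAC_AUTH, VSA_WEB_AUTH}


class UnknownVsa(Exception):
    """Raised when the Access-Accept carries an HP VSA this switch does not understand."""


def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list (type, length, value TLVs)."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        yield attr_type, payload[i + 2:i + length]
        i += length


def parse_hp_vsas(payload: bytes) -> dict:
    """Return {vendor_type: int value} for HP VSAs; other vendors' VSAs are ignored."""
    vsas = {}
    for attr_type, value in parse_attributes(payload):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 4:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        if vendor_id != HP_VENDOR_ID:
            continue
        j = 4
        while j < len(value):               # one or more vendor TLVs may follow
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed vendor TLV")
            if vtype not in KNOWN_HP_VSAS:
                raise UnknownVsa(vtype)
            vsas[vtype] = struct.unpack("!I", value[j + 2:j + vlen])[0]
            j += vlen
    return vsas


def vsa_for_vendor(vendor_id: int, vendor_type: int, value: int) -> bytes:
    """Build one Vendor-Specific attribute carrying a 4-byte integer (constructed input)."""
    body = struct.pack("!I", vendor_id) + struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def hp_vsa(vendor_type: int, value: int) -> bytes:
    return vsa_for_vendor(HP_VENDOR_ID, vendor_type, value)


def apply_overrides(port: dict, access_accept_attrs: bytes):
    """Apply VSA overrides to the port of the authenticated supplicant.

    Returns (accepted, resulting port configuration). The original port dict
    is returned unchanged whenever the Access-Accept is rejected.
    """
    try:
        vsas = parse_hp_vsas(access_accept_attrs)
    except UnknownVsa:
        return False, port                    # unknown VSA: whole Access-Accept rejected
    new = dict(port)
    if VSA_MAC_AUTH in vsas:
        new["mac_auth"] = bool(vsas[VSA_MAC_AUTH])
    if VSA_WEB_AUTH in vsas:
        new["web_auth"] = bool(vsas[VSA_WEB_AUTH])
    if VSA_DOT1X_MODE in vsas:
        new["dot1x_mode"] = "port-based" if vsas[VSA_DOT1X_MODE] == 1 else "client-based"
    # The requested result must be a valid switch configuration: 802.1X port-based
    # mode cannot coexist with MAC or web-based port access.
    if new["dot1x_mode"] == "port-based" and (new["mac_auth"] or new["web_auth"]):
        return False, port
    return True, new
```

Note that the validity check runs on the combined result, so a single Access-Accept that both disables MAC/web authentication and switches 802.1X to port-based mode is accepted, while the same mode change without the disables is refused.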
NOTE: The switch does not support RADIUS security for SNMP (network management) access.
Beginning with software release K.12.xx, the switch default configuration allows SNMP access to
the hpSwitchAuth Management Information Base (MIB). A management station running an SNMP
networked device management application such as PCM+ or HP OpenView can access the switch
MIB for read access to the switch status and read/write access to the switch configuration.