Access Security Guide K/KA/KB.15.15

HP Switches take advantage of vendor-specific attributes (VSAs) applied in a RADIUS server to
support the following optional, RADIUS-assigned attributes:
802.1p (CoS) priority assignment to inbound traffic on specified ports (port-access authentication only)
Per-Port Rate-Limiting on a port with an active link to an authenticated client (port-access authentication only)
Commands authorization on HTTPS overview
The RADIUS protocol combines user authentication and authorization steps into one phase. The
user must be successfully authenticated before the RADIUS server will send authorization information
(from the user’s profile) to the Network Access Server (NAS).
Commands authorization assigns a list of CLI commands that can be executed by a specified user.
The permitted CLI commands are defined on the remote RADIUS server in a user’s profile. When
authentication is successful, the RADIUS server returns the permitted list of CLI commands that the
authenticated user is authorized to execute. By default, all users may execute a minimal set of
commands regardless of their authorization status, for example, “exit” and “logout”. This minimal
set of commands can prevent deadlock on the switch due to an error in the user’s authorization
profile on the RADIUS server.
The user’s profile is encoded into HP Vendor Specific Attributes (VSAs):
HP-Command-String
HP-Command-Exception
The list of permitted commands is used to filter all the commands executed by the user until the end
of the session. This allows greater authorization control, where different rights can be given to
different manager or operator users.
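To make the filtering described above concrete, here is an added Python sketch (not HP code, not from this guide) of how a NAS could derive a per-session command filter from the two VSAs while keeping the minimal always-permitted set that prevents deadlock. The encoding it assumes is not stated on this page: a semicolon-separated list of regular expressions in HP-Command-String, and HP-Command-Exception read as 0 for a permit list and 1 for a deny list.

```python
import re
from dataclasses import dataclass

# Commands every session may run regardless of the profile returned by RADIUS
# (the guide names "exit" and "logout"); this is what avoids a lock-out when the
# authorization profile on the server is wrong or empty.
ALWAYS_PERMITTED = frozenset({"exit", "logout"})


@dataclass(frozen=True)
class CommandPolicy:
    """Command authorization derived from the HP VSAs after a successful Access-Accept."""
    patterns: tuple            # from HP-Command-String
    deny_list: bool = False    # from HP-Command-Exception (assumed: 1 means the list denies)

    @classmethod
    def from_radius_reply(cls, attrs: dict) -> "CommandPolicy":
        # ASSUMED encoding: semicolon-separated regexes; exception value 0 = permit, 1 = deny.
        raw = attrs.get("HP-Command-String", "")
        patterns = tuple(p.strip() for p in raw.split(";") if p.strip())
        return cls(patterns=patterns, deny_list=attrs.get("HP-Command-Exception", 0) == 1)

    def permits(self, command: str) -> bool:
        """Decide one CLI line; the same policy object is reused for the whole session."""
        cmd = " ".join(command.split())  # normalise whitespace before matching
        if cmd in ALWAYS_PERMITTED:
            return True
        matched = any(re.fullmatch(p, cmd) for p in self.patterns)
        return not matched if self.deny_list else matched


def filter_session(attrs: dict, commands: list) -> dict:
    """Apply the policy from one RADIUS reply to every command typed in the session."""
    policy = CommandPolicy.from_radius_reply(attrs)
    return {c: policy.permits(c) for c in commands}


# Constructed sample replies (not captured from a real server).
SAMPLE_REPLY = {"HP-Command-String": "show .*;vlan .*", "HP-Command-Exception": 0}
BROKEN_REPLY = {"HP-Command-String": "", "HP-Command-Exception": 0}  # misconfigured profile

if __name__ == "__main__":
    session = ["show running-config", "vlan 10", "configure", "logout"]
    print(filter_session(SAMPLE_REPLY, session))
    # Even with an empty permit list the user can still leave the switch.
    print(filter_session(BROKEN_REPLY, ["show vlan", "exit"]))
```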
WebAgent windows when using command authorization
When using Commands authorization, the WebAgent windows may show or hide fields, or allow
or deny configuration steps, based on the access or deny list (VSA filtering) for the authenticated
user. The following differences may be seen depending on the authorized commands in effect:
When none of the fields in a window are editable, that is, they are read-only, the Change button is disabled and grayed out.
When an option is not editable, the Change button is grayed out.
A field that is not allowed for viewing is blank.
A window or sections of a window may be hidden.
Contents of table rows, table columns, and individual table fields can be:
Editable, including delete permission
Read-only (no delete permission)
Inaccessible, and hidden from display
If there are some configured VLANs for which a field is hidden, for example, the Name column,
and configuring a new VLAN is allowed, the currently configured VLANs will appear in the
Name column with a grayish background. The Name column is only completely hidden if
configuring the Name (or any specified column or field) for all VLANs is not allowed.
When there is a check box for enabling/disabling a feature and that feature is not allowed, the check box is disabled.
Fields in a window that are marked as “na” are not accessible and have a light gray background.
The contents will be blank. A selection can be missing from the navigation tree in the left pane as
196 RADIUS Authentication, Authorization, and Accounting