Access Security Guide K/KA/KB.15.15

1. Enable 802.1X authentication on the individual ports you want to serve as authenticators.
(The switch automatically disables LACP on the ports on which you enable 802.1X.) On the
ports you will use as authenticators with VLAN operation, ensure that the port-control parameter
is set to auto (the default). (See “Enable 802.1X Authentication on Selected Ports” (page 458).)
This setting requires a client to support 802.1X authentication (with 802.1X supplicant
operation) and to provide valid credentials to get network access.
Syntax
aaa port-access authenticator < port-list > control auto
Activates 802.1X port-access on ports you have configured as authenticators.
2. Configure the 802.1X authentication type. Options include:
Syntax
aaa authentication port-access < local | eap-radius | chap-radius >
Determines the type of RADIUS authentication to use.
local
Use the switch’s local username and password for supplicant authentication
(the default).
eap-radius
Use EAP-RADIUS authentication. (See the documentation for your RADIUS server.)
chap-radius
Use CHAP-RADIUS (MD5) authentication. (See the documentation for your
RADIUS server software.)
3. If you selected either eap-radius or chap-radius for step 2, use the radius host command to
configure up to three RADIUS server IP address(es) on the switch.
Syntax
radius host < ip-address > [oobm]
Adds a server to the RADIUS configuration. For switches that have a separate
out-of-band management port, the oobm parameter specifies that the RADIUS traffic
will go through the out-of-band management (OOBM) port.
[key < server-specific key-string >]
Optional. Specifies an encryption key for use with the specified server. This key
must match the key used on the RADIUS server. Use this option only if the specified
server requires a different key than configured for the global encryption key. The
tilde (~) character is allowed in the string. It is not backward compatible; the “~”
character is lost if you use a software version that does not support the “~” character.
Syntax
radius-server key < global key-string >
Specifies the global encryption key the switch uses for sessions with servers for
which the switch does not have a server-specific key. This key is optional if all
RADIUS server addresses configured in the switch include a server-specific
encryption key. The tilde (~) character is allowed in the string, for example,
radius-server key hp~switch. It is not backward compatible; the “~” character is lost
if you use a software version that does not support the “~” character.
Default: Null
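The following is an added example, not part of the original guide or of HP's software: a pre-deployment check that reviews a planned command set against the rules in steps 1 through 3 (port-control auto, one to three RADIUS hosts for eap-radius or chap-radius, a key available for every host, and the “~” compatibility caveat). The function name audit_8021x, the port list, the addresses and the keys are constructed for illustration, and the input is assumed to be typed exactly in the syntax shown on this page.

```python
import re

def audit_8021x(commands):
    """Hypothetical helper: findings for commands written in this page's syntax."""
    findings = []
    auth_type = "local"          # the page states local is the default
    hosts, global_key, auth_ports = [], None, False
    for line in (c.strip() for c in commands):
        m = re.fullmatch(r"aaa port-access authenticator (\S+)(?: control (\S+))?", line)
        if m:
            auth_ports = True
            if m.group(2) not in (None, "auto"):   # auto is the default
                findings.append(f"ports {m.group(1)}: port-control is {m.group(2)}, not auto")
            continue
        m = re.fullmatch(r"aaa authentication port-access (local|eap-radius|chap-radius)", line)
        if m:
            auth_type = m.group(1)
            continue
        m = re.fullmatch(r"radius host (\S+)( oobm)?(?: key (\S+))?", line)
        if m:
            hosts.append((m.group(1), m.group(3)))   # (address, server-specific key or None)
            continue
        m = re.fullmatch(r"radius-server key (\S+)", line)
        if m:
            global_key = m.group(1)
    if not auth_ports:
        findings.append("no authenticator ports enabled")
    if auth_type != "local":
        if not 1 <= len(hosts) <= 3:
            findings.append(f"{auth_type} needs 1 to 3 RADIUS hosts, found {len(hosts)}")
        for ip, key in hosts:
            if key is None and global_key is None:
                findings.append(f"host {ip}: no server-specific key and no global key")
    for key in [global_key] + [k for _, k in hosts]:
        if key and "~" in key:
            findings.append("key contains '~': lost on software without '~' support")
    return findings

# Constructed sample: documentation addresses, placeholder keys.
SAMPLE = [
    "aaa port-access authenticator A1-A4 control auto",
    "aaa authentication port-access eap-radius",
    "radius host 192.0.2.10 key example~key",
    "radius host 192.0.2.11",
]

if __name__ == "__main__":
    for f in audit_8021x(SAMPLE):
        print(f)
```
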
466 Port-Based and User-Based Access Control (802.1X)