Common Criteria for HP Networking Switches

RADIUS Authentication
Authenticating users via RADIUS provides a centralized way to manage access to the switch. This allows
the administrator to make modifications to the set of authorized users without having to make changes
on every network device.
To enable RADIUS authentication as the primary method, and Local as the secondary method, use the
following configuration command:
HP Switch(config)# aaa authentication < console | telnet | ssh | web > < enable | login > radius local
SSH also includes authentication for SCP and SFTP.
Note: If the secondary access method is “None” or “Local” with no passwords configured, the user
will be granted manager-level access if the primary method fails for any reason.
For details, refer to the chapter titled “RADIUS Authentication and Accounting” in the Access Security
Guide for your switch.
TACACS Authentication
Authenticating users via TACACS also provides a centralized way to manage access to the switch.
TACACS authentication works along the same lines as RADIUS authentication, allowing the
administrator to manage users from a central server.
To enable TACACS authentication as the primary method, and Local as the secondary method, use the
following configuration command:
HP Switch(config)# aaa authentication < console | telnet | ssh | web > < enable | login > tacacs local
Note on RADIUS and TACACS keys: When copying a configuration off a switch, certain security
parameters, including the RADIUS and TACACS keys, are not included in the copied configuration. If
that configuration is later used to restore a device, the keys will be missing, and authentication
against the RADIUS or TACACS server can then fail because the shared key no longer matches,
possibly resulting in users being denied access.
For details, refer to the chapter titled “TACACS+ Authentication” in the Access Security Guide for your
switch.
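The RADIUS and TACACS sections above both rely on "local" as the secondary method, and the note under RADIUS warns that a secondary of "None", or "Local" with no password configured, grants manager-level access whenever the primary method fails. The following Python script is an added example, not part of this guide or HP's tooling: it audits a saved running-config for exactly that condition. The sample configs are constructed; the aaa authentication lines follow the syntax shown in the guide, while the assumption that a configured local manager password shows up as a password manager line, and the radius-server host line with its placeholder key, are ours and should be checked against your switch's actual show running-config output.

```python
"""Audit a switch running-config for the AAA fallback weakness described
in the guide: with a server-backed primary method (radius/tacacs), a
secondary of 'none', or 'local' with no manager password configured,
grants manager-level access whenever the primary method fails.

Constructed sample format: the 'aaa authentication' lines follow the
syntax shown in the guide; the assumption that a configured local
manager password appears as a 'password manager' line is ours.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SERVER_METHODS = ("radius", "tacacs")

# aaa authentication <console|telnet|ssh|web> <enable|login> <primary> [secondary]
AAA_RE = re.compile(
    r"^\s*aaa authentication\s+(console|telnet|ssh|web)\s+(enable|login)\s+"
    r"(radius|tacacs|local|none)(?:\s+(radius|tacacs|local|none))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    access: str      # console, telnet, ssh or web
    context: str     # login or enable
    primary: str
    secondary: str
    reason: str


def parse_aaa_lines(config: str) -> List[Tuple[str, str, str, str]]:
    """Return (access, context, primary, secondary) for every aaa line.

    A missing secondary method is reported as 'none' here; this is an
    assumption, so confirm the default on your switch model.
    """
    entries = []
    for line in config.splitlines():
        m = AAA_RE.match(line)
        if m:
            access, context, primary, secondary = m.groups()
            entries.append((access, context, primary, secondary or "none"))
    return entries


def has_local_manager_password(config: str) -> bool:
    """True if a local manager password is configured (assumed 'password manager' line)."""
    return any(re.match(r"^\s*password manager\b", line) for line in config.splitlines())


def audit_aaa_fallback(config: str) -> List[Finding]:
    """Flag every server-backed aaa line whose fallback would grant manager access."""
    findings: List[Finding] = []
    manager_pw = has_local_manager_password(config)
    for access, context, primary, secondary in parse_aaa_lines(config):
        if primary not in SERVER_METHODS:
            continue  # only a server-backed primary has the fallback problem
        if secondary == "none":
            findings.append(Finding(access, context, primary, secondary,
                                    "secondary 'none': server failure grants manager access"))
        elif secondary == "local" and not manager_pw:
            findings.append(Finding(access, context, primary, secondary,
                                    "secondary 'local' with no manager password configured"))
    return findings


# Constructed sample configs (not real switch dumps). Key shown as a placeholder.
WEAK_CONFIG = """\
hostname "HP-Switch-Edge"
radius-server host 192.0.2.10 key <RADIUS-KEY-PLACEHOLDER>
aaa authentication console login radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius none
"""

HARDENED_CONFIG = """\
hostname "HP-Switch-Edge"
password manager
radius-server host 192.0.2.10 key <RADIUS-KEY-PLACEHOLDER>
aaa authentication console login radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
"""


def report(config: str) -> str:
    """Human-readable summary of the audit result for one config."""
    findings = audit_aaa_fallback(config)
    if not findings:
        return "OK: no insecure AAA fallback found"
    return "\n".join(f"WARN {f.access}/{f.context} {f.primary} {f.secondary}: {f.reason}"
                     for f in findings)


if __name__ == "__main__":
    print("weak config:\n" + report(WEAK_CONFIG))
    print("hardened config:\n" + report(HARDENED_CONFIG))
```

The weak sample produces three warnings (two "local" fallbacks with no manager password and one "none" fallback); the hardened sample, which sets a manager password and uses "local" throughout, produces none. Because the guide notes that RADIUS and TACACS keys are stripped from copied configurations, a clean audit of an off-box copy says nothing about whether the shared keys on the restored device still match the server.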
Server-Supplied Privilege Level
Login privilege level instructs the switch to accept the authenticating user's command level (manager or
operator) as supplied by the server. This allows manager-level users to skip the login context and
proceed immediately to the enable context, eliminating the need for a manager-level user to log in
twice.
To allow the switch to accept the privilege level provided by the server, use the following configuration