BLADE OS™ Application Guide HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Version 5.1 Advanced Functionality Software
Table Of Contents
- Contents
- Figures
- Tables
- Preface
- Part 1: Basic Switching
- Accessing the Switch
- The Management Network
- Local Management Using the Console Port
- The Command Line Interface
- Remote Management Access
- Client IP Address Agents
- Securing Access to the Switch
- Setting Allowable Source IP Address Ranges
- RADIUS Authentication and Authorization
- TACACS+ Authentication
- LDAP Authentication and Authorization
- Secure Shell and Secure Copy
- Configuring SSH/SCP Features on the Switch
- Configuring the SCP Administrator Password
- Using SSH and SCP Client Commands
- SSH and SCP Encryption of Management Messages
- Generating RSA Host and Server Keys for SSH Access
- SSH/SCP Integration with Radius Authentication
- SSH/SCP Integration with TACACS+ Authentication
- End User Access Control
- Ports and Trunking
- Port-Based Network Access Control
- VLANs
- Spanning Tree Protocol
- RSTP and MSTP
- Link Layer Discovery Protocol
- Quality of Service
- Accessing the Switch
- Part 2: IP Routing
- Basic IP Routing
- Routing Information Protocol
- IGMP
- OSPF
- OSPF Overview
- OSPF Implementation in BLADE OS
- OSPF Configuration Examples
- Remote Monitoring
- Part 3: High Availability Fundamentals
- High Availability
- Layer 2 Failover
- Server Link Failure Detection
- VRRP Overview
- Failover Methods
- BLADE OS Extensions to VRRP
- Virtual Router Deployment Considerations
- High Availability Configurations
- High Availability
- Part 4: Appendices
- Index
BLADE OS 5.1 Application Guide
BMD00113, September 2009 Chapter 1: Accessing the Switch 43
RADIUS Authentication and Authorization
BLADE OS supports the RADIUS (Remote Authentication Dial-in User Service) method to
authenticate and authorize remote administrators for managing the switch. This method is based on
a client/server model. The Remote Access Server (RAS)—the switch—is a client to the back-end
database server. A remote user (the remote administrator) interacts only with the RAS, not the
back-end server and database.
RADIUS authentication consists of the following components:
A protocol with a frame format that utilizes UDP over IP (based on RFC 2138 and 2866)
A centralized server that stores all the user authorization information
A client, in this case, the switch
The GbE2c—acting as the RADIUS client—communicates to the RADIUS server to authenticate
and authorize a remote administrator using the protocol definitions specified in RFC 2138 and
2866. Transactions between the client and the RADIUS server are authenticated using a shared key
that is not sent over the network. In addition, the remote administrator passwords are sent encrypted
between the RADIUS client (the switch) and the back-end RADIUS server.
How RADIUS Authentication Works
1. Remote administrator connects to the switch and provides user name and password.
2. Using Authentication/Authorization protocol, the switch sends request to authentication server.
3. Authentication server checks the request against the user ID database.
4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny
administrative access.