3Com Switch 8800 Advanced Software V5 Configuration Guide
■ Local authentication checks the service types of a local user. If the service types
are not available, the user cannot pass authentication. During authorization, a
user with no service type configured is authorized with no service by default.
■ If you specify an authentication method that requires a username and
password, including local authentication, RADIUS authentication and
HWTACACS authentication, the level of the commands that a user can use
after logging in depends on the priority of the user, or on the priority of
the user interface level, as with other authentication methods. For an SSH
user using RSA public key authentication, the commands that can be used
depend on the level configured on the user interface. For details regarding
authentication methods and command levels, refer to “User Interface
Configuration” on page 43.
■ Both the service-type and level commands can be used to specify user
priority. The one used later has the final effect.
■ The attribute ip command only applies to authentications that support IP
address passing, such as 802.1x. If you configure the command for
authentications that do not support IP address passing, such as MAC address
authentication, the local authentication will fail.
■ The attribute port command binds a port by its number only, regardless of
the port type.
■ The idle-cut command configured in user view applies to lan-access users only.
■ In active/standby mode, if the directory specified by the active card does not
exist on the standby card, then after an active/standby switchover you may fail
to log in to the system, or you may be unable to perform normal operations
after a successful login.
■ If the current working directory specified by FTP/SFTP contains the slot number
of the standby card, you will fail to log into the system after active/standby
switchover occurs. Therefore, it is recommended that the specified working
directory should contain no slot number information.
Tearing down User Connections Forcibly
Follow these steps to tear down user connections forcibly:

To do...                    Use the command...                          Remarks
Enter system view           system-view                                 -
Tear down user connections  cut connection { access-type { dot1x |      Required
forcibly                    mac-authentication | portal } | all |       Applies to only LAN access
                            domain isp-name | interface interface-type  user connections
                            interface-number | ip ip-address | mac
                            mac-address | ucibindex ucib-index |
                            user-name user-name | vlan vlan-id }
                            [ slot slot-number ]

Configuring RADIUS
The RADIUS protocol is configured scheme by scheme. After creating a RADIUS
scheme, you need to configure the IP addresses and UDP ports of the RADIUS
servers for the scheme. The servers include authentication/authorization servers
and accounting servers, or from another point of view, primary servers and
secondary servers. In other words, the attributes of a RADIUS scheme mainly