TMS zl Management and Configuration Guide ST.1.1.100226
Initial Setup in Routing Mode
Configure Management Access
You may choose to leave this field blank. When you leave the Domain Name
field blank, the TMS zl Module assigns the RADIUS server to the global
domain. Then, when users log in using the TMS zl Module's login page,
they simply enter their username. They do not need to include a domain
name. When a user submits credentials without a domain name, the
module checks the username first against the local manager and operator
accounts, and then it checks the username against the RADIUS server in
the global domain. Similarly, when a user submits credentials with a
domain name that is not configured for one of the TMS zl Module’s
RADIUS servers, the module submits the request to the global domain
RADIUS server.
8. As mentioned, users may submit their username followed by
@<domain name>. However, sometimes the RADIUS server will not
recognize the domain name. In this case, select the Strip domain from
user name in RADIUS request check box.
9. Click OK. The RADIUS server is now displayed in the
Network > Authentication > RADIUS window.
10. Click Save.
For more information on RADIUS servers, see “Configure Authentication to
an External RADIUS Server” on page 4-62 of Chapter 4: “Firewall.”
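The lookup order and the Strip domain option described above can be modeled to see which server receives which User-Name for a given login. This is an added example, not code from the guide or the TMS zl Module; the RadiusServer class, function names, server names and sample logins are hypothetical, and it assumes exact-match domain comparison and that the strip setting is applied per server, including the global domain server.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class RadiusServer:
    """Hypothetical model of one configured RADIUS server entry."""
    name: str
    strip_domain: bool = False  # the "Strip domain from user name" check box

def plan_login(login: str,
               domain_servers: Dict[str, RadiusServer],
               global_server: Optional[RadiusServer]) -> List[Tuple[str, str]]:
    """Return the ordered (where checked, User-Name presented) steps."""
    user, at, domain = login.rpartition("@")
    if not at:
        # No domain: local manager/operator accounts, then the global domain.
        steps = [("local accounts", login)]
        if global_server:
            steps.append((global_server.name, login))
        return steps
    # Configured domain -> its own server; anything else -> global domain.
    server = domain_servers.get(domain, global_server)
    if server is None:
        return []  # assumption: nothing to ask when no global server exists
    sent = user if server.strip_domain else login
    return [(server.name, sent)]

def fallthrough_logins(logins, domain_servers, global_server):
    """List domain-qualified logins that end up at the global domain server."""
    return [l for l in logins
            if "@" in l and l.rpartition("@")[2] not in domain_servers
            and global_server is not None]

# Constructed sample configuration and logins (not from the guide).
GLOBAL = RadiusServer("radius-global")
DOMAINS = {"corp.example": RadiusServer("radius-corp", strip_domain=True)}
SAMPLE = ["alice", "bob@corp.example", "carol@crop.example"]

if __name__ == "__main__":
    for login in SAMPLE:
        print(login, "->", plan_login(login, DOMAINS, GLOBAL))
    print("reach global server:", fallthrough_logins(SAMPLE, DOMAINS, GLOBAL))
```

The mistyped domain in the third sample login is not rejected; it is forwarded to the global domain server with the domain still attached, which is the case to check when deciding whether that server should have Strip domain enabled.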
You should also verify that your external RADIUS server is ready to
authenticate administrators:
■ User accounts with the proper usernames and passwords are configured
in the RADIUS server’s database and assigned to the proper groups.
■ To authenticate manager users, the RADIUS server requires a policy that
meets these criteria:
• It selects RADIUS requests according to any of the attributes shown
in Table 2-13. For example, the policy can select requests from users
in the managers’ group; or it can select requests from specific IP
addresses.
Note: If your management users can also be L2TP Virtual Private Network
(VPN) users, you must distinguish the RADIUS policy for granting
management access from the RADIUS policy for granting L2TP
access. One way to do so is to add Service-Type = NAS-Prompt-User to
the selection criteria for the management access policy. (See
“Configure an L2TP over IPsec VPN” in Chapter 7: “Virtual Private
Networks” for more information on L2TP.)