ProLiant BL p-Class GbE2 Interconnect Switch Application Guide

Accessing the GbE2 Interconnect Switch
• Allows the network administrator to define privileges for one or more specific users to access the GbE2 Interconnect Switch at the RADIUS user database.
• Allows the administrator to configure RADIUS backdoor and secure backdoor for Telnet, SSH, HTTP, and HTTPS access.
User accounts for RADIUS users
The user accounts listed in the following table can be defined in the RADIUS server dictionary file.
Table 2 User access levels
| User account | Description and tasks performed |
|---|---|
| User | User interaction with the GbE2 Interconnect Switch is completely passive; nothing can be changed on the GbE2 Interconnect Switch. Users may display information that has no security or privacy implications, such as GbE2 Interconnect Switch statistics and current operational state information. |
| Operator | Operators can only effect temporary changes on the GbE2 Interconnect Switch. These changes are lost when the GbE2 Interconnect Switch is rebooted/reset. Operators have access to the GbE2 Interconnect Switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the GbE2 Interconnect Switch, operators cannot severely impact switch operation, but do have access to the Maintenance menu. By default, the operator account is disabled and has no password. |
| Administrator | Administrators are the only ones that can make permanent changes to the switch configuration (changes that are persistent across a reboot/reset of the GbE2 Interconnect Switch). Administrators can access GbE2 Interconnect Switch functions to configure and troubleshoot problems on the switch level. Because administrators can also make temporary (operator-level) changes, they must be aware of the interactions between temporary and permanent changes. |
RADIUS attributes for user privileges
When the user logs in, the GbE2 Interconnect Switch authenticates the level of access by sending the RADIUS access request, that is, the client authentication request, to the RADIUS authentication server.
If the authentication server successfully authenticates the remote user, the GbE2 Interconnect Switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When backdoor access is enabled, access is allowed even if the primary and secondary authentication servers are not reachable. With secure backdoor (secbd), access is allowed only when both the primary and secondary authentication servers are not reachable; the administrator has the option to allow secure backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When RADIUS is on, you can have either backdoor or secure backdoor allowed, not both. Backdoor access through the console port only is enabled by default. Backdoor and secure backdoor access through Telnet/SSH/HTTP/HTTPS are disabled by default.
All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary is RADIUS vendor-dependent. The RADIUS attributes shown in the following table are defined for user privilege levels.
Table 3 Proprietary attributes for RADIUS
| User name/access | User service type | Value |
|---|---|---|
| User | Vendor-supplied | 255 |
| Operator | Vendor-supplied | 252 |
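
The privilege mapping described above, as an added Python example (not from this guide or the switch firmware): it walks the attributes of a RADIUS Access-Accept, reads Service-Type (attribute 6), and maps the value to an access level, denying on anything malformed, duplicated, or unknown. Values 255 and 252 are from Table 3; treating Service-Type value 6 (Administrative in RFC 2865) as the administrator level, and all function names, are assumptions. The Response Authenticator is not verified here, since that requires the shared secret.

```python
import struct

SERVICE_TYPE = 6      # RADIUS attribute type 6 is Service-Type (RFC 2865)
ACCESS_ACCEPT = 2     # RADIUS packet code for Access-Accept

# 255 and 252 come from Table 3. Mapping Service-Type value 6
# (Administrative, RFC 2865) to the administrator level is an assumption.
LEVELS = {255: "user", 252: "operator", 6: "administrator"}


def iter_attributes(packet: bytes):
    """Yield (type, value) for each attribute; raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    pos = 20  # skip code, identifier, length and 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        yield attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def privilege_level(packet: bytes):
    """Return the access level for an Access-Accept, or None to deny."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    try:
        values = [v for t, v in iter_attributes(packet) if t == SERVICE_TYPE]
    except ValueError:
        return None  # fail closed on any malformed packet
    # Fail closed: require exactly one 4-byte Service-Type attribute.
    if len(values) != 1 or len(values[0]) != 4:
        return None
    return LEVELS.get(struct.unpack("!I", values[0])[0])


def build_accept(*attrs):
    """Constructed sample Access-Accept: zeroed authenticator, (type, bytes) attrs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body
```
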