HP ProCurve 9304M Security Manual page 64

Security Guide for ProCurve 9300/9400 Series Routing Switches
NOTE: RADIUS command authorization can be performed only for commands entered from Telnet or SSH
sessions, or from the console. No authorization is performed for commands entered at the Web management
interface or SNMP management applications.
NOTE: Since RADIUS command authorization relies on the command list supplied by the RADIUS server during
authentication, you cannot perform RADIUS authorization without RADIUS authentication.
Command Authorization and Accounting for Console Commands
The HP device supports command authorization and command accounting for CLI commands entered at the
console. To configure the device to perform command authorization and command accounting for console
commands, enter the following:
ProCurveRS(config)# enable aaa console
Syntax: enable aaa console
CAUTION: If you have previously configured the device to perform command authorization using a RADIUS
server, entering the enable aaa console command may prevent the execution of any subsequent commands
entered on the console.
This happens because RADIUS command authorization requires a list of allowable commands from the RADIUS
server. This list is obtained during RADIUS authentication. For console sessions, RADIUS authentication is
performed only if you have configured Enable authentication and specified RADIUS as the authentication method
(for example, with the aaa authentication enable default radius command). If RADIUS authentication is never
performed, the list of allowable commands is never obtained from the RADIUS server. Consequently, there would
be no allowable commands on the console.
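The following Python check is an added example, not part of the HP manual. It scans a saved configuration for the lockout condition described in the CAUTION above. The `aaa authorization commands <level> default radius` line format and both sample configurations are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration fragments (not taken from the manual).
RISKY_CONFIG = """\
radius-server host 192.0.2.10
aaa authentication login default radius local
aaa authorization commands 0 default radius
enable aaa console
"""

# Same config plus Enable authentication that uses RADIUS.
SAFE_CONFIG = RISKY_CONFIG + "aaa authentication enable default radius local\n"


def _methods(config, prefix):
    """Return the method list that follows `prefix`, or [] if no such line."""
    for line in config.splitlines():
        line = line.strip()
        if line.startswith(prefix + " "):
            return line[len(prefix):].split()
    return []


def console_lockout_risk(config):
    """True when console commands are subject to RADIUS authorization but
    Enable authentication never uses RADIUS, so the list of allowable
    commands would never be obtained for a console session."""
    lines = [l.strip() for l in config.splitlines()]
    console_aaa = "enable aaa console" in lines
    # Assumption: command authorization appears as
    # "aaa authorization commands <level> default <methods>".
    radius_authz = any(
        re.match(r"aaa authorization commands \d+ default\b.*\bradius\b", l)
        for l in lines
    )
    enable_uses_radius = "radius" in _methods(
        config, "aaa authentication enable default"
    )
    return console_aaa and radius_authz and not enable_uses_radius


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, "-> console lockout risk:", console_lockout_risk(cfg))
```

Running such a check against a staged configuration before entering enable aaa console shows whether Enable authentication with RADIUS still needs to be configured first.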
Configuring RADIUS Accounting
HP devices support RADIUS accounting for recording information about user activity and system events. When
you configure RADIUS accounting on an HP device, information is sent to a RADIUS accounting server when
specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring RADIUS Accounting for Telnet/SSH (Shell) Access
To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a
Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out:
ProCurveRS(config)# aaa accounting exec default start-stop radius
Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
Configuring RADIUS Accounting for CLI Commands
You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands require
accounting. For example, to configure the HP device to perform RADIUS accounting for the commands available
at the Super User privilege level (that is, all commands on the device), enter the following command:
ProCurveRS(config)# aaa accounting commands 0 default start-stop radius
An Accounting Start packet is sent to the RADIUS accounting server when a user enters a command, and an
Accounting Stop packet is sent when the service provided by the command is completed.
NOTE: If authorization is enabled, and the command requires authorization, then authorization is performed
before accounting takes place. If authorization fails for the command, no accounting takes place.
Syntax: aaa accounting commands <privilege-level> default start-stop radius | tacacs | none
The <privilege-level> parameter can be one of the following:
0 – Records commands available at the Super User level (all commands)
June 2005
