Table of Contents
Advertisement
Configuring RADIUS Accounting for CLI Commands
You can configure RADIUS accounting for CLI commands by specifying a privilege level whose commands
require accounting. For example, to configure the HP device to perform RADIUS accounting for the commands
available at the Super User privilege level (that is; all commands on the device), enter the following command:
HP9300(config)# aaa accounting commands 0 default start-stop radius
An Accounting Start packet is sent to the RADIUS accounting server when a user enters a command, and an
Accounting Stop packet is sent when the service provided by the command is completed.
NOTE: If authorization is enabled, and the command requires authorization, then authorization is performed
before accounting takes place. If authorization fails for the command, no accounting takes place.
Syntax: aaa accounting commands <privilege-level> default start-stop radius | tacacs | none
The <privilege-level> parameter can be one of the following:
•
0 – Records commands available at the Super User level (all commands)
•
4 – Records commands available at the Port Configuration level (port-config and read-only commands)
•
5 – Records commands available at the Read Only level (read-only commands)
Configuring RADIUS Accounting for System Events
You can configure RADIUS accounting to record when system events occur on the HP device. System events
include rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to the RADIUS accounting server when a
system event occurs, and a Accounting Stop packet to be sent when the system event is completed:
HP9300(config)# aaa accounting system default start-stop radius
Syntax: aaa accounting system default start-stop radius | tacacs+ | none
Configuring an Interface as the Source for All RADIUS Packets
You can designate the lowest-numbered IP address configured an Ethernet port, loopback interface, or virtual
interface as the source IP address for all RADIUS packets from the routing switch. Identifying a single source IP
address for RADIUS packets provides the following benefits:
•
If your RADIUS server is configured to accept packets only from specific links or IP addresses, you can use
this feature to simplify configuration of the RADIUS server by configuring the HP device to always send the
RADIUS packets from the same link or source address.
•
If you specify a loopback interface as the single source for RADIUS packets, RADIUS servers can receive the
packets regardless of the states of individual links. Thus, if a link to the RADIUS server becomes unavailable
but the client or server can be reached through another link, the client or server still receives the packets, and
the packets still have the source IP address of the loopback interface.
The software contains separate CLI commands for specifying the source interface for Telnet, TACACS/TACACS+,
and RADIUS packets. You can configure a source interface for one or more of these types of packets.
To specify an Ethernet port or a loopback or virtual interface as the source for all RADIUS packets from the device,
use the following CLI method. The software uses the lowest-numbered IP address configured on the port or
interface as the source IP address for RADIUS packets originated by the device.
To specify the lowest-numbered IP address configured on a virtual interface as the device's source for all RADIUS
packets, enter commands such as the following:
HP9300(config)# int ve 1
HP9300(config-vif-1)# ip address 10.0.0.3/24
HP9300(config-vif-1)# exit
HP9300(config)# ip radius source-interface ve 1
Securing Access
3 - 39
Advertisement
Chapters
Table of Contents
