HP ProCurve 9304M Security Manual page 60

Security Guide for ProCurve 9300/9400 Series Routing Switches
Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number> acct-port <number>]
The host <ip-addr> | <server-name> parameter is either an IP address or an ASCII text string.
The <auth-port> parameter is the Authentication port number; it is an optional parameter. The default is 1645.
The <acct-port> parameter is the Accounting port number; it is an optional parameter. The default is 1646.
Specifying Different Servers for Individual AAA Functions
In a RADIUS configuration, you can designate a server to handle a specific AAA task. For example, you can
designate one RADIUS server to handle authorization and another RADIUS server to handle accounting. You can
specify individual servers for authentication and accounting, but not for authorization. You can set the RADIUS key
for each server.
To specify different RADIUS servers for authentication, authorization, and accounting:
ProCurveRS(config)# radius-server host 1.2.3.4 authentication-only key abc
ProCurveRS(config)# radius-server host 1.2.3.5 authorization-only key def
ProCurveRS(config)# radius-server host 1.2.3.6 accounting-only key ghi
Syntax: radius-server host <ip-addr> | <server-name> [authentication-only | accounting-only | default] [key 0 | 1 <string>]
The default parameter causes the server to be used for all AAA functions.
After authentication takes place, the server that performed the authentication is used for authorization and/or
accounting. If the authenticating server cannot perform the requested function, then the next server in the
configured list of servers is tried; this process repeats until a server that can perform the requested function is
found, or every server in the configured list has been tried.
Setting RADIUS Parameters
You can set the following parameters in a RADIUS configuration:
RADIUS key – This parameter specifies the value that the HP device sends to the RADIUS server when trying to authenticate user access.
Retransmit interval – This parameter specifies how many times the HP device will resend an authentication request when the RADIUS server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
Timeout – This parameter specifies how many seconds the HP device waits for a response from a RADIUS server before either retrying the authentication request, or determining that the RADIUS servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Setting the RADIUS Key
The key parameter in the radius-server command is used to encrypt RADIUS packets before they are sent over
the network. The value for the key parameter on the HP device should match the one configured on the RADIUS
server. The key can be from 1 – 32 characters in length and cannot include any space characters.
To specify a RADIUS server key:
ProCurveRS(config)# radius-server key mirabeau
Syntax: radius-server key [0 | 1] <string>
When you display the configuration of the HP device, the RADIUS key is encrypted. For example:
ProCurveRS(config)# radius-server key 1 abc
ProCurveRS(config)# write terminal
...
radius-server host 1.2.3.5
radius key 1 $!2d
2 - 44
June 2005

This manual is also suitable for:

J4139a, Procurve 9308m, J4874a, Procurve 9408sl, J4138a, J8680a ...
