HP ProCurve 6400cl Series Access Security Manual page 151

Figure 6-2. Example Configuration for RADIUS Authentication
You can also use RADIUS for Port-Based (802.1X) Access authentication.
Refer to chapter 10, "Configuring Port-Based and Client-Based Access Control
(802.1X)" .
You can configure RADIUS as the primary password authentication method
for the above access methods. You also need to select either local or none as
a secondary, or backup, method. Note that for console access, if you configure
radius (or tacacs) for primary authentication, you must configure local for the
secondary method. This prevents the possibility of being completely locked
out of the switch in the event that all primary access methods fail.
Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > radius
Configures RADIUS as the primary password authentication
method for console, Telnet, SSH, and/or the web browser
interface (5300xl switches running software release E.09.xx
or greater). (The default primary < enable | login > authenti-
cation is local.)
[< local | none >]
Provides options for secondary authentication
(default: none). Note that for console access, secondary
authentication must be local if primary access is not
local. This prevents you from being locked out of the
switch in the event of a failure in other access methods.
For example, suppose you already configured local passwords on the switch,
but want RADIUS to protect primary Telnet and SSH access without allowing
a secondary Telnet or SSH access option (the switch's local passwords):
RADIUS Authentication and Accounting
Configuring the Switch for RADIUS Authentication
Note: The Webui
access task shown
in this figure is
available only on the
5300xl switches.
The switch now
allows Telnet and
SSH authentication
only through
RADIUS.
6-11