HP ProCurve 6200yl Series Access Security Manual page 155

Figure 6-2. Example Configuration for RADIUS Authentication
Note
radius (or tacacs) for primary authentication, you must configure local for the
secondary method. This prevents the possibility of being completely locked
out of the switch in the event that all primary access methods fail.
Syntax: aaa authentication < console | telnet | ssh | web > < enable | login > radius
Configures RADIUS as the primary password authentication
method for console, Telnet, SSH, and/or the web browser interface.
(The default primary < enable | login > authentication is local.)
[< local | none >]
Provides options for secondary authentication
(default: none). Note that for console access, secondary
authentication must be local if primary access is not
local. This prevents you from being locked out of the
switch in the event of a failure in other access methods.
For example, suppose you already configured local passwords on the switch,
but want RADIUS to protect primary Telnet and SSH access without allowing
a secondary Telnet or SSH access option (the switch's local passwords):
If you configure the Login Primary method as local instead of radius (and local
passwords are configured on the switch), then clients connected to your
network can gain access to either the Operator or Manager level without
encountering the RADIUS authentication specified for Enable Primary. Refer
to "Local Authentication Process" on page 6-19.
RADIUS Authentication and Accounting
Configuring the Switch for RADIUS Authentication
Note: The Webui
access task shown
in this figure is
available only on the
switches covered in
this guide.
The switch now
allows Telnet and
SSH authentication
only through
RADIUS.
6-11