Radius Authentication And Authorization - HP GbE2c - Blc Layer 2/3 Fiber SFP Option Application Manual

In this example, the management network is set to 192.192.192.0 and management mask is set to
255.255.255.128. This defines the following range of allowed IP addresses: 192.192.192.1 to 192.192.192.127.
The following source IP addresses are granted or not granted access to the switch:
A host with a source IP address of 192.192.192.21 falls within the defined range and would be allowed to
access the switch.
A host with a source IP address of 192.192.192.192 falls outside the defined range and is not granted access.
To make this source IP address valid, you would need to shift the host to an IP address within the valid range
specified by the mnet and mmask or modify the mnet to be 192.192.192.128 and the mmask to be
255.255.255.128. This would put the 192.192.192.192 host within the valid range allowed by the mnet and
mmask (192.192.192.128-255).

RADIUS authentication and authorization

The switch supports the Remote Authentication Dial-in User Service (RADIUS) method to authenticate and authorize
remote administrators for managing the switch. This method is based on a client/server model. The Remote Access
Server (RAS)—the switch—is a client to the back-end database server. A remote user (the remote administrator)
interacts only with the RAS, not the back-end server and database.
RADIUS authentication consists of the following components:
A protocol with a frame format that utilizes User Datagram Protocol (UDP) over IP, based on Request For
Comments (RFC) 2138 and 2866
A centralized server that stores all the user authorization information
A client, in this case, the switch
The switch, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize a remote
administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the
RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote
administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end RADIUS server.
How RADIUS authentication works
RADIUS authentication works as follows:
1. A remote administrator connects to the switch and provides the user name and password.
2. Using Authentication/Authorization protocol, the switch sends the request to the authentication server.
3. The authentication server checks the request against the user ID database.
4. Using RADIUS protocol, the authentication server instructs the switch to grant or deny administrative access.
Configuring RADIUS on the switch (CLI example)
To configure RADIUS on the switch, do the following:
1. Turn RADIUS authentication on, and then configure the Primary and Secondary RADIUS servers. For example:
>> Main# /cfg/sys/radius
>> RADIUS Server# on
Current status: OFF
New status:
>> RADIUS Server# prisrv 10.10.1.1
Current primary RADIUS server:
New pending primary RADIUS server: 10.10.1.1
>> RADIUS Server# secsrv 10.10.1.2
Current secondary RADIUS server:
New pending secondary RADIUS server: 10.10.1.2
ON
0.0.0.0
(Select the RADIUS Server menu)
(Turn RADIUS on)
(Enter primary server IP)
(Enter secondary server IP)
0.0.0.0
Accessing the switch 18