Radius Attributes For User Privileges; Tacacs+ Authentication - HP 438031-B21 - 1:10Gb Ethernet BL-c Switch Application Manual

HP 1:10Gb Ethernet BL-c Switch for c-Class BladeSystem Application Guide

Table 2 User access levels
User account: Administrator

RADIUS attributes for user privileges

When the user logs in, the switch authenticates the level of access by sending the RADIUS access request (that is, the client authentication request) to the RADIUS authentication server.
If the authentication server successfully authenticates the remote user, the switch verifies the privileges of the remote user and authorizes the appropriate access. The administrator has the option to allow backdoor access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access. When backdoor access is enabled, access is allowed even if the primary and secondary authentication servers are reachable. The administrator also has the option to allow secure backdoor (secbd) access through the console port only, or through the console and Telnet/SSH/HTTP/HTTPS access; secure backdoor access is allowed only when both the primary and secondary authentication servers are not reachable. When RADIUS is on, you can have either backdoor or secure backdoor enabled, but not both at the same time. The default value for backdoor access through the console port only is enabled. You can always access the switch via the console port by using noradius and the administrator password, whether or not backdoor or secure backdoor is enabled. The default value for backdoor and secure backdoor access through Telnet/SSH/HTTP/HTTPS is disabled.
All user privileges, other than those assigned to the administrator, must be defined in the RADIUS dictionary. RADIUS attribute 6, which is built into all RADIUS servers, defines the administrator. The file name of the dictionary depends on the RADIUS vendor. The RADIUS attributes shown in the following table are defined for user privilege levels.
Table 3 Proprietary attributes for RADIUS
User name/access    User service type    Value
User                Vendor-supplied      255
Operator            Vendor-supplied      252
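
An added example, not taken from the manual or the switch firmware: a Python check that parses a RADIUS Access-Accept and maps its Service-Type value to the privilege levels above, denying access when the attribute is missing, repeated or unknown. It assumes the Table 3 values 255 (User) and 252 (Operator) are carried in attribute 6 and that the administrator is signalled by the standard value 6; all function names are hypothetical.

```python
import struct

SERVICE_TYPE = 6  # RADIUS attribute type 6, Service-Type in RFC 2865
# 255 and 252 come from Table 3. Mapping value 6 (RFC 2865 "Administrative")
# to the administrator is an assumption of this example.
PRIVILEGE_BY_VALUE = {255: "user", 252: "operator", 6: "administrator"}


def parse_attributes(packet: bytes):
    """Return [(type, value_bytes)] from a RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def privilege_from_accept(packet: bytes) -> str:
    """Map an Access-Accept to a privilege level; anything unexpected is 'deny'."""
    if packet[:1] != b"\x02":  # code 2 = Access-Accept
        return "deny"
    try:
        values = [v for t, v in parse_attributes(packet) if t == SERVICE_TYPE]
    except ValueError:
        return "deny"
    if len(values) != 1 or len(values[0]) != 4:
        return "deny"  # missing, repeated or malformed Service-Type
    return PRIVILEGE_BY_VALUE.get(struct.unpack("!I", values[0])[0], "deny")


def build_accept(*service_types: int) -> bytes:
    """Constructed sample Access-Accept with a zeroed authenticator (test data)."""
    body = b"".join(struct.pack("!BBI", SERVICE_TYPE, 6, v) for v in service_types)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    for sample in (build_accept(255), build_accept(252), build_accept(7)):
        print(privilege_from_accept(sample))
```

The example does not verify the Response Authenticator, which a real client must check against the shared secret before trusting any attribute in the reply.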

TACACS+ authentication

The switch software supports authentication, authorization, and accounting with networks using the Cisco
Systems TACACS+ protocol. The switch functions as the Network Access Server (NAS) by interacting with
the remote client and initiating authentication and authorization sessions with the TACACS+ access
server. The remote user is defined as someone requiring management access to the switch through either
a data or management port.
Description and tasks performed (Table 2, Administrator account)
Administrators are the only ones that can make permanent changes to the switch configuration—changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the switch level. Because administrators can also make temporary (operator-level) changes as well, they must be aware of the interactions between temporary and permanent changes.

User service type and Value (Table 3, rows User and Operator)
User: Vendor-supplied, 255
Operator: Vendor-supplied, 252

This manual is also suitable for:

1:10gbe