Considerations For Radius Use; Accounting Support; Setting Up The Radius Server; Windows 2000 - HP StorageWorks 2/16 - SAN Switch Manual

HP StorageWorks Fabric OS 3.x Document Addendum (AA-RW24A-TE, January 2005)

Fabric OS procedures user guide

Accounting Support

The RADIUS service supports accounting request and response packets so that accounting
records can be centralized on the RADIUS server. The login account name, assigned role, and
password are stored on the RADIUS server for each user.

Setting Up the RADIUS Server

You must know the switch IP address or name to connect to switches. Use the ipaddrshow
command to display a switch IP address.

User accounts should be set up by their true network-wide identity, rather than by the account
names created on a Fabric OS switch. Along with each account name, the administrator should
assign appropriate switch access roles. To manage a nonsecure fabric, these roles can be user
or admin. To manage a secure fabric, these roles can be user, admin, or nonfcsadmin.

When they log in to a switch configured with RADIUS, users enter their assigned RADIUS
account names and passwords at the prompt. After the RADIUS server authenticates a user, it
responds with the assigned switch role in an HP Vendor-Specific Attribute (VSA) as defined in
the RFC. An authentication-accept response without such a VSA role assignment grants the user
role.
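
The role-resolution rule described above, as an added Python sketch (not HP's or the switch's own code): it checks the RFC 2865 Response Authenticator, reads the role from the Vendor-Specific attribute, and falls back to user when no role VSA is present. VENDOR_ID, ROLE_SUBTYPE, the rejection of unrecognized role strings, and the build_accept sample builder are assumptions or placeholders, because the page gives no vendor ID or attribute number.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26   # RFC 2865 packet code / attribute type
VENDOR_ID = 99999      # placeholder: the page does not give the vendor ID
ROLE_SUBTYPE = 1       # assumption: vendor sub-attribute that carries the role
ROLES = {"user", "admin", "nonfcsadmin"}   # roles named on the page

def attributes(packet):
    """Yield (type, value) for each attribute after the 20-byte header."""
    pos, end = 20, struct.unpack("!H", packet[2:4])[0]
    if end > len(packet):
        raise ValueError("length field exceeds packet")
    while pos < end:
        alen = packet[pos + 1] if pos + 2 <= end else 0
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute")
        yield packet[pos], packet[pos + 2:pos + alen]
        pos += alen

def authentic(packet, request_auth, secret):
    """Response Authenticator = MD5(code+id+length+RequestAuth+attrs+secret)."""
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])

def resolve_role(packet, request_auth, secret):
    """Return (role, source) for an Access-Accept, or None for any other code."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    if not authentic(packet, request_auth, secret):
        raise ValueError("response authenticator mismatch")
    for atype, value in attributes(packet):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor, sub_type, sub_len = struct.unpack("!IBB", value[:6])
        if (vendor, sub_type) == (VENDOR_ID, ROLE_SUBTYPE) and 2 <= sub_len <= len(value) - 4:
            role = value[6:4 + sub_len].decode("ascii", "replace")
            if role not in ROLES:
                raise ValueError("unrecognized role in VSA: %r" % role)
            return role, "vsa"
    return "user", "default"   # accept without a role VSA grants the user role

def build_accept(role, request_auth, secret):
    """Constructed sample packet for testing; role=None omits the VSA."""
    sub = b"" if role is None else bytes([ROLE_SUBTYPE, 2 + len(role)]) + role.encode()
    attrs = (bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", VENDOR_ID) + sub) if sub else b""
    head = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs
```

The "default" source is the case to audit: any account that the RADIUS server accepts without a role VSA still reaches the switch with the user role.
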
The following sections explain how to configure a RADIUS server to support HP clients under
different operating systems.

Windows 2000

Use these procedures to add a client to the RADIUS server and create remote access policies
for Fabric OS user and admin roles.
To add a RADIUS client:
1. From the Windows Start menu, select Programs > Administrative Tools > Internet
Authentication Service.
2. In the Internet Authentication Service window, right-click the RADIUS Clients folder and
select New RADIUS Client.

Considerations for RADIUS Use

API. The following items apply:
— When an older version of the API host library authenticates against a switch with
RADIUS support, the host performs the login. However, the old host library does not
recognize the role returned from the switch, which can result in the host displaying an
incorrect read or write attribute for an account. The switch library performs the
permission check again for individual API function calls.
— The API provides functions for RADIUS configuration that share the behavior of the
aaaconfig CLI command.

Advanced Web Tools and API. The following items apply to both of these features:
— Users can log in using account names and passwords configured on the RADIUS
server, and gain access with the switch roles defined on the RADIUS server.
— Users can log in through API using account names and passwords configured on the
RADIUS server, and gain access with the switch roles defined on the RADIUS server.
— When a proxy switch is used, the switch-side component performs authentication on
the proxy switch, rather than on the destination switch. Therefore, to use RADIUS in
this environment, you must configure RADIUS on the proxy switch.