Configuring RADIUS Security
You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following types of
access to the HP switch or routing switch:
Web management access
Access to the Privileged EXEC level and CONFIG levels of the CLI
RADIUS Authentication, Authorization, and Accounting
When RADIUS authentication is implemented, the HP device consults a RADIUS server to verify user names
and passwords. You can optionally configure RADIUS authorization, in which the HP device consults a list of
commands supplied by the RADIUS server to determine whether a user can execute a command he or she has
entered, as well as accounting, which causes the HP device to log information on a RADIUS accounting server
when specified events occur on the device.
NOTE: In releases prior to 07.1.10, a user logging into the device via Telnet or SSH would first enter the User
EXEC level. The user could then enter the enable command to get to the Privileged EXEC level.
Starting with release 07.1.10, a user that is successfully authenticated by a RADIUS or TACACS+ server is
automatically placed at the Privileged EXEC level after login.
When RADIUS authentication takes place, the following events occur:
A user attempts to gain access to the HP device by doing one of the following:
Logging into the device using Telnet, SSH, or the Web management interface
Entering the Privileged EXEC level or CONFIG level of the CLI
The user is prompted for a username and password.
The user enters a username and password.
The HP device sends a RADIUS Access-Request packet containing the username and password to the
The RADIUS server validates the HP device using a shared secret (the RADIUS key).
The RADIUS server looks up the username in its database.
If the username is found in the database, the RADIUS server validates the password.
If the password is valid, the RADIUS server sends an Access-Accept packet to the HP device, authenticating
the user. Within the Access-Accept packet are three HP vendor-specific attributes that indicate:
The privilege level of the user
A list of commands
Whether the user is allowed or denied usage of the commands in the list
The last two attributes are used with RADIUS authorization, if configured.
The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on
the HP device. The user is granted the specified privilege level. If you configure RADIUS authorization, the
user is allowed or denied usage of the commands in the list.
3 - 31