Installation and Getting Started Guide
NOTE: For examples of how to define authentication-method lists for types of authentication other than RADIUS,
see "Configuring Authentication-Method Lists" on page 3-44.
Configuring RADIUS Authorization
HP devices support RADIUS authorization for controlling access to management functions in the CLI. When
RADIUS authorization is enabled, the HP device consults the list of commands supplied by the RADIUS server
during authentication to determine whether a user can execute a command he or she has entered.
You enable RADIUS authorization by specifying a privilege level whose commands require authorization. For
example, to configure the HP device to perform authorization for the commands available at the Super User
privilege level (that is; all commands on the device), enter the following command:
HP9300(config)# aaa authorization commands 0 default radius
Syntax: aaa authorization commands <privilege-level> default radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
0 – Authorization is performed (that is, the HP device looks at the command list) for commands available at
the Super User level (all commands)
4 – Authorization is performed for commands available at the Port Configuration level (port-config and read
5 – Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE: RADIUS authorization is performed only for commands entered from Telnet or SSH sessions. No
authorization is performed for commands entered at the console or the Web management interface.
NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during
authentication, you cannot perform RADIUS authorization without RADIUS authentication.
NOTE: A user's privilege level is set during RADIUS authentication, not with an aaa authorization command.
The command aaa authorization exec default radius is ignored by the system.
Configuring RADIUS Accounting
HP devices support RADIUS accounting for recording information about user activity and system events. When
you configure RADIUS accounting on an HP device, information is sent to a RADIUS accounting server when
specified events occur, such as when a user logs into the device or the system is rebooted.
Configuring RADIUS Accounting for Telnet/SSH (Shell) Access
To send an Accounting Start packet to the RADIUS accounting server when an authenticated user establishes a
Telnet or SSH session on the HP device, and an Accounting Stop packet when the user logs out:
HP9300(config)# aaa accounting exec default start-stop radius
Syntax: aaa accounting exec default start-stop radius | tacacs+ | none
3 - 38
Table 3.5: Authentication Method Values (Continued)
Do not use any authentication method. The device automatically