RADIUS Authentication, Authorization, and Accounting

Switch Operating Rules for RADIUS

Vendor-Specific Attribute: A vendor-defined value configured in a RADIUS server to specific an optional switch feature assigned by the server during an authenticated client session.

Switch Operating Rules for RADIUS

You must have at least one RADIUS server accessible to the switch.

The switch supports authentication and accounting using up to three RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius (page 5-46). If the first server does not respond, the switch tries the next one, and so-on. (To change the order in which the switch accesses RADIUS servers, refer to “Changing RADIUS-Server Access Order” on page 5-50.)

You can select RADIUS as the primary authentication method for each type of access. (Only one primary and one secondary access method is allowed for each access type.)

In the ProCurve switch, EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server.

When primary/secondary authentication is set to Radius/Local (for either Login or Enable) and the RADIUS server fails to respond to a client attempt to authenticate, the failure is noted in the Event Log with the message radius: Can't reach RADIUS server < server-ip-addr>. When this type of failure occurs, the switch prompts the client again to enter a username and password. In this case, use the local user- name (if any) and password configured on the switch itself.

Zero-length usernames or passwords are not allowed for RADIUS authentication, even though allowed by some RADIUS servers.

TACACS+ is not supported for the web browser interface access.

5-6