RADIUS Authentication, Authorization, and Accounting

Commands Authorization

The results of using the HP-Command-String and HP-Command-Exception attributes in various combinations are shown below.

| HP-Command-String | HP-Command-Exception | Description |
|---|---|---|
| Not present | Not present | If command authorization is enabled and the RADIUS server does not provide any authorization attributes in an Access-Accept packet, the user is denied access to the server. This message appears: “Access denied: no user’s authorization info supplied by the RADIUS server.” |
| Not present | DenyList-PermitOthers(1) | Authenticated user is allowed to execute all commands available on the switch. |
| Not present | PermitList-DenyOthers(0) | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
| Commands List | DenyList-PermitOthers(1) | Authenticated user may execute all commands except those in the Commands List. |
| Commands List | PermitList-DenyOthers(0) | Authenticated user can execute only those commands provided in the Commands List, plus the default commands. |
| Commands List | Not present | Authenticated user can only execute commands from the Commands List, plus the default commands. |
| Empty Commands List | Not present | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
| Empty Commands List | DenyList-PermitOthers(1) | Authenticated user is allowed to execute all commands available on the switch. |
| Empty Commands List | PermitList-DenyOthers(0) | Authenticated user can only execute a minimal set of commands (those that are available by default to any user). |
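The table above written as a decision function, useful for checking what a RADIUS user profile actually grants. This is an added example, not code from the HP documentation: it assumes the Commands List is a ';'-separated string compared literally, uses a placeholder DEFAULT_COMMANDS set, and the function names are hypothetical.

```python
PERMIT_LIST_DENY_OTHERS = 0  # HP-Command-Exception values named in the table
DENY_LIST_PERMIT_OTHERS = 1

# Assumption: placeholder for "commands available by default to any user";
# the real set is defined by the switch and is not listed on this page.
DEFAULT_COMMANDS = frozenset({"exit", "logout"})


class AccessDenied(Exception):
    """Login refused: the Access-Accept carried no authorization attributes."""


def parse_command_list(command_string):
    """Split an HP-Command-String value into a set of commands.

    Assumption: commands are separated by ';' and compared literally.
    None means the attribute was absent; "" is an empty Commands List.
    """
    if command_string is None:
        return None
    return frozenset(c.strip() for c in command_string.split(";") if c.strip())


def is_authorized(command, command_string=None, command_exception=None):
    """Apply the table to one command for one Access-Accept."""
    commands = parse_command_list(command_string)
    if commands is None and command_exception is None:
        raise AccessDenied("no user's authorization info supplied by the RADIUS server")
    if command_exception == DENY_LIST_PERMIT_OTHERS:
        # Absent or empty list: nothing is denied, so every command is allowed.
        return command not in (commands or frozenset())
    if command_exception not in (None, PERMIT_LIST_DENY_OTHERS):
        raise ValueError(f"unknown HP-Command-Exception value: {command_exception!r}")
    # PermitList-DenyOthers, or exception absent: listed plus default commands.
    return command in (commands or frozenset()) | DEFAULT_COMMANDS


def grants_all_commands(command_string=None, command_exception=None):
    """Audit check: True when the profile gives unrestricted command access."""
    return (command_exception == DENY_LIST_PERMIT_OTHERS
            and not parse_command_list(command_string))
```

Running grants_all_commands over every user profile on the RADIUS server flags the two rows where DenyList-PermitOthers(1) is sent with a missing or empty Commands List.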

 

 

 

You must configure the RADIUS server to provide support for the HP VSAs. There are multiple RADIUS server applications; the two examples below show how a dictionary file can be created to define the VSAs for that RADIUS server application.
