Manuals / HP / Computer Equipment / Switch

HP Ethernet BL-c manual Radius

Models: Ethernet BL-c

1 66
Download 66 pages 27.04 Kb
Page 13
Image 13

RADIUS

The switch supports the RADIUS method to authenticate and authorize remote administrators for managing the switch. This method is based on a client/server model. The RAS, the switch, is a client to the back-end database server. A remote user (the remote administrator) interacts only with the RAS, not the back-end server and database.

RADIUS authentication consists of:

A protocol with a frame format that utilizes UDP over IP, based on RFC 2138 and 2866

A centralized server that stores all the user authorization information

A client, in this case, the switch

The switch, acting as the RADIUS client, communicates to the RADIUS server to authenticate and authorize a remote administrator using the protocol definitions specified in RFC 2138 and 2866. Transactions between the client and the RADIUS server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the RADIUS client (the switch) and the back-end RADIUS server.

The benefits of using RADIUS are:

Authentication of remote administrators

Identification of the administrator using name/password

Authorization of remote administrators

Determination of the permitted actions and customizing service for individual administrators

TACACS+

The switch supports the TACACS+ method to authenticate, authorize, and account for remote administrators managing the switch. This method is based on a client/server model. The switch is a client to the back-end TACACS+ AAA server. A remote user (the remote administrator) interacts only with the client, and not with the back end AAA server.

The TACACS+ AAA method consists of:

A protocol with a frame format that utilizes TCP over IP

A centralized AAA server that stores all the user authentication, authorization, and accounting (of usage) information

A NAS or client (in this case, the switch)

The switch, acting as the TACACS+ client or NAS, communicates to the TACACS+ server to authenticate, authorize, and account for user access. Transactions between the client and the TACACS+ server are authenticated using a shared key that is not sent over the network. In addition, the remote administrator passwords are sent encrypted between the TACACS+ client (the switch) and the back-end TACACS+ server.

The switch supports:

Only standard ASCII inbound login authentication. PAP, CHAP, or ARAP login methods are not supported. One-time password authentication is also not supported.

Authorization privilege levels of only 0, 3, and 6. These map to management levels of user, oper, and admin, respectively.

Introduction 13

Page 12 Page 14
Page 13
Image 13
HP Ethernet BL-c manual Radius
Page 12 Page 14