RADIUS client and server requirements

  • Clients can be dual-stack, IPv4-only, or IPv6-only.

  • Client authentication can be through 802.1X, MAC authentication, or web-based authentication. (Clients using web-based authentication must be IPv4-capable.)

  • Server must support IPv4 and have an IPv4 address.

The following information provides an overview of the RADIUS services supported on a switch, including CoS (802.1p priority), ingress and egress rate-limiting, and ACL client services on a RADIUS server. For information on configuring client authentication capability on the switch, see RADIUS Authentication, Authorization, and Accounting.

NOTE:

When no allow-v2-modules is specified in the configuration of a switch with V3 modules on KB firmware, Egress VLAN ACLs do not filter mirrored traffic. You must use a port ACL to filter mirrored traffic.

RADIUS services supported on the switch

| Service | Application | Standard RADIUS attribute | HP vendor-specific RADIUS attribute (VSA) |
|---|---|---|---|
| CoS (Priority) | per-user | 59 | 40 |
| Ingress Rate-Limiting | per-user | | 46 |
| Egress Rate-Limiting | per-port [1] | | 48 |
| ACLs: | | | |
| IPv6 and IPv4 ACEs (NAS-Filter-Rule) | per-user | 92 | 61 |
| NAS-Rules-IPv6 (sets IP mode to IPv4-only or IPv4 and IPv6) | per-user | | 63 |

[1] If multiple clients are authenticated on a port where per-port rules are assigned by a RADIUS server, then the most recently assigned rule is applied to the traffic of all clients authenticated on the port.

Hewlett Packard Enterprise recommends using the Standard RADIUS attribute if available. Where both a standard attribute and a VSA are available, the VSA is maintained for backwards compatibility with configurations based on earlier software releases.
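
As an added example (not HPE code), the following Python decodes the attribute section of a RADIUS reply, maps each attribute number from the table above to its service, and notes where a VSA is used although a standard attribute exists and where an assignment is per-port. The HP vendor ID of 11, the function names, and the sample bytes are assumptions that do not come from this page.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
HP_VENDOR_ID = 11      # assumption: IANA enterprise number for HP, not given on the page

# attribute number -> (service, application), copied from the table above
STANDARD = {59: ("CoS (Priority)", "per-user"),
            92: ("ACL ACEs (NAS-Filter-Rule)", "per-user")}
HP_VSA = {40: ("CoS (Priority)", "per-user"),
          46: ("Ingress Rate-Limiting", "per-user"),
          48: ("Egress Rate-Limiting", "per-port"),
          61: ("ACL ACEs (NAS-Filter-Rule)", "per-user"),
          63: ("NAS-Rules-IPv6", "per-user")}

def parse_services(attrs: bytes):
    """Walk RFC 2865 attribute TLVs; return (source, number, service, application, value) tuples."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        value = attrs[i + 2:i + alen]
        if atype in STANDARD:
            found.append(("standard", atype, *STANDARD[atype], value))
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            # Vendor-Id (4 bytes), then the first sub-attribute: type, length, data
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == HP_VENDOR_ID and vtype in HP_VSA and 2 <= vlen <= len(value) - 4:
                found.append(("vsa", vtype, *HP_VSA[vtype], value[6:4 + vlen]))
        i += alen
    return found

def review(found):
    """Return notes where a reply departs from the guidance on this page."""
    services_with_standard = {service for service, _ in STANDARD.values()}
    notes = []
    for source, number, service, application, _ in found:
        if source == "vsa" and service in services_with_standard:
            notes.append(f"{service}: VSA {number} used although a standard attribute exists")
        if application == "per-port":
            notes.append(f"{service}: per-port, the latest value applies to all clients on the port")
    return notes

def std_attr(t, data):  # helpers that build the constructed sample below
    return bytes([t, len(data) + 2]) + data
def hp_vsa(t, data):
    return std_attr(VENDOR_SPECIFIC, struct.pack("!IBB", HP_VENDOR_ID, t, len(data) + 2) + data)

# Constructed attribute bytes (values are placeholders, not captured traffic)
SAMPLE = std_attr(92, b"permit in ip from any to any") + hp_vsa(40, b"\x04") + hp_vsa(48, b"\x00\x00\xc3\x50")
```

Running `review(parse_services(SAMPLE))` on the constructed sample yields one note for the CoS VSA and one for the per-port egress rate limit.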