RADIUS Services Support on HP Switches

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service. RADIUS is the transport for AAA services; the services themselves, including user profiles (stored user credentials), user access policies, and user activity statistics, can reside on the same server. Gateway devices that control network access, such as remote access servers, VPN servers, and network switches, use the RADIUS protocol to communicate with a RADIUS server for:

  • Authentication — verifying user credentials before granting access to the network.

  • Authorization — verifying the user's access policy, that is, how much of and what kind of resources an authenticated user is allowed to use.

  • Accounting — keeping statistical information about user activities for accounting purposes.

Configuring

Configuring the switch to support RADIUS-assigned ACLs

An ACL configured in a RADIUS server is identified by the authentication credentials of the client or group of clients the ACL is designed to support. When a client authenticates with credentials associated with a particular ACL, the switch applies that ACL to the switch port the client is using. To enable the switch to forward a client's credentials to the RADIUS server, you must first configure RADIUS operation and an authentication method on the switch.

  1. Configure RADIUS operation on the switch:

    Syntax:

    radius-server host <ipv4-address> key <key-string>

    This command configures the IPv4 address and shared key of a RADIUS server. The key must match the secret configured on the server for this switch; the server should be reachable from the switch and configured to accept authentication requests from clients that use the switch to access the network.

  2. Configure RADIUS network accounting on the switch (optional).

    aaa accounting network <start-stop|stop-only> radius

    You can also view ACL counter hits using either of the following commands:

    show access-list radius <port-list>

    show port-access <authenticator|mac-based|web-based> <port-list> clients detailed

    NOTE: See the documentation provided with your RADIUS server for information on how the server receives and manages network accounting information, and how to perform any configuration steps necessary to enable the server to support network accounting data from the switch.

  3. Configure an authentication method. Options include 802.1X, web-based authentication, and MAC authentication. You can configure 802.1X, web-based authentication, and/or MAC authentication to operate simultaneously on the same ports.

    802.1X Option:

    Syntax:

    aaa port-access authenticator <port-list>

    aaa authentication port-access chap-radius

    aaa port-access authenticator active

    These commands configure 802.1X port-based access control on the switch and activate this feature on the specified ports. For more on 802.1X configuration and operation, see User authentication methods.

    MAC Authentication Option:

    Syntax:

    aaa port-access mac-based <port-list>

    This command configures MAC authentication on the switch and activates this feature on the specified ports. For more on MAC authentication, see Web and MAC Authentication.

    Web Authentication Option:

    Syntax:

    aaa port-access web-based <port-list>

    This command configures web-based authentication on the switch and activates this feature on the specified ports. For more on web-based authentication, see Web and MAC Authentication.
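The key configured in step 1 is what the switch uses to check that a RADIUS reply really came from the configured server: per RFC 2865 section 3, the server's Response Authenticator is MD5 over the reply header, the Request Authenticator of the matching request, the attributes, and the shared secret, and the switch recomputes it with its own copy of the key. The following Python is an added illustration of that check, not HP code; the secret, the Request Authenticator value and the Filter-Id attribute are constructed sample values (HP's own ACL attributes are defined in the switch and server documentation).

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11  # standard RADIUS attribute type (RFC 2865 5.11), used here as a sample


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(code: int, ident: int, attrs: bytes,
                request_auth: bytes, secret: bytes) -> bytes:
    """What the RADIUS server sends: header, Response Authenticator, attributes."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch does with its configured key: recompute and compare.
    A reply whose authenticator does not match is silently discarded."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


def demo() -> tuple:
    """Constructed exchange: an Access-Accept carrying a Filter-Id (ACL name)."""
    secret = b"constructed-shared-secret"   # the 'key <key-string>' from step 1
    request_auth = bytes(range(16))         # a real NAS uses 16 fresh random bytes
    attrs = encode_attr(FILTER_ID, b"guest-acl")
    reply = build_reply(ACCESS_ACCEPT, 7, attrs, request_auth, secret)
    good = verify_reply(reply, request_auth, secret)
    wrong_key = verify_reply(reply, request_auth, b"mistyped-key")
    tampered = verify_reply(reply[:-1] + b"X", request_auth, secret)
    return good, wrong_key, tampered
```

A mismatched key on either side therefore shows up as authentications that time out rather than as an explicit error, which is worth remembering when the `show port-access` output from step 2 shows clients stuck unauthenticated.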